This past weekend, the PBS website was hacked and erroneous headlines were posted. The headline everyone has focused on is that rapper Tupac Shakur was alive and living in New Zealand; he died in 1996. A group calling itself LulzSec claimed responsibility and said this was a response to broadcasts of a program on WikiLeaks that it didn’t like. Whatever happened to just writing a stern letter to the Times?
Regardless of the political motivation of the hack, a serious data breach occurred that gave the hackers access to change the content of a website. Since we rely on news organizations and their websites to inform us, creating a bogus headline can have devastating effects. Earlier this year, just the rumors of Steve Jobs taking a medical leave of absence caused Apple stock to go into a free fall – it turned out he did go on medical leave. Imagine if a fake headline said he had died. Events like that can cause havoc with financial markets and ultimately lead to panics and riots.
The criminals who hacked the PBS website used automated tools to locate and penetrate vulnerabilities. In this case, it looked like they got easy access to usernames and passwords. With those, the hackers could log into the system and do their damage. The scary thing is that this isn’t as difficult as you might think. Just for fun, type this string into Google and see what you come up with: inurl:admin filetype:asp inurl:userlist
I just did that and guess what I found? A number of websites that let me edit users’ passwords. That was too easy and makes me wonder how many other sites are like that. This seems to be a major problem with basic security. There is no way I should be able to change a password without having to log into a system or at least provide some type of credentials.
Another scary thing about the PBS hack is the simple passwords it revealed. This is an ongoing problem with people, because we have to remember so many passwords for so many systems. Still, there is no excuse for using things like hello or 123456 as a password. This also suggests that the systems aren’t forcing people to use more complex passwords. I remember years ago, when I worked extensively with Windows 2000 systems, that I could enforce password complexity. This meant forcing a user to include upper case letters, lower case letters, numbers and non-alpha characters in their passwords. That was over 10 years ago. We shouldn’t have these problems today.
Here are some simple lessons that I learned from the PBS hack:
- You are the target of hackers whether you believe it or not
- Patch servers with the latest security fixes
- Do not store usernames and passwords in text files
- Do not store usernames and passwords in clear text in web page files (html, asp, php)
- Do not store passwords in clear text in databases
- Encrypt sensitive information in databases
- Do not allow unauthenticated access to usernames and passwords
- Change default admin credentials immediately when implementing a computer system
- Force users to create complex passwords
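As an added illustration of the last few lessons (it is not code from the article or from PBS): a small Python registration routine that enforces the complexity rule described above (upper case, lower case, a number and a non-alphanumeric character) and stores only a salted, iterated PBKDF2 hash, so a leaked user table never contains a clear-text password. The minimum length and the iteration count are my own assumptions.

```python
import hashlib
import hmac
import os

# Assumed policy values; the article names the character classes but
# not a minimum length or a hashing cost.
MIN_LENGTH = 12
ITERATIONS = 200_000


def meets_policy(password: str) -> bool:
    """True only if the password has every required character class."""
    if len(password) < MIN_LENGTH:
        return False
    return (any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))  # "non-alpha"


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256; only this string is stored, never the password."""
    salt = os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def register(users: dict, username: str, password: str) -> bool:
    """Reject weak passwords; store only the hash. Returns True on success."""
    if not meets_policy(password):
        return False
    users[username] = hash_password(password)
    return True


if __name__ == "__main__":
    users = {}  # constructed in-memory user table standing in for a database
    print(register(users, "editor", "hello"))                     # False
    print(register(users, "editor", "Correct-Horse-Battery-7!"))  # True
    print(verify_password("Correct-Horse-Battery-7!", users["editor"]))  # True
```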
It’s a constant battle to keep ahead of hackers today, but try to make it a little harder for them. The situation with PBS is like leaving your front door unlocked and expecting that no one will break into your house. Most of the website and database vulnerabilities exposed in recent months are because the organization involved didn’t implement simple security procedures or the latest security patches.
It’s important to emphasize the responsibility that everyone has to protect and secure digital assets, whether you are a news organization, a defense contractor or a small business. Your information is your business and keeping it safe is important. If you aren’t sure about the security of your servers, find someone who can help you. If you use cloud-based services, you probably are okay, since security is paramount for service providers.
Remember, it’s usually the simple things that are the cause of security problems.