Why Someone Will Eventually Hack This Site (and Maybe Your Computer in the Process)By Rich
I hate to admit it, but someone will probably hack this site at some point. And they may even use it to hack your computer.
And there’s not a darn thing I can do about it.
Security, and hacking, are kind of trendy. Both the good guys and the bad guys have a habit of focusing on certain attacks and defenses based on what’s “hot”. We’re kind of the fashion whores of the IT world. I mean I just can’t believe Johnny calls himself a 1337 hax0r for finding a buffer overflow in RPC. I mean that’s just so 2002. Everyone knows that all the cool hackers are working on XSS and browser attacks.
The trend of the month seems to be cross-site scripting and embedding attacks into trusted websites. Cross site scripting (XSS) is a form of attack where the attacker takes advantage of poorly-programmed or poorly-configured web pages, and can embed his or her own code in the page to go after your browser (a seriously simple explanation, check out Wiki for more). MITRE (they speak CVE!) called cross-site scripting the number 1 vulnerability of all time (in terms of volume). Dark Reading reports a number of major sites hacked recently this way. Possibly hundreds of sites hosted on HostGator were hacked (not with cross site scripting) and code inserted (using an iframe for you geeks) to infect anyone with the temerity to visit the sites using Internet Explorer (we DID warn you).
None of this is new. We’ve had attackers embedding attacks into trusted sites for years. It may be trendy, but it isn’t new by any means. Some are pretty devious- like hacking advertising servers that then distribute their ads on sites all over the net. It’s a great form of social engineering- compromising a trusted authority and using that to distribute your attack.
Not that I’m assuming my paranoid readers actually trust this site, but I won’t be surprised if it’s hacked, and hopefully most of you are following security precautions and won’t be compromised yourself.
Why? Because this site is hosted. I manage my little part of the server, but I don’t control it myself. I use all sorts of tools like Wordpress and cPanel, all of which have their own security flaws. Sure, I’ve managed secure servers and coded secure pages in the past, but I kind of have a day job now. I rely on my hosting provider, and while I tried to choose one with a good reputation, my ego can’t write checks their bodies can’t cash.
We, as users, need to take some responsibility ourselves. Just staying away from “those” sites isn’t enough, we also need to understand trusted sites may be compromised at some point, too. So far I’m safe on a Mac, and you Windows users can stay off IE (maybe until 7 comes out) and use anti-spyware and antivirus tools with maybe a little host intrusion prevention.
Not that I don’t want you to trust me, but heck, I don’t even really trust myself. I’m just some dude with a blog waiting for the fall security colors…