Lessons from a guy who was hacked
What you need to do to keep your site from the same fate.
Hackers won’t take down my site, you say. I’m small potatoes—the cyber crooks want big payloads like the Democratic National Committee, or at least Katy Perry’s Twitter account.
But your small site, your blog, your side business or your non-profit makes a great target, says a man who knows.
Attackers turned Valentin Vesa’s charity site into a rude postcard to the world, sending out porn and Viagra spam and literally flipping off anyone who landed on the page.
“The impacts were massive,” Vesa said. “You feel everything collapses on you.”
Vesa spoke in a webinar set up by his employer, cybersecurity company Sucuri. His goal, he said—to prevent other site owners like him from falling victim.
“Our responsibility as website owners is to keep our web sites clean, so when people come to our websites, they get the message and not the malware,” he said.
It all started ten years back in Romania, where Vesa lives. He and his wife were trying to teach their young son that it was better to give than to receive, so they packed up a shoebox with treats and gifts for a poor family at Christmastime, and helped their son deliver it.
They told him it was a project just for their family. “Let’s not brag about doing a good deed, right?” Vesa recalled saying to his son.
But they were surprised when parents from their son’s kindergarten class began to call and ask how to become members of the non-profit group that delivers shoeboxes to needy families.
Vesa’s son had told his friends. And so, by force of goodwill, ShoeBox was born. The next year, they delivered more than 500 boxes. And in 2009, they decided to create a website because the phone bill was through the roof, Vesa said.
“There are so many children around us who never get anything for Christmas because there’s no funds, there’s no money,” he said.
There was very little in the way of resources for setting up a site, Vesa said. The ShoeBox project was run on love and sharing.
“There is no structure. There is no organization. There’s no money,” he said. “We do not accept any cash donations. The only thing they need to do is fill the shoebox with the items we recommend.”
Vesa found a way. He used WordPress to cobble together a quick and easy site to provide information for families who wanted to give.
“You first look for a very cheap hosting,” Vesa said. “The famous ‘installing in five minutes, be online in five minutes.’ I was sure at that time it was the best solution to go with.” And soon, ShoeBox was online.
“It was nothing impressive, but it worked,” said Vesa. Videos showed people how to pack their shoeboxes, and lists detailed the best kinds of treats, like cookies rather than oranges, as fruit can spoil. By 2013, they were delivering more than 30,000 boxes a year, with people in eight countries participating.
It was the final days before Christmas in 2014. Thousands of boxes sat ready for delivery. It was a crucial time for the little charity.
Suddenly, the ShoeBox site turned on its owners, spewing out massive amounts of ugly e-mails, and replacing the home page with an image of a hand with its middle finger extended.
“Our beloved web site was attacked,” said Vesa. “We had a great, emotional, social, loving project that was sending out porn and Viagra spam.”
At a time when Vesa needed to let families know about the distribution of their boxes, communication was shut down.
“No e-mail could go out or in. Spam e-mails were blocking and clogging the server,” he said.
The ShoeBox site was blacklisted by the end of the day.
“Anyone going to the site would see ‘this website distributes malware,’” he said. “All our credibility built on all the past experiences is now almost gone.”
His son, who first spread word of the good deed years back, was crestfallen. “He was sad that someone could try to harm our project and, to quote him, ‘stop us from spreading the message that more people can join in and help poor kids get presents for Christmas,’” Vesa told Archer News.
Getting the website back
Vesa tried cleaning up the hack himself, and eventually hired Sucuri to help. Later, he joined the company himself, as an employee.
But he said web site owners can do many things on their own to prevent attacks like this one—what Vesa believes was a random siege on a site with weak security.
“You cannot blame anybody else,” he said. “Even if the hacker, yes, hacked my site, they did it because I wasn’t paying attention. I didn’t take every security precaution I could think of.”
He shared his list of must-do’s for site owners.
First, learn about how your site’s security works. “Always learn. You can never have enough information,” he said.
Find out what the vulnerabilities are for the website platform you are using, and check your website when vulnerabilities are announced, he urged.
“Employ a web application firewall. Make sure that people who are going in, who have access to the site, are the ones who actually need it. Do they really need admin-level access to change some images? Do they really need root-level to upload a PDF via your website?” he asked.
Do this, not that
Pay attention to passwords, he advised. Make them longer than 10 characters, and make them complex.
“Make sure you do not use ‘iloveyou123-blah-blah-blah’ or ‘dadada,’” said Vesa.
“Always use a password manager,” he added. “This should be the number one and also most important thing.”
He suggested password managers LastPass and 1Password, which store your usernames and passwords on your device so you don’t have to memorize them or scribble them on a piece of paper.
“And for the love of God, never reuse a password,” he said. “That’s the worst thing ever.”
Now, now, now!
Even if you are strapped for time or cash, you can stay on top of security updates for your site, he explained.
“Always update,” he said. “Always make sure you have the latest, most updated version of anything in [your site]. Especially when security updates are released, all of the vendors are very vocal about it.”
Malicious hackers can get in through the holes you leave wide open by not updating, sometimes within seconds of updates being announced. “Please update, now, now, now!” he added.
Lack of backups
Vesa was missing an important part of the puzzle when his site was hacked.
“I did not have backups. I just never thought of it,” he said. “I just assumed the host would have backups.”
Backups could have allowed him to restore his site easily.
“I never thought of asking my host ahead of time, ‘How many days are you keeping backups? Does anyone test them?’” he said. “Make sure you always have backups.”
Don’t keep the backups in the same folder as your site, he recommended, and test them yourself.
“It’s not enough that the website is backed up. What if it doesn’t work?” he asked. “You’re still back to being hacked.”
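The two backup habits above, as an added example that is not from the article or from Sucuri: the first function refuses to store an archive inside the site folder, and the second restores the archive to a scratch directory and checks every file's hash. Function names and paths are hypothetical, and GNU `sha256sum` is assumed.

```sh
#!/bin/sh
# Added example (not from the article). Paths and function names are hypothetical.
# Assumes POSIX sh plus tar, find, mktemp and GNU sha256sum.

# backup_site SITE_DIR BACKUP_DIR
# Archives SITE_DIR into BACKUP_DIR (which must already exist) and prints the
# archive path. Refuses when BACKUP_DIR is the site folder or lives inside it,
# because a compromise or wipe of the site would then take the backups too.
backup_site() {
    site=$(cd "$1" && pwd -P) || return 1
    dest=$(cd "$2" && pwd -P) || return 1
    case "$dest/" in
        "$site"/*) echo "refusing: $dest is inside $site" >&2; return 2 ;;
    esac
    archive="$dest/site-$(date +%Y%m%d-%H%M%S).tar.gz"
    # Hash every file first; the manifest is what the restore test checks against.
    (cd "$site" && find . -type f -exec sha256sum {} +) > "$archive.sha256" || return 1
    tar -czf "$archive" -C "$site" . || return 1
    printf '%s\n' "$archive"
}

# verify_backup ARCHIVE  (absolute path, as printed by backup_site)
# Restores into a scratch directory and checks each file against the manifest.
# Returns 0 only if the archive unpacks and every hash matches.
verify_backup() {
    archive=$1
    [ -s "$archive" ] && [ -s "$archive.sha256" ] || return 1
    tmp=$(mktemp -d) || return 1
    status=1
    if tar -xzf "$archive" -C "$tmp" 2>/dev/null &&
        (cd "$tmp" && sha256sum -c "$archive.sha256" >/dev/null 2>&1); then
        status=0
    fi
    rm -rf "$tmp"
    return "$status"
}
```

Run `verify_backup` on a schedule as well as right after each backup, so an archive that has gone bad on disk is noticed before it is needed.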
He also recommended that you get professional help if you can’t do your website security on your own.
“Security is one of those things that not everyone can do well,” he said. If you are in over your head, “admit that you’re overwhelmed,” he added.
Now, more than a year after the attack, the charity site is running smoothly, according to Vesa.
He encourages you not just to focus on your site’s security, but to also keep an eye out for a poor family in your neighborhood or city who just might need a gift box this year to help them through.
“Maybe they have children who eat once a day. When that neighbor walks to their car to leave in the morning, just spend an extra five seconds saying ‘good morning’ and just finding out extra details about them. It will only bring you so much happiness,” he said.