Date Sent: May 23, 2012
Subject: We've been HACKED!? Well, sort of
From: John Bondon
I received two rather alarming emails about this time last month. One from Howard letting me know about some strange errors showing up on the website. The other email from Andrew, followed by a subsequent post on our Facebook page, stating that we had been HACKED!
That's not the kind of news any system administrator or webmaster wants to wake up to (or end the day with either!). And it's not like I don't take such risks lightly. I employ all the industry Best Practices when it comes to securing the computer hardware and software that runs our hiking website. (I also DON'T collect certain personally identifiable information from you when you first sign up, such as your birthday, on purpose! Yes it would be great to send you a Happy Birthday email on your Special Day, but certain personal information just isn't necessary to run a hiking website, and too risky to safeguard.) In all the years I've been vigilantly standing guard over our hiking server, the most common hack attempts have really been mere spam attempts. Obvious non-hiker types using my New Trail and New Hike submission forms to try to get their web links posted on the website. Which is why we have an approval process and I remain the gatekeeper before any information is posted on the website.
Yes there have been numerous true hack attempts, of someone trying to gain access to the database that drives our website in order to either retrieve data out of it or insert their own data in, but none of those attempts to date have ever succeeded. UNTIL NOW!
But what occurred on April 30th was different. That incident had been a TRUE hack, and not just an attempt, but successful, too! It was the first successful hack attempt I had seen launched against our website. I say it was successful, because not only was the hacker's information posted to the database, but the hacker was also able to remotely manipulate the database and cause certain other fields to be updated as he/she desired. Such as self-approving his/her new posts! YIKES!
The good news about all of this is that the hack was actually initiated by ME. I actually hired someone to hack the website on purpose to test how vulnerable it really is. Though most website owners aren't aware, a website can be hacked by numerous methods. Hardening the computer hardware and software is only one avenue for such attacks. The actual web code itself can also be vulnerable. This hiking website, for example, was created almost 10 years ago, and back then no one ever coded with hack attempts in mind. But today that is a daily concern and risk, even for a mom and pop business website or a hobby website like this. Needless to say, the way I coded 10 years ago is no longer valid today and this site needs updating. And that will be a new project to add to my list in the coming months. Stay tuned!
Copyright © 2004-2021 John Bondon all rights reserved