Status
Not open for further replies.

jason

New Member
I have heard reports of a lot of sites ranging from simple 5 page static jobbies to full blown web apps being compromised on Irish hosts lately. Yes of course these things happen all the time, but I'm noticing a lot more security breaches lately than...well ever!

I just happened to be looking at some source code from a site I made live, many moons ago and noticed some suspicious changes to just the home page. I contacted my old client and asked them had they been doing work on the site recently and they confirmed they had not. As they were friends, I told them I would look into it for them, and it turned out that it was most likely the result of the Gumblar virus that initially gets installed on people's workstations through a vulnerability in Flash. In the background it gathers FTP access details that might be on your PC. People such as ourselves that might manage a few sites will most likely have some FTP client on our machines which may (or may not) have cached login credentials to speed up our workflow. Anyway depending on the client you are using this may be easier to get than others. Anyhoo, their hosting company told me that this is most likely the cause and to have all PCs with FTP access scanned for the virus and to change FTP details, etc. I did all that, but on my travels I noticed that this particular virus has been doing the rounds for a while now. BTW, I didn't have the virus, I used an up to date scanner and also performed a manual check for the virus which apparently modifies a Windows file called sqlsodbc.chm.

When you think of all the application security efforts that we put in, it's a kick when someone in the end gets FTP access and modifies what they want with ease.

It got me thinking, I have done work on sites in the past that might no longer have the best application layer security in the world and given more contemporary exploits are quite possibly very vulnerable. One such instance in particular I offered my services to as I noticed they had made some changes to their site's presentation (at least, from what I could see). It now looked terrible, and due to budget cuts they were now modifying a site's code base themselves with their limited experience. In the end I requested that my name and any affiliation to me whatsoever be removed, which they agreed to. Recently I noticed that they were hacked and all that goes through my head is "A) Thankfully I'm no longer affiliated, and I did offer my services to them before this happened and they refused, B) Since there is no way to absolutely lock down an application/site indefinitely, how can we protect ourselves from clients that fall into trouble and immediately turn to you to point the finger when they themselves do not realise that security is multi-faceted and needs to be funded on an ongoing basis."

The mentality of many clients is that if it's secured properly today, then no more money needs to be invested in keeping it that way down the road.

Has anyone else been in this situation where they have worked on something in the past and it gets hacked? Did you feel a pang of guilt, even though you had not been hired to manage the site's security or even conducted work on the site in a long time?

I feel like contacting the site owners because I don't even think they realise themselves that the site has been hacked, and if I do, would you think it to be a kind gesture or would it just look like you feel responsible. Initially I did feel responsible, but when I thought about it, I realised that these things happen and it was work carried out many years ago which has served them very well, also God only knows what changes to the site they have made themselves. I don't think this breach was via FTP (like the Gumblar example before), but rather an application layer vulnerability.

What are we supposed to do, spend all our time revisiting the security of sites/applications developed for previous clients for free, on a round robin basis? I don't think that makes sense, perhaps all we can do is remind them that they need to invest in maintenance and have a disaster recovery plan in place.

Can anyone advise me on what would be the best thing to do? If you are suggesting I contact the site owners, how should I behave? Should I simply tell them that I am notifying them of their problem, and what if they turn around and insist that it is my problem since I was the original developer back in the day?
 