Tempusfugit UK

Website Security

One of the questions I was asked with respect to my implementation of Parish Council websites was "can the site be hacked?". This brings the subject of security into the picture.

The main determinant here is the greater the complexity the grester the risk. A simple site with no user logins or exchange of personal information, i.e. no forms, will be inherrently more secure that those with these features.

It is also a question of what your definition of "hacked" is. Cetainly the loss of exposure of personal and private information is a real threat to all users of technology today, but I contend that little has really changed with regard to desire by some to gather this information for their own needs. It is just the methods and platform that has changed. It is to easy to hind behind the "digital age" and the resent advances in technology and communication. The bottom line is that "security" is something that has always been that individuals need to be mindful of. We need to think of the consequences of our actions before we do something. Unloading information about ourselves and agreeing to how that data is used without reading how it is proposed that it is key.

Google and website security

Google, and the impact of other search engine information gathering, is probably the number one concern for Internet users. The tracking of web users by Google is very common, however, the risks are minimal. Google Analytics is widely used by website owners but the information gathered is largely confined to their own use. Compared to Social Media platforms where the raison d'ĂȘtre is the collection of such data is the main event, the information gathered by Google Analytics is cryptic.

For those that are really interested Google explain in detail what all the cookies store and how long they remain on your computer.

Cookies and website security

The operation of this website does not depend in any way on the use of cookies. I do not set them and as such no user data is collected by me.

Script Injection

When I ran my own webserver I became acutely aware of this attack. If you have any user interactivity on your website then you have the potential of a malicious agent attempting to gain access to your resources. This normally was in the form of a request made to your site that attempted to inject data into a "form" (or rather the "handler" for that form) so that emails or false data appeared on your site.

An email form would most commonly be injected with messages to random email addresses. This resulted in the loss of your own bandwidth and the possible association of your website with the malicious activity.

A comment, or feedback facility, would also be a target for attack. This was particularly highlighted by my experienced by my attempts at runnig a Wordpress blog. I found the the majority of my time was spent moderating and deleting spam comments.

Does the use of an SSL Certificate mitigate Injection Threats

The generally held opinion is no. However, this does raise the topic of Wordpress/Drupal and any other CMS that you have to "log-in". to to administer. As these systems are all database centric (all website content, including log-in credentials, are stored in a collection of database tables), they are targets for hackers that will attempt to gain access to these databases.

The attack vector revolves around the fact that a log-in form will presented to site visitor. This form will be easily downloaded by a hacker. Te hacker will then have a target that they know is connected to your database (and by default ALL of your website). This is not as bad as it sounds as the hacker still have to "guess" the values of passwords etc - they will know the names of the data fields and know that they are connected to your website.

The method of attack is to Inject maliciuos data into your database and if success in guessing your credentials is achieved then the whole of your website can potentially be corrupted and/or sensitive data exposed.

In addition to these attacks any form on your website will become a de facto target. Again, this is not as bad as it first sounds, everyone who uses the Internet fills in data to forms, when you login to your email, access your bank and shop on-line, all these use forms. My simple website for Parish Councils, not only does not use cookies there are no forms!

Links

External Sources

Website Security