How "Secure" Is YOUR Web Site?
by Robin Nobles
A few days ago, an incident happened to me that has prompted the writing of this article.
I'm sure that if this is an issue for me and one of my Web sites, it's an issue for many others.
With my personal Web site, I use a nationally known Internet Host provider to host it.
They've hosted my site for years, and I can't really complain about their services
(except that you can rarely find a real "person" to talk to).
However, a few days ago, I wanted to give a good friend of mine, Dave Barry, access
to FTP into my Web site to download a particular file. Rather than using an FTP program,
he used IE (Internet Explorer) to FTP into the site. The strange thing is, before I even
gave him my username and password, Dave was inside the server where my site is hosted!
Dave said that the server, and any sites hosted on that server, was wide open for
attack. He was able to see the System32 directory, passwords, etc. The good news
for me is that Dave is a Certified Internet Webmaster Security Professional Instructor,
so he knows exactly what he's talking about (and I don't).
He ran a report to show the vulnerability of my Web site. That report indicated that there
were seven high risk vulnerabilities, four medium risk, and two low risk. It also said that
it was imperative that I take immediate action in fixing the security issues of the network.
Now isn't this a comforting thought, especially since I've never questioned the security
of my Web site? I use one of the top Web hosting firms in the country. This problem
should NOT have happened.
I contacted the hosting company, and they're checking into it. At one point, they said,
"A little further research on my part found that anonymous FTP is erroneously enabled
on your website." Then, in a later e-mail, they changed their mind, "I did misspeak last
night when I said that anonymous access was enabled, as I could not upload any files at
all, though I could view some directories and files, evidently some relatively innocuous
system data files."
Dave disagreed, and he promptly sent me two files to prove how vulnerable and
insecure the system is. I sent them those files as well as the security report Dave ran,
and they're continuing to look into it.
In my case, though this is a very disturbing situation, it isn't the end of the world. I don't
sell anything on my Web site; it's there for informational purposes only.
But, for those of you who actually sell goods or services over the Internet, this could be
a huge, and extremely distressing, problem. As Dave said, "I could crash the entire server
in a matter of minutes." But, he's one of the good guys wearing a white hat, not a hacker.
He's also responsible for 40-plus Web sites through his company, all of which are extremely secure.