Sorry, no meds for you today

***

On hiatus

<and we’re back, despite the hack>

Appearances in your recent Google searches notwithstanding, no, I have not been operating an online pharmaceutical venture offering you controlled substances without all the fuss and bother of consulting a physician, not to mention coughing up the money to pay for them. Not enough fun in your life? Need a lift? You’ve come to the wrong place.

Imagine my surprise the other day when I was testing out some key words I use in this blog – and discovered a stream of first-page Google hits directing visitors to hot deals on Vic*din and Vi*gra. Suddenly, entering the semantic field surrounding www.davidellis.ca was like getting a free trip to Mexico, if you get my drift. I got hacked, but good.

(Nor can I help with your birth control needs...)

(Btw, I’m well aware that for many geeks and code jockeys, “hacking” is a term reserved for legitimate, white-hat endeavors with no harmful effects. Not to be confused with the black-hat actions performed by “crackers.” While the distinction matters, I don’t think there’s much chance of confusion in this context.)

I spend a lot of time trying to persuade almost anyone who’ll listen to worry more about their online security. That includes my students, who make a pretty good benchmark for how mainstream onliners are behaving these days. The problem for many is that either they don’t understand the risk factors, or they find using protection simply requires too much effort. In the latter category, the best example is undoubtedly strong passwords, which should be difficult to memorize and not re-used across different applications. Another would be the importance of doing timely software updates – not merely for your OS, but for the many 3rd-party utilities most of us use, like the Adobe Reader, as well as plugins for platforms like this one (WordPress).

In the ignorance-isn’t-bliss category, we have a major trend that’s been growing for years now: surreptitious malware, used in conjunction with social engineering. I suspect a large number of mainstreamers don’t understand how we’ve moved from attacks that make a show of disrupting or destroying end-user resources, to attacks intended to go entirely unnoticed. Time was when people could spot viruses (the malware that can replicate itself) the minute they started inflicting damage – because that was the point. These incidents were often cracker exploits intended to impress, not necessarily to take things from you.

Today, however, malware is a business tool that does its best work when it goes entirely unnoticed. Crackers are in this business to steal computing resources and sensitive information, all with a view to making money, not just show off. On the social engineering front, crackers send messages that look like legit requests from banks or other third parties for passwords, account numbers and that kind of thing. Sometimes that same information can be poached from end-user machines through the covert installation of keystroke logging software.

But the hack of this site is a kind of second-level crime: the theft of resources to keep down the costs, and boost the margins, of illicit ventures like spamming and drug-peddling. In my case, the hack had the effect of greatly expanding the number of search terms that would lead a visitor to the pharma links. Terms like “broadband” and “SOPA” don’t normally lead you to online pharmacies. They will, however, if the cracker gets into one or more of your blog directories and injects code that generates search hits linked to his drug pushing operation.

The most insidious form of malware is the kind that crackers install on end-user machines that gives them complete control of each machine, unbeknownst to the victim. Computers compromised in this way are known as “zombies.” And they are sometimes linked into a huge, distributed resource known as a “botnet.” Although botnets don’t make the news as often as damaging, high-profile viruses and trojans do, there are a lot of them, all over the planet. So far, the largest known botnet, called “DNS Changer,” comprised some 4 million personal computers (both PCs and Macs).

As with most other international rankings, Canada isn’t looking too good on this score. Out of 39 OECD and other developed countries, Canada ranked 17th in 2006 for the estimated number of bot-infected computers: 1.9 per 100 broadband subscribers (OECD, December 2006: the most recent available data).

Think about that the next time you’re in a room with 50 other broadbanders.

How about the rating for practising what I preach? On backing up, I did pretty well. Several weeks ago I made a backup of all the images in my 120-odd posts. More recently I went through the much more complicated process of backing up text stored in the site database (a tricky procedure that uses the MySQL application). A few recent posts got scrambled, but the backups made it possible to recover almost everything, despite having to trash all the WordPress software and start from scratch.

On the security front, not so smart. I cut a couple of corners in site maintenance that probably made the hack possible. What those corners were ain’t anybody else’s business. Suffice it to say I learned a few important things the hard way and intend to keep my guard up in future.

Finally, as for the douchebag or bags who killed my week, and nearly killed this blog, I hope karma’s a bitch for you and your greedy, sociopathic partners in crime. Man up and get a real job.

D.E.