Blog

Retailer using WordPress fined £55k by ICO.

I noticed a press release by the ICO today that is worth passing on to website owners, particularly WordPress website owners.

It highlights the need for adequate security and good technical website development when storing clients’ information, not just as “good practice” but as something that can become financially painful if you get it wrong.


“An online building products supplier has been fined £55,000 by the Information Commissioner’s Office (ICO) after the firm failed to protect its customers’ personal information.
On 6 May 2014 an attacker used a common hacking technique called an SQL injection to access 669 unencrypted cardholder details including names, addresses, account numbers and security codes.
An investigation by the ICO discovered the Plymouth-based firm did not have the appropriate technical measures in place to prevent the attack. This is a breach of the Data Protection Act.”

If you store customers’ data you become a “data controller”, and as such you have a legal responsibility to ensure it is held securely and protected from any sort of loss or attack.

In this case two of their domains were hacked by an “SQL injection”, which is a brute force attack and as such should be expected by any website hosting provider, website development company and potentially a website owner.

I believe that once the hacker had access they then changed the website so that any customer details then entered would be recorded and stored by the hackers.

The important technical details:

  • The login pages contained a coding error from 2009 until 2015 when the attack occurred.
  • An attacker exploited this vulnerability in two domains by using SQL injection to gain access to usernames and password hashes for the WordPress section of the site. (read more on WordPress below)
  • The attacker was able to modify payment pages and access 669 unencrypted cardholder details at the point of entry to the website (including name, address, primary account number and security code).
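The class of coding error the ICO describes, a login query assembled from user input, next to the parameterised form that defends against it. This is an added example, not code from the post or from the site involved; the table, rows and placeholder hashes are constructed for the demo.

```python
# Added example (not from the original post or the ICO notice): a lookup that
# concatenates user input into SQL beside the parameterised form that is the
# known defence. Table, rows and hashes are constructed placeholders.
import sqlite3


def make_db():
    """In-memory stand-in for a CMS users table holding password hashes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user_login TEXT, user_pass TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("admin", "hash-placeholder-1"), ("editor", "hash-placeholder-2")],
    )
    return db


def lookup_vulnerable(db, username):
    """The coding error: the caller's text becomes part of the SQL statement,
    so crafted input changes what the query does instead of what it matches."""
    sql = "SELECT user_login, user_pass FROM users WHERE user_login = '%s'" % username
    return db.execute(sql).fetchall()


def lookup_safe(db, username):
    """Known defence: a bound parameter is only ever treated as a value,
    never as SQL, however it is spelled."""
    sql = "SELECT user_login, user_pass FROM users WHERE user_login = ?"
    return db.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups with a normal username and with crafted input."""
    db = make_db()
    crafted = "x' OR '1'='1"  # closes the quoted value and appends an always-true condition
    return {
        "normal_vuln": lookup_vulnerable(db, "editor"),
        "crafted_vuln": lookup_vulnerable(db, crafted),  # every row's hash comes back
        "normal_safe": lookup_safe(db, "editor"),
        "crafted_safe": lookup_safe(db, crafted),  # no such user, so nothing comes back
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```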

The ICO decided that:

  • The website owner failed to carry out regular penetration testing on its website that should have detected the error.
  • The website owner failed to ensure that the passwords for the WordPress account were sufficiently complex to be resistant to a brute-force attack on the stored hash values.
  • SQL injection is a well-understood vulnerability and known defences exist.
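The storage practice the ICO’s second finding points at: a strong password behind a salted, deliberately slow hash costs far more to guess from a stolen hash table than a short one behind a fast hash. This is an added example, not the post’s or WordPress’s own code; the iteration count and complexity rule are illustrative choices.

```python
# Added example (not from the original post): salted, slow password hashing
# plus a minimal complexity check. ITERATIONS and the policy limits are
# illustrative values chosen for this demo.
import hashlib
import hmac
import os

ITERATIONS = 200_000  # PBKDF2 work factor: every guess against a stolen hash pays this cost


def is_sufficiently_complex(password):
    """Illustrative policy: at least 12 characters drawn from 3 of 4 character classes."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return len(password) >= 12 and sum(classes) >= 3


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt$digest'. A fresh random salt per user
    means two users with the same password do not share a hash."""
    salt = salt or os.urandom(16).hex()
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), ITERATIONS).hex()
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt, digest)


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count, compare in constant time."""
    _, iters, salt, digest = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), int(iters)).hex()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    pw = "Gr8-Plymouth-Bricks"  # constructed sample password
    print("complex enough:", is_sufficiently_complex(pw))
    stored = hash_password(pw)
    print("stored:", stored)
    print("verifies:", verify_password(pw, stored), "wrong guess:", verify_password("password", stored))
```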

WordPress problem

Because WordPress is open source it is very popular and easy to install and build with, which of course is a good thing; it has become the world’s most popular open source website software. The blog you are reading is built on WordPress, for example. However, because it is so easy and free to use, it is sometimes used by developers who are not sufficiently technical to build sites correctly. It seems this was the case in the unfortunate incident above.

WordPress has a base core code, a styling theme which you overlay on top, and then modular extensions (plugins) that you add to enable functionality: move images, add forms, edit pages and so on. A lot of these plugins are written by keen non-commercial entities or individuals. They can write them, so they do. Sometimes code quality or security considerations are overlooked and they rely on website owners to find the errors and sort them out. Clearly you can’t run a business that way very successfully, at least not for long. (We often have to fix WordPress plugins that don’t work.)

The website developers in this case seem to be the website owners themselves, who also set themselves up as a website design company (some diversification!). At the time of writing, if you are an original website customer of theirs and have an issue, you now need to use a “FREE, lightweight, reliable, open source, and easy to setup and use” ticketing system to report errors to another agency, as they have gone into liquidation.

What can we learn from this?

You get what you pay for.

If you didn’t spend very much on your website it is worth checking if it has been built correctly.

The software that creates websites is very complex. Hackers regularly try to find ways to gain access to websites through databases (most CMS systems run on databases) or via bad coding.

Website developers need to ensure that any website they create is tested for vulnerabilities in the code. Developers should always use the latest version of the content management system and have update procedures in place to patch any vulnerabilities that come to light in the future. They also need to apply regular updates to the core code. It seems that the error in the above example had been there for about 6 years.

Clients need to understand that they should expect to pay for skilled and experienced web developers to ensure that their websites are technically sound and up to date, especially at the initial build stage but also at regular intervals over the life of the website.

So, do you get what you pay for?

We think so.

  • Ask your website developers what their plans are for updates and security patches for your website.
  • Get your website tested to see if there are any problems.

Please do it now.


Some nasty new emails to watch out for.

Dangerous emails
Your PC is at risk of infection if you click on a link or open an attachment in these emails.

Phishing emails on the rise again – don’t get caught!

I came across 3 new spam/phishing emails and one Trojan Horse email this week alone. I thought you needed to know about them, so consider yourself warned NOT to open any link or attachment.

Phishing Email 1

Apparently I’ve bought a phone from Amazon.com and this is the shipping confirmation.

I haven’t bought anything from Amazon in the States (dot com domain name) and I already have an iPhone.

What makes this email more dangerous is that it does not tell you to click the link; it just sits there expecting you to want to find out more. The link goes nowhere near Amazon, and following it will end with you giving some criminal your Amazon login details.

Phishing Email 2

Another nasty email using the Amazon brand name is this one purportedly offering an Amazon reward card etc.

They don’t even pretend that they are Amazon, and they let you know that you need to give them more details before you may get a gift card. I doubt any exist.

Phishing Email 3

Dropbox is an excellent tool for storing documents and allowing others, and you, to access them from anywhere.

The link asking me to open this file, apparently shared with me from an educational email address, goes nowhere near Dropbox. Do not click this link!

Malware/Trojan Horse Email

This is another that bothered me. Apparently Companies House has had a complaint about our business. Companies House do not receive complaints about companies. They have confirmed this.

The problem is the Word attachment. Unfortunately a Microsoft Word document can contain small programs called macros, which can install malware on your computer. Do not open the attachment if you get this.


Some definitions to help you

malware

noun
Software which is specifically designed to disrupt, damage, or gain unauthorised access to a computer system.

Trojan Horse

noun
A program designed to breach the security of a computer system while ostensibly performing some innocuous function.

phishing

noun
The fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers.


Stay safe, folks.

What is an SSL? Why do I need one?

Picture courtesy of Symantec

What is an SSL & Why do I need one?

SSL, or Secure Sockets Layer, is a security protocol used by web browsers and web servers to protect users’ data while it is being transferred; an SSL certificate is what your website needs in order to use it.

Now is the time to buy one and have it installed on your website. Google wants the whole Internet to be secured. We agree, but website owners need to understand what this means for them so they can purchase the correct type of SSL.

You should take advice before buying as there are many alternatives.

SSL Certificates are small data files that digitally bind a cryptographic key to an organisation’s details.

In the case of a Web browser, SSL activates the padlock symbol and “HTTPS” and allows secure connections from a Web server to the browser.

SSL is a security protocol that:

  • Protects user data during transfer.
  • Digitally binds a cryptographic key to an organisation’s details.
  • Secures credit card transactions, data transfers, logon credentials, and more.
  • Provides authentication of the business and/or domain.

How do SSL Certificates work?

This is the process that happens when browser software encounters a website with SSL:

  1. The browser software (Internet Explorer, Chrome, Safari etc.) attempts to connect to a Website secured with SSL.
  2. The browser requests that the web server identify itself.
  3. The server sends the browser a copy of its SSL Certificate.
  4. The browser software checks whether it trusts the SSL Certificate. If so, it sends a message to the server.
  5. The server sends back a digitally signed acknowledgement to start an SSL encrypted session.
  6. Encrypted data is shared between the browser and the server.
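Step 4 of the process above, the “does the browser trust this certificate?” check, reproduced with the openssl command-line tool. This is an added example, not code from the post or from any provider named in it; the CA name and the domain shop.example are constructed for the demo, and a private CA stands in for a real Certificate Authority.

```shell
#!/bin/sh
# Added example (not from the original post): the trust check a browser makes
# on a server's certificate, using the openssl CLI. "Example Test CA",
# shop.example and other.example are constructed names for this demo.
set -e
work=$(mktemp -d)
cd "$work"

# A private CA plays the part of a real Certificate Authority (CA).
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Test CA" \
  -keyout ca.key -out ca.pem 2>/dev/null

# The web server's key and a signing request naming the domain it protects.
openssl req -newkey rsa:2048 -nodes -subj "/CN=shop.example" \
  -keyout shop.key -out shop.csr 2>/dev/null
printf 'subjectAltName=DNS:shop.example\n' > san.cnf

# The CA signs the request: this is the certificate a CA issues after validating the domain.
openssl x509 -req -in shop.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 1 -extfile san.cnf -out shop.pem 2>/dev/null

# A certificate nobody vouches for: self-signed, as a browser would see it from an impostor.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=shop.example" \
  -keyout rogue.key -out rogue.pem 2>/dev/null

# The browser's question in step 4: does the certificate chain to a CA we trust,
# and was it issued for the domain we are actually visiting? Returns 0 when both hold.
trusted_for() {  # trusted_for <ca-bundle> <certificate> <hostname>
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

trusted_for ca.pem shop.pem shop.example && echo "shop.pem: trusted for shop.example"
trusted_for ca.pem rogue.pem shop.example || echo "rogue.pem: NOT trusted (unknown issuer)"
trusted_for ca.pem shop.pem other.example || echo "shop.pem: NOT valid for other.example"
```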

That’s the technical stuff over with.

The bottom line is that Google is on the war path against unsecured websites. Your website can lose its ranking or be flagged as NOT SECURE if you don’t get one installed by your developers.

What sorts of SSL are available?

There are many types of SSL available but for the purposes of this article I will outline the three most commonly used and the types of website that they are most suited for.

  1. Domain Validated (DV): quick, basic certificates that only need to verify that the applicant owns the domain they want to protect before being issued.

Used on simple brochure websites that are not one of the main marketing activities of the company. Thawte is a popular provider of these (they have others as well).

  2. Organisation Validated (OV): more robust certificates that require a light company validation before being issued.

More suited to companies whose reputation and brand are important to them. GeoTrust is a good example. (Again, all major providers do these types.)

  3. Extended Validation (EV): the most premium SSL certificates, which require a company to complete an extensive validation process before the certificate is issued.

Used by ecommerce websites and others who wish to be secured by a recognisable security certificate such as Norton (Symantec). (And, you guessed it, the other CAs, Certificate Authorities, also do these.)

I know that there are other providers but I’m trying to keep things simple!

Which is right for you?

That’s not an answer that I can give here as there is a conversation to be had about the most suitable SSL for your business and your business website.

If you want more advice about this rather important development, then please get in touch with us for some free advice. We can even install an SSL into your website if you need one. Call 01746 769612.