You have been hacked banana.
Image used on the ottawa.ca website when it was hacked.

Published: January 12th, 2016

So you have a website, how many third-party organizations are involved in making it run? It’s easy to forget about them, but third-party agencies are ultimately going to be supporting your site.

Most organizations can track down who they use for what, but it is often something that people set it and forget it. As long as the accounting department keeps paying the renewal charges, nobody in IT or communications tends to think about it.

Every computer on the Internet has an IP address, but most people use a domain name for simplicity. This has to be provided by a Registrar who is ultimately responsible for relaying it to the the Internet Corporation for Assigned Names and Numbers (ICANN).

These Registrars sometimes bundle Domain Name System (DNS) hosting in with their services, but this is optional. There are a number of services that provide DNS either alone or associated with things like DDoS attack mitigation. Other times this can be covered by the web hosting company with the price of their services.

You might have set up an arrangement with a Content Delivery Network (CDN) for better performance and SEO. Many sites are now have close integration with various social network sites.

This really is just touching the surface of the relationships that many organizations have with third party web services.

If the protocol for communicating with these agencies isn’t clear and well documented (on both sides) there is an opening for a “social engineering” hack to compromise your site. This recently happened to the City of Ottawa’s website that was redirected to an image of a dancing banana.

Hackers didn’t find a technical hole, but rather were able to leverage human vulnerability, to gain control of critical infrastructure.

Properly documented procedures are important, as third-party services can often be manipulated by fraudulent email or telephone requests. Document the relationship with organizations you use to run your site and keep it in a central place.

Train your staff so that they are more cautious about what they share with others, particularly over email. Many organizations have passwords stored in email archives, this is less secure than most people think.

Be cautious about emails, messages and calls from your service providers. Make sure to verify the source before giving out any information. Default to calling them back at the number or email listed in your records (or the website).

Email attachments from unknown senders can easily contain viruses which can compromise your computer. Pay close attention to website URL, often cracker may either use an HTML link to hide that they are sending you to a different URL than you think.

The need for organizations to understand security has never been higher, unfortunately bad assumptions have lead to many sites being left very vulnerable to attack.

Share on LinkedIn Share with Google+
More Articles