Best Practices Blog

The other viral media

As the internet has grown, many new business models and marketing strategies have come into existence. Terms like "viral marketing" are now commonplace for small businesses, non-profits and large corporations.

But, there’s another type of viral marketing that has become big business.

Using an arsenal of computer viruses, less-than-scrupulous companies are turning our home computers, our office work stations and our web servers into zombie robots that will do their bidding. In many cases, we don’t notice the discreet applications that are performing brute-force attacks on other web applications, denial of service attacks on servers, propagating themselves and distributing spam email.

Viruses long ago graduated from the bedrooms of the disgruntled and settled in to the cubicle. In other parts of the world, developers are being paid salaries with benefits to develop better viruses. The companies that hire them are selling their services to anyone willing to engage in spamming, identity theft or electronic terrorism.

Any web application can be a target for these folks. They don’t care about your company or who you are. They don’t care if you’re a celebrity or not; a large corporation or a small business; or a philanthropic organization. They’re just looking for a weakness in your web application that gives them enough access to get a tiny file on your server. Once done, they get the access they need to install a host of other malware (malicious software).

For myriad reasons, there are developers and development companies that continue to be naive about this. Shortcuts, quick turnarounds and increased profit margins seem more important than security.

I was reminded of this recently when I was asked to look at a potential client’s site and assess the possibility of incorporating some existing application components into a new development project.

As soon as I connected to the server and saw the directory structure, I knew best practices had been ignored. Files for a file sharing application were stored in the wrong place.

As I started the file transfer to my development machine, my heart sank. My virus scanning software found four malware files in the first few minutes. I wasn’t worried for my sake. My network was protected. But, the potential client was a victim and their previous development partner had let them down.

What can be done?

As it goes with our personal health and biological viruses, so it goes with our web applications. Prevention is the best medicine. Regular check-ups and immunization go a long way toward thwarting unwanted invaders.

  • Ensure that your application is built the right way. Choose a development partner that uses best practices for application security.
  • Choose a hosting partner for your application that uses best practices, as well. Hosting companies should provide regular updates, virus scanning and activity monitoring. Many do–but some don’t–as evidenced by my recent experience with the potential client’s application.
  • Open Source PHP projects are a prime target for these attacks. If you’re using WordPress, Magento, Drupal or any OS PHP project for your development project, make sure that you, your company or your development partner (someone, anyone) is responsible for regularly installing updates from the open source project.
  • If you are the victim of an attack–or, suspect that you are–report it to the OS PHP community project you’re using, your development partner, or contact us to take appropriate action. The application can be restored from back-up and–in many cases–patched to prevent further attacks. In worst cases, the application can be shut down and a place-holder page put in its place until the issue can be resolved.
  • Back up your application, server or hosting account regularly. Some hosting companies offer complimentary back-ups. If they do not, you or your development partner may be responsible for backing up. If you do not back up, there is nothing to restore. And, cleaning an infected server might not be safe, realistic or even possible.
  • Have a security assessment done on your existing application. Contact us to find out more.
  • Always use secure passwords for your application. Generated or memorable, make sure that each one is a combination of upper and lower case; uses punctuation, numbers and symbols; and that it is 8 or more characters long (preferably, 16 characters).