A few days ago, an incident happened to me that prompted the writing of this article. I’m sure that if this is an issue for me and one of my Web sites, it’s an issue for many others. For my personal Web site, I use a nationally known Internet hosting provider. They’ve hosted my site for years, and I can’t really complain about their services (except that you can rarely find a real “person” to talk to).
However, a few days ago, I wanted to give a good friend of mine, Dave Barry, FTP access to my Web site so he could download a particular file. Rather than using an FTP program, he used IE (Internet Explorer) to FTP into the site. The strange thing is, before I had even given him my username and password, Dave was inside the server where my site is hosted!
Dave said that the server, and any sites hosted on that server, were wide open to attack. He was able to see the System32 directory, password files, and so on. The good news for me is that Dave is a Certified Internet Webmaster Security Professional Instructor, so he knows exactly what he’s talking about (and I don’t).
He ran a report to show the vulnerabilities of my Web site. That report listed seven high-risk vulnerabilities, four medium-risk, and two low-risk. It also said that it was imperative that I take immediate action to fix the security issues on the network.
Now isn’t this a comforting thought, especially since I had never questioned the security of my Web site? I use one of the top Web hosting firms in the country. This problem should NOT have happened.
I contacted the hosting company, and they’re checking into it. At one point, they said, “A little further research on my part found that anonymous FTP is erroneously enabled on your website.” Then, in a later e-mail, they changed their mind: “I did misspeak last night when I said that anonymous access was enabled, as I could not upload any files at all, though I could view some directories and files, evidently some relatively innocuous system data files.”
Dave disagreed, and he promptly sent me two files to prove how vulnerable and insecure the system is. I sent them those files as well as the security report Dave ran, and they’re continuing to look into it. To date though, a week later, they still haven’t gotten back to me on it.
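The disagreement above comes down to one concrete question: can an unauthenticated client log in, list directories, and upload files over FTP? Being unable to upload does not make anonymous access harmless; a readable listing of another tenant's files, or of system directories, is already a finding. The script below is an added example, not the hosting company's or Dave's tooling. It attempts an anonymous login with Python's standard `ftplib`, records what the root directory lists, tries a zero-byte upload that it deletes again, and grades the result. The host names, the `SENSITIVE_NAMES` list and the two fake servers are constructed stand-ins so the example runs offline; against a real host you would pass the default `ftplib.FTP` factory.

```python
"""Probe a host for anonymous FTP access and report what an
unauthenticated client can see or do. Added example; not code from
the article, the hosting company, or the security report it mentions."""
import ftplib
import io
from dataclasses import dataclass, field

# Assumed list of names an anonymous user should never see on a shared
# host; extend it for your own environment.
SENSITIVE_NAMES = ("system32", "passwd", "shadow", ".htpasswd",
                   "web.config", "wp-config.php")


@dataclass
class ProbeResult:
    host: str
    anonymous_login: bool = False
    listing: list = field(default_factory=list)
    sensitive: list = field(default_factory=list)
    can_write: bool = False
    notes: list = field(default_factory=list)

    def verdict(self):
        if not self.anonymous_login:
            return "ok: anonymous login refused"
        if self.can_write:
            return "critical: anonymous login, listing and upload allowed"
        if self.sensitive:
            return "high: anonymous login lists sensitive paths"
        return "medium: anonymous login allowed (read-only)"


def probe_anonymous_ftp(host, port=21, timeout=10, ftp_factory=ftplib.FTP,
                        probe_name="anon-probe.txt"):
    """Log in anonymously, list the root, attempt a harmless upload."""
    result = ProbeResult(host=host)
    ftp = ftp_factory()
    try:
        ftp.connect(host, port, timeout)
        ftp.login()  # ftplib defaults: user "anonymous", password "anonymous@"
    except ftplib.all_errors as exc:
        result.notes.append(f"login refused: {exc}")
        return result
    result.anonymous_login = True
    try:
        result.listing = ftp.nlst()
    except ftplib.all_errors as exc:
        result.notes.append(f"listing denied: {exc}")
    result.sensitive = [name for name in result.listing
                        if any(s in name.lower() for s in SENSITIVE_NAMES)]
    try:
        # Zero-byte STOR: proves write access without leaving content behind.
        ftp.storbinary(f"STOR {probe_name}", io.BytesIO(b""))
        result.can_write = True
        try:
            ftp.delete(probe_name)
        except ftplib.all_errors as exc:
            result.notes.append(f"upload succeeded but cleanup failed: {exc}")
    except ftplib.all_errors as exc:
        result.notes.append(f"upload denied: {exc}")
    finally:
        try:
            ftp.quit()
        except ftplib.all_errors:
            pass
    return result


class FakeSharedHostFTP:
    """Constructed stand-in for the misconfigured shared host in the article:
    anonymous login works and directories list, but uploads are refused."""
    def connect(self, host, port=21, timeout=None):
        return "220 ok"

    def login(self, user="", passwd="", acct=""):
        return "230 Anonymous access granted"

    def nlst(self, *args):
        return ["httpdocs", "logs", "WINNT/system32", ".htpasswd"]

    def storbinary(self, cmd, fp, blocksize=8192, callback=None, rest=None):
        raise ftplib.error_perm("550 Permission denied")

    def delete(self, filename):
        raise ftplib.error_perm("550 Permission denied")

    def quit(self):
        return "221 Goodbye"


class FakeHardenedFTP(FakeSharedHostFTP):
    """Constructed stand-in for a correctly configured host."""
    def login(self, user="", passwd="", acct=""):
        raise ftplib.error_perm("530 Login incorrect")


if __name__ == "__main__":
    for name, factory in (("shared-host.example", FakeSharedHostFTP),
                          ("hardened.example", FakeHardenedFTP)):
        r = probe_anonymous_ftp(name, ftp_factory=factory)
        print(name, "->", r.verdict(), r.sensitive, r.notes)
```

The read-only case still grades as "high" whenever the listing exposes system or credential paths, which matches the point Dave was making: the absence of upload rights is not the absence of a vulnerability.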
In my case, though this is a very disturbing situation, it isn’t the end of the world. I don’t sell anything on my Web site; it’s there for informational purposes only.
But for those of you who actually sell goods or services over the Internet, this could be a huge, and extremely distressing, problem. As Dave said, “I could crash the entire server in a matter of minutes.” But he’s one of the good guys wearing a white hat, not a hacker. He’s also responsible for 40+ Web sites through his company, all of which are extremely secure.