Sunday, August 15, 2010

It's a wild world (wide web)

Maybe showing my age here, by using a bit of Cat Stevens' lyrics, but it's true: the world wide web is a wild and dangerous place. Just as a "user" you are subjected to emails, the least harmful of which want you to buy viagra; others try to trick you into divulging sensitive information or, worse, infect your computer with a trojan virus to later do the villain's dirty work.

If you are reading this, you are a user and have no doubt encountered some or all of these types of dangers.

It's even worse if you run a website because not only is your own computer a potential victim, but now your web server will be preyed upon, continually poked and prodded in an effort to find a weak link in your security chain.

Over the past 2 years I've cleaned up about 20 infected web servers. In almost every case I find the weak link that allowed the server to be compromised in the first place. All too often, the weak link was the site owner, who for whatever reason didn't take their web server's "security" seriously.

So why, oh why does one go to all the trouble to create a spiffy website only to leave it unprotected?

In my experience, the website owners consider themselves "little fish" and assume that an actual hacker won't target them, the classic "what could they possibly want with my little corner of the internet?"

What they are after differs, but it all starts the same way: by compromising your web server. Then they may simply use it to attempt to hack bigger fish, except now those attacks come from your web server.

Maybe they are after the email addresses in your site's database, or if you run an e-commerce site, they may be looking for retrievable credit card info. Basically, what they are after is irrelevant. If they get in, they'll find some way of leveraging that access to their advantage and likely to your demise.

If you are a website owner, there are of course concerns about the code that makes your website go. Is it susceptible to SQL injection or XSS attacks? But again, and granted only in my experience, the weakest link is you.

Do you use FTP?
FTP is just plain bad in many respects, most notably due to the fact that user names and passwords are sent unencrypted. There are trojan viruses that look for the telltale signs of an FTP login and convey that info to the bad guys. Since it's not encrypted, they can be in your web server running amok within seconds after you log in.

Look into disabling FTP and enabling SSH. With SSH enabled you can use the SCP protocol to upload files. Since SCP rides on an SSH connection, everything is encrypted. I use a program called WinSCP, which is very intuitive if you've used an FTP program before. It also has some pretty nifty features I've never seen in an FTP program.
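
To confirm the switch took effect, you can check which services the server is still listening on. The script below is an added example, not part of the original post: it reads `ss -tln`-style output and reports whether plaintext FTP is still exposed and whether SSH is available. It assumes the default ports (21 for FTP, 22 for SSH), and the sample listener lines are constructed.

```shell
#!/bin/sh
# Added example: classify listening TCP ports from `ss -tln`-style output.
# Assumed column layout: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
# Assumes default ports: FTP on 21, SSH on 22.

# check_listeners: reads listener lines on stdin, prints one finding per service.
check_listeners() {
    awk '
        $1 == "LISTEN" {
            # The port is the last colon-separated piece, so [::]:22 works too.
            n = split($4, parts, ":")
            port = parts[n]
            if (port == "21") ftp = 1
            if (port == "22") ssh = 1
        }
        END {
            if (ftp) print "FAIL ftp-listening: port 21 accepts plaintext logins"
            else     print "OK   ftp-disabled"
            if (ssh) print "OK   ssh-listening: SCP uploads available"
            else     print "WARN ssh-missing: no encrypted upload path"
        }
    '
}

# Constructed samples, not captured from a real host.
SAMPLE_BEFORE='LISTEN 0 128 0.0.0.0:21 0.0.0.0:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*'
SAMPLE_AFTER='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 0.0.0.0:80 0.0.0.0:*'

echo "Before:"; printf '%s\n' "$SAMPLE_BEFORE" | check_listeners
echo "After:";  printf '%s\n' "$SAMPLE_AFTER"  | check_listeners
```

On a live Linux server, run `ss -tln | check_listeners` after loading the function.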

Is your password good?
This likely seems obvious, but I'm continually amazed at how many web site owners have their passwords set to something that a brute force attack would easily plow through. Be sure to use a mixture of upper & lowercase letters and numbers.

mysite BAD
MySite Better
MyS1t3 PDG (pretty damn good)

Do you use a commonly exploited email program? (Outlook, anyone?)
I try to keep my Micro$oft bashing under wraps, but in this case, for your safety: if you must use Outlook (or Outlook Express), be aware that it is the primary program used to convey viruses to your computer. Even with up-to-date anti-virus software running you are still vulnerable. Consider using a web-based email client, which can greatly reduce the likelihood of a virus reaching your own computer.

Do you use up-to-date anti-virus software? Is it reputable, effective?
If I had a nickel for every time I heard, "I can't be infected, I'm running XYZ anti virus!" where XYZ is either reputable, but known to be easily circumvented (sorry Norton) or some fly-by-night coder in a basement somewhere that has no intention of updating virus definitions.

One word.. AVAST
Reputable, effective, and free, although it is certainly worth the nominal price they ask for their commercial version.

So there you have it. The weakest link in your web server's security chain is likely you, and the computer you are using right now.