Joomla & WordPress Tutorials, Info, Discussion, Tips | GavickPro Blog

Everything Online Is a Possible Target for the Bad Guys

The savvy Internet attacker can capture customer data, billing information, and even credit card numbers. Today, it is not at all difficult to imagine a situation in which such an offender is able to intercept online ecommerce transactions in real time and to dynamically replace the account number to which customers are paying for the goods they have purchased.

The principle of Internet attacks has remained the same for years. The only changes have been in the context and in the hacking tools used.

There continue to be many reasons to worry. For example, in the summer of 2011 a malware attack which had initially been thought to have infected about 140,000 Web pages was later determined to have successfully infected more than 8 million commercial Web pages within weeks of appearing on the Internet! These were pages generated on ecommerce sites powered by the popular open source osCommerce merchant software. Sites impacted by this computer worm had become the target of malware which exploited known vulnerabilities in the software. Visitors to these sites were redirected to other Web sites containing malicious JavaScript code.

Weak access points in website infrastructure can expose company information and trade secrets.

This article does not intend to single out osCommerce. Although in the end a malicious computer worm named ‘Willysy’ was found to have been used by some perpetrator to cause the damage, the true fault really lies with those site and server owners and administrators who had failed to implement proper configuration management practices. That is, they did not routinely acquire, test, and then implement fixes and security updates which had periodically been released for these products and platforms, let alone for the osCommerce software itself. This is a responsibility not to be shrugged off, but a great many Web sites in existence today are maintained by amateur administrators with little experience in the protocols necessary to ensure the security and integrity of business-critical infrastructure, software, databases, and data.

More recent events of Web site break-ins, arson, and general disruption related to the very unpopular Anti-Counterfeiting Trade Agreement (ACTA) initiative have demonstrated that all systems linked to the Web (and the overall Internet) are potentially as full of holes as a brick of Swiss cheese! Each day, large organizations in such industries as banking and public administration, and even countries themselves, fall victim to criminals constantly working to exploit weaknesses in the various technologies of which the overall World Wide Web is composed. Their crimes are wide-ranging: everything from cracking passwords to stealing credit card numbers from PlayStation users to attacking a country’s industrial facilities (remember the Stuxnet virus attack on Iran?).

The Web and our need to use it for business in the modern age are not going away. The only logical conclusion to take away from this article is this: one of the cornerstones of an effective security strategy is to prevent attacks and to detect potential attackers. If you decide to self-install Web applications (such as Joomla + Virtuemart or some other e-commerce components), you must make it a necessary part of your routine to perform regular updates to the platform and to keep up with testing and installation of security components and patches (new versions) for all products as they are released. Use appropriate password policies and strict development policies. This is the minimum effort required in your attempts to safeguard against the never-ending efforts of hackers and criminal factions operating online.

Remember that although you may be selling goods, more importantly you are selling trust. As an ecommerce site owner or administrator, you should be in the habit of regularly verifying the overall process of ordering from your website, including checking just how client contact details and account numbers are being displayed on the website.
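The routine check of displayed account numbers can be automated. The following is an added example, not code from the original article: it scans a page for account numbers and reports any that are not on the shop's own allowlist. It assumes the account number is shown as an IBAN; the page content, the allowlist and all function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Assumption: the shop publishes its bank account as an IBAN. The value below
# is a constructed sample (a standard documentation IBAN), not from the article.
EXPECTED_IBANS = {"GB82WEST12345698765432"}

# Constructed sample page: the second IBAN stands in for a swapped account number.
SAMPLE_PAGE = """<html><body>
<p>Bank transfer to: <b>GB82 WEST 1234 5698 7654 32</b> Thank you</p>
<div>Pay to DE89&nbsp;3704&nbsp;0044&nbsp;0532&nbsp;0130&nbsp;00</div>
</body></html>"""

class _Text(HTMLParser):
    """Collect every text node, including inline script bodies."""
    def __init__(self):
        super().__init__()
        self.parts = []
    def handle_data(self, data):
        self.parts.append(data)

def iban_is_valid(iban):
    """ISO 13616 mod-97 check: rotate first four chars to the end, A=10..Z=35."""
    rotated = iban[4:] + iban[:4]
    return int("".join(str(int(c, 36)) for c in rotated)) % 97 == 1

def find_ibans(html):
    """Return the checksum-valid IBANs that appear anywhere in the page text."""
    parser = _Text()
    parser.feed(html)
    parser.close()
    text = " ".join(" ".join(parser.parts).split())  # also folds &nbsp;
    found = set()
    # Upper-case IBAN, optionally printed in space-separated groups.
    for match in re.findall(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]){11,30}\b", text):
        tokens = match.split(" ")
        # Drop trailing all-caps words the pattern may have swallowed.
        for end in range(len(tokens), 0, -1):
            candidate = "".join(tokens[:end])
            if len(candidate) >= 15 and iban_is_valid(candidate):
                found.add(candidate)
                break
    return found

def unexpected_ibans(html, expected=EXPECTED_IBANS):
    """IBANs shown on the page that are not on the shop's own allowlist."""
    return find_ibans(html) - set(expected)

if __name__ == "__main__":
    print(sorted(unexpected_ibans(SAMPLE_PAGE)))
```

A static fetch does not execute JavaScript, so a script that rewrites the number in the visitor's browser is only caught when the same check is run against the rendered page.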
