Data Security: ClearUSA Hacked
HEADLINE: Major US law enforcement web site shut down after data breach
SUMMARY: A hacker penetrated the web site of CLEARUSA.ORG and downloaded a listing of members that contained names, addresses, organizations, titles, email addresses, phone numbers, and site password information. The hacker then posted this information on a blog and invited other people to try to break into the members’ accounts on various personal web sites (Facebook, email, LinkedIn, etc.) to harass the organization’s members. This tactic is in “retaliation” for the actions of law enforcement against “occupiers”. As a result of the security breach, the Clearusa web site has been temporarily shut down while its administrators work to address security issues and repair the application.
There are no web sites that are totally invulnerable to hackers. The task of your site administrator is to make your site relatively difficult to attack so that potential hackers will go after an easier target. It’s rather like putting a “beware of dog” sign in your yard so that potential intruders will go next door. It would seem that the CLEARUSA.ORG (Coalition of Law Enforcement and Retail (C.L.E.A.R.)) site was the one without a growling dog.
In their minds, hackers perform a public service by exposing weaknesses in web applications or operating systems. They like to justify their actions as encouragement for vendors to plug leaks and fix security holes. While I disagree with this logic, there are a lot of hackers out there who will challenge any web site’s security. The current hacker has gone a step further, into the realm of internet disruption.
“Exphin1ty”, the hacker involved in this latest foray, wanted to retaliate against “Law Enforcement’s inhumane treatment of occupiers”. He/she selected a somewhat obscure quasi-governmental organization’s site as the target. Fortunately, the database information that was stolen and then posted on a blog contains very little sensitive information.
Clearusa.org is a cooperative organization between local police and retailers designed to reduce organized shoplifting. Nearly all of the database information exposed may be publicly available elsewhere. Even so, we can learn valuable lessons from this event.
Am I a Target?
First, any web site may be attacked. Soft targets may be exploited by “kiddie hackers” as a game or training adventure.
Second, if your web site includes any type of database (membership roster, contact list, etc.), hackers may want to test your security (and steal your data).
Third, should you have sensitive personal or corporate data on your site, you MUST be sure that you have appropriate heavy-duty security.
Protect your Site and Data
It’s not that difficult to enhance the security level of your web site. These basic steps can make your site less attractive to hackers.
Remember: Predict. Plan. Perform.
- Make sure that your administrator ID and passwords are complex. If you are able to change the administrator ID from a pre-programmed ID (such as “admin” or “administrator”), do so. Increase the length and complexity of your passwords to at least 11 characters.
- Plug the “back door” leak. Some sites utilize back door access or super-administrator functions. Be sure that these IDs and passwords are also hardened. Joomla applications typically have a common super-administrator ID such as “62” or “42”. Change it to discourage hackers.
- BACK UP YOUR WEB SITE. It would appear that Clearusa needed to shut down because it did not have a usable backup version. There are hackers that will attack your web site with the intention of corrupting your information – not to steal database information. A backup copy is useful not only for restoration of a corrupted application but as a comparison tool so that you may find malicious code or other unauthorized changes to your source code.
- Test resistance to attack by hackers. There are hackers who have not gone over to the “dark side” and who can be useful for auditing your code and passwords and for attempting to penetrate your best defenses.