Written by Ian Gorrie
Like professionals in many fields, SEOs tend to avoid time-consuming activities that are not core to their business. Business is enabled by the features and abilities of the software it employs, and these feature-rich software environments can, and usually do, carry an invisible threat of insecurity. This is a perennial theme of information security writing, and I myself have touched on it.
Web defacements are nothing new, but the media attention given to SEO superstars is notable and makes their online presence an attractive, high-value target. The recent mass defacement of SEO WordPress blogs, launched by a technically capable adversary using Tor, is an example of what has become a not uncommon occurrence.
What can SEOs, and bloggers in general, do to lessen the risk of public embarrassment from defacements, hacktivism, and information leakage? The answer is that quite a few things can be done to help prevent these incidents:
- Hardening systems by reducing unneeded features. (For example, the WordPress v2.0.6 bugfix release corrected a problem on web servers that had left register_globals set to “on”, a setting not recommended in the first place.)
- Hardening the web services themselves with security modules.
- Use of a NIDS or HIDS that will actively block or alert upon detection of questionable behaviors.
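To show why the register_globals setting in the first point is a feature worth removing, here is an added example (not from Ian Gorrie's write-up); check_password() and admin.php are hypothetical names, and the request values are constructed for illustration.

```php
<?php
// With register_globals = On, PHP turns every request parameter into a
// global variable before the script runs. Any variable the code forgets
// to initialise can therefore be pre-filled by whoever sends the request.

function check_password(string $user, string $pass): bool
{
    // Hypothetical stand-in for a real credential check.
    return $user === 'editor' && $pass === 'correct horse battery staple';
}

// --- Fragile pattern (top-level scope, as most old plugins were written) ---
// $authorized is never initialised. On a server with register_globals on,
// a request that also carries authorized=1 sets $authorized = "1" before
// this block executes, so the password check is bypassed entirely.
$user = isset($_POST['user']) ? $_POST['user'] : '';
$pass = isset($_POST['pass']) ? $_POST['pass'] : '';
if (check_password($user, $pass)) {
    $authorized = true;
}
if (!empty($authorized)) {
    // include 'admin.php';   // hypothetical privileged page
}

// --- Hardened pattern ---
// 1. Initialise every state variable yourself; never rely on it being unset.
// 2. Read input only from the superglobals ($_POST, $_GET, $_COOKIE).
// 3. Turn the feature off at the server level, e.g. in php.ini:
//        register_globals = Off
//    or per directory in .htaccess (mod_php):
//        php_flag register_globals off
$authorized = false;
if (check_password($user, $pass)) {
    $authorized = true;
}

// Runtime check an administrator can drop into a status page: returns true
// only if the directive exists and is enabled (PHP 5.4+ removed it, so
// ini_get() yields false there and the function reports false).
function register_globals_enabled(): bool
{
    return filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN);
}
```

Running register_globals_enabled() on an affected host is a quick way to confirm the hardening step actually took effect after editing php.ini.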
All of these methods involve time and resources that SEOs could better apply to doing what they do best: in this case, being an SEO. It is a good example of where an application/hosted service provider model, or the services of a competent information security advisor, would show a lot of value in reducing the risks of media embarrassment and possible leakage of valuable information.
Ian Gorrie is a friend of mine and a former peer in the security world. I asked him if he would not mind doing a little write-up from his perspective on the recent h4x0r fuckingpirate on the loose trying to take out all the SEO bloggers.
Everyone needs to be aware of security. It’s too easy to forget about it when developing / using something pre-built, but it’s something that all sites need to think about and not just when problems pop up.
As an online retailer, we’ve had to think about that a whole lot more than just a blog. But it’s still important, even on blogs.
He’s not after all SEO bloggers, he’s publicly linked to my domain but hasn’t attempted anything…yet :/
think he’s trying to ‘liven up’ the SEO world, in a very strange way!
This doesn’t just apply to SEOs. In general, it happens to the majority of the people out there.
The OWASP community was founded for just the purpose you described. It has links and references to many application security best practices.
Just when the SEO world was getting too predictable, someone decided to shake things up. At the very least this will cause WordPress to be made more secure for everyone.
This has provided a chance for everyone to be more aware of what could happen. We all knew about hackers and knew it was only a matter of time before the hacking started again. Pirate was at least able to make us become a little bit more secure and less complacent, which we need to be.
You’re totally right, and the interesting thing is you can take it a step further and apply it to almost everything…
When you think about it, should SEOs be designing sites? Should they be coding? Should they be tracking finances / accounting? Should they take care of legal matters? etc. etc.
All these things are important and to be successful I think you have to understand them all, but in the end, the SEOs who are able to outsource or delegate [in-house] these tasks are going to be the ones with the most time available for ‘doing SEO.’
You are correct. This needs to be addressed to all industries, not just SEO.
and Yes SEO Loser
should SEOs be designing sites? Should they be coding? Should they be tracking finances / accounting? Should they take care of legal matters? etc. etc.
SEOs need to know how to perform the above.
Cheers
I’d be interested to hear what your mate comes back with Shoe.
How long will it be until some WordPress/Blogger worms get out? That would really hit the SEO industry who tend to be fairly tight-knit.
[…] Jeremy Schoemaker asked me to write up a little something regarding the recent string of SEO web defacements for a non-technical audience which he posted in his blog. […]
Really enjoyed this blog post. Much thanks again. Really great.