
“There are large groups of very confident, very professional web hackers, and there are large groups of script kiddies who are just doing it for a lark.”

Interview by Mike Sullivan


Hi, everyone. I’m Mike Sullivan. This is MO.com, where we feature small business owners and entrepreneurs, and today joining us is Alan Wlasuk of 403 Web Security. As the name indicates, 403 Web Security is a web security firm and Alan is the CEO.

Alan, thanks for joining us. Just to get us started here, would you mind telling us a little bit about your company?

It’s an offshoot of our current company, and my major company called Wlasuk, Delporte and Davis, which is a software consulting company. We do consulting over a variety of industries. 403 Web Security, in fact, is a division of WDD, which is solely set up for the testing, the design, the creation, or the remediation of secure websites.

WDD has a great deal of experience in developing high-end technology websites. A couple of years back we had a large client, a credit union, and they had two major criteria. The first criterion was it had to look pretty because it was a brochure site, and the even more important criterion was that it had to be secure. They had a previous website, which had gotten hacked. Even if a banking website gets hacked, even a brochure site, then bad things can happen, where they could send grandma over to a fake website and collect all the information from grandma.

So we spent a lot of time with web security, a lot of time with testing, remediation of the CMS that we have used, and found it to be an absolutely fascinating field as far as technology is concerned. I found that my developers were quite up to it and then moved into the testing portion of it, penetration testing, manual testing, code reviews, and found that we were quite good at that as well. So we decided to start a division of WDD around web security, which is 403.

Should all small businesses be aware of website security?

For sure, everybody’s got to be aware of it. 70% of all websites have major security flaws. These go from fluffy sites, which might be brochure sites, even fluffy sites have the opportunity, for instance cross-site scripting, being the donors of malware. Even fluffy sites have the opportunity of getting hacked and getting changed or defaced in some fashion. If you look at the most recent PBS site, which in fact was not a data site by any means, they got hacked and got hacked in interesting ways, and it became headline news. This is not to say that the little guy is going to become headline news, but they sure as heck don’t want to be hacked. They sure as heck don’t want to be a defaced site, or even they don’t want whatever information they’ve got to move up to whatever people might have used them in some fashion.

Tell me about hacking sites, how does that happen?

Well, first of all, the majority of sites that do get hacked is because of social engineering. Somebody inside the company does something terribly silly. They connect to an email that’s inappropriate, they give away their login information, stuff like that. To be honest with you, we can talk to our clients about that, but clients and their employees are always going to do something silly. If you remember the old email virus phase of many years ago, people were always clicking on the Britney Spears email for reasons that are not obvious. So social engineering, people get hacked because of that, and that’s the easiest hack in the world.

Beyond that, as I said, 70% of all websites in fact have major security flaws. The ability for someone, it might be a script kiddie, a kid who’s got a few attack opportunities they’ve looked up on YouTube, who can go in and do SQL injection, and it’s amazingly simple. SQL injection is the opportunity for someone to look at entries in your database, for instance a search, a lookup, a pod, whatever, and write SQL scripts, which in fact are going right down into your database and pulling out whatever information they’re looking for.

The next and perhaps the biggest opportunity for attacks is cross-site scripting. Cross-site scripting means, for instance, if I enter a blog entry into an orphan kiddies website, I might enter that entry and it might be really sincere except I’m going to put in a few lines of JavaScript. When you come along and read that thing that I posted as a blog, then the JavaScript will, in fact, be run on your computer and the malware will do what it wants with your computer.

So even really simple sites can be hacked. Of course, the more complex the site, the more opportunities for user input, the more opportunities for multiple pages, makes it more hackable. We are looking at hacks on many levels. Greed, of course, is a major cause of hacks, the opportunity of stealing credit card information or personal information for identity theft, the opportunity of stealing email addresses for phishing scams. That’s always an opportunity.

There are people who hack just for fame and fortune. You look at the Sony hacks, and one wonders whether there’s anything beyond that except some folks who are looking up and saying, “Sony is a company that we don’t like. Sony is a company that has treated us poorly. Let’s hack them and make it public knowledge to harm Sony in some fashion.”

You’ve got the folks who are hacking for social reasons. PETA is going to hack sites for a reason. People have concerns about a religious group or a political group that will hack those folks. So the opportunities for hacking are, in fact, really broad within any given website range and the reasons for hacking are really broad.

So what are a couple of things that we can do to ensure that, either when we’re looking for a website that it’s going to be secure or that our existing sites are secure?

The interesting part is that most websites are built by developers and designers where the company asking for that website has never mentioned the word security. It’s a simple question, “Will my website be secure, and how will you make it secure?” So the simplest opportunity for any company who wants web security is to make sure that the company that they are in fact working with has security capabilities. Then you ask the secondary question, which is, “How do I know?”

It’s because of the depth and breadth of attacks that can be made on a website, no one really knows whether their website is secure unless, in fact, penetration testing is done on the website. Penetration testing is done by a number of companies. It’s relatively inexpensive, but it’s highly desirable because unless you do a test, you don’t know where the flaws are, you don’t know how to remediate, you can’t triage. So number one, make sure your site has been built secure, and number two, even if you have an existing site or it’s been built, make sure you do security testing to understand what in fact you have.

Can you tell me where your interest in web security comes from?

Well, it comes from two directions. I’m sure you watch the news and the number of breaches, of hacks, they just seem to be going up exponentially. It may be that the number of reported breaches and hacks has gone up exponentially because people have been going after websites for a long, long time. It turns out that organized crime is certainly in web security, or the criminal end of it. There are large groups of very confident, very professional web hackers, and there are large groups of script kiddies who are just doing it for a lark. Web security, or the criminal end of it, is a billion dollar business, and if people can make money off it, particularly if it’s a billion dollar opportunity, people are going to continue the attack on websites. It will continue as long as websites are insecure, and websites will be insecure as long as people allow them to be insecure.
