5 Black Hat Attack Vulnerabilities & Defensive Strategies

I just re-emerged to the world of the living from a week of sessions at Black Hat and DEFCON conferences here in Las Vegas. Between sessions on how to make your own UAVs, hack a home’s network through their power lines, and conversations on the recent activities of Anonymous and LulzSec, something became readily apparent: I belonged here.

I say I “belonged” not because I am a hacker or have a background in hacking, but because in the increasingly competitive world of SEO I see these tactics used on websites every day.

Additionally, we SEOs are often asked to use services that are inherently unsafe and easily compromised, according to the security experts at these two conferences. Just ask a hacker about WordPress, Google Page Speed Service, Google Docs, Android, or the cloud itself and you quickly start to think of how insanely vulnerable these very services can make you or your client.

Getting Down To Business

Now, my goal isn’t to encourage you to lock yourself in your room, unplug your Internet, and take up a job as a beekeeper. However, you can’t properly advise, care for, and assist your clients if you don’t learn about how easy it is to harm a site, compromise data, or violate privacy in our ever-increasing digital world.

So today I want to get you educated on the latest vulnerabilities you should pay attention to. If you don’t know how to handle these yourself, find a security advisor to help you understand – so you can make sure you and your clients are as protected as possible from the attacks they can experience on any given day by any given competitor on a variety of surfaces.

1. Google Page Speed Service

Google’s Page Speed Service was created by Google to make pages faster. It runs on a new protocol, called SPDY, made to replace the HTTP protocol. The name isn’t an acronym, but a shortened form of the word SPEEDY. It is meant to speed up sites, and can be very good at doing so for static sites.

However, on dynamic sites you will notice mixed results, as it breaks up your site code into blocks, sends it to the service (simplified explanation, of course), processes it, and returns it. Some dynamic code it can process quickly and easily; other code it handles not very well at all, and it slows down your site significantly.

Other than speed, what’s the issue?

Well, first, the protocol is new, developed by Google, untested in the wild, and not well reviewed outside of Google. The very process it uses also opens up your code to a wider attack surface for things such as XSS (cross-site scripting, where someone injects their code into your site) and split response headers (where the attacker splits the header and returns to your site one injected with malicious information). The list goes on and will surely grow as more people use it and attackers gain real time with the protocol.

Suggestion: Easy fix with this one: Clean up your own code!

2. HTML 5

Although HTML 5 doesn’t open up many new attacks, it does open up a broader surface for these attacks. One example is the new event attribute in the video tag. This can be used to inject JavaScript in an XSS attack and bypass traditional filters that would otherwise have caught the JavaScript execution of such a scripting attack.

Another method is to use the drag and drop functionality in HTML5 to conceal information and trick the user into dragging and dropping it into, say, a form control. This is a “ClickJacking” attack.

Another attack is HTML cache poisoning, where you can keep a cache alive longer than it should be so you can steal the user’s credentials or even create an HTML5 generated botnet. As HTML and CSS get more sophisticated, these mark-up languages become even more vulnerable to scripting, tunneling, hijacking and a whole variety of attacks.

Think this is years away? No, it can all be done today on any modern browser – even if your site is in HTML5, even if it isn’t using most HTML5 functionality.

Suggestion: Learn the HTML5 vulnerabilities and then prepare the best you can to eliminate those and the use of vulnerable tagging.
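
The video-tag filter gap described in this section can be checked for in your own templates or stored user content. The following is an added example, not code from the original article: it audits markup for inline event-handler attributes two ways, against a fixed list of pre-HTML5 handler names and by flagging any attribute that starts with `on`. The handler list, sample markup and function names are constructed for illustration.

```javascript
// Constructed list: handler names a pre-HTML5 blocklist filter might carry.
const LEGACY_HANDLERS = new Set([
  "onclick", "onload", "onerror", "onmouseover", "onfocus", "onsubmit",
]);

// One opening tag: name, then raw attribute text (quoted values may contain ">").
const TAG_RE = /<([a-zA-Z][a-zA-Z0-9-]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/g;
// One attribute: name, then an optional value (double-quoted, single-quoted or bare).
// Consuming the value here keeps words inside values from being read as names.
const ATTR_RE = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'=<>`]+))?/g;

// Return every {tag, name} attribute pair found in the markup, lowercased.
function listAttributes(html) {
  const found = [];
  for (const tag of html.matchAll(TAG_RE)) {
    for (const attr of tag[2].matchAll(ATTR_RE)) {
      found.push({ tag: tag[1].toLowerCase(), name: attr[1].toLowerCase() });
    }
  }
  return found;
}

// Traditional filter: flags only handlers that appear on the fixed list.
function blocklistFindings(html) {
  return listAttributes(html).filter((a) => LEGACY_HANDLERS.has(a.name));
}

// Prefix rule: any attribute beginning with "on" is treated as an event
// handler, so handlers introduced after the list was written are still flagged.
function prefixFindings(html) {
  return listAttributes(html).filter((a) => a.name.startsWith("on"));
}

// Handlers the prefix rule flags but the fixed list lets through.
function missedByBlocklist(html) {
  const known = new Set(blocklistFindings(html).map((a) => `${a.tag}:${a.name}`));
  return prefixFindings(html)
    .map((a) => `${a.tag}:${a.name}`)
    .filter((key) => !known.has(key));
}

// Constructed sample markup; the handler bodies are harmless placeholders.
const SAMPLE = [
  '<p onclick="track()">hello</p>',
  '<video src="clip.mp4" controls onloadstart="track()" oncanplay="track()"></video>',
  '<a href="/pricing" title="online pricing">Pricing</a>',
].join("\n");

console.log("Missed by the fixed list:", missedByBlocklist(SAMPLE));
```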

3. Easily Accessed JavaScript Applications/Extensions

Think WordPress is safe? What about your favorite app? Browser extensions? Why should an attacker waste time rooting your device when they can get everything they need by getting access to some JavaScript?

JavaScript is like the magical key to the kingdom. Give an attacker JavaScript access and they have almost everything they need to get what they want or at least get you to do what they want to get where they want to be.

The Google store has no review process (Apple does). And WordPress knows it’s insecure – they’ve been told by some of the best hackers out there; it seems they just haven’t fixed it for some unknown reason.

Suggestion: Eliminate the use of JavaScript wherever possible, secure WordPress with the help of a good security team, and check app permissions to make sure they aren’t too broad.

4. Your Server

Is your server properly patched, “jailed” or “partitioned” and up to date? Does it have a good load balancer and can it handle a DDOS, or denial of service attack? What about a penetration attack?

One way someone can affect your rankings is to just keep you offline. Keep your site away from Google’s spider and the spider thinks your site isn’t there. It doesn’t take very long for Google to drop your site a few position points once it determines it no longer exists or may be offline.

In the case of a penetration attack, what if someone gets sensitive data? Can your company handle the expense, the press, the cost of reputation management if they have a database breach? There is no substituting here for an excellent system administration team.

Suggestion: Make sure you have a top notch sys admin team watching your stuff!

5. The Cloud

No need to worry about servers, you’ve gone to the cloud, right? Don’t be so sure. It depends who is watching your cloud, and if you’re a mom and pop vs. an eBay or Bank of America.

Most people think hacking attacks are all about computer system issues, but hacking can be a physical breach into your server location and a removal of those servers. I know of one travel tour company here in Las Vegas years ago that had that very thing happen: they came into work one day and all their servers and computers were gone. Hacking isn’t just about hacking in through the data lines.

However, that aside, is the cloud safer? Well, if you believe the hackers, some of whom are considered the best in the world, not one told me your data is safer in a cloud than on your own server. Plus, the challenge of a cloud is much more enticing – more data!

Now, this is not to say there are no safe clouds, but since investing in a cloud is seemingly, inherently less safe, you must do more due diligence when it comes to who you allow to host your cloud-served data. Make sure it has physical and digital security, back-ups, up-time, and updated server configurations.

Suggestion: Check out your cloud services. Vet them completely or hire your own team.

The Damage

All of these black hat/hacking techniques and vulnerabilities can affect your website rankings, site traffic, and conversions. The simple hacks can take a site with a number one ranking to where it can no longer be found on Google (and yes Bing/Yahoo). How? Here are some examples.

  • Insecure JavaScript can be a hacker’s dream and turn your website into a virtual playground.
  • XSS can be used to inject malware into your site, so that Google lowers your rankings. Why? Your site is deemed dangerous to visit and you may not notice for weeks.
  • Someone can hack your links, make it look like they come from a bad neighborhood, and down your website goes.
  • You can get proxy hacked, a hack so brutal your site can disappear overnight. I won’t mention the details here, just remember if you get the idea to try it you can wind up in jail for doing so.
  • An attacker can put their Social Security number on your site with a number of these techniques and report to Google that your top ranked page has personal data on it. Bye-bye.

There are a million more ways someone can damage your site, all with hacking techniques. I won’t go into any more detail and give anyone any more ideas, as by now I am sure you have the concept.

If you want more examples, look through the Google Help Forums. You’ll see many website owners wondering what happened to their site, where it went, how it disappeared. My guess is many of these experienced some type of hack attack that they aren’t properly educated enough to discover.

And the server issues can mean complete loss of data, hours or days of downtime, and complete turn and burn of the business at hand.

What’s An SEO To Do?

Do you need to become a hacker to understand? Read Dark Reading and take InfoSec training courses to take action? No, but to not understand any of the concepts behind a site hack, to not understand the risks and vulnerabilities of your client’s attack surface (i.e., how vulnerable they are) is to be left standing in the rain without an umbrella. You just need to know enough, so you know what to watch for and how to control the damage if it happens to you.

If you’ve read this and are thinking, “Oh my gosh my site has been attacked,” contact me and I can refer you to proper security professionals who can help.
