Sunday, May 03, 2015
Security experts more concerned that news and non-commercial sites face increasing hacking and snooping risk unless they start using encryption everywhere
Recently, there has been more attention to the idea that unencrypted web traffic can be dangerous to users in ways other than just the obvious risk inherent in sites that you have to log on to (for credit card or financial transactions or for conveying any PII).
It is possible for ordinary video to be hijacked, with users redirected. DNS redirection is possible, and of course viewing habits can be spied on by governments, as discussed in this Freedom Press blog article by Kevin Gallagher, here.
Tim Lee, in a story for Vox Media, reports on a grim-sounding attack on GitHub, after materials supposedly censored by the Chinese government were posted there. Code from Baidu was used without Baidu’s consent to insert malware, knocking the GitHub site offline, link here.
News media report random hacks (sometimes from religious radicals) on a few scattered small business sites around the country (but these seem to have been commercial and would normally have been encrypted). A few small newspapers or television stations have experienced hacks. But major corporations, retailers and governments have also experienced hacks (despite having encryption). And of course the Sony data breach was huge, and involved non-commercial areas, but may have been an “inside job” of some sort involving administrator privileges leaking.
It’s possible that an attack could occur not on the site itself but through the PC used by the business owner to maintain the site.
I experienced a bizarre attack on my old hppub.com site (now doaskdotell.com), when it was on a shared Apache server, in early April 2002. The Unix “site command” had been left open, and I don’t think that the hack was similar to the GitHub one. This hasn’t happened since, but the material is on a Windows server now, which could pose its own risks.
After 9/11, security experts expressed a concern that foreign terrorists could hack amateur websites with “steganographic” messages to launch attacks. But this sort of event has not been reported as actually having happened.
Recently, my “doaskdotell” site has experienced two 12-hour-plus outages (within three months), in a shared hosting environment, when there had been none for years. I have not gotten any feedback that security concerns were involved, however.
The idea of requiring all of the web, even non-commercial sites, to be encrypted is being discussed now in some places, and the feasibility (for me at least) is something I will take up on my main blog very soon. But encrypted sites, even news and non-commercial sites not requiring log-on or even not carrying advertising, could be more resistant to foreign terrorist hacking or malice.
This is surely a developing story.