I just finished doing a major cleanup of several web sites I own and manage. An intruder released what is known as a ‘black hole exploit kit’ into my account. The kit proceeded to modify all the web pages with a little piece of code intended to wreak havoc on the computers of people surfing my web sites. I was warned by a few users with good anti-virus programs in place, but the questions remained: ‘How did this happen and how can I prevent it from happening in the future?’
I called my hosting provider and had the good fortune of speaking with a support technician named Nathan. Nathan confirmed that I had been hacked and helped me with the file cleanup required. He asked what programs I used to upload files to my web sites. I listed for him the ones I had used before and he said those were all fine as long as I used SFTP as opposed to FTP. FTP stands for File Transfer Protocol while SFTP stands for Secured File Transfer Protocol. Immediately, I knew what the problem was. I was positive that I was using FTP to transfer files. Nathan explained that the user ID and password used to initiate an FTP session were not encrypted and could be stripped by network sniffers. Nathan helped me set up SFTP logins for my hosting account. He assured me that if I used SFTP to upload files, the user ID and password would be encrypted during transfer.
Nathan had saved the day, but I still felt naïve about the whole process. I had assumed that creating a user ID and password to protect my file transfers would be enough. Nathan explained that there was a way to secure an FTP login, but that most people were not aware of it. I asked why the hosting company still offered FTP if it was so unsafe and he said there were some users who still needed this simple method of file transfer. Nathan was giving me the company line. I felt the hosting company should have been more proactive in getting this message across. Unfortunately, many other hosting companies still provide an unprotected FTP login for their users. It seems like everyone is sticking their head in the sand on this one. I also have to point the finger at myself. Since the incident, I am finding more and more articles warning of this exact same problem and how it can be easily fixed.
Here is an instance where I protected myself with a user ID and password, but I wasn’t really protected at all. I have now become a bit paranoid. I still like my hosting company and want to give Nathan kudos for his customer service skills. However, in the future, I will trust but verify any services provided by vendors I work with.
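To make the exposure Nathan described concrete, here is an added example (not part of the original post or the hosting company's tooling): a small audit that reads FTP control-channel commands from a capture taken on your own network and reports which accounts logged in without encryption, so their passwords can be rotated. The session data, addresses and function names are constructed for illustration, and `AUTH TLS` (RFC 4217) is assumed as one standard way of protecting an FTP login; the post does not say which method Nathan meant.

```python
import re

# Constructed client-to-server control-channel lines (RFC 959 commands).
# Real input would come from a capture of your own upload traffic.
SAMPLE_SESSIONS = {
    "10.0.0.5:51514": ["USER webadmin", "PASS example-password-1",
                       "CWD /public_html", "STOR index.html", "QUIT"],
    "10.0.0.6:40022": ["AUTH TLS"],  # after the TLS handshake only ciphertext is visible
    "10.0.0.7:49810": ["FEAT", "USER anonymous", "PASS guest@example.com", "QUIT"],
}

CMD = re.compile(r"^([A-Za-z]{3,4})(?: (.*))?$")

def audit_session(lines):
    """Return one finding per USER/PASS pair sent before any AUTH TLS.

    Assumption: an AUTH TLS request is treated as accepted by the server.
    The password is never stored, only its length, so the report can be shared.
    """
    findings, user, tls = [], None, False
    for raw in lines:
        m = CMD.match(raw.rstrip("\r\n"))
        if not m:
            continue
        verb, arg = m.group(1).upper(), m.group(2) or ""
        if verb == "AUTH" and arg.upper() in ("TLS", "SSL"):
            tls = True
        elif verb == "USER" and not tls:
            user = arg
        elif verb == "PASS" and not tls and user is not None:
            findings.append({"user": user, "password_len": len(arg),
                             "anonymous": user.lower() in ("anonymous", "ftp")})
            user = None
    return findings

def accounts_to_rotate(sessions):
    """Map client endpoint -> usernames whose password crossed the network readable."""
    out = {}
    for client, lines in sessions.items():
        exposed = [f["user"] for f in audit_session(lines) if not f["anonymous"]]
        if exposed:
            out[client] = exposed
    return out

if __name__ == "__main__":
    for client, users in accounts_to_rotate(SAMPLE_SESSIONS).items():
        print(f"{client}: cleartext FTP login for {', '.join(users)}; rotate and move to SFTP")
```

Any account this reports should have its password changed and its upload client switched to SFTP before the next transfer.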