Image Source: Reuters

For some strange reason, this old website about virtual governance is currently under attack by hackers attempting to do a brute-force discovery of the admin passwords. One wonders why, but I suspect that the main reason is that I have left this website neglected for too long!

Well, of course I have been keeping up with all the updates and upgrades and new security tools (like Wordfence, which I definitely recommend to all WordPress-based websites, even the smallest ones with the least traffic). But my guess is that hackers are pretty good at noticing websites that haven’t been updated frequently: these usually show that the owners are probably lazy and disregarding elementary security precautions.

Now, there is also the issue of preserving content on the Internet, even if it gets out of date, merely for archiving/historic purposes (some people call this ‘cyberarchaeology’: the preservation of our digital past). This is mostly why I never take my sites down; nothing angers me more than finding a good reference somewhere on a page which links to something incredibly interesting… on a website that was taken down a decade ago. That’s why I never do that on those websites which I happen to have administered at some point: they will remain around, even if left unattended, for ages and ages.

Of course, a decade ago, those pesky hackers would find different targets. Nowadays, one thing that makes hackers target pretty much anything out there is the constant need to get a plethora of easy-to-break-in websites from which they launch their attacks. Old, neglected WordPress-based websites are usually a good choice: it’s a platform that powers almost one in five websites in the whole world, it’s open source (meaning that hackers can know exactly how to penetrate its code), and it’s used by people with little to zero knowledge about computer and network security. WordPress, on its own, has few security tools — it really requires a handful of plugins to make it bullet-proof against brute-force attacks. This is something that every average WordPress administrator knows, or at least has read about somewhere. The problem is that there are far too many people out there absolutely clueless about how to protect their own websites (and servers!), and every month a few hundred thousand sites go up with little to no protection. And, of course, they get neglected. While you can automate a lot of procedures in WordPress (one might even claim that you can automate pretty much everything), not everybody is savvy enough to know how to do that — especially when it comes to replacing decade-old plugins full of security holes with modern equivalents which are secure. Websites are just left alone, unattended, and become easy prey for hackers.

Well, I guess that’s the reason why they are suddenly attacking Virtual Governance. They figured out that this 5-year-old theme (or is it older?) hasn’t been tinkered with recently. They saw that the newest post dates from several years ago. They can see that the site is up and has a reasonable response time, meaning that probably it’s running on an ‘empty’ server somewhere, possibly unattended, ready to be exploited with their hacking tools.

They are wrong in all that — I actually pay attention to this website, as well as every other website I maintain, every day — but what is certainly true is that there hasn’t been any new content in here. Oh well. I cannot do much about that — except, of course, writing this post. This will tell hackers that someone is still logging in and posting new content. They might even read this article, get angry, and try even harder to defeat my security protections. They might even succeed! We all know there is no 100% secure system on the Web.

But from the pattern of the attacks, I’m just looking at brute-force attempts. These come from script kiddies — wannabe hackers with no real expertise in defeating security systems, who are able to penetrate a few servers and run simple scripts they get from hacker websites. Their purpose? With luck, they will be able to penetrate, say, a few thousand unattended websites. And then they pass this information on to the real hackers out there. Possibly not even for a price (even though that is a possibility as well), but merely to get some ‘street cred’ from a professional hacker — the next time the pros need a whole bunch of new servers to launch a real attack on the Web, they will contact that script kiddie again and tell him (or her): ‘please get me the admin password for another thousand WordPress websites’. And the script kiddies will do the same thing over and over again. They might not even be reading their software’s logs saying that all attacks on certain websites (like mine) are failing. They just go on and on, wasting precious Internet resources, until their software breaks into an unprotected website and alerts them.
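The ‘pattern’ that gives a brute-force attempt away is visible in the plain web-server access log, without any plugin: one client address posting to the login endpoint again and again within a short window. The script below is an added illustration, not code from this post and not how Wordfence or Cloudflare implement their lockouts; the log lines are constructed (addresses from the RFC 5737 documentation ranges), and the five-attempts-per-five-minutes threshold is an assumption you would tune to your own traffic. It relies on one real WordPress behaviour: a rejected password re-renders wp-login.php with HTTP 200, while a successful login answers with a 302 redirect, so a run of 200s on POST requests to the login endpoints is the failure signal.

```python
"""Flag brute-force login bursts against WordPress login endpoints in access logs.

Added example for this post (not Wordfence or Cloudflare code). The sample log,
the window and the threshold are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx combined log format: client, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

WINDOW = timedelta(minutes=5)                 # assumption: lockout window
THRESHOLD = 5                                 # assumption: failures allowed per window
LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}  # WordPress login endpoints

# Constructed sample: one address hammering wp-login.php, one legitimate
# visitor who logs in successfully (302), one address hammering xmlrpc.php.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2017:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.7 - - [10/Mar/2017:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.7 - - [10/Mar/2017:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.7 - - [10/Mar/2017:02:14:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.7 - - [10/Mar/2017:02:14:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
203.0.113.7 - - [10/Mar/2017:02:14:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4123
198.51.100.23 - - [10/Mar/2017:02:20:11 +0000] "GET /2012/05/some-old-post/ HTTP/1.1" 200 18231
198.51.100.23 - - [10/Mar/2017:02:21:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.55 - - [10/Mar/2017:02:30:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
192.0.2.55 - - [10/Mar/2017:02:30:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
192.0.2.55 - - [10/Mar/2017:02:30:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
192.0.2.55 - - [10/Mar/2017:02:30:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
192.0.2.55 - - [10/Mar/2017:02:30:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370
"""


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["path"].split("?", 1)[0]         # drop query string
    return m["ip"], ts, m["method"], path, int(m["status"])


def is_failed_login(method, path, status):
    """A POST to a login endpoint answered with 200 means the form was re-shown:
    the credentials were rejected. A 302 is a successful login redirect."""
    return method == "POST" and path in LOGIN_PATHS and status == 200


def find_bruteforce(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {ip: (total_failures, first_failure_iso)} for every client that
    produced `threshold` or more failed logins inside any `window`-long span."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if is_failed_login(method, path, status):
            attempts[ip].append(ts)

    offenders = {}
    for ip, stamps in attempts.items():
        stamps.sort()
        start = 0                              # sliding window over timestamps
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                offenders[ip] = (len(stamps), stamps[0].isoformat())
                break
    return offenders


if __name__ == "__main__":
    for ip, (count, first) in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins, first seen {first}")
```

Run against a real log with `find_bruteforce(open("/var/log/nginx/access.log").read())`; the addresses it returns are candidates for a temporary firewall block or a lockout rule. Keeping the threshold per address, rather than per site, is what stops one persistent script from locking out your own legitimate login.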

Fortunately, for those of us living behind some cyberprotection, we are not isolated spots in an ocean of hackers. We communicate among ourselves. The myriad attacks that this particular website has suffered in the past few days are being automatically reported to a central server run by the Wordfence team, as well as to the Cloudflare security team. They analyse all that data, compare it statistically to what millions of secured websites are also being subjected to, and put it all into a number-crunching ‘big data’ database. From that they can figure out trends, attack vectors, patterns. And that means they can automatically disseminate methods to make the hackers’ lives very, very hard indeed.

Script kiddies are a nightmare. Professional hackers cannot afford to waste time: if they notice that a website is secure enough, unless they have a special reason for attacking that particular website, they will not waste any of their precious time on it. They move along to the next site or server, hoping to find one with less protection. There will always be easy-to-break-in systems. Script kiddies, by contrast, have little clue what they’re doing. They can waste hours or days constantly bombarding the same site over and over again, and not even bother to look at their logs to see that they’re not having the least effect — except wasting network resources. Eventually, if they persist, their connection will be severed — if they live in a country where there are laws against cyber attacks. Or if they are stupid enough to run their scripts from their own machines at home. In practice, unfortunately, even script kiddies tend to launch their attacks from countries with few laws against cyber attacks, or which, if they have such laws, don’t even bother to enforce them. Yes, Russia, Ukraine, China… I’m talking about you. And Panama, you’re on the list, too. These are countries where people can even buy, for a price, servers that are immune from any laws whatsoever — originally, these were a good choice for the porn industry (which is not illegal for adults, but which gets so easily blocked), but these days, it’s much more likely that they are crammed full of hackers targeting the whole world, in the knowledge that no matter how strong and loud the complaints are, their infrastructure providers will completely ignore them — for a fee.

Well, we have a way to deal with that: block them out of the Internet. And that is, indeed, happening. But professional hackers are not stupid. They know they can be blocked. And they also know that they can start their attacks from behind those semi-criminal, semi-legal infrastructure providers, but the key to their success is to infect as many servers worldwide as possible — because we cannot simply block the whole Internet, especially not those servers which are legitimate. Also, becoming a victim of a successful hacker attack is a literal pain in the backside: not only will you have to clean up the mess they made of your system, but you will most likely have involuntarily attacked other systems, and therefore have been blackballed by them — and in the worst-case scenario, your infrastructure provider might have blocked you or even kicked you out of your service without a refund for breaching their terms of service. All of that happens in the middle of the night, when you have absolutely no clue what hackers are doing to your system.

Oh… and don’t think that hackers are just kids sitting deep in unlit basements, somewhere on the autism spectrum, with little to do, and living off welfare or their parents. These days, it’s governments which are doing a lot of the hacking — mostly against other governments, but also against private companies. Most developed countries and many undeveloped ones are engaged in literal cyberwar against each other — and we have all seen what happened in the 2016 US elections, haven’t we? We might imagine that this was the result of some Russian military guys figuring out how exactly to break through the defenses of a server somewhere in the US… but reality is both simpler and more complex than that. They might first have launched an all-out attack to infect tens of thousands of WordPress-based sites. Aye, I’m not joking: this is done in multiple stages. After all, professional military hackers do not leave a digital Post-It saying ‘Russia has hacked you’. They will cover up their tracks. They will launch dozens of simultaneous attacks on all possible kinds of servers and websites, all at the same time, to confuse their opponents. And such attacks will uncover weakly protected servers, from which they will launch new attacks, and so on and so forth. Ultimately, there will be a convoluted route from their military site to the target site, going all around the world, infecting laptops and mobile phones as well as WordPress sites, to make sure it’s not only hard to track them down, but also very hard to block them, as they come from perfectly legitimate places. Cyberforensics — the art and science of figuring out who has attacked you — is incredibly hard, and that’s why it’s also easy for governments and megacorps to deny it. Getting proof that someone specific has hacked you is not easy. You can read some hints pointing at a specific modus operandi which might lead you to suspect a particular group is targeting you, but you cannot be sure. We all know, for instance, that the FBI routinely uses software developed by Russian military hackers to attack other sites on their own. It’s not because the FBI cannot develop its own software; it’s because, that way, they are able to trick their own opponents into believing that the Russians were behind the incident! Aye, it gets that complicated, and that’s one big reason why it’s really hard to pin the blame on a specific group behind an attack.

And even the military hackers use civilians — this is well known in the case of the Russians, but it’s almost certainly true of other countries as well. ‘Civilians’ are not just large hacker organisations like, say, Anonymous, but mostly vast arrays of script kiddies, wannabe hackers eager to attract the attention of the military guys, because there might be some money in it. After all, if you’re a very patriotic American hacker, wouldn’t you want to serve your country by getting a list of passwords to the FBI for them to hack into, say, Russian servers? Sounds plausible enough, right? But what about those people who were infected? I’m a Portuguese girl, running a website in English hosted by a French company… why should I be the victim of a ‘patriotic American hacker’ helping the FBI to attack Russian servers? (Or Chinese hackers attacking Google?)

Anyway, enough ranting. My whole point here, after all, was just to post something ‘new’ so that all those hackers having fun with this website can see that, after all, there is someone human sitting here and watching what they are doing… even if the website has had zero new content in the past few years 🙂