I would like to clarify that I am not a cybersecurity expert; my knowledge in this field merely scratches the surface. I identify as more of a cybersecurity enthusiast, conducting independent research to enhance online safety for my friends, family, colleagues, people following me on social media, people reading this blog (people like you), and for myself. For those interested in delving deeper into the complex realm of cybersecurity, I recommend visiting the blog of Loshana Aloka, an infosec student active on Twitter under the handle @aCursed_Comrade. I’ve previously authored various cybersecurity articles, one of which gained significant attention when it was featured on the Have I Been Pwned website and in its newsletter, namely my piece on the PayHere hack. Today, I aim to share nine personal cybersecurity incident experiences, hoping that by doing so, you can take meaningful steps to bolster your online protection.
SA3D Was Here
In 2010, I had my first encounter with a cybersecurity incident when I woke up to discover that my blog had been hacked and defaced. The hackers left a message, “SA3D was Here,” accompanied by an image [screenshot]. When I reported the breach to the local reseller hosting company, they swiftly blamed my passwords, despite my passwords being strong. I was partially responsible for the inconvenience because I had not installed an SSL certificate. Nevertheless, the real vulnerabilities lay with the hosting provider. They lacked support for Secure FTP and SSH, instead using non-secure FTP that transmitted passwords in plain text. Moreover, their cPanel lacked two-factor authentication (2FA). To enhance security, when it was time to renew my hosting plan, I migrated my blog to a more secure provider and installed an SSL certificate. This new host offers secure FTP and SSH, and I can secure both the cPanel and the customer portal logins with 2FA. Since the switch, I haven’t encountered any significant security issues, ensuring a safer online presence for my blog.
Heil, mein Führer!
In 2012, I encountered an incident involving my first credit card. Back then, I regularly made online payments to my cellular services provider through their website. One morning, I woke up to find I’d missed several calls from the Card Center of the bank that issued my card and received an SMS alert for a transaction worth 16 Deutsche Marks. It became evident that my card details had been compromised through the cellular provider’s website. What triggered suspicion with the bank was that the transaction occurred somewhere in Germany, and the payment was in Deutsche Marks. Unable to reach me by phone, the Card Center swiftly blocked my card to prevent further unauthorized transactions. Thankfully, since my card hadn’t been physically used, the bank didn’t hold me responsible for covering the payment. Since that incident, I’ve exercised extreme caution when using my card online, even opting to link it to PayPal. Fortunately, modern online credit card transactions typically require a one-time password (OTP), enhancing security.
A Hole in the Wall
On 10th December 2020, Automattic introduced WordPress 5.6, code-named “Simone,” to the public, along with the App Passwords feature. This feature aimed to help users utilize software applications incompatible with Two-Factor Authentication (2FA) to bypass the requirement when connecting to WordPress. I embraced App Passwords as I relied on Windows Live Writer for updating my other blog, because Windows Live Writer isn’t compatible with Two-Factor Authentication. However, my enthusiasm waned as an odd issue arose. Despite WordPress being pre-configured to queue all comments for my approval, and Akismet being up and running, spam comments were being approved and flooding my blog. This was puzzling. When I cleared the spam comments, new ones kept coming. Alarmed, I realized my blog was breached again. Upon retracing my steps, I found App Passwords were the hole in the wall. Disabling App Passwords stopped the spam, and I never saw any spam comments making it to the live blog ever again.
In 2004, I read about a nurse from the UK whose computer got hacked, letting cybercriminals encrypt her data and demand that she purchase drugs from an online pharmacy in exchange for the decryption key. This was one of the earliest ransomware incidents, predating the term’s coinage. Little did I expect to face a similar nightmare in 2019 when a ransomware attack hit all Windows devices in my department, including our Linux-based NAS [screenshot]. The attack destroyed eight years of data. Only the Apple workstations remained unaffected. The attackers exploited the separation between our LAN and the main network, effectively bypassing the firewall. (In a way I am glad that our network was separate, because had the ransomware hit the entire network the damage would have been unimaginable.) Unfortunately, we couldn’t recover the encrypted data, but we learned a valuable lesson: back up our files regularly. Now that optical fiber internet has become more affordable, we back up data in the cloud in addition to making local backups.
A Digital Tsunami
I had only seen DDoS attacks in movies and news before, but I never imagined I’d have to deal with one myself. In 2021, my other blog inexplicably became the target of a DDoS attack. While I don’t know the full extent of the attack, the hosting company had to suspend my account because the attacker managed to take down all the other websites on that server within seconds (the blog is hosted on a shared server). Protecting a website from a DDoS attack can be extremely costly, which is not feasible for my budget. Fortunately, I had been testing the blog with CloudFlare for some time, and when I switched my configuration to “I’m Under Attack” mode in CloudFlare, it blocked malicious traffic originating from the attacker(s), and the web host lifted the suspension on my account. Following that incident, I now rely on CloudFlare for both of my blogs, and I highly recommend it to every other blog and website owner.
Hack Me Please!
Post-COVID-19, government regulations required venues with access to the public to maintain records of entrants. An NGO I’m associated with created a web app for this purpose, including a mobile client for scanning QR codes containing personal information like names, national ID numbers, addresses, phone numbers, and emails. This data was sent to the cloud for verification and storage upon scanning. When running tests, I had the shock of a lifetime because I found the login page for the web app was being indexed by search engines and cached by the server. It was like screaming “Hack Me Please!” I immediately alerted the top management about the issue and suggested that they should consult their in-house IT Department when outsourcing future projects to ensure the quality of the project is maintained. (It’s worth noting that this particular project had not been outsourced through their IT Department.)
I’m a Sitting Duck
In 2022, while collaborating with another NGO, I joined a team responsible for testing an outsourced software development project. I had full access to the Virtual Private Server (VPS) and MySQL Database. Curiosity led me to examine the Users table, and eventually, I was able to reverse the hashed passwords using an online tool, although the passwords themselves appeared to be hashed and salted. I ran the test on multiple passwords, and they all revealed their actual values. Astonishingly, I logged into the web application using these decoded passwords, revealing a major security flaw. This suggests that the passwords were not salted, and a weak hashing algorithm was possibly employed, turning the web app into a sitting duck. This incident also underscores the importance of consulting the in-house IT department before outsourcing projects, which the top management had not done in this case either.
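To show why an “online tool” could hand back those passwords, here is an added example (not code from the post or the project being tested) contrasting the unsalted, fast hash the symptoms point to with a per-user-salted, memory-hard scheme. The user rows and wordlist are constructed for the demonstration; the two checks at the end are the ones a tester can run over a real Users table dump.

```python
import base64
import hashlib
import hmac
import os

SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)  # ~16 MiB per hash


def weak_hash(password: str) -> str:
    """Unsalted MD5: fast, and identical passwords give identical digests,
    so a precomputed digest->password table (which is all an online
    'reversing' tool is) recovers them without any brute force."""
    return hashlib.md5(password.encode()).hexdigest()


def strong_hash(password: str, salt: bytes = None) -> str:
    """Random per-user salt + scrypt; stored as 'scrypt$<salt>$<key>' so the
    salt travels with the hash. Same password -> different stored value."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return "scrypt$%s$%s" % (base64.b64encode(salt).decode(),
                             base64.b64encode(key).decode())


def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt; constant-time compare of the keys."""
    scheme, salt_b64, key_b64 = stored.split("$")
    if scheme != "scrypt":
        return False
    salt = base64.b64decode(salt_b64)
    key = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(key, base64.b64decode(key_b64))


def lookup_table_recovers(rows, wordlist) -> dict:
    """Check 1: build digest->word from a small wordlist and see which stored
    hashes fall out. Only unsalted fast hashes are recoverable this way."""
    table = {weak_hash(w): w for w in wordlist}
    return {user: table[h] for user, h in rows if h in table}


def looks_unsalted(hashes) -> bool:
    """Check 2: duplicate digests across users are the red flag; with per-user
    salts two users sharing a password still store different values."""
    return len(set(hashes)) < len(hashes)


# Constructed sample Users table: the project's real rows are not on the page.
SAMPLE_USERS = [("alice", weak_hash("password123")),
                ("bob", weak_hash("password123")),
                ("carol", weak_hash("correct horse battery staple"))]
WORDLIST = ["123456", "password123", "qwerty"]
```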
It Smells Phishy
In 2022, I was once again called upon to address a problem with a mission-critical website. This particular website was vital for processing credit card payments, making its functionality indispensable. Upon investigation, I uncovered evidence of a hack that was redirecting visitors to a phishing site [screenshot]. I promptly cleaned the compromised website and reinstalled the Content Management System (CMS), and for a brief period, it appeared that the issue had been resolved. Unfortunately, the website was hacked repeatedly over a week, leaving me fatigued. The site was hosted by HostGator, whose cPanel, like my previous host’s, lacked Two-Factor Authentication (2FA) support. After each breach, the attackers reset the cPanel password, exacerbating the problem. To resolve this, I took a straightforward approach: I migrated the domain, database, and content to a more secure web host, enabling 2FA for both cPanel and the CMS. Since then, the website has remained secure, and the problem has been definitively resolved.
Last month, I was once again called upon to troubleshoot a malfunctioning website. Upon investigation, I found that the site displayed a “white screen of death.” When I attempted to access the Content Management System (CMS), I encountered an annoying 403 Forbidden error [screenshot]. Seeking guidance, I searched for information about the website online, and to my concern, I discovered that the meta title of the said website contained unknown characters, indicating a potential hack. This compromised website was hosted by HostGator. Over the next few hours, I took decisive action: I transferred the domain to a more reliable hosting provider, reinstalled the CMS, and restored the website’s content from a backup. Furthermore, I conducted a comprehensive scan of the entire setup using Clam AntiVirus (ClamAV), successfully identifying and eliminating a few more hidden infections. The website is now fully functional and free from issues.
In these personal incidents, I’ve learned valuable lessons. From my early defaced blog due to poor hosting security to a credit card compromise during online payments, I’ve gained insights into safeguarding digital assets. WordPress vulnerabilities prompted me to prioritize security patches and configurations. A departmental ransomware attack emphasized the importance of up-to-date backups. A Distributed Denial of Service (DDoS) attack on my blog highlighted the value of cloud-based protection services like CloudFlare. An alarming incident exposed a web app security flaw, underlining the need for in-house IT expertise in project development. Another incident revealed password hashing weaknesses, emphasizing in-house IT involvement in project outsourcing. Lastly, a compromised HostGator-hosted website led to migration, Two-Factor Authentication (2FA), and security scans. These experiences reinforce the critical role of cybersecurity in our digital lives and the need for constant improvement in online security practices to protect data and privacy.
If you found this content helpful, I kindly ask you to leave your feedback in the comments section below. Sharing it on social media would also be greatly appreciated. In order to promote meaningful and respectful dialogue, I request that you use your full name when commenting. Please note that any comments containing profanity, name-calling, or a disrespectful tone will be deleted. Thank you for your understanding and participation.