Slashdot Mirror


Google Records Over 750,000 'Hijacking' Breaches In One Year (nbcnews.com)

An anonymous reader writes: A new study by Google and the University of California, Berkeley, claims over 700,000 websites were breached between June 2014 and June 2015. The research shows that "miscreants" had routinely hijacked thousands of vulnerable web servers for "cheap hosting and traffic acquisition." The exact number of recorded "hijacking incidents" within the period was 760,935 but google has been said they were able to curb the amount of breaches through direct communication with webmasters. Google's Safe Browsing Alerts sends notifications to network admins when potentially dangerous URLs are detected on their networks. These have reportedly increased the likelihood of a "cleanup" by more than 50 percent and reduced "infection lengths" by at least 62 percent. According to The Next Web, WordPress topped the chart of platforms that experienced the most breaches (almost half of all attacks). English websites experienced the most attacks, with Chinese, German, Japanese and Russian language websites following closely behind.

14 comments

  1. 750,000? by Anonymous Coward · · Score: 0

    that number sounds rather low to me. there's probably at least that many that are compromised at this very moment in time.

  2. actually by Anonymous Coward · · Score: 0

    Actually quite surprised it's not more given the tidal wave of spam I get with these subverted CMS scam hosts.

  3. PHP-based software is a security sieve by bretts · · Score: 0

    I can't believe it. It's not like the experts predicted this or anything. But it's easy to code in, so it takes over the market. As usual, "We have met the enemy, and he is us."

    1. Re: PHP-based software is a security sieve by Anonymous Coward · · Score: 0

      What's a reasonable alternative? Ruby on Rails is too bloated and slow to use on lower end VPSes. Plus you have to use Ruby and deal with Rubyists, both of which are awful. Java suffers from the resource-hogging JVM and servlet containers. Python web apps are a pain to deploy. ASP.NET was Windows-only for ages, and Mono is a joke. Node.js is just silly. Perl, aside from /., is dead in the water. All of the other options are too obscure. PHP, as bad as it is, wins out because it's the least worst option.

    2. Re: PHP-based software is a security sieve by Anonymous Coward · · Score: 0

      The alternative is to simply stop using these layers of rubbish frameworks.

      If you want something completely secure, build it in C, and don't allow it to be scriptable. That's impractical for 90% of the web.

      Ruby and Python aren't without their own drawbacks, of which "being horribly slow" is one of them. PHP is as close as you can get to just writing things in C in the first place once you have the opcode cache installed by default. Likewise PHP is much easier to understand than all the other scripting languages because the vast majority of roll-your-own-CMS are nothing but a pile of include(this) statements and very little flow control logic. The worst offenders are WordPress sites which consume more than 64MB of opcode space just to serve an entirely blank page, whereas the same thing in PHP is 4KB.

      So why do hacks keep happening? The "text widget" and "raw php plugin" widget allow all arbitrary code. The "auto update" process is another infection vector because for auto-update to work WordPress needs read-write access to its directory structure, therefore people can upload PHP scripts via "avatars" and such and infect the site.

      Let's not even get into the XML-RPC attacks.

      The only way a wordpress site can be secured is by outsourcing the comments so that nothing "user submitted" is ever run on the CMS. Turn the comments off or invoke Disqus/Intensedebate or some variant thereof.

    3. Re: PHP-based software is a security sieve by Anonymous Coward · · Score: 0

      LOL

      A substantial RoR app can use less than 100 MB of RAM.

      PHP is the worst option in every category, from sanity to performance.

    4. Re: PHP-based software is a security sieve by Anonymous Coward · · Score: 0

      Even if there are no forms for a user to get at in a WordPress site, you can still hack the shit out of it using URLs and raw packets.

  4. but google has been said by thebes · · Score: 1

    umm, wut?

  5. Imagine... by Anonymous Coward · · Score: 0

    When Reddit expose its robot. C'mon dudes, we are in a crisis here. In one month users will forget about the bug. Just open the doors, admit the error to help preventing any type of plan B existing in malwares... And the fuck a pussy. (YEAH dude it's ON motherfucker)

  6. Context, correlation, etc etc by wbr1 · · Score: 5, Insightful

    According to The Next Web, WordPress topped the chart of platforms that experienced the most breaches (almost half of all attacks). English websites experienced the most attacks, with Chinese, German, Japanese and Russian language websites following closely behind.

    Uh... http://trends.builtwith.com/cm...
    https://en.wikipedia.org/wiki/Languages_used_on_the_Internet

    WordPress is the single most used CMS on the web and English is the most used language. The hijack rate corresponds closely to that. So WordPress haters, go away before you open your mouth. I see more computers with Norton also have viruses. This stands to reason due to its market share. Does this mean Norton doesn't suck? No. But raw numbers are misleading. WordPress may suck, but the primary thing is not updating, using poorly written and unmaintained modules/plugins and crossing your fingers. This is a recipe for disaster on any system.

    What we need is people to take ownership of their systems, be it a PC or a website or anything else. This however takes time, thought and money. People want cheap and now, so they hire a cheap designer, pay for a cheap hosting platform, then wonder why the Iranian datacoders league defaced their site with militant Islamic messages, or elitehackers.ru is delivering CryptoLocker with their webserver.

    Professionalism has costs in dollars and other resources. Do not be surprised when you skimp.

    --
    Silence is a state of mime.

    1. Re:Context, correlation, etc etc by RabidReindeer · · Score: 1

      Actually, I like WordPress. But it's not the only web application in the world. There are many others, some quite popular.

      So I'm thinking that the percentage of WordPress sites that have been pwned is probably much higher than most of the other platforms.

      That may be in part because WordPress is one of those platforms geared start-to-finish for non-technical people - which is to say people who use the product without any understanding of things like industry best practices for security.

    2. Re:Context, correlation, etc etc by KGIII · · Score: 3, Interesting

      Having played, a lot, with WordPress lately, I've noticed a few things...

      It's easy if you just point and click. It's good for that. However, if you start digging into the framework then it's no longer easy and it really isn't designed that well. You can keep it reasonably secure but it takes some effort and you need to start the whole process with security in mind. I've installed a number of plugins but I've actually been really careful about it and have stopped to actually read each of them - and to at least skim their code, to make sure I know what I'm doing and what they are doing.

      The thing is, I don't think people do that. I went through the list of the most popular stuff and I made it a few pages into the list. As I was reading them, I was thinking "WTF?" So, I looked at some of the code for some of them. I remained thinking, "WTF?" At one point, I was reading about some of the footer instances and I played with that for a bit. One of the pages I was reading had the advice, "If you get an error, just CHMOD the whole themes folder and the files in it to 777 and it should go away." Or something like that. That's not verbatim, I don't think.

      So, there are a variety of problems. This is JUST a guess but it looks like someone originally wrote it just to do a few things. Then, someone decided to add plugins so they added that feature. Then, they added the next feature, then they added another feature, and now it is on 4.5.x and somewhere along the lines, it got popular. So, it looks like things have just been bolted on as they went.

      Read through the WordPress Developer Resources site. Take a look at the functions list. Look at the things they do and how they're called. It's also capable of being a hell of a resource hog. I mean a whole lot of resources... It happily eats any RAM it can find and, best of all, they've got a plugin that will help you find and use all the RAM. You know, in case your hosting company limits RAM use per script or something and you don't want to live with those paltry resources - why not find a way to bypass that and push it to the limits? It's only shared hosting so that 500 error you see will get blamed on someone else unless the hosting company's admins actually look deep enough to see who was figuring out how to use more RAM than they were allotted. I mean, it's not like the hosting company had a good reason when they put those limits in there...

      So, there are some issues and I really think WP would do well with a complete rewrite. I've actually read a whole lot of the code for WordPress. All in the past few months. I'm now well over 200 hours into it and that 200 hours is not including a whole bunch of hours spent on just researching. It probably would have been less time but I've not poked or played with much of anything since about 2007. I had a lot to relearn and a lot of new stuff to catch up on - I still do. It has changed, a lot.

      --
      "So long and thanks for all the fish."
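
Two of the comments above describe symptoms that an administrator can actually look for on disk: the reply about auto-update notes that a writable tree lets someone plant PHP scripts through an "avatar" upload, and the comment just above quotes advice to "CHMOD the whole themes folder ... to 777". The following scanner is an added example and is not code from the page, from Google's study, or from WordPress itself. It assumes a stock layout in which wp-content/uploads should hold only media, and it runs against a small constructed directory tree so it works offline.

```python
"""Scan a WordPress document root for two infection symptoms discussed in the
thread: server-side code that landed in the media upload tree (e.g. via an
avatar upload) and directories left world-writable ("chmod 777").
Added example; not code from the page, from Google's study, or from WordPress."""
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Extensions that a typical Apache/PHP-FPM configuration hands to the PHP
# interpreter. A name like avatar.php.jpg is flagged as well: multi-extension
# handling has executed such files on misconfigured hosts.
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".webp"}
# Assumption: a stock layout where this subtree should contain media only.
UPLOAD_DIRS = ("wp-content/uploads",)
HEAD_BYTES = 1024 * 1024  # how much of each file to inspect for a PHP tag


def _under_uploads(rel):
    return any(rel == d or rel.startswith(d + "/") for d in UPLOAD_DIRS)


def scan_webroot(root):
    """Return a list of (finding, relative_path) tuples for the tree at root."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        mode = path.lstat().st_mode
        if stat.S_ISDIR(mode):
            if mode & stat.S_IWOTH:
                findings.append(("world_writable_dir", rel))
            continue
        if not stat.S_ISREG(mode):
            continue  # symlinks, sockets etc. are out of scope here
        if mode & stat.S_IWOTH:
            findings.append(("world_writable_file", rel))
        if not _under_uploads(rel):
            continue  # plugins and themes legitimately contain PHP
        suffixes = [s.lower() for s in path.suffixes]
        if any(s in PHP_EXTENSIONS for s in suffixes):
            findings.append(("php_in_uploads", rel))
        elif suffixes and suffixes[-1] in IMAGE_EXTENSIONS:
            # An "image" whose bytes contain a PHP open tag is a planted script
            # waiting for a handler misconfiguration to make it executable.
            with open(path, "rb") as fh:
                if b"<?php" in fh.read(HEAD_BYTES):
                    findings.append(("php_in_image", rel))
    return findings


def build_sample_tree():
    """Create a constructed miniature WordPress tree in a temp dir; return its root."""
    root = Path(tempfile.mkdtemp(prefix="wp-scan-"))
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 64        # constructed JPEG-like bytes
    planted = b"<?php @eval($_POST['c']); ?>\n"       # constructed stand-in for a web shell
    files = {
        "wp-content/uploads/2015/06/avatar.jpg": jpeg,           # clean upload
        "wp-content/uploads/2015/06/avatar.php.jpg": planted,    # double extension
        "wp-content/uploads/2015/06/shell.php": planted,         # bare script
        "wp-content/uploads/2015/07/photo.png": planted + jpeg,  # PHP inside an "image"
        "wp-content/plugins/hello/hello.php": b"<?php // plugin code\n",  # legitimate
        "wp-content/themes/twentyfifteen/style.css": b"/* theme */\n",
    }
    for rel, data in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    # Normalise permissions so the result does not depend on the caller's umask,
    # then leave the themes directory world-writable, as the quoted advice says.
    for path in list(root.rglob("*")):
        os.chmod(path, 0o755 if path.is_dir() else 0o644)
    os.chmod(root / "wp-content/themes", 0o777)
    return root


def demo():
    """Build the sample tree, scan it, remove it, and return the findings."""
    root = build_sample_tree()
    try:
        return scan_webroot(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for kind, rel in demo():
        print(f"{kind:20s} {rel}")
```

Point scan_webroot at a real document root to get the same tuples; the sample tree exists only so the block runs without a WordPress install. The content check deliberately looks past the extension, because the comment's avatar case is exactly a file that passes an extension allowlist yet carries a PHP open tag.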

  7. Perhaps, but... by Anonymous Coward · · Score: 0

    Google regularly classifies completely harmless streaming sites as "web forgery", a senseless term that they have invented themselves. So some doubts about their data collection methods are in order.

  8. Of course 99.9999% were PHP based. by Anonymous Coward · · Score: 0

    PHP is dogshit. People who use it should be permabanned from the internet.