I was reading this post and I was thinking that this is another good example of the general theme in a lot of modern business and security.
People will a lot of times neglect some of the “plumbing” of their website and not realise quite how important it is to their sites security. In the linked example it was DNS. An attacker was able to get control of the site domain name and then essentially controlled the site. That’s one way of pulling it off but there are others.
Good examples of services which are often overlooked but are critical
- Hosting services. If you use VPS or the like and the hosting service is compromised then, the attackers can likely get access to your servers too. A good example of this was the Linode hack in 2013. There the attackers didn’t even have Linode as a primary target, they were after one specific customer.
- DNS providers. If the attacker can control your DNS, they can redirect mail, carry out MITM attacks on web sites, basically make a right mess of your system. But hacks on DNS providers (either social engineering or direct) are a common theme in stories of compromise.
- E-Mail providers. Might not seem as critical, but how are most password resets done…. by E-Mail. If the attacker owns your e-mail service they can usually trigger password resets for other things like DNS or hosting.
So what makes me say these things are “neglected”? Well look at the market and it’s pretty obvious. In a lot of cases the successful providers in these areas are the cheapest/easiest to use, not the most secure. Of course there’s the usual security problem of a “market for lemons” in that all providers will say that they’re secure but I’d still recommend that if you have a system that’s important to you (and that’s true for an increasing number of companies who do business primarily on-line), then spending some time trying to find high quality “plumbing” will pay off in the long run.
