What if Your Web Site Wasn't Yours?

Submitted by Holly on Tue, 07/29/2008 - 1:01pm.

Flickr Photo: kallebooFlickr Photo: kallebooImagine this scenario: Your organization provides services and support to area residents during times of crisis. When, say, an earthquake hits, it's your time to shine. You work overtime making sure people have food, shelter, and emotional support. This spike in work also means a spike in donations; during times of crisis, your organization brings in up to 50% of its yearly budget.

Only this time, your site has been hijacked and all those donations are going straight into a hacker's coffers.

Ridiculous? Not as ridiculous as you might think. Many nonprofits have trouble believing that their site could be targeted by hackers. Unless you're one of the big guys with a well-known brand, this is true to some degree. But nefarious technologies keep evolving, making it ever easier for bad folks to launch various exploits and profit by hijacking smaller organizations.

The case in point is the most recent security kerfluffle. The story is long on technical terms, short on narrative, so let me try to summarize the problem for you:

On July 8, super-smart guy and security expert Dan Kaminsky publicized a vulnerability in most Domain Name Servers. You can read Dan's remarkably understandable full explanation, but suffice it to say that the bad guys have learned a new way to direct traffic from your site to wherever they want.

If yours is the organization in our example, the hacker takes control of your domain name and drives people not to YOUR website during the crisis, but to a dummy site set up to look like yours. Your donors probably won't notice the difference, and their "donations" will head, well, who knows where.

That's an elaborate example, but a hacker can do far simpler, but equally hurtful things: your visitors could be redirected to offensive content or asked for personal information that may make them vulnerable to identity theft.

Once a hacker has control of where your visitors go, any number of bad things can happen.

So how do you protect yourself? It's a little complicated:

  • Usually, it's your Internet Service Provider handling DNS routing. Ask them if they've applied a patch to their servers and routers.
  • Check your domain name server for vulnerability. The checker on the right hand side of Dan's blog is really handy.
  • If you suspect any vulnerability -- and maybe just do it anyway -- check out services like OpenDNS.com. You should secure your computer and your network router at a minimum. Webmonkey has a nice set of instructions for you.
  • Help spread the word. The sooner every DNS system has been patched, the sooner the skulkers have to turn elsewhere.
| the blog

Your DNS may be ok, but you can't check your donors'
Submitted by Chris Berendes (not verified) on Wed, 07/30/2008 - 11:12am.
A quick read of Dan's piece suggests when I check whether I'm ok, I'm making sure that the DNS servers I'm currently using (say, at work) are protected against the vulnerability. If I later go to an Internet Cafe, or home, I should check again, since that will probably be a different ISP and so different DNS servers.

 

If my reading is right, then your organization is still exposed, even if Dan's tool shows ok for your setup, since it is your customers' and donors' DNS servers (probably provided by their ISPs, not yours) that could be compromised.

 

That is, if Dan's testing tools shows that all is well for you, it tells you that, when you browse to to your website at www.yourNGO.org (or www.redcross.org, etc.), you'll see the real thing.

 

It doesn't tell you that your donors/customers will see the real thing when they go to www.yourNGO.org

Does anyone know of examples
Submitted by Avi Kaplan (not verified) on Tue, 07/29/2008 - 3:54pm.

Does anyone know of examples of nonprofits who have had this kind of unfortunate experience?

I'd be interested to know how they responded and communicated and apologized for the situation to their constituents.

Thanks for the warning!