November 5, 2015 (updated 2018)
Around mid-September 2015, while I was in a campground near Colorado Springs, the back-end of this website became inaccessible. That means you could see the site online as if nothing had happened, but I could not get into the back-end/development end of the LiveLaughRoll.com site. The site was hosted by GoDaddy. After many phone calls from the road over a period of several weeks and an upgrade to their so-called super support, I received an email (not a phone call) that basically said they couldn’t help me. That’s it. I paid for hosting but couldn’t access the 3 websites I had with them. No explanation. No apology. No refund. No one at GoDaddy even admitted to any problems or said anything about my site being hacked by a Brute Force attack.
It took extensive Google searches to find out that in mid-September 2015, thousands of sites were hacked. This isn’t a new thing but it is the first time in 14 years of developing websites that I was attacked. I thought at first it was a malware attack which is part of what’s called Ransomware. Typically, Ransomware malware encrypts all files on a victim’s computer with a cryptographic algorithm, then demands a ransom to be paid in Bitcoin. But I never received any ransom notice (and if I had, well…I would have had a few graphic words for them).
The result is that I moved to another host and completely rebuilt each site from scratch (I didn’t know what malicious code had been embedded so I couldn’t just do a restore), added plug-ins for security, limited login attempts, and changed my login credentials. It cost me hundreds of dollars and weeks of downtime. Later I discovered that it may have been a different type of hack–a Brute Force attack. According to Sucuri (security software), brute force login attempts have increased from about 5 million in January 2015 to 48.1 million on September 9 (about the time of my attack) and are now, as of this writing, at 47.8 million. This is a huge increase that happened in just 9 months and should be of significant concern to anyone.
How a Brute Force attack works.
Imagine a home intruder at your door. It’s locked of course but they have a special set of keys–thousands of software-based keys (various forms of keyloggers)! Better yet, they have a robot that will stand there in the cold and rain and try every single one of them. Not easy for a real, in-person intruder but simple for a computer using mathematical algorithms.
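How a limit on login attempts, the fix mentioned earlier, slows the key-trying robot: the Python below is an added example, not code from the original post or from any plug-in. The class name, the thresholds and the sample address are assumptions chosen for illustration, and the guessing run is constructed.

```python
from collections import defaultdict


class LoginThrottle:
    """Lock a key (source address or account name) out after repeated failed
    logins, doubling the lockout each time it is triggered again."""

    def __init__(self, max_failures=5, window=300, base_lockout=60):
        self.max_failures = max_failures    # failures tolerated inside the window
        self.window = window                # seconds over which failures are counted
        self.base_lockout = base_lockout    # length of the first lockout, in seconds
        self.failures = defaultdict(list)   # key -> timestamps of recent failures
        self.lockouts = defaultdict(int)    # key -> lockouts triggered so far
        self.locked_until = {}              # key -> time at which the lockout ends

    def allowed(self, key, now):
        return now >= self.locked_until.get(key, 0)

    def record(self, key, now, success):
        if success:
            self.failures.pop(key, None)    # a good login clears the failure count
            return
        recent = [t for t in self.failures[key] if now - t < self.window]
        recent.append(now)
        self.failures[key] = recent
        if len(recent) >= self.max_failures:
            # Every further lockout lasts twice as long as the one before it.
            self.locked_until[key] = now + self.base_lockout * 2 ** self.lockouts[key]
            self.lockouts[key] += 1
            self.failures[key] = []


def simulate(rate, duration, throttle, key="203.0.113.7"):
    """Replay a constructed guessing run of `rate` wrong passwords per second for
    `duration` seconds. Returns (guesses sent, guesses that reached the password check)."""
    sent = checked = 0
    for now in range(duration):
        for _ in range(rate):
            sent += 1
            if not throttle.allowed(key, now):
                continue                    # refused before the password is compared
            checked += 1
            throttle.record(key, now, success=False)
    return sent, checked


if __name__ == "__main__":
    print(simulate(rate=10, duration=3600, throttle=LoginThrottle()))
```

Keyed on the source address alone, this does nothing against guesses spread over many addresses, so the same counter should also be kept per account name.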
Why me and this site? Because they could. I believe it began when someone hacked my computer while I was on public WiFi at a campground near Colorado Springs. At the time my 18 Gigs of Verizon MiFi was running low, so I briefly logged into this LiveLaughRoll website using the campsite’s free public WiFi. When I went to log off and shut down my computer it acted differently and a couple of things flashed on my screen and disappeared. At the time, I suspected something had happened, but I was about to hitch up my little mobile office and head to a wild animal sanctuary in New Mexico to do some marketing consulting. A few days later, I discovered the problems.
What’s the business case for hacking and why are they escalating?
The cost, time and organization to do these things are immense so there has to be a big payoff. Basically, a Brute Force attack is the first step–it’s just the method to get into a website. Once in, one of a number of things can happen. A DDoS attack is one outcome. DDoS has a purpose–an attacker networks random computers together, embeds code (that you may or may not notice as a site operator), and then for any number of reasons, orders all those networked computers to repeatedly contact a specific site (typically a target site for hacking like a hospital or a big retailer…or a political organization). This surge in traffic either makes the target site load very slowly, or it completely shuts it down. Some say it’s just about money, extortion, protest, or revenge. People in the real world operate the same way and may go to great lengths and expense to harm a competitor, an individual, or organization they disagree with—we see it all the time now.
Why you should be concerned about my brute force attack.
I bring this to your attention because this isn’t about me or my little site about some extended travel I did in 2015. My site took no credit cards or personal info from anyone, so why was it so interesting for hackers? It’s not – and that’s the problem. My little site at that time was just one of many thousands (maybe millions?) of places to hide code until orders are received from the instigator. You need to know this–because this stuff is not on the nightly news but it will affect you and I don’t mean prevent you from posting on Facebook for a day or accessing your email for a few hours. The problem is much bigger; cyber-security breaches could decimate our way of life. Am I being dramatic?
People who know, know this is getting worse and has now gone much further into our personal data and you don’t need a website to have it happen to you. Anything you have connected to the internet (smart watches, heart monitors, your cable TV router, your Alexa, your mobile phone…) can access your personal information. If you are interested in reading more, do a Google search about cyber-security because it is changing and accelerating every day.