This is slightly off topic, but there are some general implications that photographers need to be aware of.
The Hacker News has a story today about how hackers use pirated CMS themes and plug-ins to gain access to web sites.
A brief primer about Content Management Systems (CMS) for those unfamiliar with that term.
Web servers (the computers that run web sites) usually have either a LAMP or a WAMP setup. The first letter is the operating system used on the computer, either Linux or Windows.
The A is for Apache. This is the software that allows the computer to communicate with other computers.
M is MySQL. This is database software and is used to store information that is later used when someone visits the site with a web browser.
P s for PhP. This is a scripting language. A PhP file is a plain text file saved with a .php extension. The extension tells the server to run the script contained in the file whenever a browser requests a certain web page.
This setup allows a web site to store information in a database and then retrieve that information in the form of a web page when a web browser requests a specified resource (usually a specific web page). A single php file can be used to generate information on multiple pages and all those pages can be edited simply be changing a single file.
Content Management Systems
A CMS is basically just a set of php files that are used together to operate a web site.
There is one set of scripts that controls what visitors see when they visit the web site. There is a second set of scripts used by the administrator(s) of the site.
The advantage of a CMS is that the set of scripts used to administer the site creates a Graphic User Interface that can be used to administer the site without having any coding knowledge whatsoever. The administrator just uses a web browser to visit a specific web address, logs into the site with their credentials and uses the GUI to administer the site.
Plug-ins and Themes
These are additional PhP scripts that can be used to control the appearance of a site (themes) or add additional features. Shopping carts that allow visitors to purchase goods are a fairly common plug-in
CryptoPhP
This is a PhP script that creates a backdoor opening in a web site, allowing hackers to gain access to that site.
Hackers get it installed by inserting the code into copies of legitimate themes and plug-ins that have to be paid for before they can be downloaded, and then offering the pirated copy free of charge. The malicious code gets run every time the server accesses the pirated theme or plug-in.
When placed in a theme that is every time the site is visited. This includes visits made to administer the site.
Implications for Photographers
So why mention PhP based web hacking on a site dedicated primarily to photography?
First, that web site you're visiting might be one of those hit by the hack. What's worse is that there is no way of knowing whether the site you are visiting is one using a CMS, let alone one affected by CryptoPhP. Web pages generated using a CMS have a .php extension. It is common practice to hide this extension as it can be seen as a "hack me" sign to hackers. (Sometimes it pays not to advertise.)
This is one of the reasons you need to be careful when it comes to the information provided to any web site. The only way to ensure your information is to treat every web site you visit as a potential target for hackers.
Second, hackers use the same tactic with other software. Sure, getting a free version of software that costs $100 sounds great, but there is no way to guarantee there has been no malicious code inserted into the program.
The only way to avoid this type of hack is to purchase the software from a reputable source. Go to a store like Best Buy, Office Depot, etc. or download it directly from the company that produces it.
This is especially important for professional photographers.
Not only does a professional photographer need to protect themselves, they need to protect those with whom they do business.
That malicious code inserted into the pirated software you downloaded could wind up infecting a client's computer as well. That isn't going to help your professional reputation.
No comments:
Post a Comment