Raiders of Nairaland’s Lost Data: Lessons for Us Mere Mortals

That Nairaland was hacked is no longer news. The hacker nicked the entire user database before zapping the system (/bin/rm -Rf /).


Finally, restoration efforts came too late, because Nairaland kept its backup on media mounted on the same physical machine, so the wipe took the backup with the data. The site is now running from a backup about 5 months old. For the largest online rendezvous for Nigerians, with over 1 million users, that is a disaster on the scale of 200 times Chernobyl.
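As an added example (not code from the original post, and not Nairaland's actual setup), the following POSIX shell routine encodes the lesson above: it refuses to write a backup onto the same device as the live data, and it confirms that the copy pushed to a separate host matches the local archive. The database name, backup directory and remote host are assumptions; `mysqldump`, `scp` and `ssh` are only invoked inside `run_backup`.

```shell
#!/bin/sh
# Offsite-backup sanity checks for an SMF-style site (constructed example).
set -eu

# Return 0 when the two paths live on different filesystems/devices, 1 when
# they share one. A backup on the same device as the live data is destroyed
# by the same "rm -Rf /" or disk failure that destroys the data.
on_separate_device() {
    src_dev=$(df -P "$1" | awk 'NR==2 {print $1}')
    dst_dev=$(df -P "$2" | awk 'NR==2 {print $1}')
    [ "$src_dev" != "$dst_dev" ]
}

# SHA-256 of a file, using whichever tool the host provides.
sum_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi | awk '{print $1}'
}

# Return 0 when the archive's digest equals the expected (offsite) digest.
verify_checksum() {
    archive=$1; expected=$2
    [ "$(sum_of "$archive")" = "$expected" ]
}

# Dump the database, refuse same-device destinations, push the archive to a
# separate host and confirm the remote copy is byte-identical.
# Usage: run_backup smf_db /var/lib/mysql /backup backup@offsite.example
run_backup() {
    db=$1; datadir=$2; dir=$3; remote=$4   # all hypothetical values
    on_separate_device "$datadir" "$dir" || {
        echo "refusing: $dir is on the same device as $datadir" >&2; return 1; }
    archive="$dir/$db-$(date +%Y%m%d-%H%M%S).sql.gz"
    mysqldump --single-transaction "$db" | gzip > "$archive"
    scp -q "$archive" "$remote:"
    # The remote account should accept uploads only, so a compromised web
    # server cannot delete earlier archives.
    remote_sum=$(ssh "$remote" "sha256sum $(basename "$archive")" | awk '{print $1}')
    verify_checksum "$archive" "$remote_sum"
}
```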

I thought it important to set down the following post-mortem analysis of how Nairaland’s online success was managed, and of how such disasters can be mitigated in the future.


First, is there a reason to hack Nairaland? Yes, plenty of reasons. The number one reason is that the site is the most visited Nigerian website among Nigerians, with decent advertising revenue. It comes after Google, Facebook, Yahoo, YouTube and Blogspot, none of which is Nigerian. And there are jealous, mean guys out there.


Second, how easy is it to hack a website? Very easy. Website owners are like cats, while hackers are like rats. When the cats sleep, the rat population grows until it is large enough to run rings around however many cats there are. Cats should not sleep.


Nairaland runs Simple Machines Forum (SMF), free bulletin board software that the owner may have extended using paid Indian or Nigerian freelancers.


Two possibilities:


1. SMF has a number of documented exploits, such as http://packetstormsecurity.com/files/121391/SMF-2.0.4-PHP-Code-Injection.html or http://www.exploit4arab.net/exploits/685, the latter a January 2014 exploit. If the website owner did not patch the site early enough, some bad lad may have run one of these exploits against the site, just for the fun of it.


2. With paid freelance contractors working on such a successful website, a renegade contractor may have pulled a Snowden-like stunt, hacking the site either to use or sell the data on the black market later, or simply to embarrass the website owner over some contractual disagreement.


For a successful website that does not use Secure Sockets Layer (SSL) for its communications, the administrator password, and indeed any privileged user’s password, could easily have been snooped through a man-in-the-middle attack, or by malware that intercepted logins to the popular site. The simplest SSL certificate for www.nairaland.com costs about $10.


A popular site like Nairaland could also have made use of the Open Standard for Authentication (OAuth), which lets users log in with their existing Facebook, Yahoo, Gmail or other OAuth-compatible accounts.


This would reduce the burden of securing the site with SSL, since authentication would be handled by those secondary sites. I confess that the above will still not prevent user data such as email addresses and phone numbers from being stolen. It only limits the exposure from stolen passwords, which matters because most people use the same ID and password across multiple websites.


The owner complained of some initial difficulty in reaching the web host, and of their lack of response: http://www.nairaland.com/1793439/re-concerning-catastrophic-loss-valuable#24368844


For a popular, money-making website, I would rather locate the data in a colocation (colo) facility at most 1 hour away by road or air. There are enough data centres in Nigeria now, with redundant fibre connectivity to the Internet and competent support staff to meet any hosting requirement. Best of all, they are no more expensive than the supposed facilities that claim to be cloud-based, or than the cloud itself.


Lastly, it is hosting today; it may be DNS or domain hijacking tomorrow. A successful site like Nairaland should consider a Nigerian domain name ending in .ng, so that if anything untoward happens, the site owners will be talking to Nigerians who speak their language and live in their time zone, and resolution may be much faster.


In conclusion, Nairaland’s owners are feeble, mere mortals like us. They have learnt their lesson and seen the need to invest more of the venture’s revenue back into the business, to make it more robust and resilient. Seun Osewa’s commitment to moving the venture from a hobby to an enterprise is not in doubt. He deserves our support and continued patronage.


Quite a lot of the content has been indexed by Google and can be reconstructed from its cache. Indeed, the Internet is backed up.


I cannot but ask … What if Google was hacked?
