DPP Website Hacked

December 23, 2008
Reported by Ah-Lan

(Information provided through linked URL’s and DPP group.)

The DPP’s Chinese-language website (http://www.dpp.org.tw) was hacked into last night, December 22.  The unknown hacker has inserted three separate graphics of the PRC’s flag across the home page and a false press release claiming that the DPP has apologized for Chen Shui-bian’s actions.  The press release was written in the simplified Chinese characters used in China indicating the suspect’s identity likely to be from mainland China.

Many first reactions was anger and some, confusion.  One reader listed as Kevin, provided with the following comment, “If the Chinese continue attacking the DPP and favoring the KMT, guess who’s winning the next election?  Because no one is going to vote for any party that looks like the Chinese Communist Party’s pet.

Another reader, listed as Sean, describes the fragile security of the website, “To be fair its mainly because the DPP website is has poor security, the servers are often not updated for patches. In other words, if you leave your Porsche unlocked, doors open on the street, don’t be surprised when someone takes it for a joyride.  Two years ago it was because they used a crappy ASP script and people didn’t bother to patch the Windows server.  Today its because they’ve got a custom PHP thing going with an inexperienced coder and webmaster…

Unable to access website (image taken on Dec. 23, 2008)

Unable to access website (image taken on Dec. 23, 2008)

” …if you visit http://dpp.org.tw, you get nothing. You must type in the http://www.  That “requirement” died back in the early 90’s.  The navigation is completely javascript based and leaves nothing so you can’t bookmark pages.  What the DPP should do is act like most tier 1 sites and use a well supported and secure-able PHP content management system. Just compare the track record of the Chen Shui Bian site written in Drupal or the NYTimes website in WordPress, versus the DPP site and I think everyone knows the difference.”

As to the question of tracking the hacker, this may be an impossible task.  Hacking into a website is more of an issue with the server and not the code itself.  If anyone is to come to aid, Drupal and other CMS are out of reach, the instance is “a problem of security.”

Are all sites hackable?  Are they all just as easy?  Is every site and blog waiting for someone to come and alter its contents?  Is there such thing as a safe site?  It simply varies on the service providers.  Hacks, however, may be traceable depending on what they do or do not leave behind.  The easiest way to reamin untraceable is by rename the hacked page to the way it was.  Or another possibility, without using the CMS (Content Management System) but through creating a static website.  The CMS’s are widely recognized and used for their versatility while the static sites, however, do not require log ins, thus, more difficult to utilize the CMS to hack into the server.

From onlinesecurityauthority.com, lists ten ways to protect your website from hackers; here are the following:

1. Protect your files with passwords.
The more complicated the password, the less risk you will have.
2. Secure your e-mail address.
Sometimes, one receives an e-mail address courtesy of his or her online business form, however this may imply that spammers have got hold of your contact information perhaps in the Web or from someone else.  Use or create a separate e-mail address!
3. Don’t leave e-mail addresses anywhere. Use a link back to your blog or site.
4. Secure your source code.
Spammers and hackers are interested in getting your source code to either destroy it or to build a website clone.  Make use of scripts that will allow your source code to remain hidden to Internet users.  Or you can simply make use of external CSS sheets as well as files for Javascript.
5. Check for software patches.
Be updated of all files!
6. Sign up for updates.
Sign up using one secure e-mail address in all of their newsletters and read them!
7. Add a robot.txt.
Robots.txt is a text (not html) file you put on your site to tell search robots which
pages you would like them not to visit. Robots.txt is by no means mandatory for
search engines but generally search engines obey what they are asked not to do.
For more information on robots.txt,
I recommend taking the time to read
through this site.

8. Check the permissions you may have set for your uploaded files.
This prevent anyone from accessing important files. One may confirm by selecting
CHMOD for files located via web hosting server, or an easier way may be
through verify via one’s webmaster.
9. Take away old or unnecessary files.
Search engines tend to keep files from website even past expiration, however, if
removed from the server, they may no longer be accessible.
10. Know your server.
Adjust your security and permission level to the site or blog!

Messages to readers and subscribers: Please be careful with your e-mails, blogs and websites.  I hope that this blog post has helped.  Take care in this Winter season, happy holidays.  🙂


~ by Lan on 2008 Tue+00:002008-12-23T09:05:04+00:00. 15.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: