All posts tagged ‘Security’

File Under: Blog Publishing, Web Apps

Massive WordPress Attack Targets Weak Admin Passwords

Image: CloudFlare

If you’re using the popular open source blogging tool WordPress to power your website, you may be vulnerable to a new web-based attack.

If your WordPress admin pages suddenly become sluggish, unreachable or you’re unable to log in there’s a good chance your site is being attacked.

According to CloudFlare CEO Matthew Prince, the attack is using brute force against WordPress’ admin pages using the old default username “admin” and then trying thousands of passwords. There’s nothing new about that approach, but what makes this attack different, and particularly potent, is that the attackers have some 90,000 unique IP addresses at their disposal.

For its part CloudFlare has pushed out an update that “detects the signature of the attack and stops it.”

Popular WordPress Host HostGator reports that it too has “seen over 90,000 IP addresses involved in this attack.”

WordPress creator Matt Mullenweg has also weighed in, pointing out that it’s been over three years since WordPress used the username “admin” as the default for new installations.

However, there are no doubt a great many sites that still have — whether they use it or not — the “admin” user account hanging around in WordPress. It’s also worth noting that, while this attack appears limited to trying the “admin” username, a more sophisticated approach could do the same thing, but with unique usernames — for example, find the most frequently used account name on the public site, assume it’s an admin account and run the same attack against the admin pages. So far that hasn’t happened.

“Here’s what I would recommend,” writes Mullenweg on his blog, “if you still use “admin” as a username on your blog, change it, use a strong password, if you’re on WP.com turn on two-factor authentication, and of course make sure you’re up to date on the latest version of WordPress.”

Unfortunately, given the number of IP addresses that seem to be at the attackers’ disposal, other common security measures — like tools that limit logins by IP address — aren’t going to be terribly effective against this attack. Short of getting rid of the default “admin” account (if it still exists), there isn’t a whole lot you can do to stop the attacks (unless you want to use a web application firewall like CloudFlare or ModSecurity). Be sure to contact your hosting company if you think your site has come under attack.

File Under: servers, Web Basics

What to Do When Your Website Is Hacked

All it takes is one open lock. Photo: David Bleasdale/Flickr

One drawback to the otherwise awesome sauce of the do-it-yourself web is that you’re also responsible for fixing it yourself when something goes wrong — call it the FIY corollary to the DIY web.

For example, what happens if the bad guys attack your website?

In some cases your web hosting service may be able to help, but most of the time undoing the damage is your responsibility. Websites are attacked every day; well-tested though they may be, frameworks and publishing tools inevitably have security flaws and eventually you may be bitten by one. Or it might not even be the tools that end up being the problem, it might be something far less obvious. Developer Martin Sutherland’s server was recently hacked because one file on a shared server had the wrong file permissions.

Sutherland’s write-up of how he discovered and fixed the attack on his server is well worth a read and makes an excellent primer on how to handle being hacked. While Sutherland’s situation may be specific to the attack that his site suffered, his diagnostic steps make an excellent starting point even if you use a completely different publishing system. (Sutherland uses Movable Type.)

Sutherland’s strategy (once he realizes he’s been hacked) is to scan through all the files on his server to see which ones had recently been changed. He then filters that list, ignoring files that should have changed (log files, etc.) and narrowing it down to suspicious file changes.

How much this approach will tell you if your own site has been hacked depends on what the attacker has done and what your server setup looks like, but it should help you get moving in the right direction. Read through the full post for the specific command line tools Sutherland uses to inspect his files. If you’re not comfortable on the command line or don’t have shell access to your server you may be able to use something like Exploit Scanner (if you’re using WordPress) or a similar tool for your publishing system.

Once you know what happened and which files were affected it’s just a matter of rolling back the changes using your backups. You do have backups right? As Sutherland writes, “it’s not a matter of if something goes wrong, it’s a matter of when.” Remember: backups are only useful if you have them before you need them.

We sincerely hope your site is never hacked, however, it does happen all too frequently. As Sutherland’s write-up illustrates, one of the keys to making sure that you recover quickly is to have good backups. Do yourself a favor and spend a few minutes creating an automated backup system before something goes wrong. Now excuse me while I go make sure my pg_dump cron script is running properly.

File Under: Identity, Web Standards

New Privacy Icons Aim to Save You From Yourself

A few of the proposed privacy icons

Mozilla has taken the lead among browser vendors to make a site’s privacy settings more explicitly visible. It’s doing so by proposing visual cues in the browser that indicate what level of privacy you’re currently browsing at, and what pieces of your personal data the site you’re currently visiting is sharing with the rest of the web.

Earlier this year, Mozilla’s head user experience designer Aza Raskin proposed creating a set of icons to denote the privacy policy of a website. Now, after getting feedback from a wide range of interested groups — from the Electronic Frontier Foundation to the Federal Trade Commission — Raskin has drawn up a new and improved icon set.

The idea behind Raskin’s proposal is that the browser is the most logical place to display identity and privacy information to the user as they click around on the social web. The end goal is to produce a set for warnings similar to the way that Firefox (and other browsers) currently handle phishing attack warnings, using visual icons and simple language to explain what you’re getting into when you load a page with a different level of privacy or security.

For the active social web user, keeping track of which bits of your data are public and which are private on different sites is a chore. Some websites share your photos, status updates, your list of friends, who you’re following and other data default. Some share nothing. The rest are somewhere in the middle.

Part of the problem is the privacy policies themselves. They are complex, mind-numbingly long legal documents. We routinely ignore them, breezing past them by clicking “I agree.” Once clicked, your rights are compromised, and you may not be able to fully restore them.

A set of icons in the browser, to quickly and easily allow users to know what will happen to their data, means that users don’t need a law degree to know what’s happening to their images, status updates and other data.

The big difference between privacy icons and the phishing warnings your browser already offers, is that these icons are targeted at the websites themselves. The biggest counter-argument to Raskin’s proposal is that there’s nothing stopping a site from displaying these icons and then doing the opposite.

Raskin’s solution is to make the privacy icons supersede the written privacy policy. “When you add a Privacy Icon to your privacy policy,” writes Raskin, “it says the equivalent of ‘No matter what the rest of this privacy policy says, the following is true and preempts anything else in this document…’”

In other words, sites using the icons maliciously would face legal consequences. Of course differences in international laws mean enforcing such violations would be complex.

Still, as Raskin points out, privacy policies are fast becoming a selling point for many sites. Nearly every site we’ve tested lately has some sort of large, obvious banner that proudly proclaims the site will never share your data. Those are the kinds of sites, says Raskin, that would adopt privacy icons.

But it’s still unlikely any site would ever adopt the negative icons. If you’re sharing everything users give you with anyone who pays for it, you probably don’t want to advertise that. So the privacy icons actually become most useful when they aren’t present. Of course, as Raskin writes, “people don’t generally don’t notice an absence; just a presence.”

The solution to that problem is to make the privacy icons machine readable. The workflow would be something like this: You visit a website and decide to sign up. When Firefox encounters the sign-up form, it looks for the privacy icon. If it finds it, Firefox displays it. If Firefox doesn’t see an icon it warns you that your information may be shared using the negative icon. Either way, you know where you stand.

For now the privacy icons, good idea though they may be, are a long way from reality. Raskin calls the current mockups an “alpha” release and since Raskin is leaving Mozilla, the future of the project is unclear. If you’d like to get involved, head over the Mozilla Drumbeat Privacy Icons project page.

See Also:

File Under: Browsers, Security

Secure Firefox With New HTTPS Everywhere Add-on

Earlier this year, the Firefox add-on Firesheep created quite a controversy by making it easy to capture unencrypted web traffic.

Firesheep sniffs unencrypted cookies sent across open wi-fi networks. That means anyone with Firesheep installed can watch your browsing sessions while you lounge at Starbucks and grab your log-in credentials for Facebook, Twitter or other popular sites. Armed with those credentials, anyone using Firesheep can essentially masquerade as you all over the web, logging in to other social sites, blogs and news sites using your Facebook or Twitter username and password.

None of Firesheep’s mechanisms are new. But Firesheep made sniffing web traffic point-and-click simple — it was suddenly dead easy to do something that used to require a good bit of hacking knowledge.

The best way to protect yourself from Firesheep is simply avoid connecting to unencrypted sites when you’re on an open wi-fi network. That means making sure that you connect over HTTPS rather than HTTP everywhere you surf. But sadly, doing so is complicated and depends on which site you’re trying to connect to.

That’s where the Electronic Frontier Foundation’s HTTPS Everywhere Firefox add-on comes in. The extension makes it easy to ensure you’re connecting to secure sites by rewriting all requests to an HTTPS URL whenever you visit one of the sites it supports.

Of course if the website you’d like to visit doesn’t support HTTPS, there’s nothing the add-on can do, but for many big sites — Twitter, Facebook, Google, PayPal, The New York Times, Bit.ly, Amazon — HTTPS Everywhere automates the process for you.

With HTTPS Everywhere installed, if you type “twitter.com” in the Firefox URL bar, the browser will automatically connect to https://twitter.com rather than http://twitter.com.

That’s a good start, but it won’t completely protect you from anyone sniffing with Firesheep. The latest beta release of HTTPS Everywhere, released over the long weekend, improves the add-on’s protection against Firesheep, but you’ll need to do some extra stuff.

First, head the HTTPS Everywhere preferences (Tools -> Add Ons -> HTTPS Everywhere -> Preferences) and check the “Facebook+” rule. Then install the Adblock Plus extension and use it to block the insecure http:// advertisements and tracking sites that Facebook (and other sites) sometimes include. There are more instructions on the EFF’s site.

Now you can browse Facebook at the coffee shop in relative peace. Certain parts of Facebook may not work properly — some applications can’t use HTTPS, and the chat app won’t work — but at least you aren’t broadcasting your login credentials to anyone who wants to listen. The EFF says it has alerted Facebook to the incompatibilities, and that it’s waiting for Facebook to fix them.

See Also:

File Under: Glossary

PGP


Pretty Good Privacy is a flavor of algorithmic encryption that uses two cipher keys, one public and one private. Anyone can use a public key to send a scrambled message to the receiving party. The private key is then used only by the receiving party to unscramble incoming messages. The two-key system was developed by RSA Data Security, Inc. and PGP is the most popular type of two-key encryption available for public, non-commercial use.