Archive | security
August 31, 2015

Outlook On The Mac Is A Phisher’s Wet Dream


I get quite a few phishing emails on some of my email addresses, partially because I like seeing what is "in the wild".

One of the rather annoying things about Outlook on the Mac in Office 2016 for the Mac is that the email address of a sender is hidden. Sure, you can access it, but you have to dig.

So phishers worldwide are probably delighted:


Microsoft probably thinks that doing things this way makes the software more "user friendly", but unless they really want to make it too easy for phishers to target Microsoft users, their assumptions are seriously flawed. It's also worth noting that they're able to display the receiving address without any issue.

And here's the payload:


Of course I have a Netflix account so until I looked at the email a bit more carefully it was quite believable.

And if you do click on the link in the email of course you are directed to a dodgy site that the phisher has compromised and is using to collect victims' credit card details:


So, Microsoft, seriously: fix your bloody software!



April 28, 2015

Irish Water Doesn’t Quite “Get” Online


Over the past year there's been a very heated debacle around the entire subject of water charges in Ireland. Personally I think the government managed the entire thing really badly, but it looks like it's been more or less resolved now. Sure, some people are still very unhappy and are continuing to demonstrate against the charges, but I suspect quite a few people have simply moved on (though I could be wrong).

I registered with Irish Water months ago and opted for the paperless billing. I think I was given the option to sign up for a direct debit at the time, but I wasn't overly impressed with their data protection and privacy.

So today I got my first bill via email:


There are a couple of problems with this email: the very "generic" greeting smells "phishy", and my email client hasn't downloaded a lot of the images (other people reported that their email client flagged the email as spam).

At a technical level neither nor the subdomain they're using for sending the emails have any SPF records, so they might run into issues sending emails to several of the ISPs and mail handlers.

Irish Water have my full contact details so they should be able to email me in a more personalised fashion which would look a lot less "dodgy".

Also, all the hyperlinks were textual, i.e. you cannot see what domain name you're being sent to until you've actually clicked on them, so it would be quite easy for someone to use this kind of email to phish my personal details. Am I being paranoid? No. Just look at the data.

So I finally get logged in to my account. A relatively nice touch is that they ask you to set a custom question / answer, but of course the question / answer is one of the rather pedestrian set that practically everyone uses, so again it's open to social engineering.

Two factor authentication would have been preferable.

Once logged in I can see how much I owe as well as being offered options to pay.

So since I am likely to overlook a bill (or simply forget to pay it) I set myself up for direct debits.

That was relatively painless.

But of course I still had an outstanding bill:


I took that screenshot just now - which is the problem.

Even though I am able to pay the bill online via credit card they obviously didn't tie their payment system into their billing system properly. So yes, it will take up to three working days for the bill I just paid online to be recognised by their systems.

Considering how much money was spent on setting up Irish Water you'd think they'd get this right!





August 7, 2014

AIB Irony


AIB is one of Ireland's largest banks. I use it for my personal banking, while the company also uses them for pretty much everything.

I've had my issues with them in the past. Most recently their rather "nutty" handling of phone calls has really peeved me.

You can read more about this here.

Short version - bank rings customer to check if charges are valid, but does so from a hidden number.

I questioned them about this again yesterday and got back a totally useless answer:

Today I was logging in to their online banking and was greeted by this:


So using bank logic we, consumers, should be wary of people calling us up, but it's perfectly ok for the bank to do this?



April 21, 2013

Dealing With WordPress Hack Attacks


If you follow technology news you'll know that there's been a very large attack ongoing against self-hosted WordPress blogs. While the worst of it may have passed for now, it's still ongoing.

Our technical team released some figures that show the scale of the attack. And we're not that big a hosting provider when you compare us to the "big boys" such as GoDaddy. Their numbers would be several orders of magnitude higher.

The attack is basically a "brute force attack", i.e. using computers / servers to generate thousands of possible username / password pairs in the hope of gaining access to the WordPress control panel. By default when you install WordPress the administrator username is set to "admin", so the hackers only have to work on the password. They've already got the username for most WordPress installs.

And yes, I'll have to admit, quite a few of my WordPress installs were using the default administrator username as well. Fortunately (fingers crossed!) none of my installs had very weak passwords, so, as far as I know, none of them were compromised.

But that wasn't for lack of trying. This site alone has had several hundred hack attempts in the last couple of days that I know of (I started logging failed login attempts a couple of days ago).

If you're running WordPress installs there are a number of things you can do. Some of them will work better than others.

Obvious things:

Don't use the default "admin" account. If you have it already then create a new user with administrator privileges and delete the old one. You can reassign all the posts from the old admin user to the new administrator account you've created.

Use a strong password. There are plenty of password generators available online or if you want you can use a password locker to help handle them for you.

There are also a lot of WordPress plugins that can help tighten up the security of your WordPress install by changing some of the default settings. Just bear in mind that some of the more comprehensive tools may impact your site's ability to work with certain themes, plugins and 3rd party services.

And make sure both your WordPress core and plugins AND themes are kept up to date. Seriously.
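One way to do the failed-login logging mentioned above from the web server's access log, as an added example that is not code from the original post: the sample log lines are constructed (RFC 5737 documentation addresses), and the function name `suspicious_login_ips` is a name chosen here.

```shell
# Added example (not code from the original post): spot a wp-login.php
# brute-force run in an Apache combined access log. Sample lines below are
# constructed; the addresses are documentation ranges, not real attackers.
SAMPLE_LOG='203.0.113.7 - - [19/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3450 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3450 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3450 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3450 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3450 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3450 "-" "Mozilla/5.0"
192.0.2.9 - - [19/Apr/2013:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3450 "-" "Mozilla/5.0"
198.51.100.2 - - [19/Apr/2013:10:00:09 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
198.51.100.2 - - [19/Apr/2013:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# Read an access log on stdin and print (sorted) every client IP that made at
# least $1 failed login attempts within a single minute. WordPress redraws the
# login form with HTTP 200 on a bad password and answers a good one with a 302
# redirect to wp-admin, so only POSTs that got a 200 are counted as failures.
suspicious_login_ips() {
  limit="${1:-5}"
  awk -v limit="$limit" '
    $6 == "\"POST" && $7 == "/wp-login.php" && $9 == "200" {
      # $4 is "[19/Apr/2013:10:00:01"; chars 2-18 give the minute bucket
      minute = substr($4, 2, 17)
      count[$1 SUBSEP minute]++
    }
    END {
      for (k in count) {
        if (count[k] < limit) continue
        split(k, parts, SUBSEP)
        if (!(parts[1] in seen)) { seen[parts[1]] = 1; print parts[1] }
      }
    }' | sort
}

# Stand-alone run: the 203.0.113.7 burst trips the default threshold of 5.
printf '%s\n' "$SAMPLE_LOG" | suspicious_login_ips
```

Against a live server you would feed it the real log instead (`suspicious_login_ips 10 < /var/log/apache2/access.log`), and a GET of wp-login.php followed by one 302 is an ordinary successful login, not an attack.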



October 6, 2012

Mitnick Bio – A Fascinating Read


Free Kevin bumper sticker, advocating release of Kevin Mitnick (Photo credit: Wikipedia)

I've just finished reading Kevin Mitnick's biography, Ghost in the Wires: My Adventures as the World's Most Wanted Hacker.

While it might be a biography it reads like a thriller.

Mitnick was a hacker, but he broke into systems out of curiosity - not to make money or do harm. The book covers his escapades as well as touching on some of the crazy myths attributed to him.

It's worth reading for a number of reasons, but for me one of the salient aspects was the social engineering techniques he employed. As I read the book I kept finding myself thinking about how someone could use those techniques to do serious damage against a company. And yet as you read the book you find that you cannot but side with Mitnick.

These days, unfortunately, most of the hackers you come across are trouble. They break into systems and do serious damage. Oddly enough Mitnick now works as a security consultant to help companies secure their businesses from attacks :)


July 7, 2012

Website Traffic And Hacks


A couple of months ago one of the sites I run was hacked via a nasty hole in a plugin that it was using. It took quite a bit of work to find the source of the issue and resolve it once and for all.

Once the hole had been plugged properly the traffic levels returned to normal.

But it's only when you have a reasonable amount of data that you can really see how much impact this kind of issue actually can have on a site's traffic.

Here's what a longer period looks like:

Unfortunately other sites that I run have had issues over the last few months. Some were defaced, others had nasty junk inserted - the list goes on and on.

The key lesson to be learnt from all this is to keep a close eye on your Google Analytics (or whatever you are using).

If you see a dip in traffic overnight it might be caused by Google changing their search algorithms, but it could just as easily be due to something hijacking your traffic or inserting some junk into your site's code.

If you're using WordPress make sure to remove any themes or plugins that you aren't using. If they're not installed they can't be compromised.

Keep an eye on Google Webmaster Tools and make sure all your sites are registered there (I discovered that one of mine wasn't, which made removing it from their "bad" list that bit harder).

Keep your WordPress (and other CMS) software installs up to date. Make sure that the themes you are using are up to date as well - a lot of them won't "tell you" when an update has been released, so you'll need to check manually.


April 28, 2012

Traffic Levels Returning After A Fix

traffic levels growing

It's been a week since I fixed the issue on a site that had been infected by some malware.

As I mentioned in my previous post, the malware was stealing the site's search engine traffic.

And the graphs show very clearly how things have improved in only a few days:

And if you look at that over the course of a week it's even clearer.

Hopefully (fingers crossed) there won't be any other issues for a while (I'd love to say ever again, but let's face it, there's always something).




April 22, 2012

Nasty Hacks Hijack Your Site’s Traffic

Alexa clickstream - downstream sites

Any popular content management system, be it for a blog, a website or a forum, is going to be targeted by hackers at some point. They'll try to find ways to exploit any security vulnerability that they can find.

To be honest you could expand that statement and simply say "any popular software".

If the hack is a defacement or similar you'll notice it pretty quickly, but other types of attack are much more subtle.

Instead of visibly changing a site they'll take its web traffic.


They do this by intercepting traffic coming from certain sources. So, for example, if you visit the site by typing the address directly into the address bar you won't notice anything, but if you follow a link from Google or another search engine you get sent somewhere else entirely, i.e. they intercept search engine visitors.

This kind of compromise has hit pretty much every CMS out there at some point and it's a hard one to spot unless you take the time to check your web stats regularly. If you notice a sudden dip in traffic then that might be an indicator.

Another way to check, in conjunction with your web stats, is to check Alexa. Yes - Alexa can be useful for something! :)

Here's a screenshot of the stats for a site that was infected by a vBulletin hack:

The top two sites are not legit and are being used by a number of hacks targeting vBulletin installs to hijack traffic.

If you're using vBulletin there are a couple of tools available that can help detect and remove infections. vBSEO has a good thread on a hack that impacted them and also provides both removal and monitoring tools. There's also a plugin that will check your vBulletin install for dodgy code. Most of the vBulletin hacks I've seen hide themselves in the datastore, so reloading it can remove them, though obviously you need to find the point of entry or it'll just get reinfected.

If your site is set up in Google Webmaster Tools you can keep an eye out for any notifications there. While Google's tools may not catch all hacks they can spot quite a few and will also do things like informing you of updates to your CMS.

No matter what CMS you are using make sure you keep it up to date AND check for updates for any plugins or extensions you might be using. Remember the TimThumb security issue last year? Thousands of WordPress installs were compromised via a hole in a popular script that was being used by a lot of templates, themes and plugins. Nasty!

Remove plugins and extensions that you aren't using. Even if they're not "active" a malicious 3rd party could exploit them.

If you're running WordPress remove themes that you aren't using. The default ones that ship with WordPress will be kept up to date automatically, along with your core WordPress install, but a lot of 3rd party theme developers don't provide notifications or automated updates.

If anyone has any other tips or tricks please share them via the comments.


January 8, 2012

Working With SuPHP Permissions and Ownership

I switched one of my web servers over to use SuPHP a few weeks ago, as it's a lot more secure.

However moving from mod_php to suPHP does require a small bit of tweaking of files and directories.

Under mod_php you can easily end up with a lot of files and directories being owned by the Apache user, which on Debian / Ubuntu is "www-data". You'll need to change the ownership of all those files to the website user.

The other thing to watch out for is permissions - setting them to 644 should fix any errors you're getting.

Another issue I ran into was this error in the logs:

SoftException in Application.cpp:564: Directory "/home/www/www.xxxx.xx/web" is writeable by group

Solution is to chmod 755 the web directory.
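The ownership and permission clean-up described above (www-data files handed back to the site user, files 644, directories 755) as one script; this is an added example, not code from the original post, and `fix_suphp_tree` / `count_bad_modes` are names chosen here. It assumes the site user's group has the same name as the user, as it does with Debian's user-private groups.

```shell
# Added example (not from the original post): the ownership and permission
# clean-up the post describes, as one function. fix_suphp_tree and
# count_bad_modes are names chosen here; pass the site's document root and
# the Unix user the site's PHP should run as.
fix_suphp_tree() {
  webroot="$1"
  site_user="$2"
  [ -d "$webroot" ] || return 1
  # suPHP refuses to serve from a group- or world-writable directory
  # ("Directory ... is writeable by group"), so every directory gets 755.
  find "$webroot" -type d -exec chmod 755 {} +
  # Scripts and static files only need to be readable: 644.
  find "$webroot" -type f -exec chmod 644 {} +
  # Files left owned by the Apache user (www-data under mod_php) must move
  # to the site user. chown needs root; without it, just list the offenders.
  # Assumes the site user's group carries the same name (Debian default).
  if [ "$(id -u)" -eq 0 ]; then
    find "$webroot" ! -user "$site_user" -exec chown "$site_user:$site_user" {} +
  else
    find "$webroot" ! -user "$site_user" -print
  fi
}

# Number of entries still outside the 755 (dirs) / 644 (files) rule; 0 = clean.
count_bad_modes() {
  { find "$1" -type d ! -perm 755; find "$1" -type f ! -perm 644; } | wc -l | tr -d ' '
}

# Demo on a throwaway tree (constructed here) so the script runs anywhere.
demo_root="$(mktemp -d)/web"
mkdir -p "$demo_root/wp-content" && : > "$demo_root/index.php"
chmod 777 "$demo_root/wp-content"; chmod 666 "$demo_root/index.php"
echo "before: $(count_bad_modes "$demo_root") bad modes"
fix_suphp_tree "$demo_root" "$(id -un)"
echo "after:  $(count_bad_modes "$demo_root") bad modes"
rm -rf "$(dirname "$demo_root")"
```

On a real host you would call `fix_suphp_tree /home/www/<site>/web <siteuser>` as root; anything that genuinely needs to be writable (an uploads directory) then gets loosened individually rather than the whole tree.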

After doing a default install and configuration of SuPHP you might run into difficulties running PhpMyAdmin, as the standard SuPHP configuration will forbid it.

The fix is to tweak the settings: add the following to your main suphp.conf:

<Directory /usr/share/phpmyadmin>
        suPHP_Engine on
</Directory>



August 7, 2011

TimThumb Updated To Version 2

Just a heads-up if you're using a theme that uses TimThumb.

Due to all the security issues with the plugin / script (it's a single file) the developers issued a number of updates over the last few days which culminated in the release of version 2.

You should also update the file in any themes that are not active OR delete the themes, as the vulnerability is potentially accessible even if the theme isn't active.

You can download the latest version here.

