Archive: security
August 7, 2014

AIB Irony

AIB is one of Ireland's largest banks. I use it for my personal banking, while the company also uses them for pretty much everything.

I've had my issues with them in the past. Most recently their rather "nutty" handling of phone calls has really peeved me.

You can read more about this here.

Short version - bank rings customer to check if charges are valid, but does so from a hidden number.

I questioned them about this again yesterday and got back a totally useless answer:

Today I was logging in to their online banking and was greeted by this:

(Screenshot: AIB online banking security warning about phone calls)

So using bank logic we, consumers, should be wary of people calling us up, but it's perfectly ok for the bank to do this?

*sigh*


April 21, 2013

Dealing With WordPress Hack Attacks

If you follow technology news you'll know that there's been a very large attack ongoing against self-hosted WordPress blogs. While the worst of the attack may have stopped for now, it's still ongoing.

Our technical team released some figures that show the scale of the attack. And we're not that big a hosting provider when you compare us to the "big boys" such as GoDaddy. Their numbers would be several orders of magnitude higher.

The attack is basically a "brute force attack", i.e. using computers / servers to try thousands of possible username / password pairs in the hope of gaining access to the WordPress control panel. By default when you install WordPress the administrator username is set to "admin", so the hackers only have to work on the password. They've already got the username for most WordPress installs.

And yes, I'll have to admit, quite a few of my WordPress installs were using the default administrator username as well. Fortunately (fingers crossed!) none of my installs had very weak passwords, so, as far as I know, none of them were compromised.

But that wasn't from lack of trying. This site alone has had several hundred hack attempts in the last couple of days that I know of (I started logging failed login attempts a couple of days ago).

If you're running WordPress installs there are a number of things you can do. Some of them will work better than others.

Obvious things ..

Don't use the default "admin" account. If you have it already then create a new user with administrator privileges and delete the old one. You can reassign all the posts from the old admin user to the new administrator account you've created.

Use a strong password. There are plenty of password generators available online or if you want you can use a password locker to help handle them for you.

There are also a lot of WordPress plugins that can help tighten up the security of your WordPress install by changing some of the default settings. Just bear in mind that some of the more comprehensive tools may impact your site's ability to work with certain themes, plugins and 3rd party services.

And make sure both your WordPress core and plugins AND themes are kept up to date. Seriously.
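The post mentions logging failed login attempts; the script below is an added example (not from the original post) that pulls the same signal out of a standard Apache access log without a plugin. It counts POSTs to wp-login.php that got a 200 back (WordPress re-renders the form on a failed login and answers 302 on success) and lists the IPs that exceed a threshold. The log lines are constructed samples.

```shell
#!/bin/sh
# Count failed wp-login.php POSTs per client IP from an Apache combined log.
# Added example; SAMPLE_LOG is constructed data, not a real server's log.

SAMPLE_LOG='203.0.113.7 - - [21/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Apr/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Apr/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.20 - - [21/Apr/2013:10:05:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.20 - - [21/Apr/2013:10:05:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
192.0.2.1 - - [21/Apr/2013:10:07:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2980 "-" "Mozilla/5.0"
192.0.2.1 - - [21/Apr/2013:10:07:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# Print "<count> <ip>" for every IP whose wp-login.php POST came back with 200
# (failed attempt), busiest first. Field layout of the combined log format:
# $1 = client IP, $6 = "METHOD (with the opening quote), $7 = path, $9 = status.
login_failures_by_ip() {
    awk '$6 == "\"POST" && $7 ~ /\/wp-login\.php/ && $9 == 200 { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# IPs with at least THRESHOLD failures (default 5), one per line. This list is
# what you would feed to fail2ban or a firewall deny rule.
brute_force_suspects() {
    login_failures_by_ip "$1" | awk -v t="${2:-5}" '$1 >= t { print $2 }'
}

# Stand-alone run against the constructed sample; on a real server pass the
# path to access.log instead of the temp file.
TMP=$(mktemp); printf '%s\n' "$SAMPLE_LOG" > "$TMP"
login_failures_by_ip "$TMP"
echo "suspects (>= 5 failures):"; brute_force_suspects "$TMP" 5
rm -f "$TMP"
```

The successful login from 192.0.2.1 (302) and its plain GET of the form are deliberately not counted, so a legitimate admin does not show up as a suspect.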


October 6, 2012

Mitnick Bio – A Fascinating Read

Free Kevin bumper sticker, advocating release of Kevin Mitnick (Photo credit: Wikipedia)

I've just finished reading Kevin Mitnick's biography - Ghost in the Wires: My Adventures as the World's Most Wanted Hacker

While it might be a biography it reads like a thriller.

Mitnick was a hacker, but he broke into systems out of curiosity - not to make money or do harm. The book covers his escapades as well as touching on some of the crazy myths attributed to him.

It's worth reading for a number of reasons, but for me one of the salient aspects was the social engineering techniques he employed. As I read the book I kept finding myself thinking about how someone could use those techniques to do serious damage against a company. And yet as you read the book you find that you cannot but side with Mitnick.

These days, unfortunately, most of the hackers you come across are trouble. They break into systems and do serious damage. Oddly enough Mitnick now works as a security consultant to help companies secure their businesses from attacks :)


July 7, 2012

Website Traffic And Hacks

A couple of months ago one of the sites I run was hacked via a nasty hole in a plugin that it was using. It took quite a bit of work to find the source of the issue and resolve it once and for all.

Once the hole had been plugged properly the traffic levels returned to normal.

But it's only when you have a reasonable amount of data that you can really see how much impact this kind of issue actually can have on a site's traffic.

Here's what a longer period looks like:

Unfortunately other sites that I run have had issues over the last few months. Some were defaced, others had nasty junk inserted - the list goes on and on.

The key lesson to be learnt from all this is to keep a close eye on your Google Analytics (or whatever you are using).

If you see a dip in traffic overnight it might be caused by Google changing their search algorithms, but it could just as easily be due to something hijacking your traffic or inserting some junk into your site's code.

If you're using WordPress make sure to remove any themes or plugins that you aren't using. If they're not installed they can't be compromised.

Keep an eye on Google Webmaster Tools and make sure all your sites are registered there (I discovered that one of mine wasn't, which made removing it from their "bad" list that bit harder).

Keep your WordPress (and other CMS) software installs up to date. Make sure that the themes you are using are up to date as well - a lot of them won't "tell you" when an update has been released, so you'll need to check manually.


April 28, 2012

Traffic Levels Returning After A Fix

It's been a week since I fixed the issue on a site that had been infected by some malware.

As I mentioned in my previous post, the malware was stealing the site's search engine traffic.

And the graphs show very clearly how things have improved in only a few days:

And if you look at that over the course of a week it's even clearer

Hopefully (fingers crossed) there won't be any other issues for a while (I'd love to say ever again, but let's face it, there's always something).


April 22, 2012

Nasty Hacks Hijack Your Site’s Traffic


Any popular content management system, be it for a blog, a website or a forum, is going to be targeted by hackers at some point. They'll try to find ways to exploit any security vulnerability that they can find.

To be honest you could expand that statement and simply say "any popular software".

If the hack is a defacement or similar you'll notice it pretty quickly, but other types of attack are much more subtle.

Instead of visibly changing a site they'll take its web traffic.

How?

By intercepting traffic coming from certain sources. So, for example, if you visit the site by typing the address directly into the address bar you won't notice anything, but if you follow a link from Google or other search engines you get sent somewhere else entirely, i.e. they intercept search engine visitors.

This kind of compromise has hit pretty much every CMS out there at some point and it's a hard one to spot unless you take the time to check your web stats regularly. If you notice a sudden dip in traffic then that might be an indicator.
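A direct way to test a site for the referer-based hijack described above, as an added example that is not part of the original post: fetch the page once with no referer (the "typed into the address bar" case) and once presenting a search-engine referer and a browser user agent, then compare where each request ends up. The site URL is a placeholder passed on the command line, and the live check needs curl.

```shell
#!/bin/sh
# Compare a direct visit with a visit "from a search engine" and flag the case
# where only the search-engine visitor is redirected. Added example, not from
# the original post; the URL argument is a placeholder.

SEARCH_REFERER='https://www.google.com/search?q=example'
BROWSER_UA='Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36'

# Outcome of one request as "<status> <redirect-target>"; the target is empty
# when no redirect is issued. Extra arguments are passed straight to curl.
fetch_outcome() {
    url=$1; shift
    curl -s -o /dev/null -m 15 -w '%{http_code} %{redirect_url}' "$@" "$url"
}

# Classify a pair of outcomes:
#   CLEAN           same status and target either way
#   SUSPECT_HIJACK  search-engine visitor is redirected, direct visitor is not
#   DIFFERENT       something else differs; worth a manual look
classify() {
    direct=$1 via_search=$2
    direct_target=${direct#* }
    search_target=${via_search#* }
    if [ "$direct" = "$via_search" ]; then
        echo CLEAN
    elif [ -z "$direct_target" ] && [ -n "$search_target" ]; then
        echo SUSPECT_HIJACK
    else
        echo DIFFERENT
    fi
}

# Run both requests against a live site and print the verdict.
check_site() {
    direct=$(fetch_outcome "$1")
    via_search=$(fetch_outcome "$1" -e "$SEARCH_REFERER" -A "$BROWSER_UA")
    echo "direct:      $direct"
    echo "from search: $via_search"
    classify "$direct" "$via_search"
}

if [ -n "${1:-}" ]; then check_site "$1"; fi
```

Only HTTP-level redirects are caught this way; a hijack injected as JavaScript or a meta refresh needs the two response bodies compared as well.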

Another way to check, in conjunction with your web stats, is to check Alexa. Yes - Alexa can be useful for something! :)

Here's a screenshot of the stats for a site that was infected by a vBulletin hack:

(Screenshot: Alexa clickstream, downstream sites)

The top two sites are not legit and are being used by a number of hacks targeting vBulletin installs to hijack traffic.

If you're using vBulletin there are a couple of tools available that can help detect and remove infections. vBSEO has a good thread on a hack that impacted them and also provides both removal and monitoring tools. There's also a plugin that will check your vBulletin install for dodgy code. Most of the vBulletin hacks I've seen hide themselves in the datastore, so reloading it can remove them, though obviously you need to find the point of entry or it'll just get reinfected again.

If your site is set up in Google Webmaster Tools you can keep an eye out for any notifications there. While Google's tools may not catch all hacks they can spot quite a few and will also do things like informing you of updates to your CMS.

No matter what CMS you are using make sure you keep it up to date AND check for updates for any plugins or extensions you might be using. Remember the TimThumb security issue last year? Thousands of WordPress installs were compromised via a hole in a popular script that was being used by a lot of templates, themes and plugins. Nasty!

Remove plugins and extensions that you aren't using. Even if they're not "active" a malicious 3rd party could exploit them.

If you're running WordPress remove themes that you aren't using. The default ones that ship with WordPress will be kept up to date automatically, along with your core WordPress install, but a lot of 3rd party theme developers don't provide notifications or automated updates.

If anyone has any other tips or tricks please share them via the comments.


January 8, 2012

Working With SuPHP Permissions and Ownership

I switched one of my web servers over to use suPHP a few weeks ago, as it's a lot more secure.

However moving from mod_php to suPHP does require a small bit of tweaking of files and directories.

Under mod_php you can easily end up with a lot of files and directories being owned by the Apache user, which on Debian / Ubuntu is "www-data". You'll need to change the ownership of all those files to the website user.

The other thing to watch out for is permissions: setting files to 644 should fix any errors you're getting.

Another issue I ran into was this error in the logs:

SoftException in Application.cpp:564: Directory "/home/www/www.xxxx.xx/web" is writeable by group

Solution is to chmod 755 the web directory.

After doing a default install and configuration of SuPHP you might run into difficulties running PhpMyAdmin, as the standard SuPHP configuration will forbid it.

The fix is to tweak the settings by adding the following to your main suphp.conf:

<Directory /usr/share/phpmyadmin>
    suPHP_Engine on
</Directory>
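The ownership and permission fixes above applied to a whole document root, with a check afterwards for anything suPHP would still reject (wrong owner, or a file or directory writable by group or others, which is what the "writeable by group" error is about). Added example, not from the original post; the document root path and the site user and group are assumptions passed as arguments.

```shell
#!/bin/sh
# Migrate a document root from mod_php to suPHP: every entry must belong to the
# site user and be 644 (files) / 755 (directories), because suPHP refuses to run
# scripts owned by the wrong user or sitting in a group/world-writable directory.
# Added example; usage: fix_suphp_tree DOCROOT SITE_USER SITE_GROUP

# List every entry suPHP would still complain about: not owned by the site user,
# or writable by group or others. Empty output means the tree is clean.
suphp_violations() {
    find "$1" \( ! -user "$2" -o -perm -g=w -o -perm -o=w \) -print
}

# Number of such entries, for a before/after comparison.
count_violations() {
    suphp_violations "$1" "$2" | wc -l | tr -d ' '
}

# Take ownership away from the Apache user (www-data on Debian / Ubuntu) and
# normalise the modes. chmod is run per type so files never end up executable.
fix_suphp_tree() {
    root=$1 user=$2 group=$3
    chown -R "$user:$group" "$root"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# Stand-alone demonstration on a throwaway tree (constructed; no real site is
# touched). On a real server you would run fix_suphp_tree on the docroot itself.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/web/wp-content"
    echo '<?php phpinfo();' > "$tmp/web/index.php"
    chmod 777 "$tmp/web"; chmod 775 "$tmp/web/wp-content"; chmod 666 "$tmp/web/index.php"
    me=$(id -un); mygroup=$(id -gn)
    echo "before: $(count_violations "$tmp/web" "$me") entries suPHP would reject"
    fix_suphp_tree "$tmp/web" "$me" "$mygroup"
    echo "after:  $(count_violations "$tmp/web" "$me") entries suPHP would reject"
    rm -rf "$tmp"
}

demo
```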


August 7, 2011

TimThumb Updated To Version 2

Just a headsup if you're using a theme that uses TimThumb.

Due to all the security issues with the plugin / script (it's a single file) the developers issued a number of updates over the last few days which culminated in the release of version 2.

You should also update the file in any themes that are not active OR delete the themes, as the vulnerability is potentially accessible even if the theme isn't active.

You can download the latest version here


March 4, 2011

Checking Which Ports Are Doing What On Linux

From time to time it's handy to be able to see exactly which process is using a particular port on a Linux system - especially if you're debugging issues.

This command will let you see exactly what's going on - you simply change the port number:

lsof -i:80

If you need the standard port numbers you can check this list

January 9, 2011

Fine Gael New Website Defaced

Fine Gael's new website has been defaced.
Screenshot below:

(Screenshot: the defaced Fine Gael website)

They were the only major political party to still host their website in Ireland up until very recently.

UPDATE 2135: The Fine Gael site is now completely offline with this default holder up instead:

(Screenshot: Fine Gael default holding page, 9 January 2011, 21:37)

By the sounds of things the defacement was due to bad coding. People were able to post comments including JavaScript which was actually executed, instead of being stripped out. As Homer would say - doh!

UPDATE 00:20
There is now a more official looking holder page up:

(Screenshot: Fine Gael holding page, 10 January 2011, 00:23)

Wait for the wonderfully vague (and inaccurate) excuses and explanation from Fine Gael spokespeople in the coming days ...

Update 0930
The Fine Gael website is back up and running with no evidence of the defacement in sight. It's also not clear whether they have taken any measures to improve the coding of the site to stop the kind of attack that happened last night. It seems that they had another message on the site during the night which tried to spin the hack (via Kieran Lane):

(Screenshot: Fine Gael's overnight message about the hack)
I have a few problems with this message and the total lack of any message on the site at present.
To start with trying to spin the defacement in this manner is really not that bright. Either they think we're all dumb or their spin doctors are more naive than I thought.
Secondly it's not clear if the defacement's attack vector has been patched properly or not. Under normal circumstances I would assume that it had, but considering how simple the "hack" was I wouldn't be overly confident of them having fixed it.

UPDATE 1038:
It now transpires that the defacement was a lot more serious and several thousand people's contact details may have been compromised. No mention of any of this that I can see on the Fine Gael site.. And their WHOIS data doesn't exactly instil any confidence in them ..

UPDATE 1135
The spin continues.
Fine Gael are now claiming that the site was "professionally hacked". Even though several people have pointed out how the site was easily compromised they seem to be ignoring this completely.
They sent the following email to their "supporters" with the subject line: FG Website Professionally Hacked / Authorities Notified

(Screenshot: Fine Gael email to supporters about the compromised data)

Update 20:05
At some point today, probably after they sent out the email above (?) the Fine Gael website was taken offline and the following message put up:

Fine Gael holding page - "professional hack"

It's basically the same text as they used in their email.
Some sources are stating that the FBI has now been contacted. This is quite normal and has nothing to do with the site's profile.

Update Tuesday 11 January 19:25

At present Fine Gael does not have a functioning website. The .ie (finegael.ie) which they had been using for years is still redirected to the .com, which has been offline since yesterday. FineGael.com is currently pointing to a default IIS7 page.
So the main opposition party in Ireland is basically "offline"

UPDATE Wednesday 12 January 17:45

While searching for an article related to this incident I got the following (click to enlarge) :

(Screenshot: Google search results for the Fine Gael site)

You'll notice a couple of things:

  1. Fine Gael are paying for Google Adwords to drive traffic to a holding page. I've no idea how much they're paying per click, but it's a waste of money at present due to the site being completely offline.
  2. The link to Enda Kenny's page on the Fine Gael website no longer works, as they've redirected ALL traffic for *.finegael.ie to the new site, which is still offline. Oddly enough Fine Gael sub-sections in the format www.politicianname.finegael.ie are still working.

According to an article on Forbes the Anonymous group are denying responsibility for the hack and have also given some very plausible explanations as to why they could not have been involved. Worth reading.

UPDATE Friday 14 January 19:00

The Fine Gael website is back online. It's now carrying a message from Enda Kenny about the hacking incident:

A couple of weeks ago I said that I wanted to hear from you and despite the recent interruption to the website, I still do.

You may be aware this website was hacked on January 9, 2011 and Fine Gael is now assisting the relevant authorities in their ongoing investigations. We very much regret that contact data that the public supplied as part of an open and genuine conversation about the future of our country was accessed in the course of this hacking incident. For now we have removed the email and mobile phone sections of the Comment forms but we still want to hear your views, opinions and concerns about the issues facing our country.

This video I recorded at the end of last week was a response to the overwhelming participation on the site, since going live. The message in the video remains the same, even if we have been delayed in posting it to this site.

I am looking forward to hearing your comments on what's needed to change our country once more.

I'm a little confused by the removal of the email and phone sections of the comment forms. Does this mean that they still haven't secured the site completely, or is this some kind of attempt to make people feel that they're being more careful about personal data?

Speaking of Enda Kenny ...

Googling for him at the moment gets some rather "interesting" results.

His page on the Fine Gael site is not reachable, as mentioned before. However it is quite easy to get to endakenny.com. You'd think this was either his site or that of the folk singer based in Australia. It's not. It's a Bebo page which is obviously a "spoof site" setup by someone who doesn't particularly like Enda Kenny or Fine Gael ..
