Hackers, Bots, and Bores

A few minutes ago, I tweeted “It’s fun using #Wordfence to watch bots try to login as ‘admin’ to my #WordPress sites. I auto-block that ID.” And it is, although the ongoing attempts are both annoying and a waste of bandwidth.  This was a big deal a few weeks ago. In fact, the sheer volume of attempts to log in as ‘admin’, over and over again with commonly used passwords, was enough to bring down several shared hosting sites.

As a hosting server, what can you do?  It seems to me that you should monitor HTTP traffic, looking for multiple login attempts with the ID ‘admin’, and use firewall blocks to throttle traffic from those IP addresses.  I chose to say “throttle” rather than “block” because — just maybe — there might be a real user out there struggling to remember his admin password.
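As an added example (not code from the original post), here is the kind of sliding-window check a host could run over login events to throttle, rather than permanently block, a source IP that keeps failing as ‘admin’. The log format, addresses and timestamps are constructed for the example; the throttle lapses after a fixed time so a forgetful real user gets back in.

```python
"""Sliding-window throttle for failed 'admin' logins, keyed by source IP.
Added example, not from the original post. The log format, addresses and
timestamps below are constructed; a host would feed this from its web logs."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)        # look-back window for counting failures
THRESHOLD = 5                         # failures within WINDOW that trigger a throttle
THROTTLE_FOR = timedelta(minutes=10)  # temporary, so a forgetful real user recovers

# Constructed sample events: "<ISO timestamp> <client ip> <user> <result>"
SAMPLE_LOG = """\
2013-04-15T10:00:01 203.0.113.7 admin fail
2013-04-15T10:00:02 203.0.113.7 admin fail
2013-04-15T10:00:03 203.0.113.7 admin fail
2013-04-15T10:00:04 203.0.113.7 admin fail
2013-04-15T10:00:05 203.0.113.7 admin fail
2013-04-15T10:00:06 203.0.113.7 admin fail
2013-04-15T10:00:30 198.51.100.9 admin fail
2013-04-15T10:01:00 198.51.100.9 editor ok
2013-04-15T10:09:59 203.0.113.7 admin fail
2013-04-15T10:10:06 203.0.113.7 admin fail
"""


def parse(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def throttle_decisions(log_text, target_user="admin"):
    """Return {ip: [(throttle_start, throttle_end), ...]} for every IP that
    fails THRESHOLD logins as target_user inside WINDOW."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    throttled_until = {}            # ip -> when its current throttle lapses
    decisions = defaultdict(list)
    for line in log_text.splitlines():
        ts, ip, user, result = parse(line)
        if user != target_user or result != "fail":
            continue
        until = throttled_until.get(ip)
        if until is not None and ts < until:
            continue                # still throttled; the firewall handles it
        window = failures[ip]
        window.append(ts)
        while ts - window[0] > WINDOW:
            window.popleft()        # forget failures older than the window
        if len(window) >= THRESHOLD:
            throttled_until[ip] = ts + THROTTLE_FOR
            decisions[ip].append((ts, ts + THROTTLE_FOR))
            window.clear()          # count afresh after the throttle lapses
    return dict(decisions)
```

Feeding the sample through it, only 203.0.113.7 earns a throttle (from its fifth failure at 10:00:05 until 10:10:05); the single failure from 198.51.100.9 never reaches the threshold.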

As a WordPress site owner, what can you do?  First, don’t have a user named ‘admin’.  They can’t log in to an account that’s not there! Second, install the WordFence plugin.  On the options panel, enable “Login Security” with fairly aggressive settings:

If you want to see if it’s effective, enable WordFence’s “Live Traffic View” and, on the Live Traffic panel, click on the “Logins and Logouts” tab.

If you set up your WordPress site with an ‘admin’ user, how do you remove it without breaking the site?

  1. Create a new user on the site that you’ll use for administrative purposes.  Make sure you give it a strong password and don’t forget to assign it the administrator role.
  2. Log out and log back in as the user you just created.
  3. Under “Users”, select and delete the original administrative user, ‘admin’.  WordPress will allow you to reassign content posted by this user to another user.

How else do you secure your WordPress sites?

How Do You Enable Better Security? Two Factor Authentication

What is two-factor authentication?

Typically, we log in someplace with an ID and a password. That combination is good everywhere, everyplace, every time, and is often saved on the device. It’s convenient, but if someone knows your ID and password, they can log in anywhere and get to all your stuff controlled by that account. If it’s something like a Google account, that might include your email, files, calendar, and sites that let you log in using your Google credentials.

With two-factor authentication, logging in on a new or untrusted device requires that ID and password, plus a code delivered to an independent device.  Even if someone knows your ID and password, they won’t have access to your device.

2-step verification drastically reduces the chances of having the personal information in your Google account stolen by someone else. Why? Because hackers would have to not only get your password and your username, they’d have to get a hold of your phone.

Here’s what I had to do to enable two-step authentication on my Google Apps account:

  • logged in at https://accounts.google.com/ and went to the account security page at https://www.google.com/settings/security
  • installed the “Google Authenticator App” on my iPhone to receive verification codes
  • set the computer I’m setting this up on as trusted (the default setting). It’s my home desktop and it’s reasonably secure.
  • turned on 2 step verification
  • added backup phones (home phone, wife’s mobile)
  • clicked the button to go forward with creating application specific passwords and to review applications with access to my Google account — WOW, there are sure a lot of them.
  • at this point, all sorts of “unable to log in” boxes are popping up on things
  • generated and entered app specific passwords for
    • iphone mail
    • ipad mail
    • desktop mail
    • mac mail (had to also enter the password for the calendar app)
    • chrome synch
  • Enabled browser logins to Google services on each device and checked the “good for 30 days” box.

On my account management page, https://accounts.google.com/b/0/SmsAuthConfig, I can disable all of those verification codes. It would be nice if I could see what codes had been used and deactivate individual devices, but in an emergency situation, I suppose it’s best to disable any device not marked as trusted.

The total setup time, including taking notes and typing really difficult strings was about 20 minutes. I like to think that my 9th grade touch typing teacher, who didn’t see much promise in me or my attitude, would be very proud of me as I typed those 16 character passwords.

The Google Authenticator is interesting – it works like those RSA keys that present a new code every 30 seconds or so.
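The rotating 30-second code the post compares to an RSA token is the TOTP algorithm (RFC 6238); the following is an added example, not code from the original post, showing how the code is derived and how the server side checks it while tolerating a little clock drift. The secret is the RFC 6238 test vector, not anyone’s real account key.

```python
"""RFC 6238 TOTP, the scheme behind Google Authenticator and RSA-style tokens.
Added example, not from the original post. The secret is the RFC 6238 test
vector ("12345678901234567890"), not a real account key."""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per code: the "new code every 30 seconds" the post mentions
DIGITS = 6

RFC_SECRET = b"12345678901234567890"
# Authenticator apps receive the secret base32-encoded in the enrollment QR code.
RFC_SECRET_BASE32 = base64.b32encode(RFC_SECRET).decode()


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1(secret, counter) -> dynamic truncation -> digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # low nibble picks 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)    # keep leading zeros


def totp(secret, at_time=None, step=STEP):
    """Code for the time step containing at_time (default: now)."""
    t = int(time.time() if at_time is None else at_time)
    return hotp(secret, t // step)


def verify(secret, code, at_time=None, skew=1, step=STEP):
    """Server side: accept the current step plus `skew` neighbours to tolerate
    clock drift, comparing in constant time so timing reveals nothing."""
    t = int(time.time() if at_time is None else at_time)
    return any(hmac.compare_digest(hotp(secret, t // step + k), code)
               for k in range(-skew, skew + 1))


def secret_from_base32(encoded):
    """Decode a base32 secret as carried in an otpauth:// enrollment URI."""
    encoded = encoded.strip().upper()
    return base64.b32decode(encoded + "=" * (-len(encoded) % 8))
```

With the RFC secret, `totp(RFC_SECRET, at_time=59)` yields 287082, matching the published test vector, and a code from the previous step is accepted only when the verifier allows one step of skew.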

Current Version of the Application on iPhone

Does an iPad need a firewall?

We got into a discussion last night about using an iPad on an unsecured WiFi network, like in a Starbucks or in a hotel.  What does the iPad expose to the network?

I’ve run a pretty intense scan against my iPad using Zenmap and found that the following ports are open:

  • 62078 – This is used for syncing over WiFi to iTunes.  Disabling WiFi sync closes the port.  There seem to be some security and authentication protocols involved here.
  • 5353 – MDNS. The iPad is listening for devices advertising via the Bonjour (Avahi) protocol.

So, the question is whether the data sent for syncing is encrypted and whether the authentication protocol is reasonably strong.  Unfortunately, I have yet to discover anything definitive about this on an Apple site. This whitepaper from Apple indicates that there’s lots of encryption taking place.   (If you can find a link, please add a comment!)

Here’s a link to someone else who’s looked into this.

Here are the raw scan results

Nmap scan report for
Host is up (0.0047s latency).
Not shown: 1945 closed ports, 53 filtered ports
62078/tcp open  iphone-sync?
5353/udp  open  mdns         DNS-based service discovery
62078/tcp apple-mobdev
Address= fe80:0:0:0:2a6a:baff:fe07:abc
MAC Address: 28:6A:BA:07:0A:BC (Ieee-sa)
Device type: media device|phone
Running: Apple iOS 4.X|5.X
OS CPE: cpe:/o:apple:iphone_os:4 cpe:/o:apple:iphone_os:5
OS details: Apple iOS 4.4.2 – 5.0.1 (Darwin 11.0.0)
Uptime guess: 25.552 days (since Tue Jul 24 00:07:00 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=252 (Good luck!)
IP ID Sequence Generation: Randomized

Who tweets for you? You’d be surprised!

Are you the only person who can tweet on your twitter account?  The answer is probably “no”.

As I checked Twitter this morning, I found a number of tweets from a friend that related to a Miracle Berry product. Amazing weight loss products have nothing to do with her business.  I sent her the following:

Hi, xxxxx.
There are a couple of posts from you on twitter that point to sites that are inconsistent with your normal tweeting pattern.
Please login to Twitter ASAP to see if these are yours. If not, you can delete the tweets and change your twitter password.  Also, go to your Twitter account settings and see which applications have authority to post tweets through your account. Disable any that you don’t recognize or don’t currently use.  Link is https://twitter.com/settings/applications
Well, that’s probably good advice for me, too. I checked my applications page and found that over the last year or so, I’ve given over 25 applications and services the right to post tweets on my behalf.  In that fine print we all ignore when clicking on the “login with Twitter” button on various web sites, we often grant applications and web sites the right to post items to our Twitter feed. It’s a good idea to take a few minutes now, review the list, and revoke permissions for those you’re not currently using or don’t recognize.

How did my friend’s account get compromised? We’ll probably never know.  It could be a rogue application or a non-SSL login on an open WiFi access point. It could also be a password she uses on multiple websites and services, where one was either hacked or was designed as a password collector.

The key takeaways are to keep an eye on your tweets, change your password from time to time, never re-use a password, and review the applications allowed to post on your behalf.

To whom have you given the keys to your Twitter and Facebook feeds?

Internet Neighborhood Watch

As we all know, the Internet is a pretty wild place.  You have to keep your doors locked. The locks include firewalls, enforcement of strong password policies, attention to and fast application of software and system updates.  Another thing you can do is to keep an eye on activities and warn your neighbors.  Please be advised that this site is doing that.

We participate in the following projects:

  • Project Honeypot
    Project Honeypot adds a page to the site that would only be found by automated visitors. That page includes an obscured email address.  If Project Honeypot receives email at that address, it can trace it back to the IP address of the automated visitor that read it here and correlates its activities on other sites. When they have a good case that the IP address is being used by a spammer to harvest email addresses on the web, they take legal action against the spammer.
  • The 404 Project
    The 404 Project is a new security project from SANS that tracks the web pages commonly attacked by scanning tools. When scanners locate these pages on a site, they start a more targeted attack to gain access into the system.  This is similar to SANS’s DShield project, which collects firewall logs from participating sites.
  • Mollom
    Mollom is a project from Dries Buytaert, creator of Drupal. Mollom analyzes comments posted on Drupal and WordPress sites, blocking spam posts, and creating a database of spammy content and spammer IP addresses.

What do you do to protect your sites?  Do you feel that these systems unacceptably compromise your privacy? Do they make the Internet any safer?

Your comments are welcome!

Anti-Virus on my Mac – Planning for the low probability event

Despite the large number of people who say that (1) there are no viruses targeting the Mac and (2) even if there were, the Mac's near perfection would prevent them from infecting any machines, I believe that there is stuff out there and it's just a matter of time before someone develops a really effective bit of malware targeting Macs.* It's debatable whether one needs an antivirus program on a Mac, but on a cost/benefit basis, it seems to me that one ought to be protected.

I'm currently testing the free Home Edition for the Mac from Sophos.  It seems to have a fairly light footprint and doesn't seem to interfere with normal processing.  I did tell the auto-protect subsystem to ignore the VMWare files. There's no point in scanning those, and I'm using a Windows AV program inside the Windows XP virtual machine.

I had previously tried the Norton Internet Security suite. That stayed on my computer for about 12 hours.  It was intrusive and it noticeably slowed the system.  It was difficult to turn off the parts I didn't want (e.g., firewall) and conflicted with TimeMachine and mail. These problems are not present with Sophos.

The biggest plus I see is that Sophos is very up front about supporting an open user forum.  The first step in the installation takes you to the user forums so you can see if others are having problems before installing.  I learned that there was a problem with TimeMachine, but it was fixed in a recent update. That's good stuff to know.  It also demonstrates that Sophos is staying on top of the user comments and complaints.


* The folks at Sophos, who clearly have something to gain, have several videos detailing existing threats to the Mac environment.  Other warnings are here and here. According to GigaOm, "The reasons why Macs don’t get many viruses are as much based on luck and market conditions, as they are on inherent security."

Six ways to safer computing

I got an email today from a Yahoo subscriber that had no subject and contained only a link to a website.  The website claims to sell pharma products, but looking more deeply into the page, it appeared to be trying to do a lot more.  There was a lot of JavaScript getting loaded and it wasn't clear what it was about to do.

At some point, the password for the sender's Yahoo account was compromised.   Although the horse is out of the barn, it's still worth securing the building.

Here are six suggestions to lock the barn:

1)  NEVER EVER login to ANYTHING from a public computer.  You should assume the computer is full of malware and  keyloggers.  Resist the temptation to "just check my mail for a sec."

2)  If you use your computer on a public wifi hotspot, only login to websites that start with HTTPS, not HTTP.  HTTPS traffic is encrypted. HTTP is not. Anyone using the hotspot can record all network traffic. There are programs that output Excel spreadsheets of sites, userids, and passwords.  This does not require a sophisticated hacker.

3)  If you read mail in Outlook, Thunderbird, or some other program and you use your computer in a public hotspot, do not read mail unless your mail provider supports encrypted connections. The connection types should be POP3S, IMAPS or there should be a "use SSL" checkbox in the configuration. Check with your provider if you're not sure.

4)  Use a hard to guess password.  Your name is not a good password. What's your favorite line in a movie? I like Citizen Kane and one great line is "I think it would be fun to run a newspaper."  So, for a password, I could use "ITiwbF2ran".  On the piece of paper I carry around to remind me of passwords, I'd have "email psw:  Charles Foster Kane". That will help me, but won't help anyone else.

5)  If you must use Windows, use it safely.  Use Internet Explorer 9 or Firefox as your web browser.  Install a good antivirus. (I like NOD32 from ESET.)

6)  Use different passwords for different services.  Your mail password should be different from your bank password, which should be different from your voicemail PIN, etc.  If you use the same password across systems, everything is only as secure as the weakest one. Do you really know who's running every system to which you login?

Security is Local, the Bad Guys are Global

This server is a very small fish in a very big pond.  This morning, some guy in Vietnam (or some bot running through an IP address there) decided to see if it could hack in by throwing a lot of different login and overrun attempts at the web service.  I have a reasonable set of firewalls between the system and the ‘net, but when you have a web server, you have to keep that port open.  The solution requires real-time analysis and action based on the traffic coming in to the web server.  I’m a little guy and commercial software to do that is expensive.  But there’s a powerful, free, open source solution, OSSEC.

OSSEC is an intrusion detection system and, right out of the box (if it came in a box), it fields an impressive array of analytic tools. Its default mode is “watch and notify”.  I’ve had it set up that way for several months — that’s how I knew about the attack coming from Vietnam.  After this morning’s event, I’ve changed the mode to “watch, notify, and respond”.  OSSEC now has the ability to (temporarily) modify system parameters.  In this specific case, it would have blocked access from the specific IP address(es) running the attack.

My little server is plugged into a stream that leads to the entire world.  Just like the ecosystem of the Great Lakes is under threat from some fish that can swim up the Mississippi, that little stream both brings opportunity and danger.  It’s necessary to be ready to handle both.

Making it easy for the bad guys

Seventy-five percent of all users use the same password for email and social network sites, according to a story in Security Week magazine, citing a study by BitDefender.  Want to bet a good number also use the same password for their bank accounts, credit cards, Starbucks card, and every other web site?

We all probably trust the security of our bank, but what about that website where you had to register, then take a survey to get a chance to win an iPod? Who's running that site?  Did they ask you to pick a user ID, enter your email, and select a password?  And did you use your "usual" ones?

When you say it out loud, does it seem like a good idea?

Is your wifi router a talk radio station?

The French National Commission on Computing and Liberty is shocked to find that Google’s Street View vans have recorded snippets of wireless traffic, including email content, user IDs and passwords. Apparently, the French are easily shocked.  What many people seem to forget is that wifi is radio and they’re running a radio station, starring all of the computers in the network.  Like any radio station, anyone with the right type of radio can listen and record your shows.

There are two things that everyone using wifi should do.

  • First, encrypt your wifi using WPA2.  It’s not foolproof, but defeating WPA2 is difficult and time consuming.  Anyone who’s after you, in particular, may want to invest the time, but the drive-by vans will skip you and read your neighbor’s unencrypted signal.
  • Second, whenever possible, login to websites using SSL.  SSL provides secure encryption from your computer to the server at the other end of the connection.  If you visit websites using “https” instead of “http”, you’re using SSL encryption.

Using SSL for all data exchanges is critical when you’re on a shared, public wifi network.  Anyone at Starbucks, or the library, or your favorite place to park yourself with your notebook or phone could be recording network traffic.  On such networks, you should have absolutely no expectation of privacy.  It’s critical to encrypt your data before it goes out over the air.

Check with your email provider to find out if they support POPS or IMAPS and Secure SMTP.  The “S” at the end of POP and IMAP means that the connection between your computer and the mail server is encrypted via SSL, too.  All major mail clients support the protocol. If your mail provider doesn’t, it’s time to find a new mail provider.

If you use Gmail, click “Settings”, then “Always use https”.  Gmail will then enforce an SSL connection whenever you access it on the web.