Tips, Tricks, Tools & Techniques

for Internet Business, Life, the Universe and Everything




Category: Security

Another Good Reason For Upgrading WordPress

8 April, 2008 (08:48) | Security, WordPress | By: Nick Dalton

Technorati has stopped indexing blogs that run WordPress versions prior to 2.3.3. They cite the numerous security issues as the reason. It reflects poorly on Technorati if a user clicks through to a blog through them and that blog infects the user’s computer with a virus.

Google does something similar with their “This web site may harm your computer” warnings. Although Google only does it when a web site has been infected. Technorati assumes that old WP blogs will be infected, it’s just a matter of time, so why not block them right away…

So if you haven’t yet upgraded to 2.3.3 (latest version in the 2.3 branch) or the brand spanking new 2.5, then your blog will no longer be updated in Technorati.

Although Technorati is no longer a “must-have” for bloggers, they still send some traffic.

Don’t Get Caught By These Phishing Attempts

3 March, 2008 (10:50) | Security | By: Nick Dalton

Phishing attacks are getting more and more sophisticated. In the beginning you could spot the phishing emails a mile away by the spelling and grammatical errors; the emails just didn’t look like something your bank would send out.

But bad guys are fanatical testers too, and over time they have improved significantly. Here’s a recent one I received from “Chase”.

[Image: Phishing email targeting Chase]

Here’s another one from “PayPal”.

[Image: Phishing email targeting PayPal]

Both emails have authentic images in them, and in the case of the PayPal logo it is served by PayPal’s own servers. If you click on some of the images you will be sent to the authentic Chase/PayPal site. But if you click on the “money link” you will of course end up on a phishing site. I haven’t examined these particular sites, but on this front they are also getting more sophisticated. For example the “Resolution Center” link goes to a domain called paypal-secure-login.com, which almost sounds like it could be an official PayPal site.

Neither email was caught by spam filters.

These emails are both in English. Recently there have been ads on underground message boards looking for people with specific language skills. Soon you will see phishing emails targeting specific countries in their native language.

Does anyone fall for these phishing scams? Suppose it costs $100 to send out one million of these emails, and assume that 1 in 100 is sent to a recipient who actually has an account with the target bank. If the proverbial one-in-a-million falls for the scam, then the scammers would have to clean out $10,000 from that bank account to break even. After many years of testing and tweaking I’m sure the bad guys have achieved much better conversion rates than my conservative estimates, making it a very profitable business.

Here are some tips to spot phishing attempts and to avoid getting robbed:

  • Banks never send out emails asking you to confirm your account information.
  • Never click on a link to login to your bank account. Always type in the URL into your browser every time.
  • Don’t trust the phone. Using cheap VoIP technology phishers are now asking you to call a phone number to verify your account information. There are also reports of outbound calls.
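The “money link” trick described above (a real logo, real links to the genuine site, and one link to a lookalike domain such as paypal-secure-login.com) can be checked mechanically. The following is an added example, not code from the original post: it takes the (visible text, href) pairs you would pull out of a suspicious email, compares each href against the domains a brand genuinely uses, and reports lookalikes, text/href mismatches and unknown hosts. The allowlist, the sample links and the domain names ending in .invalid are constructed for the example, and the registrable-domain helper is a deliberate simplification (last two DNS labels only).

```python
from urllib.parse import urlparse

# Hypothetical allowlist: domains the brand genuinely sends customers to.
TRUSTED_DOMAINS = {
    "paypal": {"paypal.com"},
    "chase": {"chase.com"},
}


def registrable_domain(host: str) -> str:
    """Last two labels of a host name (simplified eTLD+1; ignores co.uk etc.)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_link(text: str, href: str, brand: str) -> str:
    """Return 'ok', 'mismatch', 'lookalike' or 'unknown' for one email link."""
    href_host = urlparse(href).hostname or ""
    href_domain = registrable_domain(href_host)
    trusted = TRUSTED_DOMAINS[brand]

    # Visible text that looks like a URL but the href goes elsewhere: classic bait.
    if "://" in text or text.lower().startswith("www."):
        text_url = text if "://" in text else "http://" + text
        text_host = urlparse(text_url).hostname or ""
        if registrable_domain(text_host) != href_domain:
            return "mismatch"

    if href_domain in trusted:
        return "ok"
    # Brand name appears somewhere in the host, but the registrable domain is
    # not the brand's: paypal-secure-login.com, or paypal.com.evil.invalid.
    if brand in href_host:
        return "lookalike"
    return "unknown"


def audit_links(links, brand):
    """Return {href: verdict} for every link that is not plainly 'ok'."""
    verdicts = {}
    for text, href in links:
        verdict = classify_link(text, href, brand)
        if verdict != "ok":
            verdicts[href] = verdict
    return verdicts


# Constructed sample: what the links in a "PayPal" email might look like.
SAMPLE_LINKS = [
    ("PayPal logo", "https://www.paypal.com/images/logo.gif"),   # served by PayPal
    ("Help Center", "https://www.paypal.com/help"),               # genuine
    ("Resolution Center", "http://paypal-secure-login.com/cgi-bin/webscr"),
    ("https://www.paypal.com/", "http://paypal-secure-login.com/"),
    ("Unsubscribe", "http://192.0.2.10/paypal/"),
]

if __name__ == "__main__":
    for href, verdict in audit_links(SAMPLE_LINKS, "paypal").items():
        print(f"{verdict:10} {href}")
```

Run it and only the suspicious links print; the two genuine paypal.com links are silent. A host that merely contains the brand name is the signal the post points at: the domain the browser actually connects to is the last two labels, and everything to the left of it is chosen by whoever registered that domain.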

Should you report these phishing emails to your bank? I don’t think that’s a worthwhile effort. According to a recent security report, shutting down individual phishing sites is as futile as the whack-a-mole games at amusement parks.

Update: For more details on this particular PayPal phishing email see: F-Secure and thoughts.com.

Has Your WordPress Blog Already Been Hacked? (Do You Know?)

22 February, 2008 (21:15) | Security, WordPress | By: Nick Dalton

There are several exploits targeting WordPress blogs that insert HTML into old posts or into the page template itself. Here are a few procedures that you should follow regularly to check on the health of your blog.

Search existing posts

  1. Goto Manage Posts in the WordPress admin section.
  2. In the “Search terms…” field enter one of the following:
    • iframe
    • script
    • href
  3. Click “Filter”

This will show any posts that contain the above HTML keywords. Unless you’re writing about HTML your posts will probably not contain these keywords. If they do show up in a post and it’s something that you wrote, don’t worry about it. The presence of these keywords is an indicator that someone else may have injected something into your posts. But if you wrote it, then you’re fine.

The reason I search for these particular keywords is that an attacker usually wants to gain something from your blog: a way to install badware on your visitors’ computers (iframe), a blanket way to manipulate your blog output (script), or a simple link (href).

Search existing comments

Repeat the above procedure for comments on the Comments admin page.

View HTML

Visit your blog and view the HTML source. Search for the same iframe, script and href keywords on a couple of different types of pages:

  • Home page
  • An individual post
  • Your about page

There will be a lot of matches on the href keyword, but the links should all go to your own blog or other places that you know you have linked to. If you find links to web sites that hawk various body enlargement pills, then you have probably been compromised.

Google AdWords and other advertisement networks often use JavaScript includes. So does BlogRush. If you trust the network, then there is no reason to worry about these script statements.

Iframes are sometimes legitimately used by affiliate promotions, for example Amazon product links. Again if you trust the vendor you’re fine. Earlier in the week I wrote about a current exploit which adds an iframe to the wp-stats-php.info site. If you see any such iframes, that’s really bad.
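The “View HTML” procedure above (search the page source for iframe, script and href, then decide whether each one is yours, a trusted network’s, or an intruder’s) can be scripted so that it is less of a pain to repeat. The following is an added example and not code from the original post: it parses a page with Python’s standard html.parser, reports iframes, external scripts and links whose host is not in a list of hosts you trust, flags zero-size or hidden iframes, and flags inline scripts that look like the escaped, eval’d payloads injected scripts tend to use. The sample page, the blog host name and the pill-site host (.example/.invalid names) are constructed; the wp-stats-php.info host is the one named in the posts on this page.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class TagCollector(HTMLParser):
    """Collect iframe src + attributes, script src / inline body, and a href."""

    def __init__(self):
        super().__init__()
        self.iframes, self.scripts, self.links = [], [], []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            self.iframes.append((a.get("src") or "", a))
        elif tag == "script":
            self._in_script, self._script_buf = True, []
            self.scripts.append({"src": a.get("src") or "", "body": ""})
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])

    def handle_data(self, data):
        if self._in_script:          # script content arrives here as raw text
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts[-1]["body"] = "".join(self._script_buf).strip()
            self._in_script = False


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_trusted(host, trusted_hosts):
    """Exact match or subdomain of a trusted host; relative URLs have no host."""
    return host == "" or any(host == t or host.endswith("." + t) for t in trusted_hosts)


def hidden_iframe(attrs):
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return (attrs.get("width") == "0" or attrs.get("height") == "0"
            or "display:none" in style or "visibility:hidden" in style)


def looks_obfuscated(body):
    """Heuristic: an eval/unescape/document.write call fed many escaped bytes."""
    has_sink = re.search(r"\b(eval|unescape|document\.write)\s*\(", body)
    escapes = re.findall(r"%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}", body)
    return bool(has_sink) and len(escapes) >= 8


def scan_html(html, trusted_hosts):
    """Return (kind, value, note) tuples for everything worth a second look."""
    p = TagCollector()
    p.feed(html)
    p.close()
    findings = []
    for src, attrs in p.iframes:
        if not is_trusted(host_of(src), trusted_hosts):
            findings.append(("iframe", src, "hidden" if hidden_iframe(attrs) else "visible"))
    for s in p.scripts:
        if s["src"]:
            if not is_trusted(host_of(s["src"]), trusted_hosts):
                findings.append(("script", s["src"], "external"))
        elif looks_obfuscated(s["body"]):
            findings.append(("script", s["body"][:40] + "...", "obfuscated"))
    for href in p.links:
        if not is_trusted(host_of(href), trusted_hosts):
            findings.append(("href", href, "external"))
    return findings


# Constructed sample page: own links, an ad-network script, one injected
# obfuscated script, one hidden iframe and one spam link.
SAMPLE_HTML = """
<html><body>
<a href="/about/">About</a>
<a href="http://www.myblog.example/2008/02/a-post/">An older post</a>
<a href="http://www.trusted-friend.example/">A blog I link to</a>
<script src="http://pagead2.googlesyndication.com/pagead/show_ads.js"></script>
<script>document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70'));</script>
<iframe src="http://wp-stats-php.info/iframe/" width="0" height="0"></iframe>
<a href="http://cheap-pills.invalid/">buy now</a>
</body></html>
"""
TRUSTED_HOSTS = {"myblog.example", "trusted-friend.example", "googlesyndication.com"}

if __name__ == "__main__":
    for kind, value, note in scan_html(SAMPLE_HTML, TRUSTED_HOSTS):
        print(f"{kind:7} {note:10} {value}")
```

Feed it the source of your home page, an individual post and your about page, as the post suggests, and grow the trusted list as you confirm each legitimate network or affiliate. Everything it prints is a lead to check by hand, not a verdict: an affiliate iframe you forgot about is harmless, a hidden zero-size iframe to a host you have never heard of is not.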

Google Webmaster Tools

Google supposedly marks pages that have been banned from their index due to malware in their Webmaster Tools. You should definitely have a Google Webmaster Tools account to get information on how Googlebot sees your web site and lots of useful search statistics. The banned page indication is an extra bonus.

Repeat Often

You should repeat all the above procedures on a regular basis. I know that’s a pain! But dealing with a compromised blog is much worse. Compared to the countless hours you spend on writing great blog posts and engaging in conversations with your readers, it doesn’t take that much time to keep your blog safe.

An Old WordPress Version Can Get You Banned In Google

20 February, 2008 (10:10) | Security, WordPress | By: Nick Dalton

Imagine a customer searching for one of your top keywords in Google and, instead of finding your blog, being greeted with this:

[Image: Google: Warning this site may harm your computer]

Over the past couple of weeks this is what has happened to many WordPress blog owners. Forums are filled with desperate and bewildered bloggers who don’t know what happened or how to fix the problem.

The root cause of these problems is a bug in a WordPress file called xmlrpc.php. This is not the first, nor the last, WordPress security issue. But in this case the bad guys are systematically exploiting the bug.

Automated scripts scan the Internet for vulnerable WordPress blogs. When they find one, a small snippet of HTML is added to an old blog post. This HTML snippet is an IFRAME that retrieves data from a server with the innocent looking name wp-stats-php.info. At first glance this may look like some server collecting WordPress stats. It isn’t. This web site, seemingly based in China, is part of the growing underground economy of badware. Their role in the ecosystem is to install IFRAMES on as many web sites as possible. They will then most likely sell their “iframe service” to another company that wants to install a small piece of bad software on as many computers as possible. Currently it looks like the payload they are distributing is a virus. But it could easily be changed to a trojan keylogger or a program that turns your computer into a node in a botnet. Pretty bad stuff; so Google is right in warning users from visiting hacked sites.

But what does that mean to you as a WordPress blogger?

With the millions of WordPress blogs out there, these criminals have found fertile ground for their exploits. Unless you have updated your WordPress blog to the latest version – 2.3.3 – you are exposed to this threat.

I know that I may sound like yet another security expert crying wolf again. In this case the threat is very real. Just ask one of the many bloggers who have been affected. In the heavily interlinked blogosphere it’s just a matter of time before the bad guys follow the links to your blog.

Here are some recent horror stories, should you need more convincing:

Even if the current outfit behind wp-stats-php.info is shutdown, there are others who are gearing up their operations.

What should you do?

  1. Backup your WordPress files and database
  2. Upgrade to WordPress 2.3.3
  3. Check your blog to make sure you haven’t already been infected

If you have done many customizations to your blog (theme and/or plugins) and you’re afraid something will break with the upgrade to 2.3.x, then at least install the latest version of the xmlrpc.php file. You can download it here and just FTP it over the existing file in your root WordPress directory.

More to come on this topic…

Six Tips To Keep Your WordPress Blog From Being Hacked

17 December, 2007 (13:05) | Security, WordPress | By: Nick Dalton

Copywriter Michel Fortin tells a harrowing tale of how his blog was compromised and subsequently blacklisted by Google. This comes on the heels of the highly publicized attack on Al Gore’s web site.

Unfortunately the details on what exactly happened with Fortin’s and Gore’s blogs are scant. But here are some general guidelines for keeping your WordPress blog safe.

Update to the latest secure version

No software is free from bugs and security holes. Make sure that you are running the latest secure version. For WordPress – as of this writing – that means versions 2.3.1, 2.2.3 or 2.0.11.

Since WordPress gives plug-ins and themes full access to your blog, you also need to keep your plug-ins up-to-date. With the latest 2.3 series of WordPress you are notified in the admin screen when new versions of the plug-ins you have installed are released.

Only download and install trusted code

Just like you shouldn’t click on email attachments coming from people you don’t trust, you shouldn’t install software on your blog from untrusted sources. Only download code from the authors’ web site.

Since WordPress and most themes and plug-ins are released as open source, anyone can modify the code with malicious intent and put up the badware for download to unsuspecting web surfers.

Don’t be the guinea pig for the latest plug-ins. Take a cautious approach and wait until you see a plug-in being used by many other trusted bloggers.

Be wary of JavaScript includes

Many web analytics services and ad networks require you to add some JavaScript to your blog pages. Often this takes the form of a JavaScript include which gives the authors of that JavaScript almost wholesale permission to do anything with your web page. In essence you are trusting the security of your web site to this third party service.

In the case of Google AdSense and Google Analytics, or any of the major and reputable ad networks and web analytics services, I would not be worried. But if some relatively unknown company wanted to place JavaScript on my web site I would run away.

Ad networks also pose another problem if you don’t have control over who is allowed to advertise on your network. Google applies the guilt by association principle: If you are advertising for a site that has badware on it, your site may be blacklisted too.

Write-protect your themes directory

There appears to be an exploit going around that modifies installed WordPress themes to add spam links or malicious iframes. One way to make this exploit more difficult is to modify the file permissions of your WordPress themes directory to 755. The drawback is that you will now have to ftp modified files to your web server each time you want to make changes to your theme.

Unfortunately you cannot apply the same write protection to the plug-ins directory since many plug-ins write data to the directory where they are installed.
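Setting the themes directory to 755 once is easy to undo by accident (an FTP client or a plug-in installer that creates files group-writable, for instance), so the setting is worth re-checking. The following is an added example, not code from the original post: it walks a themes directory, lists every directory or file that group or others may write to, and applies 755 to directories and 644 to files. The 755 for directories is the post’s recommendation; 644 for files is an assumption added here, and the demo builds a throwaway directory tree under a temporary path so it runs without touching a real install.

```python
import os
import stat
import tempfile


def group_or_world_writable(path):
    """True if the group or 'other' write bit is set on path."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def find_writable(themes_dir):
    """Return every directory or file under themes_dir that is not write-protected."""
    writable = []
    for root, _dirs, files in os.walk(themes_dir):
        # each subdirectory shows up as a later 'root', so checking root covers dirs
        for path in [root] + [os.path.join(root, name) for name in files]:
            if group_or_world_writable(path):
                writable.append(path)
    return writable


def harden(themes_dir):
    """Directories to 755 (the post's setting); files to 644 (assumption)."""
    for root, _dirs, files in os.walk(themes_dir):
        os.chmod(root, 0o755)
        for name in files:
            os.chmod(os.path.join(root, name), 0o644)


def demo():
    """Build a constructed theme tree, report before/after hardening (relative paths)."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = os.path.join(tmp, "mytheme")
        os.mkdir(theme)
        for name in ("footer.php", "style.css"):
            with open(os.path.join(theme, name), "w") as fh:
                fh.write("<!-- constructed sample theme file -->\n")
        os.chmod(theme, 0o775)                               # group-writable dir
        os.chmod(os.path.join(theme, "footer.php"), 0o664)   # group-writable file
        os.chmod(os.path.join(theme, "style.css"), 0o644)    # already fine

        before = [os.path.relpath(p, tmp) for p in find_writable(tmp)]
        harden(tmp)
        after = [os.path.relpath(p, tmp) for p in find_writable(tmp)]
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("writable before:", before)   # ['mytheme', 'mytheme/footer.php']
    print("writable after: ", after)    # []
```

Point find_writable at the real wp-content/themes path (over SSH, or from a cron job that mails you the list) and an empty result is the state you want; anything listed is a file the web server, or another account in its group, could rewrite, which is exactly what the theme-modifying exploit the post describes needs.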

Use strong passwords

This is an obvious good security practice, but too often forgotten. Make sure all your passwords are strong: your admin account, the ftp account and any other WordPress accounts that have any edit privileges.

There are numerous articles online about selecting good passwords so I won’t repeat that information here. Just make sure that you follow the advice in these articles and don’t copy the actual passwords they list.

View the HTML source of your site often

You should view the HTML source of your web site often. If you find chunks of encrypted JavaScript, or hidden links to sites you don’t know, then your blog may have been compromised. The reason to do this often is so that you can discover any issues before Google does and blacklists you, or any of your readers get infected by malicious software distributed by your site.

Should you abandon WordPress?

I love the WordPress platform because it’s so powerful, flexible and extensible. The downside to all these extensions is that it only takes one weak link to compromise your blog. Even though the core WordPress developers mostly follow good security practices for the code they write, that cannot be extended to all the thousands of WordPress theme and plug-in developers.

Since WordPress is the most popular blog platform, they suffer the same problem as Microsoft does with their products: they’re also the most popular target for security exploits. Therefore we are going to have to live with constant security vigilance. If you are not willing to at least follow the six steps in this article, then WordPress is probably not the best blogging platform for you.

Are you practicing safe blogging?

More On WordPress Security Issues (a.k.a. The Al Gore Hack)

28 November, 2007 (12:05) | Security, WordPress | By: Nick Dalton

The Symantec Security Response Weblog has a good writeup about the climatecrisis.net hack and the elaborate network scheme behind it. Their conclusions mostly match those in my post yesterday.

I still haven’t been able to track down the exact exploit used to compromise all these WordPress blogs. All the compromised blogs that I’ve examined run older versions of WordPress (<= 2.0.6). There are several older vulnerabilities that allow an attacker to assume admin privileges.
With admin privileges the attacker can use the Theme Editor to add their spam links to the footer template. Using the Theme Editor gets around the problem of knowing which file to edit since each theme is installed in a separate directory. If the attacker only had access to the file system (e.g. via ftp), then there is no easy way to know which is the active WordPress theme.

In a most likely unrelated note, GigaOM has a post about security issues in WordPress Themes. It turns out that some bad guys are taking free WordPress themes and modifying them slightly so that they can run arbitrary code on each web server running that WordPress theme. This is a huge security risk!

Follow the basic security rule: Don’t download files from untrusted sources. Just because someone is advertising their free WordPress template site on AdWords doesn’t mean that the site is legitimate.

The reason I say that the two security issues are unrelated is because the compromised blogs do not share a common WordPress theme.
If anyone who has been compromised would be willing to share their web access logs, I would be very interested in examining them.

Update:
When looking at the HTML source of web pages that have been compromised I noticed that not only did the attacker add their spam links, they also added an AdSense block. First I thought that each blog just happened to have their AdSense JavaScript in the same position at the bottom of the page. But when I saw the AdSense code on climatecrisis.net I figured that something was wrong. Why would climatecrisis.net have AdSense on their site?

After closer examination I realized that all compromised sites had the exact same AdSense code:
getme('http://pagead2.googlesyndication.com/pagead/show_ads.js? 636D6071685F676C255D5A68385E565D545C612E64334D100E4D5 45652090A0E5252564840083D414A4641354C0FF83E3E3C32F306');

Someone at Google should be able to find out who is benefiting financially from that AdSense code. Money always leaves a trail.

Don’t Get Hacked Like Al Gore – Keep An Eye On WordPress

27 November, 2007 (22:10) | Security, WordPress | By: Nick Dalton

A story has been making the news today about Al Gore’s web site being hacked. (Original story broken by Stuart @ Earners Blog.) Actually it was a blog on climatecrisis.net that appears to have been forgotten – the last post is from September 2006. Nevertheless the blog has a PageRank of 5 which is an attractive target for link hackers.

The site has been cleaned up now, but you can view a cached version of the compromised page courtesy of Yahoo. (In IE you need to view source to see the links. In my Firefox they show up as grey text links at the bottom of the page.)

The attack has at least three steps:

  1. A blog at westmont.edu was compromised and several pages were added promoting Viagra and other related pills.
  2. Several other blogs were compromised and links to the first site were added at the bottom of each page. The latter is what happened to climatecrisis.net/blog. Al Gore’s site is probably the best known of the compromised sites, but there are many more: The Cynical Traveller, Mickipedia, Astroport Le chant du pain, The Next New Networks, Librarian Activist. Just to list a few. Hopefully the site owners will see these backlinks and be able to clean up their blogs.
  3. In order to not leave a trail to their own doorstep there appear to be no outbound links on the westmont.edu blog that go to any web site where you can actually order the drugs. Instead there are links to google.ru with queries like “Purchase Prilosec”. Presumably the perpetrator of this attack is among the first search results for these queries. By using the indirect link through Google it makes it very hard to find and prosecute the guilty party. Using Google to cover your tracks is getting increasingly popular.

All the compromised sites are blogs that use WordPress 1.5 – 2.0.6. If you are running these very old versions of WordPress be sure to upgrade to the latest secure release. And regardless which software you’re using for your web site you should regularly view the HTML source of your site to make sure that you’re not serving up spam links.

Do You Reuse Your Passwords? Are They Being Recorded As You Type?

16 November, 2007 (19:16) | Security | By: Nick Dalton

My favorite tech columnist Bob Cringely has an interesting post this week about reusing passwords across multiple sites. Conceptually we all agree that using the same username and password to login to your bank as you do for your email account is a bad idea. But in reality we are all lazy and we don’t want to memorize dozens or hundreds of passwords for all the sites we need to login to.

But Bob really drives home the point with the scenario of identity thieves launching a sweepstakes website for a cruise. All you need to do to enter the sweepstakes is to register on the site. A lot of people will use the same login credentials when they register at this site as they do for their bank. And of course registration requires your full name and address which adds up to a rather complete identity profile. Even if you don’t sign-up with suspicious looking websites, one of the sites that you are already registered with may have lax security and your registration data may become exposed.

So heed Cringely’s recommendation: change your passwords NOW.

A few years ago a friend of mine was building his own house. During the construction he had a large amount of money sitting in an account waiting to be portioned out to various contractors and suppliers. To earn maximum interest on the money, he had signed up for an account that could only be managed online. With this setup he was very concerned about a keystroke logger being surreptitiously installed on his computer and capturing his username and password for the bank account.

He was even considering purchasing a brand new computer that he would only use for managing that bank account. No programs would be allowed to be installed on that computer and no web surfing beyond the bank’s website.

I told him he was being overly paranoid.

My sentiments may have been accurate back then, but that is certainly not true today. Read this article series from CIO Magazine about how sophisticated online identity theft is today. Very scary.

In my Digital Security Report I talk about how you should set up your website to avoid having your digital products indexed by search engines. Losing future sales to free downloads is bad. Having your identity stolen and your bank account looted is a lot worse. Make sure that you follow good password practices, have updated anti-virus and anti-malware software installed on your computer. And sign up for a credit monitoring service. Do it today.

Why should you care about computer security?

16 October, 2007 (10:48) | Reviews, Security | By: Nick Dalton

Computer Security and Penetration Testing by Alfred Basta and Wolf Halton is the scariest book I’ve read since Stephen King’s IT. The book is published by Thomson and is used as a text book at many colleges and universities.

As a course text book it has exercises and hands on projects that describe exactly how to install and run computer programs that crack passwords, sniff network traffic, launch denial of service attacks, and more. Of course this is all done legally (“white hat”) and with the intent to educate and to teach the reader how to deploy countermeasures and improve their security.

Here are a few of the topics covered in the book:

  • Scanning Tools
  • Sniffers
  • TCP/IP Vulnerabilities
  • Encryption and Password Cracking
  • Spoofing
  • Session Hijacking
  • Trojan Horses
  • Denial-of-Service Attacks
  • Buffer Overflows
  • Programming Exploits
  • Windows and Linux Vulnerabilities

Like most security professionals I’m on the side that full disclosure is the best way to improve computer security. You should assume that the bad guys already have this information, and then some. Therefore I welcome this book.

Why would anyone care to target your little web site?

You’re probably not as passionate about security as I am. But is security just for geeks and federal three-letter-agencies? Why would anyone care to target your little web site? People with malicious intent couldn’t care less about your web site. As described in the book they use scanning software to detect computers that are vulnerable. Once a vulnerable computer is found, it is attacked and compromised, and then added to a bot network. This is all done automatically and you will probably not notice anything until you start getting complaints that spam is being sent from your server; or when your web server is shut off by your web hosting company because it is participating in a denial of service attack against someone else.

If you have read any of my previous reviews you know that I’m a harsh critic and I rarely endorse other people’s products. This is a book that has my full recommendation. Your web master or IT department needs to have this book. Not on their bookshelf – it needs to be put into practice to be useful.

One of the book authors has a free newsletter called Secret2Security. When you sign up you get the first chapter of the book for free. Here’s the URL: http://networkdefense.biz/list/?p=subscribe&id=1

Guidelines on Securing Public Web Servers

15 October, 2007 (12:13) | Security | By: Nick Dalton

I just came across this very comprehensive PDF from NIST (National Institute of Standards and Technology). It’s a 142 page document that covers everything from securing the operating system and the web server to securing web content. This document is part of NIST’s Special Publications (800 Series) – documents of general interest to the computer security community. Highly recommended.

The guidelines are extensive but pretty high level. It mentions robots.txt and ensuring that search engines don’t follow certain links. But it doesn’t specifically address the problems of selling digital products through ClickBank, PayPal and other payment processors. To ensure that your digital products are not indexed by search engines and downloaded for free, I still recommend my Digital Security Report.