Archive for the ‘Security’ Category

Protect Your Websites

February 28th, 2012 1 comment

Unfortunately, a ton of websites get hacked or defaced every day around the globe. I’ve seen statistics stating that up to 90% of all hacked websites are related to a CMS (Joomla or WordPress), at least among those not related to compromised cPanel logins. And apparently Joomla gets hacked twice as often as WordPress.

I believe all websites are vulnerable to attacks, but Joomla and WordPress more so because of their popularity. There are shell / cracking scripts written specifically for both. These scripts rely on the default database table prefixes, jos_ and wp_, and, in the case of Joomla, on FTP functions that are enabled but never used.

Some recommendations to help protect your websites:

  • Use secure passwords like 4#gty+TeQ^Rf37! (take the guesswork out of play).
  • Change your default admin login.
  • Delete everything you don’t use, including templates and plugins. This includes Hello Dolly, twentyten, twentyeleven and Akismet.
  • With WordPress, disallow bots from scanning crucial directories by adding Disallow: /wp-* to your robots.txt file, and CHMOD your wp-config.php file to 640.
  • Keep your CMS websites updated to the latest version, and recheck your security settings after each version update.
  • And don’t use anything related to timthumb.

Categories: Blogging, Security

FREE Anti-Phishing Tools

December 20th, 2011 2 comments

I read an article a few days ago describing in-depth comparisons of the major search engines’ ability to recognize and combat phishing. To my surprise, IE ranked much higher than Google, but since I’m always on Google, I thought I should research some third-party tools to help secure my online travels.

The following four anti-phishing tools are presented for your review:

  • AVG LinkScanner – AVG LinkScanner is a free must-have for computers only running a traditional anti-virus program; it prevents you from visiting bogus or infected web sites.
  • TrendProtect - TrendProtect is a FREE browser plug-in that helps you avoid Web pages with unwanted content and hidden threats. TrendProtect rates the current page and pages listed in Google, MSN, and Yahoo search results. You can use the rating to decide if you want to visit or avoid a given Web page. To rate Web pages, TrendProtect refers to an extensive database that covers the following information for billions of Web pages:  Content category, Phishing scam detection, Site reputation and Page reputation.
  • Norton Safe Web Lite – Norton Safe Web Lite provides a safer search experience by warning you of dangerous Web sites right in your search results, so you can search, browse, and shop online without worry. Norton Safe Web Lite is FREE to anyone who wants protection from unsafe Web sites and disreputable online merchants. It’s our way of giving back to the online community.
  • BitDefender Anti-Phishing Free Edition - Committed To Stopping Cyber-criminals In Their Tracks! Whether you’re a current Bitdefender customer or not, our goal is that everyone remains safeguarded from cyber-criminals’ tactics. That’s why we offer free virus removal tools and other free antivirus products, to ensure that every journey online is a safe one!

Categories: Security

How Important Is Password Security?

November 21st, 2011 No comments

Didn’t your Mom tell you not to play with fire? Weak passwords put your personal identity or business data at risk of being compromised. How important is password security? A simple Google search for password security just now returned over 540 million results – that’s significant! I cannot overemphasize how important it is to use STRONG passwords.

Some guidelines:

  • Use at least eight characters, with mixed case letters (upper and lower case)
  • Use a password that can be typed quickly (to prevent over the shoulder spying)
  • Mix alphanumeric characters in a seemingly random manner.
  • Change your password regularly.
  • Do NOT use words that are included in any dictionary – even encrypted, these can be cracked in seconds!!
  • Do NOT use dates
  • Do NOT use information that can be easily obtained about you. This includes your nickname, your pet’s name, your hometown, etc.
  • Do NOT use all numbers or all alphabet characters – mix them!
  • Do NOT reveal your password to anyone!

There are any number of websites that help you understand how vulnerable your passwords are. One of those is http://howsecureismypassword.net/: simply enter your password and it will return how long it would take to crack it. Mine was six thousand years, but I could improve that by using a symbol instead of just letters and numbers.

Microsoft also has a password security strength checker, located at https://www.microsoft.com/security/pc-security/password-checker.aspx. Starting at a rating of STRONG, I had to add 10 symbols to raise that level of security to BEST. Going back to HowSecureIsMyPassword, when I typed in Microsoft’s BEST, here is the result I got: It would take a desktop PC about 523 sextillion years to crack your password. Works for me!

Categories: Security

DDoS Attacks on the Rise

October 19th, 2011 No comments

There are over 500 pages of articles on Wikipedia related to DDoS attacks, and a quick Google search this morning returned 3 1/2 million results. So what are DDoS attacks, and should you be concerned?

I found a great definition of DDoS at TechTarget.com:

A distributed denial-of-service (DDoS) attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system. The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to the system to legitimate users.

In a typical DDoS attack, a hacker (or, if you prefer, cracker) begins by exploiting a vulnerability in one computer system and making it the DDoS master. It is from the master system that the intruder identifies and communicates with other systems that can be compromised. The intruder loads cracking tools available on the Internet on multiple — sometimes thousands of — compromised systems. With a single command, the intruder instructs the controlled machines to launch one of many flood attacks against a specified target. The inundation of packets to the target causes a denial of service.

I’ve read tons of threads about DDoS attacks on web hosting forums, but didn’t fully realize how destructive they could be, or how hard they are to mitigate. After reading through some articles like the ones below, I’ve come to realize that these attacks can, in fact, cripple a provider’s ability to deliver stable hosting solutions not just to businesses, large or small, but to the infrastructure of governments as well.

DDoS Attacks On the Rise in 2011

The company’s semi-annual Web Hacking Incident Database (WHID) report found the attacks jumped 22 percent from the first half of 2010, overtaking methods such as SQL injections and cross-site scripting (XSS) attacks. DDoS attacks occupied 32% of attacks while SQL injection and XSS attacks took up 21% and 9% respectively.

Head of Russian Payment Processor held over DDoS-for-Hire plot

One of the co-founders of ChronoPay (a Russian 3PP – 3rd Party Payment Processor) was arrested on the alleged connection between him and a hacker who was hired to run a distributed denial of service attacks against a business rival. Russian Pavel Vrublevsky who is also an owner in a company called RS-Promotion …

Malware in Recent Korean DDoS Attacks Destroys Systems

There has been quite a bit of news recently about distributed denial of services (DDoS) attacks against a number of South Korean websites. About 40 sites – including the Presidential, National Intelligence Service, Foreign Ministry, Defense Ministry, and the National Assembly – were targeted over the weekend, beginning around …

WordPress.com DDoS Attacks Primarily From China

After recovering from the largest Distributed Denial of Service attack in the service’s history (“multiple Gigabits per second and tens of millions of packets per second”) yesterday morning, blog host WordPress.com was attacked again very early this morning, finally stabilizing its …

There is a DDoS mitigation industry devoted to fighting these attacks, and some companies are better than others. So how would you know which DDoS mitigation company is best suited to minimize your risks? Like every other industry, longevity speaks volumes – how long have they been in business? Some questions to ask:

  • What’s their track record?
  • How many attacks do they mitigate each month?
  • What is their typical “time to mitigate?”
  • How much bandwidth do they have dedicated to mitigating attacks? (DDoS attacks take up a LOT of bandwidth)
  • How is their network globally distributed?
  • Which tools and techniques do they employ to detect, analyze, and mitigate DDoS attacks?

Think a DDoS attack can’t happen to you? Yahoo, Buy.com, RIAA and the United States Copyright Office are among the victims of DDoS attacks, and the list of victims goes on and on.

Categories: Security

WordPress Vulnerabilities

October 17th, 2011 No comments

In an earlier article entitled “Are your applications secure?”, I talked about SQL injection threats. It’s a threat that refuses to simply go away.

Just this morning I stumbled upon a thread on a web hosting forum about an OP (original poster) who had his shared account terminated by his web hosting provider after being hacked twice. He was clearly the victim of the hacks, but the host deemed the OP responsible for keeping his sites safe, so that his sites would not affect other clients on their server.

The site in question was a WordPress site with a couple of plugins activated – nothing out of the ordinary. It was duly noted that WordPress sites attract a lot of hack attempts, and the more popular they are (lots of traffic), the more attempts. Obviously, the OP needs to find another web hosting provider, but his troubles are probably far from over. Should he install the same plugins on his site at his new host, the hack will most likely recur. Why?

One of the plugins the OP alluded to was Penny Auction, for which a “hack advisory” was recently issued by ngenuity-is.com.

Recommended plugins that help fight intrusion attempts:

Login LockDown - Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute-force password discovery. Currently the plugin defaults to a 1-hour lockout of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel. Administrators can release locked-out IP ranges manually from the panel.
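To show what that default rule does in practice, here is an added example (not the plugin’s own code) that applies the 3-failures-in-5-minutes, 1-hour-lockout logic to a constructed set of failed-login records; the record layout and the choice of /24 as the “IP range” are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network

# Plugin defaults as described above: 3 failures within 5 minutes -> 1 hour lockout.
MAX_ATTEMPTS = 3
WINDOW = timedelta(minutes=5)
LOCKOUT = timedelta(hours=1)

# Constructed sample records: (timestamp, source IP, username tried).
FAILED_LOGINS = [
    ("2011-10-17 08:00:05", "203.0.113.10", "admin"),
    ("2011-10-17 08:01:10", "203.0.113.11", "admin"),
    ("2011-10-17 08:02:30", "203.0.113.12", "administrator"),
    ("2011-10-17 08:03:00", "198.51.100.7", "editor"),   # slow, spaced-out failures
    ("2011-10-17 08:20:00", "198.51.100.7", "editor"),   # never 3 within 5 minutes
    ("2011-10-17 08:40:00", "198.51.100.7", "editor"),
]

def ip_range(ip: str) -> str:
    """Map an address to its /24 block; the /24 granularity is an assumption."""
    return str(ip_network(f"{ip}/24", strict=False))

def compute_lockouts(records, max_attempts=MAX_ATTEMPTS, window=WINDOW, lockout=LOCKOUT):
    """Replay failed logins in order; return {ip_range: lockout_expiry} for every range locked."""
    attempts = defaultdict(list)   # range -> timestamps of recent failures
    lockouts = {}                  # range -> datetime when the lockout ends
    for ts, ip, _user in records:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        rng = ip_range(ip)
        if rng in lockouts and when < lockouts[rng]:
            continue               # range is locked: request refused, not counted again
        recent = [t for t in attempts[rng] if when - t < window]  # drop stale failures
        recent.append(when)
        attempts[rng] = recent
        if len(recent) >= max_attempts:
            lockouts[rng] = when + lockout
            attempts[rng] = []     # counter restarts once the lockout expires
    return lockouts

def is_blocked(lockouts, ip: str, ts: str) -> bool:
    """True if a login from ip at time ts would be refused under the computed lockouts."""
    when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    expiry = lockouts.get(ip_range(ip))
    return expiry is not None and when < expiry

if __name__ == "__main__":
    for rng, until in compute_lockouts(FAILED_LOGINS).items():
        print(f"{rng} locked out until {until}")
```

Only the 203.0.113.0/24 block is locked (three failures inside 5 minutes); the spaced-out failures from 198.51.100.7 never trip the rule, which is why a slow, patient guesser is not stopped by this default and password strength still matters.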

WordPress Firewall 2 - This is an updated version of the popular WordPress Firewall plugin, with fixes for all known bugs and a few new features!

This WordPress plugin investigates web requests with simple, WordPress-specific heuristics, to identify and stop the most obvious attacks. There are a few powerful, generic modules that do this; but they’re not always installed on web servers, and usually difficult to configure.

This plugin intelligently whitelists and blacklists pathological-looking phrases, based on which field they appear within, in a page request (unknown/numeric parameters vs. known post bodies, comment bodies, etc.). Its purpose is not to replace prompt and responsible upgrading, but rather to mitigate 0-day attacks and let bloggers sleep better at night.

WordPress Security Scan - checks your WordPress website/blog for security vulnerabilities and suggests corrective actions such as:

  1. Passwords
  2. File permissions
  3. Database security
  4. Version hiding
  5. WordPress admin protection/security
  6. Removes WP Generator META tag from core code

WordPress Updates Notifier - Sends email to notify you if there are any updates for your WordPress site. Can notify about core, plugin and theme updates.
Monitors your WordPress installation for core, plugin and theme updates and emails you when they are available. This plugin is ideal if you don’t login to your WordPress admin regularly or you support a client’s website.

Features

  • Set the interval of how often to check for updates; hourly, twice daily or daily.
  • Sets WordPress to check for updates more often meaning you get to know about updates sooner.
  • Get emailed about core, plugin and theme updates.
  • Choose whether to be notified only about updates for active themes and plugins.
  • Remove upgrade nag message to non-admin users.
  • For advanced users there are a number of filters and actions you can use. More coming soon.

This plugin is a fork of Update Notifier. This plugin was forked because there seemed to be no further development on the existing plugin and there was no way to contact the original author to ask about taking ownership. WP Updates Notifier has the following improvements over Updates Notifier:

  • Completely rewritten from the ground up using best practices for writing WordPress plugins.
  • Code wrapped in a class for better namespacing.
  • You can set the cron interval, allowing for more frequent checks.
  • Update checks trigger WordPress internal update check before notification.
  • Allows you to set the ‘from address’.
  • Makes use of the Settings API.
  • A number of available hooks and filters for advanced users.
  • Active support and development.

Categories: Blogging, Security, Support, The Editor

Free WordPress Themes Often Contain Hidden Dangers

October 11th, 2011 No comments

I just stumbled upon an article at wpmu.org that addresses the hidden dangers of searching for free WordPress themes. With over 25 million users, WordPress dominates the blogging stratosphere. While most web hosting providers have some form of quick install for WordPress, most do not offer themes beyond the default – so where do you look (safely) for a theme that best matches your business culture, mission, services and products?

Their recommendation:

If you want to test your theme for hidden encrypted or static info, this article does recommend some tools

Useful Plugins

Categories: Blogging, Design, Security

Phishing

August 31st, 2011 No comments

Surfing the Internet poses some very real dangers, one of those being phishing. Phishing is an attempt by a criminal to trick you into revealing personal information while appearing to come from a valid or legitimate source, such as your ISP, hosting provider, financial institution or consultant.

I recently took an online test to determine my ability to recognize phishing emails or websites. I aced it, but I’ve been in this industry for some time. Countless individuals fall prey to phishing schemes every day.

Identity theft is on the rise. Don’t be its next victim! Do NOT give out your usernames and passwords, financial information, PIN numbers, your mother’s maiden name, Social Security number, birthday, pet’s name or any other personal information that may help identify you. This information is used by phishers in an attempt to steal accounts, money, credit card information or your identity.

Please be wary of any message that asks you for personal information.

Categories: Security