It has been noted that in the past week we have seen two prominent skeptic websites attacked: Jo Nova and The GWPF, the latter of which has been overtaken, and a message from the attackers replaced the home page.
I won’t give any publicity to the attackers by showing that screen, but suffice it to say it was ugly.
This is just friendly warning message for the skeptical blogging community at large to say that you should immediately take steps to improve your security. Here are some suggestions.
1. If you operate a private server, rather than be hosted on WordPress.com or blogspot or typepad or similar service, you are most vulnerable to attack. These suggestions below are for those running private dedicated/leased servers.
a. Close any unused ports on your system that are not necessary for regular operations. For example, if you don’t use FTP, turn it off. Likewise for Telnet, SSH, and other remote access methods if you don’t use them. There are ways to close broad swaths of port numbers (there are thousands) and these can be used to exploit systems, especially if there’s an unused application or service that is installed but not configured. For Linux see: http://www.linuxquestions.org/questions/linux-security-4/close-unused-ports-and-ssh-503929/page2.html
For Windows Server: http://searchsecurity.techtarget.com.au/news/2240020779/Five-ways-to-harden-Windows-Server
b. Be sure security patches for your operating system and applications are up to date.
c. Run a security scan using your antivirus program for your server. If you don’t have an AV/anti-malware program for your Windows-based server, you are asking for trouble. Linux, not so much, but you need to tighten port security as in point a.
d. If you have other applications installed, such as PHP, MySQL, etc, make sure those applications are patched/up to date. It is easy to say “if it ain’t broke don’t fix it” but security exploits accumulate with time. You best defense is keeping up to date and apply new patches. Like climate, servers are not static entities.
2. Passwords are your weakest point of failure. Make sure you have a strong password. Any password that is a simple English language dictionary password is easily exploited with a password grinder. You need complex passwords with many character combinations like this:
Evil$narkBunny111709!
Don’t use street addresses, telephone numbers, SSN’s, birthdays, or family/pet names as part of the password as these are discoverable. If your password has been around for more than a year. Change. it. now. Read what happened to a prominent WIRED journalist who got sloppy, plus the hacker was helped along by incompetent security protocols at Apple and Amazon.
Likewise, your other apps like MySQL and PHPadmin also have passwords. Some people never even change the default passwords, and that’s an invitation for trouble. Change. it. now.
3. Consider moving off a private server to a service like wordpress.com, where WUWT is hosted. There are migration tools for many of the other blogging platforms to make this easy. The value of wordpress.com is that they take care of all of the heavy-duty security for you. DDoS attacks, exploits, malware, port attacks, SQL injections, etc. are all handled for you. Plus you get cloud service to handle massive bandwidth, all for free. WUWT is hosted on WordPress.com and every time I think about the trade offs of getting a private server to get a few mores features like comment editing or sidebar widgets, I think of the management hell that The GWPF, Jo Nova, and Lucia have gone through with their private server setups. Staying on wordpress.com is a no-brainer for the security and bandwidth alone. Extra features aren’t worth anything if your website is hosed.
Jo Nova is now frequently offline with DDoS attacks, and she has no good strategy for dealing with it in a single server box. Cloud servers on wordpress.com with frontline router security solve this issue with ease.
4. Remember when Climategate broke? Climate Audit, then on a private single box server running wordpress software from wordpress.org crumbled under the load. WUWT remained running, because it was on the cloud based wordpress.com We’ve since migrated Steve McIntyre’s CA website from a private box in a Sacramento CoLo to the wordpress.com cloud system, and haven’t had any trouble since.
If you have a breaking story that needs wide exposure, the last thing you want is a private server that hits capacity in the first hour. Climategate taught Steve McIntyre and I this lesson very well.
Good luck.
VERY good advice. I’m a bit too small to be on anyone’s radar, but my site was overwhelmed and taken down a few times when ClimateDepot ran a link to the Temperature/CO2 Disconnect page on my site, and having it tweeted may have added to the problem.
The robustness (is that a word?) of WordPress is mandatory for the bigger players like WUWT!!!
PASSWORD CHANGE: Evil$narkBunny111709!
CONFIRM CHANGE: Evil$narkBunny111709!
Got it…
‘Climategate taught Steve McIntyre and me this lesson very well. Not ‘McIntyre and I’.
WUWT is hosted on WordPress.com and every time I think about the trade offs of getting a private server to get a few mores features like comment editing or sidebar widgets, I think of the management hell that The GWPF, Jo Nova, and Lucia have gone through with their private server setups.
So sometimes trading some freedom for some security is worth it?
I know, false choice. You can get more features with a paid wordpress account, which may be affordable when you and your family free up some loose change by overcoming your needs for food and shelter. Freedom is not free.
However, I sure hope you keep WUWT backed up in a way that you could recreate it elsewhere if needed. In case wordpress-dot-com goes down, or someone convinces their management to suspend your account for a Terms and Conditions violation, details of which they’ll reveal to you some month soon…
There’s definately someting amiss.
A while back a character called Albatross on SkS told me he had read my posts here and at the Richard Blacks blog. Given I don’t post here regular, I asked if he knew where I liived. 😉 As an isolated incident I can dismiss this, except a new commenter at Richard Blacks blog Gort2012 seems to have a record of my comments across all blogs going back to 2007, when I wasn’t sure if cAGW was or wasn’t false (I’m still not sure, I lean heavily towward the false side). He said it was a simple google search, but he must have been a good with google
Are there any simple tools to move from privately hosted wordpress.org software onto wordpress.com.
I privately host http://www.realclimategate.com and has a bandwidth probem once or twice.
I have registered realclimategate on wordpress.com, just havent found a tool to move articles,comments, domain url, etc. Is this easy to do as I have very limited time from now on.
This is a classic about Password strength
http://xkcd.com/936/
Well said Anthony.
Security is serious business, also for those of us who merely follow the goings on, think bank account, CCs, and debit cards. Many of us have been victims of exploits.
I’m happy to say that thus far my precautions have prevented my family from suffering through two attempts at online fraud. It is a jungle out there.
If you have any sort of firewall and ‘need’ ftp or ssh, tighten down your source address in your firewall. Usually, ISPs like Charter, Verizon, etc., will have your connection on Dynamic Host Configuration Protocol. Your home router’s IP address may change. But there may be a range you can use at least that is reserved for your area. If possible, just allow ports 80 and 443.
If you wrote code for your site, I am sure there are some Penetration testers within earshot. SQL and SQL injection attacks are one of the more common takeovers.
DDOS… patches on you connections in and your server. And if someone is using a botnet to do it, it then takes money. Big sites have application firewalls AND layer 2/3 firewalls in front of them as well as the ISP also controlling the traffic. WP is a good answer as they have the budget.
Also, you are being attack, DO call the FBI. You may not be a priority 1, but it is still a crime. You could be the one missing connection that puts all the puzzle pieces together (as these folks target more than one person.)
And a recent, not scientific, study has shown that girlfriends tend to stop this sort of activity. So if you have a creative way of distracting the attacker with the opposite sex, that might help too 😉
If you want to test your server (or your home computer for that matter) have a look at http://www.grc.com
Follow the links to shields up .. this is a free checkup and will check your computer for common open ports. If you are running a webserver from your office/home and/or an email server, etc you should expect the relevant ports to be open, if you are not sure there is a list of common ports on the GRC website.
If you have open ports, then look at your machine for programs that are listening to these ports. e.g. Internet Explorer will be listening to port 80 for HTTP or Web connections. Your email program to ports 25 and 110, etc.
Sorry, got a bit of that wrong… Your Webserver not internet explorer will be listening on port 80 for web connection requests and email server for email connections on pop/smtp/imap
Planet3.0 has had repeated hack attempts this week from a Ukranian IP address.
I’ll counter with this bit of password entropy:
https://xkcd.com/936/
The biggest problem with complex passwords that include randomization of oddball characters is, people will write it down somewhere, either on their computer, cell or at their desk. Making it useless. And someone with enough drive will find a way to exploit that, the best passwords are the ones that stick in your head, but still have enough entropy that even a GPU cracker will take 10 or 20 years to break it.
Will Jo Nova be making the move then?
REPLY: I have advised her in the strongest possible way to do so. The choice is hers. – Anthony
Evil$narkBunny111709!
Wow, it worked!
I’d suggest signing up with Cloudflare as a proxy front-end as well.
It’s free for the basic service and filters a lot of the dodgy traffic before it gets to your site.
ZbBlock installed on the server is fairly effective as well, and something Fail2ban properly set-up on the server can a lot of the brute force attacks quite well.
Your want a long password? Make it a sentence or a phrase. Much easier to remember.
What was it Gandhi said? “…then they fight you… then you win…”.
Mashiki
Depends on whether the greater threat is from outside your office or inside.
Having worked for the military; everyone was instructed to use passwords that are made up of the first letters of every word in a long sentence that included numbers and special characters interspersed. The example given here would flunk the strength test.
Thanks for tip Anthony! I must say, I’m pretty incompetent when it comes to these matters.
Do Jo Nova and the GWPF plan to prosecute these cowards if they discover their identities? I hope so!
The attacks on right-wing political sites and blogs in the US has also been trending substantially up lately. It’s a disturbing trend, to say the least.
Shields Up! – Gibson Research at http://www.grc.com has helped me immensely in identifying holes in systems, especially the unnecessary opened ports and unneeded open protocols. Anthony is right, ignoring these subtleties’ will leave your system wide open to unwelcome visitors one day. Gibbs Research has been around for ages and have proved their trust to me over the years. (btw – stealth those ports if possible, it seems better to be totally invisible to the web when ever possible) This is good advice even if your not also a server, you never can be too safe in the wild www.
@chris “Depends on whether the greater threat is from outside your office or inside.”
They’re both equal, the question is difficulty and in gaining access. A well meaning person inside is just as bad as someone on the outside who means you ill. Here’s the example from Defcon: http://nakedsecurity.sophos.com/2012/08/10/social-engineer-walmart/
@Mashiki
“The biggest problem with complex passwords that include randomization of oddball characters is, people will write it down somewhere, either on their computer, cell or at their desk. Making it useless. And someone with enough drive will find a way to exploit that …”
Why does writing a password down make it useless? We’re talking about home-operated equipment here…
I run a couple of web servers on my home network. The servers are simple stripped-down single application machines, on a VPN. They sit, together with my Smoothwall firewall, in a stack in my attic. Because it’s a VPN I can’t operate it from my normal PC or my wireless connection – I have to go up into my attic to gain access to the operator console. On the front of my operator monitor is written the various access codes and other information I need to maintain the system, including passwords. That makes them convenient, but I can’t see how a hacker can gain access to them without breaking into my home and finding where the servers are. And then he hardly needs to know the password, does he, because he has full physical access to the system…
Liberals are the same everywhere,every occupation. Angry children.
Wow, I should have reread before posting early. I fear the grammar nazi will be stalking my soon.
I meant to also include a plug for Password Safe. Bruce Schneier has been recommending it forever and a few of us use it. It is a great place for your evil snark bunnies and so you can remember their names later.
http://www.schneier.com/passsafe.html
“Evil$narkBunny111709!”
Julian wonders about that, but only in a twee, wabbitish sort of way…
JF
As previously mentioned, Jo Nova should consider adding CloudFlare, which involves changing DNS to use CF’s DNS servers, and might involve changing log formats (to log visitor’s IP addresses rather than only CF’s servers — there is a WordPress plugin). But because the attackers know the current IP address, it might also be a good idea to change the IP address… and soon also to permit only CF’s servers and Jo Nova’s home IP address in to the server.
Most people use the same password, or a variant thereof, for everything. This is highly dangerous because if someone gets that one password, they can usually figure out a ton of sites. Think about how many online passwords you use. Do you want some company to accidentally put your password in the public domain, and thereby give access to all of your banking, credit cards, etc?
@ KyleK: Don’t use passwords with words or phrases, even sentences. These take about 0.006 seconds to hack. The best passwords are completely random strings of upper and lowercase letters, numbers and symbols, as long as the website will allow. And EVERY site or login needs to be unique. The problem is remembering them all.
I use lastpass. I only have to remember one superstrong password (it’s random, but I have a keyboard mnemonic worked out) then lastpass remembers all of the passwords to every other site I use. And I don’t have to write them down. You can also set up lastpass where it will ask you a validation question consisting of what letters appear in a particular spot on a grid that is randomly generated upon your request. Then a hacker will have to possess not only your password, but the physical printout of your unique grid as well. Lastpass is the last passord I will ever need.
I second the “go cloud” comments. There are some things that make no sense at all to put in the cloud, and some things that it makes no sense to put anywhere else BUT the cloud. Hosting a blog is one that just makes no sense anywhere but the cloud.
There were some comments upthread about various tools for scanning your system and getting feedback on actions you should take like closing ports. My recommendation is that UNLESS you know with certainty that those online tools are legit, DON’T! Stop and think about the depth of information you may inadvertantly be handing to someone you absolutely don’t want to have it! Not to mention that these tools are generic, they prevent the weekend hacker from getting at you but a determined and focused hacker who is targeting a specific site for a specific reason is going to be exploiting weaknesses that are unusual, specific to you environment, and unlikely to be caught by generic tools.
FURTHER, security is a full time job. It isn’t something you set up and walk away. It has to be looked at by an experienced professional on a regular basis. Plus experienced professional alone isn’t enough, you need tools like firewall, intrusion detection, and more. If you run your own servers, you need either a competant security person who works for you full time, or a full time expert who comes in monthly. The cost for doing these things on a blog by blog basis just isn’t practical. Take it to a cloud providor who has full time staff and can spread the cost across thousands of blogs.
My husband made the comment that the easiest way to hack a blog is to be come a moderator….
REPLY: All our moderators are heavily screened, and nobody gets admin rights. – Anthony
I’ve just been reading a piece in today’s “The Register” ( theregister.co.uk ) by John Leyden which said that Reuters Blog has been hacked three times in the last fortnight, leaving false information: ironically, it was also suggested a flaw may have been exploited in WordPress, so beware, Mr Watts! 😉
Hardware is cheap. Never ever use a server for anything but a server. Do NOT play WoW on your web server! Ideally, firewall, authentication. presentation, back-end processing, and database should all be on separate systems, e.g. one box for Apache, one box for mySQL, etc. And don’t forget about full disk encryption.
Another system is to use the first letter of each word in an easily remembered sentence. Nukes would have no trouble with “Every freaking sailor loves the freaking Navy” giving EfsltfN (sentence cleaned up since this is a family-oriented website). You do need to work a digit or two into your sentence.
Must admit I’ve never understood the appeal of keeping up a private server. In the ’80s days of Usenet and BBS’s it made sense, but not any more. Let a major ISP handle security. The worst they can do is kick you off, which is much less damaging than a hacker getting into your own box.
OK – this is how I learned to make strong passwords:
1. Think of a poem, or your favorite passage from a book: for example To be or not to be, that is the question…
2. Take 2nd letter from every word: oerooehshu
3. Introduce some substitutions and capitals, but those that you can remember, say first and 5th characters: 0eroOehshu
4. Stick a couple of numbers at the end, say your year of birth: 0eroOehshu01.
Job is done.
Obviously, one can make variations, or if you know any other languages, and poems in other languages, it also helps.
Dodgy Geezer;
On the front of my operator monitor is written the various access codes and other information I need to maintain the system, including passwords. That makes them convenient, but I can’t see how a hacker can gain access to them without breaking into my home and finding where the servers are.
>>>>>>>>>>>>>>>>>>>>>
Ever have a party at your house? A few guests over for dinner? Someone you don’t know very well says “you got a server farm in your attic? That is SO cool! Can I see it?” And so you figure no harm showing it to her…
As soon as you commit the password to paper, it becomes exposed in all sorts of ways that you’d never think of. Further, most sophisticated hackers are very good at social engineering. You figure that nobody goes up into the attic but you, but that isn’t the issue. The issue is that everyone who has access to your house has access to that attic, and may give away the info without meaning to. For example, suppose you aren’t home, but your wife or other family member is. The phone rings and someone asks for you, spins a story about being your insurance agent and can’t get ahold of you and needs some documentation for your insurance policy by some deadline (today) or new rules kick in that will double the price….but yeah, if the person who answered the phone could just take some pictures of that equipment in that attic and send them pronto… A determined hacker gets information in some rather ingenious ways….
On the other hand, this also is true. A system 100% secure is unusable. If you want to use it, there will be some level in vulnerability. Much of security is finding the right balance between security and ease of use. If you aren’t a target, the basis will do. If you are a target, the basics won’t even come close.
I cater for today’s formidable password requirements by keystroking a little picture or pattern on my keyboard. I have absolutely no idea what my own passwords are, but my fingers have no trouble keying them in.
If you’re reluctant to change your password(s) because you don’t want to have to remember a brand new one, make a strong basic one that you can remember then periodically change one or two of the numbers or special characters by advancing through the top row of your keyboard.
” … Planet3.0 has had repeated hack attempts this week … ”
Your pal Frank Swifthack is vacationing in Drogobych and ran out of things to do?
“If your password has been around for more than a year. Change. it. now. ”
Dumb question:
If someone tries to attack me tomorrow, why would it be harder for them if I have a new password that I just created last week instead of one I created a year ago? Is there anything inherent about changing a password regularly that increases the security of the password?
On the other side of the coin, I know for a fact that changing a password regularly can significantly decrease the security of the password. It is much harder to remember a multitude of passwords that are regularly changing, resulting in people writing them down and leaving the information lying about. Or, more likely, they just make the passwords super easy. The prior company I worked at required us to change passwords every 90 days. It was such a royal pain in the neck that many people just threw up their hands and started using obvious passwords — you know, the old ‘password1’ then 90 days later ‘password2’ and so on.
Am I missing something? If I have a good, strong password set up is there some reason that I should change it on a regular basis?
Gee, and here I thought the modern way of making nigh-unbreakable passwords was to just “spk n txt”. You can alternate caps in place of spaces:
OMG4srUcnSCRWmyS2!
See, easy to remember, virtually unbreakable, practically unreadable…
I still wake up in cold sweats. It was no fun, which is why cloud computing hosts like wordpress.com are far better than private hosting, despite their limitations.
I sleep a lot better now.
Interesting times. It makes me think of Ghandi and I know it has been quoted here before but worth another go:
Mahatma Gandhi – “First they ignore you, then they ridicule you, then they fight you, and then you win.”
Thanks for keeping this site going Anthony, and for helping others.
I don’t have a blog (yet) but is there a way to back up all of the files routinely off-cloud? i.e., I would be happy in general to go the WordPress route (thinking about starting a blog somewhere down the road), but I would not want to be 100% under their control if they have a management change, turn Big Brother-ish against dissenting websites etc. I’d want to be able to have my own back-ups somewhere so that I could easily re-start in another venue if WP proved problematic. I assume that ppl like Anthony and Steve M. have solved this issue with all that they’ve gone through……
REPLY: WordPress has an export feature for backups – Anthony
@Mark Wagner (and others who suggest using a completely random string of symbols):
http://xkcd.com/936/
A random string of meaningless symbols is hard for a human brain to deal with, but easy for a machine. Human brains work on meaning and association. Using meaningless symbols makes it hard to remember and we therefore think it must make the password stronger. This is not so. Obfuscating the meaning makes no real difference to a machine since machines are blind to meaning. It just makes the password harder to remember without actually making it stronger.
A password made up of a sequence of unrelated but meaningful words is very easy to remember and strong enough to foil any brute force attack. The most important thing in determining password strength is length. How long is your password? Mine has in excess of 25 characters. Such a password is never going to be forced even though made up of meaningful words.
kretchetov says, August 17, 2012 at 1:43 pm
A lot easier to just go here: http://strongpasswordgenerator.com
If you are using Linux it could also be worthwhile trying to setup (or harden existing) SELinux.
http://en.wikipedia.org/wiki/Security-Enhanced_Linux
Up until recently the “idiot, anti-science, blowhard, non-consensus” blogs were of no concern to “real” scientists and governments. Someone has taken notice and probably HIRED the attacks. If you can’t figure out statistics, trends, and real data, you are not smart enough to proffer web based computer attacks on your own. Good work WUWT, someone is very worried, and should be.
I’m a senior IT technician and these are some of the usual suggestions I make to my clients:
1. PRIORITY GOLDEN RULE NUMBER 1! DISABLE THE “GUEST” ACCOUNT!
2. Create a new account that is completely unassuming (eg: Jon) and give it full admin right. Disable the Administrator account.
3. Store your website files on a completely different partition to the OS and completely lock down the OS partition so only the administrator account (that you made in 2 above) can access it.
4. If you have the resources, put your database on a separate server and lock that server off from any internet access. A second firewall between the web and DB server works well here.
5. DB: you only need two accounts. The admin account (with a really tough password) and a writer account (which your web server uses to access it). DO NOT UNDER ANY CIRCUMSTANCES ALLOW YOUR WEB SERVER TO USE THE DB ADMIN ACCOUNT!
6. As well as AV on the web/DB servers, if you can have a different server scan those directories across the network.
7. Find a really good log file analyser that includes auto-scanning and notification of abnormal activity. Setup your log files as specified by the analyser and run it at least once per week.
8. Backup your log files and database to an external location every 15 minutes. Log files are one of the first things pro-hackers delete/modify to hide their activities.
These are just some of the usual things you can do to help protect yourself.
Get used to using pasword card for gawds sake.
http://www.passwordcard.org/en
Jus type “SQL injection” into your favorite search engine and look at how many sites will teach you how crack a SQL database
Block known .tor ip’s
DShield, amongst others, can help you maintain the ip filtering on your firewall. You do have one don’t you?
https://isc.sans.edu/dashboard.html
C’Mon guys. With all the sceptical thinkers hanging around here, I’m amazed there enough naive people getting hacked, infiltrated or are vulnerable!
#1….you honestly thought the eco-cultisits/cAGW/warmistas/one world gubermint/Agenda 21 people would play fair with billions of bucks for their pockets and supreme control involved?
#2….small c conservatives…failing to show up to defend ourselves is a failed policy.
#3….if us skeptics/provers of AGW being a scam have not yet realized this is a war……wellll…if you do not recognize this by now…we WILL fail.
#4….you do not,under any circumstances,play fair with bullies,unless you like having your face re-arranged.
#5…..turning the other cheek only shows your rear end,which is prime kicking material.
Very very simple as there are simple tools in wordpress.com that handle all posts, pages and comments.
My advice: create an empty blog right now on WordPress.com and then use the import utility in the Dashboard.
When you’ve moved then you can redirect your domain to WordPress.com
Limitations: there are a lot of themes on wordpress.com but there may not be the one you’re currently using. Themes are not as easy to customise.
My advice: do it now. You won’t regret it.
Oh I forgot to include in my recommendations above, don’t use some 3rd party connection software to connect to the server (like “Log me in” or “VNC”). Use the OS’s included connection software (RDP in the case of Windows) and on the firewall only allow your IP address to connect through that port. The reason is because most 3rd party connection software uses port 80 which is open to everyone (to browse your site of course).
Dave Hayes: “Up until recently the “idiot, anti-science, blowhard, non-consensus” blogs were of no concern to “real” scientists and governments. Someone has taken notice and probably HIRED the attacks. If you can’t figure out statistics, trends, and real data, you are not smart enough to proffer web based computer attacks on your own. ”
Too far, I think. Lots of people have their place in the world, society, and their moral framework attached to the idea that they are a DC Comics Superhero by consequence of avoiding the purchase of carbonated drinks. It’s little wonder that unruly children will take the opportunity to stick it to the “Carbon Fascists” by defacing websites if they can make use of canned script-kiddie tools. The whole recent nonsense of Gleick’s escapades are just an example of the same.
There’s no shortage of high-strung loons and bored children out there. Which is all the reason one needs to practice locking the front door at night.
Yes ROBUSTNESS is a word.
Read Nassim Nicholas Taleb, for instance his soon (November) to be released Antifragile: Things That Gain from Disorder. In The Black Swan: Second Edition: The Impact of the Highly Improbable: With a new section: “On Robustness and Fragility”, he argues that “antifragility” is stronger and preferable to robustness.
strongly agree about the length. Any computer character is a choice of a collection of 256 variations of 8 bits. It doesn’t matter whether they are meaningful or not. The longer they are, the longer it takes to work through all the posibilities which, on average, will take half the time indicated in the cartoon.
MAYBE they object to the use of the word “denial” twice on the main page?
Just sayin …
.
Nick says:
August 17, 2012 at 3:01 pm
…. C’Mon guys. With all the sceptical thinkers hanging around here, I’m amazed there enough naive people getting hacked, infiltrated or are vulnerable!
==================================================
“Everybody’s ignorant. Only on different subjects.” Will Rogers
Be on guard. Not everyone is as ethical as you are.
Lots of good advice is being put up here by people that are not ignorant of computer security issues.
Heed it, especially if you are running a blog.
@Kretchevov & Gunga & IAN. Great ideas. Here’s why it won’t work.
I have over 120 passwords. Banking, credit cards, amazon, ebay, email server, online stores, twitter, dept stores, itunes, website, FTP, health insurance, cell phone company, home phone, electric provider, tolltag, paypal, online backup, various forums, plus (because I’m a CPA) state comptrollers, IRS e-services, secretaries of state, you get the point.
I don’t figure I’m atypical in the amount of my online interactions.
There is no way a typical individual can have a UNIQUE, LONG (as long as the website allows) and STRONG password for every web interaction and remember them all and change them regularly.
For password security, in my opinion, one MUST have a password manager with double authentication.
Attacks on skeptical blogs = desperation.
I love the smell of desperation in the morning.
Also, having a strong password may not be enough. Consider setting up two factor authentication on your systems.
Steve Gibson of Gibson Research (grc.com) is well known and has been around a looong time …
A number of years ago Steve/his website was the target of a DDOS attack … to make a long story short over time he was able to disassemble/reverse engineer the bots, create a new one of his own, and then use it to gain intel and ‘get close’ to the attackers … he then wrote all this up and it made for a very interesting read:
http://www.crime-research.org/library/grcdos.pdf
Here is a tantalizing from within that pdf file to whet the appetite:
.
For human-derived/entered passwords, one generally limits that ‘collection’ of 256 to a subset consisting of upper and lower case ASCII chars, the ten number chars, the allowed half-dozen or so punctuation symbols …
.
NZ Willy says:
August 17, 2012 at 2:06 pm
“I cater for today’s formidable password requirements by keystroking a little picture or pattern on my keyboard. I have absolutely no idea what my own passwords are, but my fingers have no trouble keying them in.”
Ever had to use a french or german keyboard? I often used patterns until I got a smartphone and then realised I couldn’t find the right punctuation marks because they weren’t where they used to be!
Evil$narkBunny111709!
I’ll go set it up right now – a weird password that I have a chance of finding when I forget it. 🙂
Can you put it in the title for me?
One problem with a service like lastpass is considering what happens if they go out of business. All of a sudden, those random string passwords might not be available.
climatereflections;
If someone tries to attack me tomorrow, why would it be harder for them if I have a new password that I just created last week instead of one I created a year ago?
>>>>>>>>>>>>>>>>>>>>>>>>
If someone has already cracked your password, you may not be aware of it. They may be monitoring your system to collect more information about you without you being aware. Changing your password defends you from the possibility that your system is already compromised, not from being compromised in the future.
You can make an easy-to-remember secure password by simply combining several unrelated words. See this link: http://www.readwriteweb.com/enterprise/2011/01/why-using-2-or-3-simple-words.php
_Jim
Steve Gibson of Gibson Research (grc.com) is well known and has been around a looong time …
>>>>>>>>>>>>>>>>>>>>>>>>>
Agreed. I just wanted to steer people clear of grabbing any tool they find without doing some due diligence first.
great story btw.
Larry Pickering , a cartoonist who has been very critical of Australia`s left wing government has had his site come under sustained DDos attack , Coincidence ?
——————————————————————————————————————-
“pickeringpost.com has been consistently attacked via a DDoS for the past few days. We are now getting a “suspended” notice.
Some of us don’t respond well to criticism…we are doing all we can to persist with free speech. Those who aren’t on the email list can go to lpickering.net (until they get at that site too)”
LARRY PICKERING • 19 hours ago”
———————————————————————————————————————-
http://lpickering.net/
About Larry Pickers cartoons …..”Careful, they`re Starkers”…You`ve been warned
davidmhoffer: “If someone has already cracked your password, you may not be aware of it. They may be monitoring your system to collect more information about you without you being aware. Changing your password defends you from the possibility that your system is already compromised, not from being compromised in the future.”
Fair enough. But what is more likely? In the case Anthony linked to, the guy’s entire digital life was compromised in a matter of hours, certainly within a day or two. So what is a password thief who has just gained access to an important account of mine more likely to do: (a) sit on the password for months in the hopes that (i) they will find more useful information that will be really valuable, and that in the meantime (ii) I won’t discover them, or change the password, or close the account, etc.; or (b) act quickly with the critical information they just obtained to extract what they can?
Also, the “1 year” advice we so often hear is absolutely arbitrary. If changing passwords is really that much more secure, then why not make it every 6 months, or every month, or every week?
I agree that changing passwords often could provide a small incremental amount of security — the digital equivalent of constantly living on the run from the bad guys. But it comes with its own baggage that is not only a big headache, but for many people causes worse security issues than it was designed to solve.
climatereflections;
Fair enough. But what is more likely?
>>>>>>>>>>>>>>>>>>>>>
Security is a balancing act. You have to ask yourself what the target is, what the value of the target is, and who is targeting it. Y
For example, you need not change the password on your banking card very often, because to use it against you the hacker has to have both the password and the card (two factor authentication). In that example, if someone got your card and your password, yes they would empty your account as fast as they could because their window of opportunity is limited.
Suppose instead we’re talking about your email account. Someone who hacks that doesn’t have the immediate pay off that the guy with your bank card does. But what they do have is a record of all your communication, and you will reveal all sorts of information about yourself that you assume is private. Different kind of hacker, different target, and so different behaviour. That hacker will lurk as long as possible collecting information in order to hack something else entirely.
Sorry, but there is no straight answer. Systems with two and three factor authentication need not have their passwords changed often. Same for systems that are not easily accessed. My desk top computer is fine (in my opinion) with 18 months. My laptop however is a 3 month cycle precisely because it gets to go out in public while my desk top doesn’t. Then there’s the value of the target to consider. Launch control for nuclear missiles requires a higher level of rigour than my laptop does. But you are also correct in that there is such a thing as changing your password too often. The more often you change it, the more often you are likely to make a mistake and lock yourself out of your own data. Worse, the more often you change passwords the more likely people are to write them down to remember them, which introduces a whole new risk. Same goes for “strong” passwords. The “stronger” they are the more likely they are to be written down in order to remember them.
Alas, the answer to all easily understood computer questions must begin with the words “it depends….”
Anthony,
I somewhat agree with most of your security advice. I don’t categorically agree with your reliance on “cloud” based systems. It is true that information can be handled in this nebulous cloud in such a fashion to make attacks harder to execute. Reliance on WordPress or such web sites is fine provided that they don’t shout you down should you cross their politics. It happens. Twitter shut down an NBC reporter for criticizing the London Olympics. Google gerrymanders it’s search result priorities to reflect their politics. Facebook…OMG….Your site was blocked by both The Globe and Mail and wiki for a long time and links were erased. (I know since I tried to link to your site)
and then there is wikipedia….lots of bandwidth there but just try and have an opinion that strays from the editors’ viewpoint.
I say slave your work to the cloud but maintain a redundant authenticated source, well password protected in the event that the anti-free speech activists monkey with either the hosting service or your server.
So long as WordPress remains agnostic about content you will be ok. I have little faith in that.
I have no doubt wordpress can be breached, but this site is probably under more threat from wordpress itself than hackers. Such of the price of success when you resist the establishment.
Some us us don’t need no steenking dynamic content. Or PHP. 😉
Static pages, with everything else turned off and secure permissions in a change-root environment is about the safest configuration, leaving only the HTTP server engine’s vulnerabilities exposed. Of course, a simpler HTTP engine, without any kitchen sinks, is inherently more secure. Some engines offer throttling of content, so you can slow down the ‘bot scans by orders of magnitude when they visit; making your site look like it’s connected to the Internet with a damp string.
I have a few (few) WordPress blogs. Backed up after every significant change.
P.S.: if your HTTP root directory contains a file called “muieblackcat”, it’s a footprint left around by an attack via PHP, notionally, a successful one. Have fun with that. 😉
I would like to add for anyone who does not have a router on their home systems, you really should think about getting one (and dont forget to change it’s password too). While it is not the end all be all of home security it will add a layer of hardware protection between you and the outside world.
As a real life example, I once was off at a training class and took along a system that I was going to reload windows on. Got windows set up, hooked it up to the local internet connection of the hotel I was in, loaded up my antivirus over the net and figured it was a good night’s work and headed off to bed. In the middle of the night the antivirus alarm went off saying I had just picked up one. In this case it was clearly someone snooping around the IP’s of the hotel and found a big enough hole to jump in on my newly loaded up machine (of which there are plenty I know). I would tend to think that had I had a router to act as a firewall there it would not have happened.
“davidmhoffer says:
August 17, 2012 at 1:58 pm
A system 100% secure is unusable.”
If I recall my NT 4 days, for a server to be fully C2 compliant it had to not be connected to a network, which sort of defeats the purpose of a server.
Lots of good comments here too. One which works for me, probably because the way my mind works (Or doesn’t as the case may be) is a word, phase or a bunch of words which are spelled incorrectly, as well as the usual substitution of numbers/characters/symbols in place of letters etc.
[snip -thanks well aware, but I don’t want to give people any ideas – Anthony]
climatereflections;
If someone tries to attack me tomorrow, why would it be harder for them if I have a new password that I just created last week instead of one I created a year ago?
>>>>>>>>>>>>>>>>>>>>>>>>
“If someone has already cracked your password, you may not be aware of it. They may be monitoring your system to collect more information about you without you being aware. Changing your password defends you from the possibility that your system is already compromised, not from being compromised in the future.”
True. It has been years. But it was reassuring to be able to snoop on my teenage daughter’s email and myspace without her knowing. I could probaby get into her current accts today with that ol password.
Interesting since GWPF had a great paper on Wind energy and Jo is always in tune with the fight against Gillard’s Carbon tax and Gillard is getting in election mood…
Some people don’t like really complicated passwords because they’re afraid that they may forget them unless they write them somewhere and then someone might find where they are written and guess that it is a password and then problems begin. This is my personal piece of advice to them, as it works fine for me.
It is easier to remember sentences, word by word, than complicated passwords, especially if those sentences are meaningfull for you. More importantly, you can find a way to make it easy to recall them in the rare case that you forgot some detail, without it being obvious for third parties that the sentence you write somewhere else or take from somewhere where it would be already written, is in fact a key to a password. Examples can be sentences that describe yourself in a way that only some people could recognise, or some sentence that you liked in a given page of your favourite book, or a citation from the lyrics of a song that is special to you in some way, etc. For example, say you are a fan of Terry Pratchett, you may particularly favour some of his quotes like:
“The pen is mightier than the sword if the sword is very short and the pen is very sharp“.
You may have the book where that sentence appears and have the page marked in some particular way just in case you forgot the precise words, or otherwise have the sentence written anywhere else where it looks like nothing especial or out of context. Then if you can memorize the sentence, or at least you have access to it, you can easily convert it to a complicated password by taking the initials of every word and then adding some additional convertions to numbers and symbols and capitals. First the initials:
“tpimttsitsivsatpivs”
Then the conversion:
“tP1Mtt$1t$1v5atP1v5“.
Here I converted initials of all nouns and adjectives to capitals, then all “i” to 1, all S from sword to $, and all other S to 5. Any other kind of conversion you can think of and remember would be fine. And voilà, you have an extremely complicated password that no program would break, and nobody would ever discover provided that nobody knows that that particular sentence is meaningful for you, yet you can remember without difficulty. And this is despite this particular sentence is not the best possible example, given that it repeats many words so it has only a few characters repeated all the time. You could choose far better sentences.
Just my 2 cents.
Timely advice – a pity it’s necessary, but inevitable I guess. I’ll add a thumbs-up for Steve Gibson and his site, he’s been around so long because he’s sound.
It’s not only the server end that needs attention, of course. If you ever want to go to some of the more dangerous backwaters of the net (like Mr. Gibson!), a friend has a suggestion for hardening the machine used for that activity. He used Bart PE to make himself a “live CD” install of XP (on a non-net-connected machine!), and he uses that to boot an old machine with no hard drive, downloading anything he wants onto a memory stick. Anything at all unexpected happens – reset button. If you use a motherboard with a flash bios, then find a mechanical way of disabling the facility, because (like all those autoplay “features” in Windows) there are too many doors left open from top to bottom in modern machines in the name of “improving the user experience” or some such. Some more thoughtful MB manufacturers have a pin header and jumper on the board to allow / disallow flashing, but most don’t. Touch wood (or silicon), he’s never been “pwned” yet.
It’s the paradox of freedom – what to do when some malicious [expletive deleted] abuses it.
REPLY: WordPress has an export feature for backups – Anthony
Which doesn’t work very well. I’d advise using 3rd party software to create archives of the blog posts and comments and graphics and for good measure the external content to the first link depth.
Jo Nova sure does have a plan. (You didn’t ask Anthony.). But she certainly won’t be posting the details of it on a 100,000 hits per day blog.
Security, you know. Some things are better left unsaid.
There’s a lot of it about apparently
http://www.theregister.co.uk/2012/08/17/reuters_blogs_hacked_again/
Any chance the Norfolk Plod will investigate, now they have finished the UEA leaks?
“ANH says:
August 17, 2012 at 11:07 am
‘Climategate taught Steve McIntyre and me this lesson very well. Not ‘McIntyre and I’.”
The plural is where we’re easily mistaken. Change it to singular, and it’s easy to get correct.
“Climategate taught me, Climategate taught Steve McIntyre and me” vs
“Climategate taught I, Climategate taught Steve McIntyre and I”.
I learned this from my brother when he was teaching an adult English class..
“The Norfolk Plod” is a very good description of the speed at which they work. Either that or it’s a dance step.
I know Anthony posted re security advice (and as an ex I.T. pro I’ve desgned access security systems so am interested) but what most intrigues me is the fact that GWPF and Jo Nova were both hacked at a time when important stuff was appearring on their sites.
IMHO, Climategate was undoubtedly an inside job but these are external hacks and obvious denial of service. That they happened at almost the same time is not coincidence.
In the case of GWPF the arabic connection now showing is a diversionary tactic. Instead, any Plod asked to find the culprit (and they should be asked) should not be suprised to find that it is a well known alarmist organisation or maybe a government department.
Question — how do password crackers get by the limitations of signing-on (often 3-5) attempts? It would take a whole lotta attempts to guess a long password.
Yes, I’m no network administrator.
“Your system has achieved a perfect “TruStealth” rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to “counter-probe the prober”, thus revealing themselves. But your system wisely remained silent in every way. Very nice.”
Gotta love Linux…
beng says: August 18, 2012 at 7:47 am
Question — how do password crackers get by the limitations of signing-on (often 3-5) attempts? It would take a whole lotta attempts to guess a long password.
Passwords are stored in a database (a file file) and most websites use these database to store other things. One of the commonest ways is to find a form on the website which the programmer forgot to check and which is added directly into a command string to access the database.
One approach is to take a search string which effectively says: “find the name of the post who’s id =
And the entry from form is changed to read (for the machine)
“dumb” Find password of admin user.
Put together you get:
find the name of the post who’s id = “dumb”
Now find password of admin user.
Now, it may sound difficult to guess what page and what input will work and how … but many website (like the Global Warming Policy Foundation) use publicly available software where someone intelligent enough can look through the code to find these backdoors.
There are also other ways. One is to find a site that allows avatar uploads … but doesn’t check if its the right file type … and then upload a file that effectively allows access to all files.
… and if it’s done well, on a shared server, it may not be your own software which is at fault, but someone else sharing the server.
Oops … some of my bits above were stripped as they were in greater than less than brackets .. but I think it is still intelligible
Using ZoneAlarm under Win98SE I used to achieve the same effect … (ZoneAlarm was also tested by Gibson and was highly rated and recommended, but it’s been a few years now.)
.
Does not bode well for the future . . . I think!
Bicentennial Man movie trailer (1999)
Thought provoking film . . . for me at least!
“Evil$narkBunny111709!”
What’s Eli got to do with this?
REPLY: Eli who?
Re: ChE says:
August 18, 2012 at 9:45 am
Thank you Moderator . . . didn’t come through on my end . . .
ChE: “Inquiring minds want to know”! Is this like a “Who is John Galt” moment?
ChE says:
August 18, 2012 at 9:45 am
“Evil$narkBunny111709!”
What’s Eli got to do with this?
REPLY: Eli who?
>>>>>>>>>>>>>>>>>>>>
Eli Rabbit. Like a couple of others upthread, I thought it was a carefully chosen jibe.
As for remembering user names and passwords. Bookmark the relevant website then edit the URL properties to add a question mark and a clue.
wattsupwiththat.com/?curacoa
If I needed a name and password to post here I’d be using – according to the clue – the naval rank and serial number of an ancestor.
Or, if you’re feeling brave.
wattsupwiththat.com/?username/password
http://attrition.org/errata/charlatan/
Steve Gibson, listed about a dozen down. Was wondering why the name seemed so familiar…
=8-)
All this talk of password protection kinda makes me re-think the all.7z file hoopla again. Has anyone tried Evil$narkBunny111709! for the password yet??? :->
@Dodgy Geezer
“Why does writing a password down make it useless? We’re talking about home-operated equipment here…”
Funny story time, or perhaps not. And bare with me a bit.
So, did you hear about the case of the guy in the UK who operated a TV redirection site? He didn’t actually host anything himself, he simply offered a redirection site, other people offered links, which were checked by other members for quality. And in turn, posted. Now the sites themselves were all over the world, run by other people.
This fellow, put his house up on the market and had his equipment in a similar situation as you. A “prospective buyer” who was actually an undercover police officer, came in gleaned all the account info of his site, and were able to sting him down. In turn, they arrested, charged, and shut him down with a conspiracy to defraud. Now that’s not what would happen to you, but, it does show that having something written down in plain site isn’t exactly the best security option.
Some info on that case here:
https://torrentfreak.com/surfthechannel-owner-found-guilty-of-conspiracy-to-defraud-120627/
clipe says:
August 18, 2012 at 1:54 pm
As for remembering…
Funny how the mind works. Seeing “remembering” made me think of Greenland for some reason, couldn’t figure out why at first.
Anagrams!
berg in memer
berger in meme
Bimmer Green
@ MattB says: August 18, 2012 at 2:23 pm
Gee . . . I thought that part of what the entire “Patriot Act” was about . . . . Which really turns into a Catch 22 if you do not know the pass word . . .
It’s also why . . . many people will not touch or get involved with computers . . . forget pass words for a moment . . . let’s talk about “terms of service” and “privacy policies”!
FTC Approves Final Settlement With Facebook
http://www.ftc.gov/opa/2012/08/facebook.shtm
Then there is: Google Will Pay $22.5 Million to Settle FTC Charges It Misrepresented Privacy Assurances http://www.wired.com/business/elsewhere/google-will-pay-22-5-million-to-settle-ftc-charges-it-misrepresented-privacy-assurances-20120809/
Can you imagine what is happening within the whole anonymous hacktavist . . . “culture”!
Oh and my favorite . . . terms of services . . . . for example . .
Indeed (they say) is the #1 job site worldwide
Ownership and Rights to Use Materials
If you post content or submit material, you grant Indeed a nonexclusive, worldwide, perpetual, irrevocable, royalty-free, sublicensable (through multiple layers of sublicensees) right and license to make, use, sell, sublicense, reproduce, distribute, perform, display, prepare derivative works from and otherwise exploit all such content and materials for any purpose without restriction.
http://www.indeed.com/intl/en/tos.html
http://www.indeed.com/intl/en/about.html
Indeed is the #1 job site worldwide, with over 60 million unique visitors and 1 billion job searches per month. Indeed is available in more than 50 countries and 26 languages, covering 94% of global GDP.
Since 2004, Indeed has given job seekers free access to millions of jobs from thousands of company websites and job boards. As the leading pay-for-performance recruitment advertising network, Indeed drives millions of targeted applicants to jobs in every field and is the most cost-effective source of candidates for thousands of companies.
Indeed is a privately held company founded by Paul Forster and Rony Kahan, with investors including The New York Times Company, Allen & Company, and Union Square Ventures. Indeed has offices in Austin, TX, Dublin, IE, London, UK, Mountain View, CA, New York, NY, and Stamford, CT.
http://www.indeed.com/intl/en/ourcompany.html
So, what do you think about the “laissez faire” approach to business’s that behave badly?
So one may feel secure in whatever they want, but it may only be false security . . .
Every engineer I have ever been exposed to understands the necessity of good and great rules and enforcement of those rules . . . and has an appreciation for the good and great processes that have developed for adjudicating them thereof!
More on what yoshisen says: August 18, 2012 at 2:40 pm
SEC shuts down $600M online Ponzi scheme
Court freezes remaining assets of ZeekRewards.com
http://articles.chicagotribune.com/2012-08-17/business/chi-sec-shuts-down-600m-online-ponzi-scheme-20120817_1_investors-net-profits-rewards-pointsCourt freezes remaining assets of ZeekRewards.com
Former Councilman Accused Of Running Ponzi Scheme Pleads Guilty
http://www2.wspa.com/news/2012/jul/30/14/former-anderson-co-councilman-plead-guilty-ar-4222671/
This has all been made so much easier . . . with the advent of the internet and the innovations in technologies that make this kind of networking possible . . .
So, I am hoping that I am addressing issues with “hue”mans that understand the need for regulations, whether the regulations affect public behaviors and suedo private behaviors!
If it were to become a reality . . . that simply referencing a link . . . would be punishable by fine or law or both . . . an intense deep freeze would be the new climate on the internet !
Evil$narkBunny111707! says host your site on a computer with nothing else on it. Best would be to never telnet in, etc. Computers are inexpensive enough and whatever you do don’t do your banking on the same system