Beefing up security on skeptical blogs

A candidate icon for Portal:Computer security (Photo credit: Wikipedia)

It has been noted that in the past week two prominent skeptic websites have been attacked: Jo Nova and The GWPF. The latter was taken over, and a message from the attackers replaced the home page.

I won’t give any publicity to the attackers by showing that screen, but suffice it to say it was ugly.

This is just a friendly warning message for the skeptical blogging community at large to say that you should immediately take steps to improve your security. Here are some suggestions.

1. If you operate a private server rather than being hosted on WordPress.com, Blogspot, TypePad or a similar service, you are the most vulnerable to attack. The suggestions below are for those running private dedicated or leased servers.

a. Close any ports on your system that are not necessary for regular operations. For example, if you don’t use FTP, turn it off. Likewise for Telnet, SSH, and other remote access methods if you don’t use them. Open ports (there are thousands of port numbers) can be used to exploit systems, especially when an unused application or service is installed but not configured, and there are ways to close broad swaths of them at once. For Linux see: http://www.linuxquestions.org/questions/linux-security-4/close-unused-ports-and-ssh-503929/page2.html

For Windows Server: http://searchsecurity.techtarget.com.au/news/2240020779/Five-ways-to-harden-Windows-Server
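Before closing ports, find out what is actually listening. As an added example (not part of the post), the Python script below parses the output of `ss -H -tuln` on a Linux host and flags every socket that is reachable from the network and not on an allowlist; the sample `ss` output and the 80/443 allowlist are constructed for illustration.

```python
"""Audit listening sockets against an allowlist (added example, not from the post).

Parses `ss -H -tuln` output (Linux iproute2) and reports every socket that
listens on a network-reachable address and is not on the allowlist, so an
unused FTP or Telnet daemon, or a MySQL bound to 0.0.0.0, shows up at once.
Services bound only to loopback (127.0.0.1, ::1) are not flagged.
"""
import subprocess
from ipaddress import ip_address

# Constructed sample of `ss -H -tuln` output for a small web host.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      32           0.0.0.0:21        0.0.0.0:*
tcp   LISTEN 0      80         127.0.0.1:3306      0.0.0.0:*
tcp   LISTEN 0      128             [::]:23           [::]:*
udp   UNCONN 0      0          127.0.0.53%lo:53    0.0.0.0:*
"""

# Ports that must be reachable on a public web server (assumed policy).
PUBLIC_ALLOWLIST = {("tcp", 80), ("tcp", 443)}


def parse_ss(output):
    """Yield (proto, address, port) for each line of `ss -H -tuln` output."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        # Drop IPv6 brackets and any %scope suffix, e.g. "[::]" or "127.0.0.53%lo".
        addr = addr.strip("[]").split("%")[0]
        yield proto, addr, int(port)


def is_network_reachable(addr):
    """True if a bind address can be reached from another host."""
    if addr in ("*", ""):
        return True
    try:
        ip = ip_address(addr)
    except ValueError:
        return True  # be conservative about anything we cannot parse
    return not ip.is_loopback


def unexpected_listeners(output, allowlist=PUBLIC_ALLOWLIST):
    """Return sorted (proto, addr, port) tuples that are reachable and not allowed."""
    findings = {
        entry for entry in parse_ss(output)
        if is_network_reachable(entry[1]) and (entry[0], entry[2]) not in allowlist
    }
    return sorted(findings)


def audit_live_host(allowlist=PUBLIC_ALLOWLIST):
    """Run ss on this machine (Linux only) and audit the real socket table."""
    proc = subprocess.run(["ss", "-H", "-tuln"], capture_output=True, text=True, check=True)
    return unexpected_listeners(proc.stdout, allowlist)


if __name__ == "__main__":
    for proto, addr, port in unexpected_listeners(SAMPLE_SS_OUTPUT):
        print(f"review: {proto}/{port} is listening on {addr}")
```

On the sample, SSH, FTP and Telnet are reported while MySQL on 127.0.0.1 is not; if you do keep SSH, add `("tcp", 22)` to the allowlist and restrict its source addresses at the firewall.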

b. Be sure security patches for your operating system and applications are up to date.

c. Run a security scan using your antivirus program for your server. If you don’t have an AV/anti-malware program for your Windows-based server, you are asking for trouble. Linux, not so much, but you need to tighten port security as in point a.

d. If you have other applications installed, such as PHP, MySQL, etc., make sure those applications are patched and up to date. It is easy to say “if it ain’t broke don’t fix it,” but security exploits accumulate with time. Your best defense is keeping up to date and applying new patches. Like climate, servers are not static entities.

2. Passwords are your weakest point of failure. Make sure you have a strong password. Any password that is a simple English-language dictionary word is easily exploited with a password grinder. You need complex passwords with many character combinations, like this:

Evil$narkBunny111709!

Don’t use street addresses, telephone numbers, SSNs, birthdays, or family/pet names as part of the password, as these are discoverable. If your password has been around for more than a year. Change. it. now. Read what happened to a prominent WIRED journalist who got sloppy; the hacker was also helped along by incompetent security protocols at Apple and Amazon.

Likewise, your other apps like MySQL and PHPadmin also have passwords. Some people never even change the default passwords, and that’s an invitation for trouble. Change. it. now.
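A password grinder hammering a server leaves a trail in the auth log. As an added example (not part of the post), this Python script counts failed SSH logins per source address inside a sliding window and reports the sources that cross a threshold, which is the check that Fail2ban (mentioned in the comments) automates; the log lines, hostname and addresses are constructed.

```python
"""Spot password grinding against a server from its auth log (added example, not from the post).

Counts failed logins per source address inside a sliding time window and
returns the sources that reach a threshold, so they can be blocked or reviewed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd lines in classic syslog format (no year), as in /var/log/auth.log.
SAMPLE_AUTH_LOG = """\
Aug 17 13:40:01 blog sshd[2310]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Aug 17 13:40:03 blog sshd[2312]: Failed password for invalid user oracle from 203.0.113.5 port 51240 ssh2
Aug 17 13:40:04 blog sshd[2314]: Failed password for root from 203.0.113.5 port 51242 ssh2
Aug 17 13:40:06 blog sshd[2316]: Failed password for root from 203.0.113.5 port 51250 ssh2
Aug 17 13:40:07 blog sshd[2318]: Failed password for invalid user test from 203.0.113.5 port 51251 ssh2
Aug 17 13:41:30 blog sshd[2320]: Failed password for anthony from 198.51.100.7 port 40022 ssh2
Aug 17 13:41:41 blog sshd[2320]: Accepted publickey for anthony from 198.51.100.7 port 40022 ssh2
Aug 17 13:55:00 blog sshd[2400]: Failed password for root from 192.0.2.9 port 33001 ssh2
Aug 17 14:10:00 blog sshd[2401]: Failed password for root from 192.0.2.9 port 33002 ssh2
Aug 17 14:25:00 blog sshd[2402]: Failed password for root from 192.0.2.9 port 33003 ssh2
Aug 17 14:40:00 blog sshd[2403]: Failed password for root from 192.0.2.9 port 33004 ssh2
Aug 17 14:55:00 blog sshd[2404]: Failed password for root from 192.0.2.9 port 33005 ssh2
"""

# Matches OpenSSH "Failed password" lines, with or without "invalid user".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_failures(log_text, year=2012):
    """Yield (timestamp, user, source_ip) for each failed-password line.

    Syslog lines carry no year, so the caller supplies it (2012 here, the
    year of the post).
    """
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def grinding_sources(log_text, max_failures=5, window_seconds=600):
    """Return {ip: (failures_in_window, first_ts, last_ts)} for sources that hit the threshold.

    A deque per source keeps only timestamps inside the sliding window, so a
    burst of failures is flagged while a single mistyped password is not.
    Caveat: very slow grinding (one attempt every 15 minutes in the sample)
    never accumulates inside a 10-minute window; widen the window to catch it.
    """
    recent = defaultdict(deque)
    flagged = {}
    for ts, _user, ip in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= max_failures and ip not in flagged:
            flagged[ip] = (len(q), q[0], q[-1])
    return flagged


if __name__ == "__main__":
    for ip, (count, first, last) in grinding_sources(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {count} failed logins between {first:%H:%M:%S} and {last:%H:%M:%S}")
```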

3. Consider moving off a private server to a service like wordpress.com, where WUWT is hosted. There are migration tools for many of the other blogging platforms to make this easy. The value of wordpress.com is that they take care of all of the heavy-duty security for you. DDoS attacks, exploits, malware, port attacks, SQL injections, etc. are all handled for you. Plus you get cloud service to handle massive bandwidth, all for free. WUWT is hosted on WordPress.com, and every time I think about the trade-offs of getting a private server to get a few more features like comment editing or sidebar widgets, I think of the management hell that The GWPF, Jo Nova, and Lucia have gone through with their private server setups. Staying on wordpress.com is a no-brainer for the security and bandwidth alone. Extra features aren’t worth anything if your website is hosed.

Jo Nova is now frequently offline with DDoS attacks, and she has no good strategy for dealing with it in a single server box. Cloud servers on wordpress.com with frontline router security solve this issue with ease.

4. Remember when Climategate broke? Climate Audit, then on a private single-box server running WordPress software from wordpress.org, crumbled under the load. WUWT remained running because it was on the cloud-based wordpress.com. We’ve since migrated Steve McIntyre’s CA website from a private box in a Sacramento CoLo to the wordpress.com cloud system, and haven’t had any trouble since.

If you have a breaking story that needs wide exposure, the last thing you want is a private server that hits capacity in the first hour. Climategate taught Steve McIntyre and I this lesson very well.

Good luck.


VERY good advice. I’m a bit too small to be on anyone’s radar, but my site was overwhelmed and taken down a few times when ClimateDepot ran a link to the Temperature/CO2 Disconnect page on my site, and having it tweeted may have added to the problem.
The robustness (is that a word?) of WordPress is mandatory for the bigger players like WUWT!!!

Andrew Newberg

PASSWORD CHANGE: Evil$narkBunny111709!
CONFIRM CHANGE: Evil$narkBunny111709!
Got it…

ANH

‘Climategate taught Steve McIntyre and me this lesson very well.’ Not ‘McIntyre and I’.

kadaka (KD Knoebel)

WUWT is hosted on WordPress.com and every time I think about the trade offs of getting a private server to get a few mores features like comment editing or sidebar widgets, I think of the management hell that The GWPF, Jo Nova, and Lucia have gone through with their private server setups.
So sometimes trading some freedom for some security is worth it?
I know, false choice. You can get more features with a paid wordpress account, which may be affordable when you and your family free up some loose change by overcoming your needs for food and shelter. Freedom is not free.
However, I sure hope you keep WUWT backed up in a way that you could recreate it elsewhere if needed. In case wordpress-dot-com goes down, or someone convinces their management to suspend your account for a Terms and Conditions violation, details of which they’ll reveal to you some month soon.

MangoChutney

There’s definitely something amiss.
A while back a character called Albatross on SkS told me he had read my posts here and at the Richard Black blog. Given I don’t post here regularly, I asked if he knew where I lived. 😉 As an isolated incident I can dismiss this, except a new commenter at the Richard Black blog, Gort2012, seems to have a record of my comments across all blogs going back to 2007, when I wasn’t sure if cAGW was or wasn’t false (I’m still not sure, I lean heavily toward the false side). He said it was a simple Google search, but he must have been good with Google.

Are there any simple tools to move from privately hosted wordpress.org software onto wordpress.com?
I privately host http://www.realclimategate.com and have had a bandwidth problem once or twice.
I have registered realclimategate on wordpress.com, just haven’t found a tool to move articles, comments, domain URL, etc. Is this easy to do, as I have very limited time from now on?

AlexW

This is a classic about Password strength
http://xkcd.com/936/

wsbriggs

Well said Anthony.
Security is serious business, also for those of us who merely follow the goings on, think bank account, CCs, and debit cards. Many of us have been victims of exploits.
I’m happy to say that thus far my precautions have prevented my family from suffering through two attempts at online fraud. It is a jungle out there.

George

If you have any sort of firewall and ‘need’ ftp or ssh, tighten down your source address in your firewall. Usually, ISPs like Charter, Verizon, etc., will have your connection on Dynamic Host Configuration Protocol. Your home router’s IP address may change. But there may be a range you can use at least that is reserved for your area. If possible, just allow ports 80 and 443.
If you wrote code for your site, I am sure there are some Penetration testers within earshot. SQL and SQL injection attacks are one of the more common takeovers.
DDOS… patches on your connections in and your server. And if someone is using a botnet to do it, it then takes money. Big sites have application firewalls AND layer 2/3 firewalls in front of them as well as the ISP also controlling the traffic. WP is a good answer as they have the budget.
Also, if you are being attacked, DO call the FBI. You may not be a priority 1, but it is still a crime. You could be the one missing connection that puts all the puzzle pieces together (as these folks target more than one person.)
And a recent, not scientific, study has shown that girlfriends tend to stop this sort of activity. So if you have a creative way of distracting the attacker with the opposite sex, that might help too 😉

Man Bearpig

If you want to test your server (or your home computer for that matter) have a look at http://www.grc.com
Follow the links to Shields Up… this is a free checkup and will check your computer for common open ports. If you are running a web server from your office/home and/or an email server, etc., you should expect the relevant ports to be open; if you are not sure, there is a list of common ports on the GRC website.
If you have open ports, then look at your machine for programs that are listening to these ports. e.g. Internet Explorer will be listening to port 80 for HTTP or Web connections. Your email program to ports 25 and 110, etc.

Man Bearpig

Sorry, got a bit of that wrong… Your web server, not Internet Explorer, will be listening on port 80 for web connection requests, and your email server for email connections on POP/SMTP/IMAP.

Planet3.0 has had repeated hack attempts this week from a Ukrainian IP address.

Mashiki

I’ll counter with this bit of password entropy:
https://xkcd.com/936/
The biggest problem with complex passwords that include randomization of oddball characters is, people will write it down somewhere, either on their computer, cell or at their desk. Making it useless. And someone with enough drive will find a way to exploit that, the best passwords are the ones that stick in your head, but still have enough entropy that even a GPU cracker will take 10 or 20 years to break it.

Robert in Calgary

Will Jo Nova be making the move then?
REPLY: I have advised her in the strongest possible way to do so. The choice is hers. – Anthony

kadaka (KD Knoebel)

Evil$narkBunny111709!

Access granted
Hello DrHalpernScienceDefender!

Wow, it worked!

Chuckles

I’d suggest signing up with Cloudflare as a proxy front-end as well.
It’s free for the basic service and filters a lot of the dodgy traffic before it gets to your site.
ZbBlock installed on the server is fairly effective as well, and something like Fail2ban properly set up on the server can stop a lot of the brute force attacks quite well.

Kyle K

You want a long password? Make it a sentence or a phrase. Much easier to remember.

Jimmy Haigh

What was it Gandhi said? “…then they fight you… then you win…”.

Chris

Mashiki

The biggest problem with complex passwords that include randomization of oddball characters is, people will write it down somewhere, either on their computer, cell or at their desk. Making it useless.

Depends on whether the greater threat is from outside your office or inside.

BradProp1

Having worked for the military; everyone was instructed to use passwords that are made up of the first letters of every word in a long sentence that included numbers and special characters interspersed. The example given here would flunk the strength test.

J. Felton (the Cowboy)

Thanks for tip Anthony! I must say, I’m pretty incompetent when it comes to these matters.
Do Jo Nova and the GWPF plan to prosecute these cowards if they discover their identities? I hope so!

striptubes

The attacks on right-wing political sites and blogs in the US have also been trending substantially up lately. It’s a disturbing trend, to say the least.

wayne

Shields Up! – Gibson Research at http://www.grc.com has helped me immensely in identifying holes in systems, especially the unnecessary opened ports and unneeded open protocols. Anthony is right, ignoring these subtleties will leave your system wide open to unwelcome visitors one day. Gibson Research has been around for ages and has proved its trust to me over the years. (btw – stealth those ports if possible, it seems better to be totally invisible to the web whenever possible) This is good advice even if you’re not also a server, you never can be too safe in the wild www.

yoshisen

@Chris “Depends on whether the greater threat is from outside your office or inside.”
They’re both equal, the question is difficulty in gaining access. A well meaning person inside is just as bad as someone on the outside who means you ill. Here’s the example from Defcon: http://nakedsecurity.sophos.com/2012/08/10/social-engineer-walmart/

Dodgy Geezer

@Mashiki
“The biggest problem with complex passwords that include randomization of oddball characters is, people will write it down somewhere, either on their computer, cell or at their desk. Making it useless. And someone with enough drive will find a way to exploit that …”
Why does writing a password down make it useless? We’re talking about home-operated equipment here…
I run a couple of web servers on my home network. The servers are simple stripped-down single application machines, on a VPN. They sit, together with my Smoothwall firewall, in a stack in my attic. Because it’s a VPN I can’t operate it from my normal PC or my wireless connection – I have to go up into my attic to gain access to the operator console. On the front of my operator monitor is written the various access codes and other information I need to maintain the system, including passwords. That makes them convenient, but I can’t see how a hacker can gain access to them without breaking into my home and finding where the servers are. And then he hardly needs to know the password, does he, because he has full physical access to the system…

pat

Liberals are the same everywhere, every occupation. Angry children.

g3ellis

Wow, I should have reread before posting early. I fear the grammar nazi will be stalking me soon.
I meant to also include a plug for Password Safe. Bruce Schneier has been recommending it forever and a few of us use it. It is a great place for your evil snark bunnies and so you can remember their names later.
http://www.schneier.com/passsafe.html

Julian Lagopus Flood

“Evil$narkBunny111709!”
Julian wonders about that, but only in a twee, wabbitish sort of way…
JF

AnonyMoose

As previously mentioned, Jo Nova should consider adding CloudFlare, which involves changing DNS to use CF’s DNS servers, and might involve changing log formats (to log visitor’s IP addresses rather than only CF’s servers — there is a WordPress plugin). But because the attackers know the current IP address, it might also be a good idea to change the IP address… and soon also to permit only CF’s servers and Jo Nova’s home IP address in to the server.

Mark Wagner

Most people use the same password, or a variant thereof, for everything. This is highly dangerous because if someone gets that one password, they can usually figure out a ton of sites. Think about how many online passwords you use. Do you want some company to accidentally put your password in the public domain, and thereby give access to all of your banking, credit cards, etc?
@ KyleK: Don’t use passwords with words or phrases, even sentences. These take about 0.006 seconds to hack. The best passwords are completely random strings of upper and lowercase letters, numbers and symbols, as long as the website will allow. And EVERY site or login needs to be unique. The problem is remembering them all.
I use lastpass. I only have to remember one superstrong password (it’s random, but I have a keyboard mnemonic worked out) then lastpass remembers all of the passwords to every other site I use. And I don’t have to write them down. You can also set up lastpass where it will ask you a validation question consisting of what letters appear in a particular spot on a grid that is randomly generated upon your request. Then a hacker will have to possess not only your password, but the physical printout of your unique grid as well. Lastpass is the last password I will ever need.

davidmhoffer

I second the “go cloud” comments. There are some things that make no sense at all to put in the cloud, and some things that it makes no sense to put anywhere else BUT the cloud. Hosting a blog is one that just makes no sense anywhere but the cloud.
There were some comments upthread about various tools for scanning your system and getting feedback on actions you should take like closing ports. My recommendation is that UNLESS you know with certainty that those online tools are legit, DON’T! Stop and think about the depth of information you may inadvertently be handing to someone you absolutely don’t want to have it! Not to mention that these tools are generic, they prevent the weekend hacker from getting at you but a determined and focused hacker who is targeting a specific site for a specific reason is going to be exploiting weaknesses that are unusual, specific to your environment, and unlikely to be caught by generic tools.
FURTHER, security is a full time job. It isn’t something you set up and walk away. It has to be looked at by an experienced professional on a regular basis. Plus experienced professional alone isn’t enough, you need tools like firewall, intrusion detection, and more. If you run your own servers, you need either a competent security person who works for you full time, or a full time expert who comes in monthly. The cost for doing these things on a blog by blog basis just isn’t practical. Take it to a cloud provider who has full time staff and can spread the cost across thousands of blogs.

Gail Combs

My husband made the comment that the easiest way to hack a blog is to become a moderator….
REPLY: All our moderators are heavily screened, and nobody gets admin rights. – Anthony

mikemUK

I’ve just been reading a piece in today’s “The Register” ( theregister.co.uk ) by John Leyden which said that Reuters Blog has been hacked three times in the last fortnight, leaving false information: ironically, it was also suggested a flaw may have been exploited in WordPress, so beware, Mr Watts! 😉

DesertYote

Hardware is cheap. Never ever use a server for anything but a server. Do NOT play WoW on your web server! Ideally, firewall, authentication, presentation, back-end processing, and database should all be on separate systems, e.g. one box for Apache, one box for mySQL, etc. And don’t forget about full disk encryption.

Mike G

Another system is to use the first letter of each word in an easily remembered sentence. Nukes would have no trouble with “Every freaking sailor loves the freaking Navy” giving EfsltfN (sentence cleaned up since this is a family-oriented website). You do need to work a digit or two into your sentence.

polistra

Must admit I’ve never understood the appeal of keeping up a private server. In the ’80s days of Usenet and BBS’s it made sense, but not any more. Let a major ISP handle security. The worst they can do is kick you off, which is much less damaging than a hacker getting into your own box.

OK – this is how I learned to make strong passwords:
1. Think of a poem, or your favorite passage from a book: for example To be or not to be, that is the question…
2. Take 2nd letter from every word: oerooehshu
3. Introduce some substitutions and capitals, but those that you can remember, say first and 5th characters: 0eroOehshu
4. Stick a couple of numbers at the end, say your year of birth: 0eroOehshu01.
Job is done.
Obviously, one can make variations, or if you know any other languages, and poems in other languages, it also helps.

davidmhoffer

Dodgy Geezer;
On the front of my operator monitor is written the various access codes and other information I need to maintain the system, including passwords. That makes them convenient, but I can’t see how a hacker can gain access to them without breaking into my home and finding where the servers are.
>>>>>>>>>>>>>>>>>>>>>
Ever have a party at your house? A few guests over for dinner? Someone you don’t know very well says “you got a server farm in your attic? That is SO cool! Can I see it?” And so you figure no harm showing it to her…
As soon as you commit the password to paper, it becomes exposed in all sorts of ways that you’d never think of. Further, most sophisticated hackers are very good at social engineering. You figure that nobody goes up into the attic but you, but that isn’t the issue. The issue is that everyone who has access to your house has access to that attic, and may give away the info without meaning to. For example, suppose you aren’t home, but your wife or other family member is. The phone rings and someone asks for you, spins a story about being your insurance agent and can’t get ahold of you and needs some documentation for your insurance policy by some deadline (today) or new rules kick in that will double the price….but yeah, if the person who answered the phone could just take some pictures of that equipment in that attic and send them pronto… A determined hacker gets information in some rather ingenious ways….
On the other hand, this also is true. A system 100% secure is unusable. If you want to use it, there will be some level of vulnerability. Much of security is finding the right balance between security and ease of use. If you aren’t a target, the basics will do. If you are a target, the basics won’t even come close.

NZ Willy

I cater for today’s formidable password requirements by keystroking a little picture or pattern on my keyboard. I have absolutely no idea what my own passwords are, but my fingers have no trouble keying them in.

Gunga Din

If you’re reluctant to change your password(s) because you don’t want to have to remember a brand new one, make a strong basic one that you can remember then periodically change one or two of the numbers or special characters by advancing through the top row of your keyboard.

RC

” … Planet3.0 has had repeated hack attempts this week … ”
Your pal Frank Swifthack is vacationing in Drogobych and ran out of things to do?

“If your password has been around for more than a year. Change. it. now. ”
Dumb question:
If someone tries to attack me tomorrow, why would it be harder for them if I have a new password that I just created last week instead of one I created a year ago? Is there anything inherent about changing a password regularly that increases the security of the password?
On the other side of the coin, I know for a fact that changing a password regularly can significantly decrease the security of the password. It is much harder to remember a multitude of passwords that are regularly changing, resulting in people writing them down and leaving the information lying about. Or, more likely, they just make the passwords super easy. The prior company I worked at required us to change passwords every 90 days. It was such a royal pain in the neck that many people just threw up their hands and started using obvious passwords — you know, the old ‘password1’ then 90 days later ‘password2’ and so on.
Am I missing something? If I have a good, strong password set up is there some reason that I should change it on a regular basis?

kadaka (KD Knoebel)

Gee, and here I thought the modern way of making nigh-unbreakable passwords was to just “spk n txt”. You can alternate caps in place of spaces:
OMG4srUcnSCRWmyS2!
See, easy to remember, virtually unbreakable, practically unreadable…

John A

Remember when Climategate broke? Climate Audit, then on a private single-box server running WordPress software from wordpress.org, crumbled under the load. WUWT remained running because it was on the cloud-based wordpress.com. We’ve since migrated Steve McIntyre’s CA website from a private box in a Sacramento CoLo to the wordpress.com cloud system, and haven’t had any trouble since.

I still wake up in cold sweats. It was no fun, which is why cloud computing hosts like wordpress.com are far better than private hosting, despite their limitations.
I sleep a lot better now.

Interesting times. It makes me think of Gandhi and I know it has been quoted here before but worth another go:
Mahatma Gandhi – “First they ignore you, then they ridicule you, then they fight you, and then you win.”
Thanks for keeping this site going Anthony, and for helping others.

Skiphil

I don’t have a blog (yet) but is there a way to back up all of the files routinely off-cloud? i.e., I would be happy in general to go the WordPress route (thinking about starting a blog somewhere down the road), but I would not want to be 100% under their control if they have a management change, turn Big Brother-ish against dissenting websites etc. I’d want to be able to have my own back-ups somewhere so that I could easily re-start in another venue if WP proved problematic. I assume that ppl like Anthony and Steve M. have solved this issue with all that they’ve gone through……
REPLY: WordPress has an export feature for backups – Anthony

Ian H

@Mark Wagner (and others who suggest using a completely random string of symbols):
http://xkcd.com/936/
A random string of meaningless symbols is hard for a human brain to deal with, but easy for a machine. Human brains work on meaning and association. Using meaningless symbols makes it hard to remember and we therefore think it must make the password stronger. This is not so. Obfuscating the meaning makes no real difference to a machine since machines are blind to meaning. It just makes the password harder to remember without actually making it stronger.
A password made up of a sequence of unrelated but meaningful words is very easy to remember and strong enough to foil any brute force attack. The most important thing in determining password strength is length. How long is your password? Mine has in excess of 25 characters. Such a password is never going to be forced even though made up of meaningful words.

AJB

kretchetov says, August 17, 2012 at 1:43 pm
A lot easier to just go here: http://strongpasswordgenerator.com

Steve

If you are using Linux it could also be worthwhile trying to set up (or harden existing) SELinux.
http://en.wikipedia.org/wiki/Security-Enhanced_Linux

Dave Hayes

Up until recently the “idiot, anti-science, blowhard, non-consensus” blogs were of no concern to “real” scientists and governments. Someone has taken notice and probably HIRED the attacks. If you can’t figure out statistics, trends, and real data, you are not smart enough to proffer web based computer attacks on your own. Good work WUWT, someone is very worried, and should be.