Beefing up security on skeptical blogs

A candidate icon for Portal:Computer security (Photo credit: Wikipedia)

In the past week two prominent skeptic websites have been attacked: Jo Nova and The GWPF. The GWPF site was taken over outright, with a message from the attackers replacing the home page.

I won’t give any publicity to the attackers by showing that screen, but suffice it to say it was ugly.

This is just a friendly warning to the skeptical blogging community at large: take steps now to improve your security. Here are some suggestions.

1. If you operate a private server, rather than being hosted on WordPress.com, Blogspot, TypePad or a similar service, you are the most vulnerable to attack. The suggestions below are for those running private dedicated/leased servers.

a. Close any ports that are not necessary for regular operations. A port is open because a program is listening on it, so the real fix is to stop and disable the service, not merely hide the port. If you don’t use FTP, turn it off (if you need to move files, SFTP runs over SSH and needs no extra port). Turn Telnet off in any case; it sends your password across the internet in the clear. SSH you will usually need for administration, so rather than disabling it, restrict it: key-based logins only, no direct root login, and if you can, connections only from your own address. There are 65,535 TCP ports, and a host firewall with a default-deny inbound policy closes the whole range except the few you deliberately open. That is what protects you from an application or service that got installed but never configured, which is exactly what attackers scan for. For Linux see: http://www.linuxquestions.org/questions/linux-security-4/close-unused-ports-and-ssh-503929/page2.html

For Windows Server: http://searchsecurity.techtarget.com.au/news/2240020779/Five-ways-to-harden-Windows-Server

b. Be sure security patches for your operating system and applications are up to date.

c. Run a security scan with your antivirus program on the server. If you don’t have an AV/anti-malware program on your Windows-based server, you are asking for trouble. On Linux it matters less, but a scanner is no substitute for the port hygiene in point a and the patching in points b and d: the way a Linux web server usually gets taken over is through an unpatched web application, not through a virus.

d. If you have other applications installed, such as PHP, MySQL, and WordPress with its plugins and themes, make sure they are patched and up to date. It is easy to say “if it ain’t broke don’t fix it”, but known exploits accumulate with time, and an unpatched plugin is one of the commonest ways a self-hosted WordPress site gets taken over. Your best defense is keeping up to date and applying new patches promptly. Like climate, servers are not static entities.
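Here is a worked version of points a and d for a Linux box, added as an example and not code from the original post. It audits what is actually listening (the output of `ss -tlnp`) against the short list of ports the site needs, and prints a default-deny firewall plan for those ports. The `ss` output embedded below is a constructed sample, not a capture from any real server, so the script runs anywhere; the port numbers 22, 80 and 443 for SSH and the web server are the assumption.

```shell
#!/bin/sh
# Audit listening TCP sockets against the short list of ports the site actually needs.
# Input is the output of `ss -tlnp` (iproute2, Linux). On a real host:
#     ss -tlnp | audit_listeners 22 80 443

# Constructed sample in `ss -tlnp` format; not captured from any real server.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("apache2",pid=1200,fd=4))
LISTEN 0 128 0.0.0.0:443 0.0.0.0:* users:(("apache2",pid=1200,fd=6))
LISTEN 0 5 0.0.0.0:21 0.0.0.0:* users:(("vsftpd",pid=930,fd=3))
LISTEN 0 80 127.0.0.1:3306 127.0.0.1:* users:(("mysqld",pid=1010,fd=10))
LISTEN 0 128 0.0.0.0:23 0.0.0.0:* users:(("inetd",pid=700,fd=5))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))'

audit_listeners() {
    # $@ = ports the site legitimately needs; stdin = `ss -tlnp` output.
    # Prints "<port> <process>" for every socket bound to a non-loopback address whose
    # port is not in the allowlist. Returns 1 if anything was found, 0 if clean.
    allow=" $* "
    found=$(awk -v allow="$allow" '
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)          # text after the last colon
            host = $4; sub(/:[^:]*$/, "", host)      # text before the last colon
            if (host == "127.0.0.1" || host == "[::1]") next   # loopback only: not reachable from outside
            if (index(allow, " " port " ") > 0) next           # a service we expect to be exposed
            proc = "?"
            if (match($0, /\(\("[^"]*"/)) proc = substr($0, RSTART + 3, RLENGTH - 4)
            print port, proc
        }' | sort -n | uniq)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

firewall_plan() {
    # Print (do not run) an iptables default-deny inbound policy that opens only the given TCP ports.
    # The accept rules go in before the DROP policy so an existing SSH session is not cut off half-way.
    printf 'iptables -A INPUT -i lo -j ACCEPT\n'
    printf 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    for p in "$@"; do
        printf 'iptables -A INPUT -p tcp --dport %s -j ACCEPT\n' "$p"
    done
    printf 'iptables -P INPUT DROP\n'
}

# Demonstration on the constructed sample: FTP (21) and Telnet (23) are exposed and unexpected,
# MySQL (3306) is fine because it only listens on loopback.
printf '%s\n' "$SAMPLE_SS" | audit_listeners 22 80 443 \
    || echo "^ unexpected listeners: stop and disable these services (e.g. systemctl disable --now vsftpd)"
firewall_plan 22 80 443
```

The firewall plan is a backstop, not the fix: a service that is still running behind a blocked port is still there to be exploited by the next misconfiguration, so disable it. Run the audit again after patching, since package upgrades sometimes re-enable a service you turned off.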

2. Passwords are your weakest point of failure. Make sure you have a strong one. Any password that is a simple English dictionary word is cracked in seconds by a dictionary attack, and cracking tools also try the usual variations: capitalizing the first letter, swapping s for $, and tacking digits or a date on the end. You need something long and genuinely hard to guess. Here is the kind of thing people mean by a complex password, though notice two weaknesses in it: now that it has been printed on a public website it belongs in every word list (never reuse an example you have seen published), and its six-digit block reads as a date, which a cracker’s rules will try. Use it as a pattern, not as a password:

Evil$narkBunny111709!

Don’t use street addresses, telephone numbers, SSNs, birthdays, or family/pet names as part of the password; these are discoverable, and cracking tools have rules for appending exactly such things to a word. A long passphrase of several unrelated words is both easier to remember and stronger than a short string of oddball characters. If your password has been around for more than a year, change it now. And don’t reuse one password across your blog, your e-mail and your hosting account: whichever of those is weakest gives up the others. Read what happened to a prominent WIRED journalist who got sloppy, helped along by incompetent security protocols at Apple and Amazon.

Likewise, your other apps like MySQL and phpMyAdmin also have passwords. Some people never even change the defaults (MySQL’s root account has historically shipped with no password at all), and that’s an invitation for trouble. Change them now. Don’t leave phpMyAdmin reachable from the open internet, and if you don’t need it, uninstall it. The same goes for the WordPress login: pick a username other than “admin”, since that is the first one every brute-force script tries.
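To put numbers on the password advice above, here is an added example (not from the original post) that estimates password strength as entropy and generates a random one from the kernel’s random source. The point it shows is that a cracker does not see “Evil$narkBunny111709!” as 21 random characters but as two words, a date, a symbol and a leetspeak swap, and the entropy of that structure is a small fraction of the naive figure. The word-list size (10,000), the date range (36,525 days), the 72-symbol alphabet and the guess rate of 1e10 per second are assumptions for illustration, not measurements.

```shell
#!/bin/sh
# Password strength is entropy: how many equally likely choices the attacker must try.
# For a uniformly random string that is length * log2(alphabet size). For a password built
# from words the alphabet is the word list, not the characters, and a date is one pick
# out of roughly 36,500 days, not six random digits.

entropy_bits() {   # $1 = number of symbols chosen, $2 = size of the set each one is drawn from
    awk -v n="$1" -v s="$2" 'BEGIN { printf "%.1f\n", n * log(s) / log(2) }'
}

years_to_exhaust() {   # $1 = bits of entropy, $2 = guesses per second the attacker can make
    awk -v b="$1" -v r="$2" 'BEGIN { printf "%.3g\n", 2 ^ b / r / 31557600 }'
}

structured_estimate() {
    # Entropy of "<word><word><6-digit date><symbol>" with one s->$ swap, as a cracker models it.
    # Assumed sizes: 10,000-word list, 36,525 possible dates, 10 trailing symbols, ~1 bit for the swap.
    words=$(entropy_bits 2 10000)
    date=$(entropy_bits 1 36525)
    symbol=$(entropy_bits 1 10)
    awk -v w="$words" -v d="$date" -v s="$symbol" 'BEGIN { printf "%.1f\n", w + d + s + 1 }'
}

PW_ALPHABET='A-Za-z0-9!$%^&*+=?@'   # 72 symbols: 26 + 26 + 10 + 10 (assumed alphabet)
PW_ALPHABET_SIZE=72

random_password() {   # $1 = length; uniform draw from PW_ALPHABET using the kernel CSPRNG
    LC_ALL=C tr -dc "$PW_ALPHABET" </dev/urandom | head -c "$1"
    echo
}

RATE=10000000000   # 1e10 guesses/s: a fast unsalted hash on a GPU rig (assumption)

report() {   # $1 = label, $2 = bits
    printf '%-48s %6s bits  ~%s years at %s guesses/s\n' "$1" "$2" "$(years_to_exhaust "$2" "$RATE")" "$RATE"
}

report "21 chars read naively as random symbols"      "$(entropy_bits 21 "$PW_ALPHABET_SIZE")"
report "same 21 chars as word+word+date+symbol"       "$(structured_estimate)"
report "4-word passphrase from a 7,776-word list"     "$(entropy_bits 4 7776)"
report "20 chars from random_password"                "$(entropy_bits 20 "$PW_ALPHABET_SIZE")"
echo "fresh random password: $(random_password 20)"
```

The gap between the first two lines is the whole lesson: looking complex is not the same as being unguessable. A passphrase of four or five unrelated words is both memorable and, on this model, far better than a word with decorations, and a password manager holding output from `random_password` is better still.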

3. Consider moving off a private server to a service like wordpress.com, where WUWT is hosted. There are migration tools for many of the other blogging platforms to make this easy. The value of wordpress.com is that their operations team does the heavy-duty security for you: DDoS attacks, exploits, malware, port attacks, SQL injection and the like are their problem, not yours. Plus you get a cloud service that handles massive bandwidth, all for free. WUWT is hosted on WordPress.com, and every time I think about the trade-offs of getting a private server to gain a few more features like comment editing or sidebar widgets, I think of the management hell that The GWPF, Jo Nova, and Lucia have gone through with their private server setups. Staying on wordpress.com is a no-brainer for the security and bandwidth alone. Extra features aren’t worth anything if your website is hosed.

Jo Nova is now frequently knocked offline by DDoS attacks, and there is no good way to absorb one on a single server box: whatever you tune on the host, the pipe in front of it fills up first. The wordpress.com cloud, with filtering in front of the servers and bandwidth to spare, handles this with ease.

4. Remember when Climategate broke? Climate Audit, then on a private single-box server running the self-hosted WordPress software from wordpress.org, crumbled under the load. WUWT remained running because it was on the cloud-based wordpress.com. We’ve since migrated Steve McIntyre’s CA website from a private box in a Sacramento colo to the wordpress.com cloud system, and haven’t had any trouble since.

If you have a breaking story that needs wide exposure, the last thing you want is a private server that hits capacity in the first hour. Climategate taught Steve McIntyre and me this lesson very well.

Good luck.


107 Comments
August 17, 2012 10:59 am

VERY good advice. I’m a bit too small to be on anyone’s radar, but my site was overwhelmed and taken down a few times when ClimateDepot ran a link to the Temperature/CO2 Disconnect page on my site, and having it tweeted may have added to the problem.
The robustness (is that a word?) of WordPress is mandatory for the bigger players like WUWT!!!

Andrew Newberg
August 17, 2012 11:03 am

PASSWORD CHANGE: Evil$narkBunny111709!
CONFIRM CHANGE: Evil$narkBunny111709!
Got it…

ANH
August 17, 2012 11:07 am

‘Climategate taught Steve McIntyre and me this lesson very well.’ Not ‘McIntyre and I’.

kadaka (KD Knoebel)
August 17, 2012 11:24 am

WUWT is hosted on WordPress.com and every time I think about the trade offs of getting a private server to get a few mores features like comment editing or sidebar widgets, I think of the management hell that The GWPF, Jo Nova, and Lucia have gone through with their private server setups.
So sometimes trading some freedom for some security is worth it?
I know, false choice. You can get more features with a paid wordpress account, which may be affordable when you and your family free up some loose change by overcoming your needs for food and shelter. Freedom is not free.
However, I sure hope you keep WUWT backed up in a way that you could recreate it elsewhere if needed. In case wordpress-dot-com goes down, or someone convinces their management to suspend your account for a Terms and Conditions violation, details of which they’ll reveal to you some month soon.

MangoChutney
August 17, 2012 11:34 am

There’s definitely something amiss.
A while back a character called Albatross on SkS told me he had read my posts here and at Richard Black’s blog. Given I don’t post here regularly, I asked if he knew where I lived. 😉 As an isolated incident I can dismiss this, except a new commenter at Richard Black’s blog, Gort2012, seems to have a record of my comments across all blogs going back to 2007, when I wasn’t sure if cAGW was or wasn’t false (I’m still not sure, I lean heavily toward the false side). He said it was a simple Google search, but he must have been good with Google.

August 17, 2012 11:34 am

Are there any simple tools to move from privately hosted wordpress.org software onto wordpress.com?
I privately host http://www.realclimategate.com and have had a bandwidth problem once or twice.
I have registered realclimategate on wordpress.com, just haven’t found a tool to move articles, comments, domain URL, etc. Is this easy to do, as I have very limited time from now on?

AlexW
August 17, 2012 11:36 am

This is a classic about Password strength
http://xkcd.com/936/

wsbriggs
August 17, 2012 11:36 am

Well said Anthony.
Security is serious business, also for those of us who merely follow the goings on, think bank account, CCs, and debit cards. Many of us have been victims of exploits.
I’m happy to say that thus far my precautions have prevented my family from suffering through two attempts at online fraud. It is a jungle out there.

George
August 17, 2012 11:37 am

If you have any sort of firewall and ‘need’ FTP or SSH, tighten down the source address in your firewall. Usually, ISPs like Charter, Verizon, etc., will have your connection on Dynamic Host Configuration Protocol. Your home router’s IP address may change. But there may be a range you can use at least that is reserved for your area. If possible, just allow ports 80 and 443.
If you wrote code for your site, I am sure there are some penetration testers within earshot. SQL and SQL injection attacks are one of the more common takeovers.
DDOS… patches on your connections in and your server. And if someone is using a botnet to do it, it then takes money. Big sites have application firewalls AND layer 2/3 firewalls in front of them as well as the ISP also controlling the traffic. WP is a good answer as they have the budget.
Also, if you are being attacked, DO call the FBI. You may not be a priority 1, but it is still a crime. You could be the one missing connection that puts all the puzzle pieces together (as these folks target more than one person.)
And a recent, not scientific, study has shown that girlfriends tend to stop this sort of activity. So if you have a creative way of distracting the attacker with the opposite sex, that might help too 😉

Man Bearpig
August 17, 2012 11:38 am

If you want to test your server (or your home computer for that matter) have a look at http://www.grc.com
Follow the links to shields up .. this is a free checkup and will check your computer for common open ports. If you are running a webserver from your office/home and/or an email server, etc you should expect the relevant ports to be open, if you are not sure there is a list of common ports on the GRC website.
If you have open ports, then look at your machine for programs that are listening to these ports. e.g. Internet Explorer will be listening to port 80 for HTTP or Web connections. Your email program to ports 25 and 110, etc.

Man Bearpig
August 17, 2012 11:40 am

Sorry, got a bit of that wrong… Your Webserver not internet explorer will be listening on port 80 for web connection requests and email server for email connections on pop/smtp/imap

August 17, 2012 11:41 am

Planet3.0 has had repeated hack attempts this week from a Ukrainian IP address.

Mashiki
August 17, 2012 11:47 am

I’ll counter with this bit of password entropy:
https://xkcd.com/936/
The biggest problem with complex passwords that include randomization of oddball characters is, people will write it down somewhere, either on their computer, cell or at their desk. Making it useless. And someone with enough drive will find a way to exploit that, the best passwords are the ones that stick in your head, but still have enough entropy that even a GPU cracker will take 10 or 20 years to break it.

Robert in Calgary
August 17, 2012 12:03 pm

Will Jo Nova be making the move then?
REPLY: I have advised her in the strongest possible way to do so. The choice is hers. – Anthony

kadaka (KD Knoebel)
August 17, 2012 12:08 pm

Evil$narkBunny111709!

Access granted
Hello DrHalpernScienceDefender!

Wow, it worked!

Chuckles
August 17, 2012 12:13 pm

I’d suggest signing up with Cloudflare as a proxy front-end as well.
It’s free for the basic service and filters a lot of the dodgy traffic before it gets to your site.
ZbBlock installed on the server is fairly effective as well, and Fail2ban properly set up on the server can handle a lot of the brute force attacks quite well.
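The logic Fail2ban’s sshd jail automates, shown as an added example (not the commenter’s code and not Fail2ban’s own source): count failed SSH logins per source address in the auth log, report sources over a threshold, and turn the report into the iptables rules Fail2ban would insert. The log lines are a constructed sample in OpenSSH syslog format using documentation-range addresses, and the threshold of 3 and the port 22 are assumptions; on a real host you would feed it `/var/log/auth.log` (or `journalctl -u ssh` output).

```shell
#!/bin/sh
# What fail2ban's sshd jail does for you: find sources hammering the SSH login and block them.
# On a real host:  brute_force_sources 5 </var/log/auth.log | ban_rules

# Constructed sample of OpenSSH auth-log lines; addresses are from the documentation ranges.
SAMPLE_AUTH_LOG='Aug 17 10:58:01 web sshd[4021]: Failed password for root from 203.0.113.7 port 51344 ssh2
Aug 17 10:58:03 web sshd[4023]: Failed password for root from 203.0.113.7 port 51350 ssh2
Aug 17 10:58:05 web sshd[4025]: Failed password for invalid user admin from 203.0.113.7 port 51361 ssh2
Aug 17 10:58:09 web sshd[4027]: Failed password for invalid user oracle from 203.0.113.7 port 51377 ssh2
Aug 17 10:58:12 web sshd[4029]: Failed password for root from 203.0.113.7 port 51390 ssh2
Aug 17 10:59:40 web sshd[4031]: Failed password for anthony from 198.51.100.23 port 40122 ssh2
Aug 17 10:59:48 web sshd[4033]: Accepted publickey for anthony from 198.51.100.23 port 40130 ssh2
Aug 17 11:00:02 web sshd[4035]: Failed password for root from 192.0.2.55 port 33001 ssh2
Aug 17 11:00:03 web sshd[4037]: Failed password for root from 192.0.2.55 port 33002 ssh2
Aug 17 11:00:04 web sshd[4039]: Failed password for root from 192.0.2.55 port 33003 ssh2'

brute_force_sources() {
    # $1 = failures per source that count as an attack; stdin = auth log.
    # Prints "<failures> <ip>", busiest first, for every source at or above the threshold.
    # Only "Failed password" lines count; a user who fat-fingers once and then logs in is ignored.
    awk -v limit="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= limit) print fails[ip], ip }' | sort -rn
}

ban_rules() {
    # Turn that report into the iptables rules fail2ban would insert (printed here, not executed).
    # A rule added by hand stays until you remove it; fail2ban lifts its bans after its bantime.
    while read -r count ip; do
        printf 'iptables -I INPUT -s %s -p tcp --dport 22 -j DROP   # %s failures\n' "$ip" "$count"
    done
}

# Demonstration on the constructed log: two sources exceed three failures, the legitimate user does not.
printf '%s\n' "$SAMPLE_AUTH_LOG" | brute_force_sources 3
printf '%s\n' "$SAMPLE_AUTH_LOG" | brute_force_sources 3 | ban_rules
```

Two caveats a Fail2ban setup shares with this script: an attacker who rotates through a botnet never trips a per-address threshold, so the real defence against SSH guessing is key-only authentication with password logins disabled; and whitelist your own address before you enable banning, or a typo in your own password locks you out.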

Kyle K
August 17, 2012 12:14 pm

You want a long password? Make it a sentence or a phrase. Much easier to remember.

August 17, 2012 12:14 pm

What was it Gandhi said? “…then they fight you… then you win…”.

Chris
August 17, 2012 12:21 pm

Mashiki

The biggest problem with complex passwords that include randomization of oddball characters is, people will write it down somewhere, either on their computer, cell or at their desk. Making it useless.

Depends on whether the greater threat is from outside your office or inside.

BradProp1
August 17, 2012 12:22 pm

Having worked for the military, everyone was instructed to use passwords that are made up of the first letters of every word in a long sentence that included numbers and special characters interspersed. The example given here would flunk the strength test.

J. Felton (the Cowboy)
August 17, 2012 12:23 pm

Thanks for tip Anthony! I must say, I’m pretty incompetent when it comes to these matters.
Do Jo Nova and the GWPF plan to prosecute these cowards if they discover their identities? I hope so!

striptubes
August 17, 2012 12:26 pm

The attacks on right-wing political sites and blogs in the US have also been trending substantially up lately. It’s a disturbing trend, to say the least.

wayne
August 17, 2012 12:30 pm

Shields Up! – Gibson Research at http://www.grc.com has helped me immensely in identifying holes in systems, especially the unnecessary opened ports and unneeded open protocols. Anthony is right, ignoring these subtleties will leave your system wide open to unwelcome visitors one day. Gibson Research has been around for ages and has proved its trust to me over the years. (btw – stealth those ports if possible, it seems better to be totally invisible to the web whenever possible) This is good advice even if you’re not also a server, you never can be too safe in the wild www.

yoshisen
August 17, 2012 12:36 pm

“Depends on whether the greater threat is from outside your office or inside.”
They’re both equal, the question is difficulty and in gaining access. A well meaning person inside is just as bad as someone on the outside who means you ill. Here’s the example from Defcon: http://nakedsecurity.sophos.com/2012/08/10/social-engineer-walmart/

Dodgy Geezer
August 17, 2012 12:38 pm

@Mashiki
“The biggest problem with complex passwords that include randomization of oddball characters is, people will write it down somewhere, either on their computer, cell or at their desk. Making it useless. And someone with enough drive will find a way to exploit that …”
Why does writing a password down make it useless? We’re talking about home-operated equipment here…
I run a couple of web servers on my home network. The servers are simple stripped-down single application machines, on a VPN. They sit, together with my Smoothwall firewall, in a stack in my attic. Because it’s a VPN I can’t operate it from my normal PC or my wireless connection – I have to go up into my attic to gain access to the operator console. On the front of my operator monitor is written the various access codes and other information I need to maintain the system, including passwords. That makes them convenient, but I can’t see how a hacker can gain access to them without breaking into my home and finding where the servers are. And then he hardly needs to know the password, does he, because he has full physical access to the system…
