Beefing up security on skeptical blogs

A candidate icon for Portal:Computer security (Photo credit: Wikipedia)

It has been noted that in the past week we have seen two prominent skeptic websites attacked: Jo Nova and The GWPF. The latter has been taken over, and a message from the attackers replaced its home page.

I won’t give any publicity to the attackers by showing that screen, but suffice it to say it was ugly.

This is just a friendly warning message for the skeptical blogging community at large: you should immediately take steps to improve your security. Here are some suggestions.

1. If you operate a private server, rather than being hosted on WordPress.com, Blogspot, TypePad or a similar service, you are the most vulnerable to attack. The suggestions below are for those running private dedicated/leased servers.

a. Close any ports on your system that are not necessary for regular operations. For example, if you don’t use FTP, turn it off. Likewise for Telnet, SSH, and other remote access methods if you don’t use them. There are ways to close broad swaths of port numbers (there are thousands), and open ports can be used to exploit systems, especially where an unused application or service is installed but not configured. For Linux see: http://www.linuxquestions.org/questions/linux-security-4/close-unused-ports-and-ssh-503929/page2.html

For Windows Server: http://searchsecurity.techtarget.com.au/news/2240020779/Five-ways-to-harden-Windows-Server

b. Be sure security patches for your operating system and applications are up to date.

c. Run a security scan on your server using your antivirus program. If you don’t have an AV/anti-malware program for your Windows-based server, you are asking for trouble. Linux, not so much, but you still need to tighten port security as in point a.

d. If you have other applications installed, such as PHP, MySQL, etc., make sure those applications are patched and up to date. It is easy to say “if it ain’t broke don’t fix it,” but security exploits accumulate with time. Your best defense is keeping up to date and applying new patches. Like climate, servers are not static entities.
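As an added example (not code from the post or the pages it links), here is a small Python audit for point a, with MySQL from point d treated as a service that may run but must never listen on a public interface. The `ss -H -tlnp` line format, the allowlist and the sample output are assumptions; on a real server you would feed it live `ss` output.

```python
"""Audit listening TCP sockets against the services a blog server really needs.

Added example, not code from the original post. It reads the line format of
`ss -H -tlnp` (Linux); SAMPLE_SS below is constructed output standing in for
a real subprocess.run(["ss", "-H", "-tlnp"], ...) call on the server.
"""
import re
from collections import namedtuple

Listener = namedtuple("Listener", "addr port process")

# Constructed sample: a server that still has FTP and Telnet installed and
# MySQL reachable on every interface, alongside the web server and SSH.
SAMPLE_SS = """\
LISTEN 0  128  0.0.0.0:22    0.0.0.0:*  users:(("sshd",pid=812,fd=3))
LISTEN 0  511  0.0.0.0:80    0.0.0.0:*  users:(("apache2",pid=1033,fd=4))
LISTEN 0  511  0.0.0.0:443   0.0.0.0:*  users:(("apache2",pid=1033,fd=6))
LISTEN 0  32   0.0.0.0:21    0.0.0.0:*  users:(("vsftpd",pid=640,fd=3))
LISTEN 0  5    0.0.0.0:23    0.0.0.0:*  users:(("inetd",pid=602,fd=5))
LISTEN 0  151  0.0.0.0:3306  0.0.0.0:*  users:(("mysqld",pid=955,fd=21))
LISTEN 0  128  [::]:22       [::]:*     users:(("sshd",pid=812,fd=4))
"""

# What this server actually needs reachable from the Internet (assumption:
# SSH is the admin path; the post says to turn it off too if unused).
ALLOWED_PUBLIC = {22, 80, 443}
# Needed by the web app but must never listen on a public interface.
LOCAL_ONLY = {3306: "mysqld"}
WILDCARDS = {"0.0.0.0", "*", "[::]"}

def parse_ss(text):
    """Turn `ss -H -tlnp` output into Listener records (one per socket)."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)      # handles [::]:22 too
        proc = re.search(r'\(\("([^"]+)"', line)   # users:(("sshd",...
        listeners.append(Listener(addr, int(port), proc.group(1) if proc else "?"))
    return listeners

def audit(listeners, allowed=ALLOWED_PUBLIC, local_only=LOCAL_ONLY):
    """Return (port, process, advice) findings for sockets that violate policy."""
    findings = set()
    for l in listeners:
        if l.port in allowed:
            continue
        if l.port in local_only:
            if l.addr in WILDCARDS:
                findings.add((l.port, l.process,
                              "bind to 127.0.0.1 only; the web app reaches it locally"))
        else:
            findings.add((l.port, l.process,
                          "stop and disable the service, then block the port"))
    return sorted(findings)

if __name__ == "__main__":
    for port, proc, advice in audit(parse_ss(SAMPLE_SS)):
        print(f"port {port:>5} ({proc}): {advice}")
```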

2. Passwords are your weakest point of failure. Make sure you have a strong password. Any password that is a simple English-language dictionary word is easily cracked with a password grinder. You need complex passwords with many character combinations, like this:

Evil$narkBunny111709!

Don’t use street addresses, telephone numbers, SSNs, birthdays, or family/pet names as part of the password, as these are discoverable. If your password has been around for more than a year: Change. it. now. Read what happened to a prominent WIRED journalist who got sloppy; the hacker was also helped along by incompetent security protocols at Apple and Amazon.

Likewise, your other apps like MySQL and PHPadmin also have passwords. Some people never even change the default passwords, and that’s an invitation for trouble. Change. it. now.
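An added example, not the post’s own code: a Python check for the rules above (no dictionary word, no discoverable personal data, a mix of character classes, changed within a year, no vendor default left in place), plus the size of the search space a password grinder faces, counted over only the character classes actually used. The 12-character floor, the word list and the personal data are assumptions.

```python
"""Check a password against the rules in the post, and size the brute-force work.

Added example, not code from the original post. DICTIONARY and PERSONAL are
constructed sample data standing in for a real word list (e.g.
/usr/share/dict/words) and the account holder's discoverable details.
"""
import math
import re
import string
from datetime import date

# Constructed: a few dictionary words plus default passwords shipped with
# some apps that people never change (the post's MySQL/PHPadmin point).
DICTIONARY = {"password", "climate", "sunshine", "bunny", "letmein",
              "admin", "root", "changeme"}
# Constructed personal data; real values are discoverable, which is the point.
PERSONAL = {"birthday": "03/22/1971", "phone": "555-0142", "street": "42 Elm"}
SYMBOLS = set(string.punctuation)

def char_classes(pw):
    """Sizes of the character classes actually used (an attacker needs only those)."""
    present = []
    if any(c.islower() for c in pw): present.append(26)
    if any(c.isupper() for c in pw): present.append(26)
    if any(c.isdigit() for c in pw): present.append(10)
    if any(c in SYMBOLS for c in pw): present.append(len(SYMBOLS))
    return present

def search_space_bits(pw):
    """log2 of the keyspace a password grinder has to cover (worst case)."""
    size = sum(char_classes(pw))
    return len(pw) * math.log2(size) if size else 0.0

def personal_fragments(personal):
    """Digit windows and words from personal data, e.g. '1971', '0142', 'elm'."""
    frags = set()
    for value in personal.values():
        digits = re.sub(r"\D", "", value)
        frags.update(digits[i:i + 4] for i in range(len(digits) - 3))
        frags.update(w.lower() for w in re.findall(r"[A-Za-z]{3,}", value))
    return frags

def check_password(pw, last_changed, today=date(2012, 8, 17),
                   dictionary=DICTIONARY, personal=PERSONAL):
    """Return the list of rule violations; an empty list means it passes."""
    problems = []
    lowered = pw.lower()
    if len(pw) < 12:  # floor is an assumption; the post's example has 21 chars
        problems.append("shorter than 12 characters")
    if len(char_classes(pw)) < 3:
        problems.append("fewer than three character classes")
    # 'Password1!' is still the dictionary word 'password' to a grinder
    if re.sub(r"[^a-z]", "", lowered) in dictionary:
        problems.append("dictionary word with trivial decoration")
    for frag in sorted(personal_fragments(personal)):
        if frag in lowered:
            problems.append(f"contains personal data fragment '{frag}'")
    if (today - last_changed).days > 365:
        problems.append("older than one year; change it now")
    return problems

if __name__ == "__main__":
    for pw in ("Evil$narkBunny111709!", "Password1!", "Sunshine1971xyz"):
        print(f"{pw}: {search_space_bits(pw):.0f} bits,",
              check_password(pw, date(2012, 6, 1)) or "OK")
```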

3. Consider moving off a private server to a service like wordpress.com, where WUWT is hosted. There are migration tools for many of the other blogging platforms to make this easy. The value of wordpress.com is that they take care of all of the heavy-duty security for you. DDoS attacks, exploits, malware, port attacks, SQL injections, etc. are all handled for you. Plus you get cloud service to handle massive bandwidth, all for free. WUWT is hosted on WordPress.com, and every time I think about the trade-offs of getting a private server to get a few more features like comment editing or sidebar widgets, I think of the management hell that The GWPF, Jo Nova, and Lucia have gone through with their private server setups. Staying on wordpress.com is a no-brainer for the security and bandwidth alone. Extra features aren’t worth anything if your website is hosed.

Jo Nova is now frequently offline with DDoS attacks, and she has no good strategy for dealing with it in a single server box. Cloud servers on wordpress.com with frontline router security solve this issue with ease.

4. Remember when Climategate broke? Climate Audit, then on a private single-box server running WordPress software from wordpress.org, crumbled under the load. WUWT remained running, because it was on the cloud-based wordpress.com. We’ve since migrated Steve McIntyre’s CA website from a private box in a Sacramento colo to the wordpress.com cloud system, and haven’t had any trouble since.

If you have a breaking story that needs wide exposure, the last thing you want is a private server that hits capacity in the first hour. Climategate taught Steve McIntyre and me this lesson very well.

Good luck.


107 Comments
thesdale
August 17, 2012 2:59 pm

I’m a senior IT technician and these are some of the usual suggestions I make to my clients:
1. PRIORITY GOLDEN RULE NUMBER 1! DISABLE THE “GUEST” ACCOUNT!
2. Create a new account that is completely unassuming (e.g. Jon) and give it full admin rights. Disable the Administrator account.
3. Store your website files on a completely different partition to the OS and completely lock down the OS partition so only the administrator account (that you made in 2 above) can access it.
4. If you have the resources, put your database on a separate server and lock that server off from any internet access. A second firewall between the web and DB server works well here.
5. DB: you only need two accounts. The admin account (with a really tough password) and a writer account (which your web server uses to access it). DO NOT UNDER ANY CIRCUMSTANCES ALLOW YOUR WEB SERVER TO USE THE DB ADMIN ACCOUNT!
6. As well as AV on the web/DB servers, if you can have a different server scan those directories across the network.
7. Find a really good log file analyser that includes auto-scanning and notification of abnormal activity. Set up your log files as specified by the analyser and run it at least once per week.
8. Back up your log files and database to an external location every 15 minutes. Log files are one of the first things pro hackers delete/modify to hide their activities.
These are just some of the usual things you can do to help protect yourself.

Nick
August 17, 2012 3:01 pm

Get used to using a password card, for gawd’s sake.
http://www.passwordcard.org/en
Just type “SQL injection” into your favorite search engine and look at how many sites will teach you how to crack a SQL database.
Block known Tor IPs.
DShield, amongst others, can help you maintain the IP filtering on your firewall. You do have one, don’t you?
https://isc.sans.edu/dashboard.html
C’mon guys. With all the sceptical thinkers hanging around here, I’m amazed there are enough naive people getting hacked, infiltrated or vulnerable!

Justthinkin
August 17, 2012 3:12 pm

#1….you honestly thought the eco-cultists/cAGW/warmistas/one world gubermint/Agenda 21 people would play fair with billions of bucks for their pockets and supreme control involved?
#2….small c conservatives…failing to show up to defend ourselves is a failed policy.
#3….if us skeptics/provers of AGW being a scam have not yet realized this is a war……wellll…if you do not recognize this by now…we WILL fail.
#4….you do not, under any circumstances, play fair with bullies, unless you like having your face re-arranged.
#5…..turning the other cheek only shows your rear end,which is prime kicking material.

John A
August 17, 2012 3:13 pm

Barry Woods says:
August 17, 2012 at 11:34 am
Are there any simple tools to move from privately hosted wordpress.org software on to wordpress.com.
I privately host http://www.realclimategate.com and have had a bandwidth problem once or twice.
I have registered realclimategate on wordpress.com, just haven’t found a tool to move articles, comments, domain url, etc. Is this easy to do, as I have very limited time from now on?

Very very simple as there are simple tools in wordpress.com that handle all posts, pages and comments.
My advice: create an empty blog right now on WordPress.com and then use the import utility in the Dashboard.
When you’ve moved then you can redirect your domain to WordPress.com
Limitations: there are a lot of themes on wordpress.com but there may not be the one you’re currently using. Themes are not as easy to customise.
My advice: do it now. You won’t regret it.

thesdale
August 17, 2012 3:14 pm

Oh, I forgot to include in my recommendations above: don’t use some 3rd party connection software to connect to the server (like “Log me in” or “VNC”). Use the OS’s included connection software (RDP in the case of Windows) and on the firewall only allow your IP address to connect through that port. The reason is that most 3rd party connection software uses port 80, which is open to everyone (to browse your site, of course).

Maus
August 17, 2012 3:20 pm

Dave Hayes: “Up until recently the “idiot, anti-science, blowhard, non-consensus” blogs were of no concern to “real” scientists and governments. Someone has taken notice and probably HIRED the attacks. If you can’t figure out statistics, trends, and real data, you are not smart enough to proffer web based computer attacks on your own. ”
Too far, I think. Lots of people have their place in the world, society, and their moral framework attached to the idea that they are a DC Comics Superhero by consequence of avoiding the purchase of carbonated drinks. It’s little wonder that unruly children will take the opportunity to stick it to the “Carbon Fascists” by defacing websites if they can make use of canned script-kiddie tools. The whole recent nonsense of Gleick’s escapades is just an example of the same.
There’s no shortage of high-strung loons and bored children out there. Which is all the reason one needs to practice locking the front door at night.

Doug Huffman
August 17, 2012 3:21 pm

Yes ROBUSTNESS is a word.
Read Nassim Nicholas Taleb, for instance his soon (November) to be released Antifragile: Things That Gain from Disorder. In The Black Swan: Second Edition: The Impact of the Highly Improbable: With a new section: “On Robustness and Fragility”, he argues that “antifragility” is stronger and preferable to robustness.

Robert of Ottawa
August 17, 2012 3:35 pm

Strongly agree about the length. Any computer character is a choice of a collection of 256 variations of 8 bits. It doesn’t matter whether they are meaningful or not. The longer they are, the longer it takes to work through all the possibilities which, on average, will take half the time indicated in the cartoon.

August 17, 2012 3:41 pm

Michael Tobis says:
August 17, 2012 at 11:41 am
Planet3.0 has had repeated hack attempts this week from a Ukrainian IP address.

MAYBE they object to the use of the word “denial” twice on the main page?
Just sayin …
.

August 17, 2012 3:44 pm

Nick says:
August 17, 2012 at 3:01 pm
…. C’mon guys. With all the sceptical thinkers hanging around here, I’m amazed there are enough naive people getting hacked, infiltrated or vulnerable!
==================================================
“Everybody’s ignorant. Only on different subjects.” Will Rogers
Be on guard. Not everyone is as ethical as you are.
Lots of good advice is being put up here by people that are not ignorant of computer security issues.
Heed it, especially if you are running a blog.

Mark Wagner
August 17, 2012 3:57 pm

@Kretchevov & Gunga & IAN. Great ideas. Here’s why it won’t work.
I have over 120 passwords. Banking, credit cards, amazon, ebay, email server, online stores, twitter, dept stores, itunes, website, FTP, health insurance, cell phone company, home phone, electric provider, tolltag, paypal, online backup, various forums, plus (because I’m a CPA) state comptrollers, IRS e-services, secretaries of state, you get the point.
I don’t figure I’m atypical in the amount of my online interactions.
There is no way a typical individual can have a UNIQUE, LONG (as long as the website allows) and STRONG password for every web interaction and remember them all and change them regularly.
For password security, in my opinion, one MUST have a password manager with double authentication.

PaddikJ
August 17, 2012 4:01 pm

Attacks on skeptical blogs = desperation.
I love the smell of desperation in the morning.

Steve
August 17, 2012 4:06 pm

Also, having a strong password may not be enough. Consider setting up two factor authentication on your systems.

August 17, 2012 4:12 pm

davidmhoffer says:
August 17, 2012 at 1:19 pm

There were some comments upthread about various tools for scanning your system and getting feedback on actions you should take like closing ports. My recommendation is that UNLESS you know with certainty that those online tools are legit, DON’T!

Steve Gibson of Gibson Research (grc.com) is well known and has been around a looong time …
A number of years ago Steve/his website was the target of a DDOS attack … to make a long story short over time he was able to disassemble/reverse engineer the bots, create a new one of his own, and then use it to gain intel and ‘get close’ to the attackers … he then wrote all this up and it made for a very interesting read:
http://www.crime-research.org/library/grcdos.pdf
Here is a tantalizing excerpt from within that pdf file to whet the appetite:

My IRC Chat with the ^b0ss^
I had learned a great deal about the Zombies, and I knew that “Wicked” had not created his own as he had claimed. By analyzing the binaries of all the various Zombies my spy-bots had collected, I could pretty much follow the evolutionary “lineage” of this strain of Zombie. I finally found the hacker (“^b0ss^”) whose Zombies “Wicked” had “hex edited” in order to create those that had been attacking grc.com.
One afternoon, one of my spy-bots intercepted a conversation taking place between that hacker (“^b0ss^”) and another nicknamed “lithium_”. Their dialog revealed that “^b0ss^” was creating a new Zombie for “lithium_”, editing it to report to a different secret IRC channel using a different password. Unaware that they were under surveillance, they spoke openly of their plans. I didn’t discover that interchange until later that evening, but my URL interceptor and downloader had automatically snagged a copy of the new Zombie (this time named “win.exe”) and had downloaded it into my Zombie-repository for safe keeping.
Peeking into this new Zombie’s now-quite-familiar guts, I immediately noticed something odd: “^b0ss^” had apparently made a small mistake with his Zombie hex editing. He had separated the new strings for the channel and the password key with a period (.) rather than a null (0). This Zombie would not hunt.
I saw an opportunity to help.

.

August 17, 2012 4:24 pm

Robert of Ottawa says August 17, 2012 at 3:35 pm
strongly agree about the length. Any computer character is a choice of a collection of 256 variations of 8 bits. …

For human-derived/entered passwords, one generally limits that ‘collection’ of 256 to a subset consisting of upper and lower case ASCII chars, the ten number chars, the allowed half-dozen or so punctuation symbols …
.

James from Arding
August 17, 2012 4:38 pm

NZ Willy says:
August 17, 2012 at 2:06 pm
“I cater for today’s formidable password requirements by keystroking a little picture or pattern on my keyboard. I have absolutely no idea what my own passwords are, but my fingers have no trouble keying them in.”
Ever had to use a French or German keyboard? I often used patterns until I got a smartphone and then realised I couldn’t find the right punctuation marks because they weren’t where they used to be!

Editor
August 17, 2012 4:41 pm

Evil$narkBunny111709!
I’ll go set it up right now – a weird password that I have a chance of finding when I forget it. 🙂
Can you put it in the title for me?


One problem with a service like lastpass is considering what happens if they go out of business. All of a sudden, those random string passwords might not be available.

davidmhoffer
August 17, 2012 5:10 pm

climatereflections;
If someone tries to attack me tomorrow, why would it be harder for them if I have a new password that I just created last week instead of one I created a year ago?
>>>>>>>>>>>>>>>>>>>>>>>>
If someone has already cracked your password, you may not be aware of it. They may be monitoring your system to collect more information about you without you being aware. Changing your password defends you from the possibility that your system is already compromised, not from being compromised in the future.

Nicholas
August 17, 2012 5:13 pm

You can make an easy-to-remember secure password by simply combining several unrelated words. See this link: http://www.readwriteweb.com/enterprise/2011/01/why-using-2-or-3-simple-words.php

davidmhoffer
August 17, 2012 5:16 pm

_Jim
Steve Gibson of Gibson Research (grc.com) is well known and has been around a looong time …
>>>>>>>>>>>>>>>>>>>>>>>>>
Agreed. I just wanted to steer people clear of grabbing any tool they find without doing some due diligence first.
Great story, btw.

Byron
August 17, 2012 5:20 pm

Larry Pickering, a cartoonist who has been very critical of Australia’s left-wing government, has had his site come under sustained DDoS attack. Coincidence?
——————————————————————————————————————-
“pickeringpost.com has been consistently attacked via a DDoS for the past few days. We are now getting a “suspended” notice.
Some of us don’t respond well to criticism…we are doing all we can to persist with free speech. Those who aren’t on the email list can go to lpickering.net (until they get at that site too)”
LARRY PICKERING • 19 hours ago”
———————————————————————————————————————-
http://lpickering.net/
About Larry Pickering’s cartoons ….. “Careful, they’re Starkers” … You’ve been warned.

August 17, 2012 5:35 pm

davidmhoffer: “If someone has already cracked your password, you may not be aware of it. They may be monitoring your system to collect more information about you without you being aware. Changing your password defends you from the possibility that your system is already compromised, not from being compromised in the future.”
Fair enough. But what is more likely? In the case Anthony linked to, the guy’s entire digital life was compromised in a matter of hours, certainly within a day or two. So what is a password thief who has just gained access to an important account of mine more likely to do: (a) sit on the password for months in the hopes that (i) they will find more useful information that will be really valuable, and that in the meantime (ii) I won’t discover them, or change the password, or close the account, etc.; or (b) act quickly with the critical information they just obtained to extract what they can?
Also, the “1 year” advice we so often hear is absolutely arbitrary. If changing passwords is really that much more secure, then why not make it every 6 months, or every month, or every week?
I agree that changing passwords often could provide a small incremental amount of security — the digital equivalent of constantly living on the run from the bad guys. But it comes with its own baggage that is not only a big headache, but for many people causes worse security issues than it was designed to solve.

davidmhoffer
August 17, 2012 6:08 pm

climatereflections;
Fair enough. But what is more likely?
>>>>>>>>>>>>>>>>>>>>>
Security is a balancing act. You have to ask yourself what the target is, what the value of the target is, and who is targeting it.
For example, you need not change the password on your banking card very often, because to use it against you the hacker has to have both the password and the card (two factor authentication). In that example, if someone got your card and your password, yes they would empty your account as fast as they could because their window of opportunity is limited.
Suppose instead we’re talking about your email account. Someone who hacks that doesn’t have the immediate pay off that the guy with your bank card does. But what they do have is a record of all your communication, and you will reveal all sorts of information about yourself that you assume is private. Different kind of hacker, different target, and so different behaviour. That hacker will lurk as long as possible collecting information in order to hack something else entirely.
Sorry, but there is no straight answer. Systems with two- and three-factor authentication need not have their passwords changed often. Same for systems that are not easily accessed. My desktop computer is fine (in my opinion) with 18 months. My laptop, however, is on a 3-month cycle precisely because it gets to go out in public while my desktop doesn’t. Then there’s the value of the target to consider. Launch control for nuclear missiles requires a higher level of rigour than my laptop does. But you are also correct in that there is such a thing as changing your password too often. The more often you change it, the more often you are likely to make a mistake and lock yourself out of your own data. Worse, the more often you change passwords, the more likely people are to write them down to remember them, which introduces a whole new risk. Same goes for “strong” passwords. The “stronger” they are, the more likely they are to be written down in order to remember them.
Alas, the answer to all easily understood computer questions must begin with the words “it depends….”

Paul Westhaver
August 17, 2012 7:13 pm

Anthony,
I somewhat agree with most of your security advice. I don’t categorically agree with your reliance on “cloud” based systems. It is true that information can be handled in this nebulous cloud in such a fashion as to make attacks harder to execute. Reliance on WordPress or such web sites is fine provided that they don’t shout you down should you cross their politics. It happens. Twitter shut down an NBC reporter for criticizing the London Olympics. Google gerrymanders its search result priorities to reflect their politics. Facebook…OMG….Your site was blocked by both The Globe and Mail and wiki for a long time and links were erased. (I know since I tried to link to your site)
and then there is wikipedia….lots of bandwidth there but just try and have an opinion that strays from the editors’ viewpoint.
I say slave your work to the cloud but maintain a redundant authenticated source, well password protected in the event that the anti-free speech activists monkey with either the hosting service or your server.
So long as WordPress remains agnostic about content you will be ok. I have little faith in that.

August 17, 2012 7:54 pm

I have no doubt wordpress can be breached, but this site is probably under more threat from wordpress itself than hackers. Such is the price of success when you resist the establishment.