
It has been noted that in the past week we have seen two prominent skeptic websites attacked: Jo Nova and The GWPF, the latter of which has been overtaken, and a message from the attackers replaced the home page.
I won’t give any publicity to the attackers by showing that screen, but suffice it to say it was ugly.
This is just a friendly warning message for the skeptical blogging community at large to say that you should immediately take steps to improve your security. Here are some suggestions.
1. If you operate a private server, rather than being hosted on WordPress.com or blogspot or typepad or a similar service, you are most vulnerable to attack. The suggestions below are for those running private dedicated/leased servers.
a. Close any unused ports on your system that are not necessary for regular operations. For example, if you don’t use FTP, turn it off. Likewise for Telnet, SSH, and other remote access methods if you don’t use them. There are ways to close broad swaths of port numbers (there are thousands), and open ports can be used to exploit systems, especially if an unused application or service is installed but not configured. For Linux see: http://www.linuxquestions.org/questions/linux-security-4/close-unused-ports-and-ssh-503929/page2.html
For Windows Server: http://searchsecurity.techtarget.com.au/news/2240020779/Five-ways-to-harden-Windows-Server
b. Be sure security patches for your operating system and applications are up to date.
c. Run a security scan using your antivirus program for your server. If you don’t have an AV/anti-malware program for your Windows-based server, you are asking for trouble. Linux, not so much, but you need to tighten port security as in point a.
d. If you have other applications installed, such as PHP, MySQL, etc., make sure those applications are patched/up to date. It is easy to say “if it ain’t broke don’t fix it”, but security exploits accumulate with time. Your best defense is keeping up to date and applying new patches. Like climate, servers are not static entities.
2. Passwords are your weakest point of failure. Make sure you have a strong password. Any password that is a simple English language dictionary password is easily exploited with a password grinder. You need complex passwords with many character combinations like this:
Evil$narkBunny111709!
Don’t use street addresses, telephone numbers, SSNs, birthdays, or family/pet names as part of the password, as these are discoverable. If your password has been around for more than a year: Change. it. now. Read what happened to a prominent WIRED journalist who got sloppy; the hacker was also helped along by incompetent security protocols at Apple and Amazon.
Likewise, your other apps like MySQL and PHPadmin also have passwords. Some people never even change the default passwords, and that’s an invitation for trouble. Change. it. now.
3. Consider moving off a private server to a service like wordpress.com, where WUWT is hosted. There are migration tools for many of the other blogging platforms to make this easy. The value of wordpress.com is that they take care of all of the heavy-duty security for you. DDoS attacks, exploits, malware, port attacks, SQL injections, etc. are all handled for you. Plus you get a cloud service to handle massive bandwidth, all for free. WUWT is hosted on WordPress.com, and every time I think about the trade-offs of getting a private server to get a few more features like comment editing or sidebar widgets, I think of the management hell that The GWPF, Jo Nova, and Lucia have gone through with their private server setups. Staying on wordpress.com is a no-brainer for the security and bandwidth alone. Extra features aren’t worth anything if your website is hosed.
Jo Nova is now frequently offline with DDoS attacks, and she has no good strategy for dealing with it in a single server box. Cloud servers on wordpress.com with frontline router security solve this issue with ease.
4. Remember when Climategate broke? Climate Audit, then on a private single box server running wordpress software from wordpress.org, crumbled under the load. WUWT remained running, because it was on the cloud-based wordpress.com. We’ve since migrated Steve McIntyre’s CA website from a private box in a Sacramento CoLo to the wordpress.com cloud system, and haven’t had any trouble since.
If you have a breaking story that needs wide exposure, the last thing you want is a private server that hits capacity in the first hour. Climategate taught Steve McIntyre and I this lesson very well.
Good luck.
Some of us don’t need no steenking dynamic content. Or PHP. 😉
Static pages, with everything else turned off and secure permissions in a change-root environment is about the safest configuration, leaving only the HTTP server engine’s vulnerabilities exposed. Of course, a simpler HTTP engine, without any kitchen sinks, is inherently more secure. Some engines offer throttling of content, so you can slow down the ‘bot scans by orders of magnitude when they visit; making your site look like it’s connected to the Internet with a damp string.
I have a few (few) WordPress blogs. Backed up after every significant change.
P.S.: if your HTTP root directory contains a file called “muieblackcat”, it’s a footprint left around by an attack via PHP, notionally, a successful one. Have fun with that. 😉
I would like to add for anyone who does not have a router on their home systems, you really should think about getting one (and don’t forget to change its password too). While it is not the end-all be-all of home security, it will add a layer of hardware protection between you and the outside world.
As a real life example, I once was off at a training class and took along a system that I was going to reload windows on. Got windows set up, hooked it up to the local internet connection of the hotel I was in, loaded up my antivirus over the net and figured it was a good night’s work and headed off to bed. In the middle of the night the antivirus alarm went off saying I had just picked up one. In this case it was clearly someone snooping around the IPs of the hotel and found a big enough hole to jump in on my newly loaded up machine (of which there are plenty I know). I would tend to think that had I had a router to act as a firewall there it would not have happened.
“davidmhoffer says:
August 17, 2012 at 1:58 pm
A system 100% secure is unusable.”
If I recall my NT 4 days, for a server to be fully C2 compliant it had to not be connected to a network, which sort of defeats the purpose of a server.
Lots of good comments here too. One which works for me, probably because of the way my mind works (or doesn’t, as the case may be), is a word, phrase or a bunch of words which are spelled incorrectly, as well as the usual substitution of numbers/characters/symbols in place of letters etc.
[snip -thanks well aware, but I don’t want to give people any ideas – Anthony]
climatereflections;
If someone tries to attack me tomorrow, why would it be harder for them if I have a new password that I just created last week instead of one I created a year ago?
>>>>>>>>>>>>>>>>>>>>>>>>
“If someone has already cracked your password, you may not be aware of it. They may be monitoring your system to collect more information about you without you being aware. Changing your password defends you from the possibility that your system is already compromised, not from being compromised in the future.”
True. It has been years. But it was reassuring to be able to snoop on my teenage daughter’s email and myspace without her knowing. I could probably get into her current accts today with that ol’ password.
Interesting since GWPF had a great paper on Wind energy and Jo is always in tune with the fight against Gillard’s Carbon tax and Gillard is getting in election mood…
Some people don’t like really complicated passwords because they’re afraid that they may forget them unless they write them somewhere and then someone might find where they are written and guess that it is a password and then problems begin. This is my personal piece of advice to them, as it works fine for me.
It is easier to remember sentences, word by word, than complicated passwords, especially if those sentences are meaningful for you. More importantly, you can find a way to make it easy to recall them in the rare case that you forgot some detail, without it being obvious to third parties that the sentence you write somewhere else, or take from somewhere where it would already be written, is in fact a key to a password. Examples can be sentences that describe yourself in a way that only some people could recognise, or some sentence that you liked in a given page of your favourite book, or a citation from the lyrics of a song that is special to you in some way, etc. For example, say you are a fan of Terry Pratchett, you may particularly favour some of his quotes like:
“The pen is mightier than the sword if the sword is very short and the pen is very sharp“.
You may have the book where that sentence appears and have the page marked in some particular way just in case you forgot the precise words, or otherwise have the sentence written anywhere else where it looks like nothing especial or out of context. Then if you can memorize the sentence, or at least you have access to it, you can easily convert it to a complicated password by taking the initials of every word and then adding some additional conversions to numbers and symbols and capitals. First the initials:
“tpimttsitsivsatpivs”
Then the conversion:
“tP1Mtt$1t$1v5atP1v5“.
Here I converted initials of all nouns and adjectives to capitals, then all “i” to 1, all S from sword to $, and all other S to 5. Any other kind of conversion you can think of and remember would be fine. And voilà, you have an extremely complicated password that no program would break, and nobody would ever discover provided that nobody knows that that particular sentence is meaningful for you, yet you can remember without difficulty. And this is despite the fact that this particular sentence is not the best possible example, given that it repeats many words so it has only a few characters repeated all the time. You could choose far better sentences.
Just my 2 cents.
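The derivation described in the comment above, written out as an added example (not the commenter’s own code): initials of every word, then the commenter’s rules (capitalise chosen nouns/adjectives, i to 1, sword to $, other s to 5), generalised so any word list and substitution table can be plugged in.

```python
# Derive a password from a memorable sentence by taking each word's initial
# and applying a rule set. The rule set below reproduces the comment's example.

def derive_password(sentence, capitalize=frozenset(), word_overrides=None, letter_subs=None):
    """Return the password derived from `sentence`.

    capitalize     - words whose initial is uppercased (the commenter chose nouns/adjectives)
    word_overrides - whole word -> replacement character, checked first
    letter_subs    - initial letter -> replacement character, checked before capitalisation
    """
    word_overrides = word_overrides or {}
    letter_subs = letter_subs or {}
    out = []
    for raw in sentence.split():
        word = raw.strip('.,;:!?"\'').lower()  # ignore punctuation stuck to a word
        if not word:
            continue
        if word in word_overrides:
            out.append(word_overrides[word])
            continue
        ch = word[0]
        if ch in letter_subs:
            out.append(letter_subs[ch])
        elif word in capitalize:
            out.append(ch.upper())
        else:
            out.append(ch)
    return "".join(out)

# The quotation used in the comment.
PRATCHETT = ("The pen is mightier than the sword if the sword is very short "
             "and the pen is very sharp")

# The commenter's choices: nouns/adjectives capitalised, i -> 1, sword -> $, other s -> 5.
COMMENTER_RULES = dict(
    capitalize=frozenset({"pen", "mightier", "sword", "short", "sharp"}),
    word_overrides={"sword": "$"},
    letter_subs={"i": "1", "s": "5"},
)

if __name__ == "__main__":
    print(derive_password(PRATCHETT))                     # plain initials
    print(derive_password(PRATCHETT, **COMMENTER_RULES))  # after the conversions
```

The result is only as strong as the sentence is unguessable: a published quotation combined with a simple, guessable rule set belongs on a targeted guess list, so the sentence itself must stay private.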
Timely advice – a pity it’s necessary, but inevitable I guess. I’ll add a thumbs-up for Steve Gibson and his site, he’s been around so long because he’s sound.
It’s not only the server end that needs attention, of course. If you ever want to go to some of the more dangerous backwaters of the net (like Mr. Gibson!), a friend has a suggestion for hardening the machine used for that activity. He used Bart PE to make himself a “live CD” install of XP (on a non-net-connected machine!), and he uses that to boot an old machine with no hard drive, downloading anything he wants onto a memory stick. Anything at all unexpected happens – reset button. If you use a motherboard with a flash bios, then find a mechanical way of disabling the facility, because (like all those autoplay “features” in Windows) there are too many doors left open from top to bottom in modern machines in the name of “improving the user experience” or some such. Some more thoughtful MB manufacturers have a pin header and jumper on the board to allow / disallow flashing, but most don’t. Touch wood (or silicon), he’s never been “pwned” yet.
It’s the paradox of freedom – what to do when some malicious [expletive deleted] abuses it.
REPLY: WordPress has an export feature for backups – Anthony
Which doesn’t work very well. I’d advise using 3rd party software to create archives of the blog posts and comments and graphics and for good measure the external content to the first link depth.
Jo Nova sure does have a plan. (You didn’t ask Anthony.). But she certainly won’t be posting the details of it on a 100,000 hits per day blog.
Security, you know. Some things are better left unsaid.
There’s a lot of it about apparently
http://www.theregister.co.uk/2012/08/17/reuters_blogs_hacked_again/
Any chance the Norfolk Plod will investigate, now they have finished the UEA leaks?
“ANH says:
August 17, 2012 at 11:07 am
‘Climategate taught Steve McIntyre and me this lesson very well. Not ‘McIntyre and I’.”
The plural is where we’re easily mistaken. Change it to singular, and it’s easy to get correct.
“Climategate taught me, Climategate taught Steve McIntyre and me” vs
“Climategate taught I, Climategate taught Steve McIntyre and I”.
I learned this from my brother when he was teaching an adult English class.
“The Norfolk Plod” is a very good description of the speed at which they work. Either that or it’s a dance step.
I know Anthony posted re security advice (and as an ex I.T. pro I’ve designed access security systems so am interested) but what most intrigues me is the fact that GWPF and Jo Nova were both hacked at a time when important stuff was appearing on their sites.
IMHO, Climategate was undoubtedly an inside job but these are external hacks and obvious denial of service. That they happened at almost the same time is not coincidence.
In the case of GWPF the Arabic connection now showing is a diversionary tactic. Instead, any Plod asked to find the culprit (and they should be asked) should not be surprised to find that it is a well known alarmist organisation or maybe a government department.
Question — how do password crackers get by the limitations of signing-on (often 3-5) attempts? It would take a whole lotta attempts to guess a long password.
Yes, I’m no network administrator.
“Your system has achieved a perfect “TruStealth” rating. Not a single packet — solicited or otherwise — was received from your system as a result of our security probing tests. Your system ignored and refused to reply to repeated Pings (ICMP Echo Requests). From the standpoint of the passing probes of any hacker, this machine does not exist on the Internet. Some questionable personal security systems expose their users by attempting to “counter-probe the prober”, thus revealing themselves. But your system wisely remained silent in every way. Very nice.”
Gotta love Linux…
beng says: August 18, 2012 at 7:47 am
Question — how do password crackers get by the limitations of signing-on (often 3-5) attempts? It would take a whole lotta attempts to guess a long password.
Passwords are stored in a database (a file) and most websites use these databases to store other things. One of the commonest ways is to find a form on the website which the programmer forgot to check and which is added directly into a command string to access the database.
One approach is to take a search string which effectively says: “find the name of the post who’s id =
And the entry from form is changed to read (for the machine)
“dumb” Find password of admin user.
Put together you get:
find the name of the post who’s id = “dumb”
Now find password of admin user.
Now, it may sound difficult to guess what page and what input will work and how … but many websites (like the Global Warming Policy Foundation) use publicly available software where someone intelligent enough can look through the code to find these backdoors.
There are also other ways. One is to find a site that allows avatar uploads … but doesn’t check if it’s the right file type … and then upload a file that effectively allows access to all files.
… and if it’s done well, on a shared server, it may not be your own software which is at fault, but someone else sharing the server.
Oops … some of my bits above were stripped as they were in greater than less than brackets .. but I think it is still intelligible
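The comment above describes the injection in words. As an added example that is not part of the thread, here is that mistake next to the parameterised query that fixes it, in Python with sqlite3 and a constructed in-memory database; the post and user rows and the hash value are made up for the demonstration.

```python
import sqlite3

def make_db():
    """Constructed blog database: a posts table plus a users table holding the admin's hash."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE posts(id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE users(name TEXT, password_hash TEXT);
        INSERT INTO posts VALUES (1, 'First post');
        INSERT INTO users VALUES ('admin', 'CONSTRUCTED-HASH-PLACEHOLDER');
    """)
    return conn

def post_title_unsafe(conn, post_id):
    # The mistake the comment describes: the form value is pasted into the SQL text,
    # so a value containing a quote can close the literal and add SQL of its own.
    sql = "SELECT title FROM posts WHERE id = '" + post_id + "'"
    return [row[0] for row in conn.execute(sql)]

def post_title_safe(conn, post_id):
    # Parameterised query: the driver passes the value separately from the SQL,
    # so whatever it contains is compared as data and never parsed as a command.
    return [row[0] for row in conn.execute(
        "SELECT title FROM posts WHERE id = ?", (post_id,))]

# Constructed test input with the shape the comment sketches: the id becomes "dumb",
# then a second query asks the users table for the admin's password.
INJECTED = "dumb' UNION SELECT password_hash FROM users WHERE name = 'admin"

if __name__ == "__main__":
    db = make_db()
    print(post_title_unsafe(db, "1"), post_title_safe(db, "1"))  # both: ['First post']
    print(post_title_unsafe(db, INJECTED))  # leaks the admin hash
    print(post_title_safe(db, INJECTED))    # []: no post has that id, input stays data
```

This is also why the sign-on attempt limit in beng’s question does not help: the database is read directly, so no password guess is ever submitted to the login form.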
Using ZoneAlarm under Win98SE I used to achieve the same effect … (ZoneAlarm was also tested by Gibson and was highly rated and recommended, but it’s been a few years now.)
Does not bode well for the future . . . I think!
Bicentennial Man movie trailer (1999)
Thought provoking film . . . for me at least!
“Evil$narkBunny111709!”
What’s Eli got to do with this?
REPLY: Eli who?
Re: ChE says:
August 18, 2012 at 9:45 am
Thank you Moderator . . . didn’t come through on my end . . .
ChE: “Inquiring minds want to know”! Is this like a “Who is John Galt” moment?
ChE says:
August 18, 2012 at 9:45 am
“Evil$narkBunny111709!”
What’s Eli got to do with this?
REPLY: Eli who?
>>>>>>>>>>>>>>>>>>>>
Eli Rabbit. Like a couple of others upthread, I thought it was a carefully chosen jibe.
As for remembering user names and passwords. Bookmark the relevant website then edit the URL properties to add a question mark and a clue.
wattsupwiththat.com/?curacoa
If I needed a name and password to post here I’d be using – according to the clue – the naval rank and serial number of an ancestor.
Or, if you’re feeling brave.
wattsupwiththat.com/?username/password