Beefing up security on skeptical blogs

A candidate icon for Portal:Computer security (Photo credit: Wikipedia)

In the past week two prominent skeptic websites have been attacked: Jo Nova and The GWPF. The latter was taken over outright, with its home page replaced by a message from the attackers.

I won’t give any publicity to the attackers by showing that screen, but suffice it to say it was ugly.

This is just a friendly warning to the skeptical blogging community at large: take steps to improve your security now, before you are the next target. Here are some suggestions.

1. If you operate a private server rather than being hosted on WordPress.com, Blogspot, TypePad or a similar service, you are the most exposed, because every layer of the stack is yours to secure. The suggestions below are for those running private dedicated or leased servers.

a. Close any ports that are not needed for regular operation. For example, if you don’t use FTP, turn it off. Likewise for Telnet, SSH and other remote-access methods you don’t use (SSH is usually the only way to administer a remote server, so if you need it, keep it but lock it down: key authentication, no root login, and restrict the source addresses if you can). Rather than hunting ports one at a time, put a host firewall in front of the machine with a default-deny inbound policy that permits only the handful of ports you actually serve; the rest of the 65,535 are then closed whether or not something happens to be listening on them. Stop and disable anything that is installed but unused as well, since an unconfigured service is exactly what an attacker hopes to find. For Linux see: http://www.linuxquestions.org/questions/linux-security-4/close-unused-ports-and-ssh-503929/page2.html

For Windows Server: http://searchsecurity.techtarget.com.au/news/2240020779/Five-ways-to-harden-Windows-Server

b. Be sure security patches for your operating system and applications are up to date.

c. Run a malware scan with your antivirus program. If you don’t have an AV/anti-malware product on a Windows-based server, you are asking for trouble. On Linux it matters less, but you still need the firewalling of point a, and it is worth checking your web root and upload directories for files you did not put there, since a compromised blog usually ends up hosting somebody else’s scripts.

d. If you have other applications installed, such as PHP, MySQL, etc., make sure those are patched and up to date too. It is easy to say “if it ain’t broke don’t fix it,” but known exploits accumulate with time, and an unpatched version is a published recipe for breaking in. Your best defense is keeping up to date and applying new patches promptly. Like climate, servers are not static entities.
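The steps in 1a through 1d come down to two questions: what is this box listening on that it shouldn’t be, and what does a default-deny firewall for it look like? The following script is an added example, not code from the original post; it runs against a constructed sample of `ss -Hltn` output and an assumed allow list of ports 22, 80 and 443, and it only prints a report and a candidate nftables ruleset. It does not change anything on the machine.

```shell
#!/bin/sh
# Added example (not from the original post): audit what a Linux server is
# listening on and render a default-deny inbound firewall ruleset.
# Everything below runs against constructed sample data; nothing is applied.

# Constructed sample of `ss -Hltn` output (listening TCP sockets, no header).
# On a real box you would use: SAMPLE_SS=$(ss -Hltn)
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:21 0.0.0.0:*
LISTEN 0 128 0.0.0.0:23 0.0.0.0:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 *:80 *:*
LISTEN 0 128 [::]:443 [::]:*'

# The only TCP ports this blog server is meant to expose (an assumption).
ALLOWED_PORTS="22 80 443"

# exposed_unexpected_ports SS_OUTPUT ALLOWED_PORTS
# Prints one port per line for every listener bound to a non-loopback address
# whose port is not on the allow list: these are the services to stop and disable.
exposed_unexpected_ports() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
    BEGIN { n = split(allowed, list, " "); for (i = 1; i <= n; i++) ok[list[i]] = 1 }
    $1 == "LISTEN" {
        addr = $4; sub(/:[0-9]+$/, "", addr)   # "[::]:443" -> "[::]"
        port = $4; sub(/.*:/, "", port)        # "[::]:443" -> "443"
        if (addr ~ /^(127\.|\[::1\]$)/) next   # loopback only: not reachable remotely
        if (!(port in ok)) print port
    }'
}

# render_nft_ruleset ALLOWED_PORTS
# Emits an nftables ruleset: inbound policy drop, except loopback, replies to
# connections we opened, ICMP (so path MTU discovery keeps working) and the
# allowed TCP ports. Syntax-check with `nft -c -f rules.nft` before `nft -f rules.nft`,
# and keep an out-of-band console handy the first time you apply a drop policy.
render_nft_ruleset() {
    ports=$(printf '%s' "$1" | tr ' ' ',')
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } accept
        tcp dport { $ports } accept
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output  { type filter hook output priority 0; policy accept; }
}
EOF
}

# Report: listeners that are reachable from outside but not on the allow list.
for p in $(exposed_unexpected_ports "$SAMPLE_SS" "$ALLOWED_PORTS"); do
    echo "exposed and not allowed: tcp/$p  (stop and disable the service, or add it to ALLOWED_PORTS)"
done

# The ruleset that would close everything else.
render_nft_ruleset "$ALLOWED_PORTS"
```

With the sample above the report names tcp/21 (FTP) and tcp/23 (Telnet); MySQL on 3306 is not reported because it is bound to loopback only, which is how it should stay on a single-box blog. The generated ruleset is deliberately stateful (`ct state established,related accept`) so that a drop policy does not break outbound updates and DNS.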

2. Passwords are your weakest point of failure. Make sure you have a strong one. Any password that is a plain English dictionary word falls in seconds to a cracker working from a word list. You need long passwords that mix upper and lower case, digits and symbols, like this:

Evil$narkBunny111709!

Don’t use street addresses, telephone numbers, SSNs, birthdays or family/pet names as part of the password, as these are discoverable. And don’t use the example above: once a password has been published it is in every cracking word list. If your password has been around for more than a year, change. it. now. Read what happened to a prominent WIRED journalist (Mat Honan) who got sloppy; the attacker was helped along by incompetent security procedures at Apple and Amazon.

Likewise, your other applications, such as MySQL and phpMyAdmin, have passwords of their own. Some people never even change the defaults, and that is an open invitation. Change. them. now.
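Two of the password problems above, accounts with no password at all and passwords nobody has changed in over a year, can be read straight out of /etc/shadow on a Linux server. The script below is an added example, not code from the original post; it runs here against constructed shadow lines with placeholder hashes, and the date and one-year limit are passed in as parameters so the check is repeatable.

```shell
#!/bin/sh
# Added example (not from the original post): flag login accounts that have
# no password set or whose password is older than a given number of days,
# using the fields of /etc/shadow. Runs against constructed sample lines;
# on a real box:  audit_shadow "$(sudo cat /etc/shadow)" "$(( $(date +%s) / 86400 ))" 365

# Constructed /etc/shadow sample. Fields are
#   name:hash:last-change(days since 1970-01-01):min:max:warn:inactive:expire:reserved
# The $6$ hashes are placeholders, not real password hashes.
SAMPLE_SHADOW='root:$6$saltsalt$placeholderhash:15400:0:99999:7:::
olduser:$6$saltsalt$placeholderhash:15100:0:99999:7:::
ftpuser::15000:0:99999:7:::
www-data:*:15000:0:99999:7:::
deploy:!:15000:0:99999:7:::'

# audit_shadow SHADOW_TEXT TODAY_DAYS MAX_AGE_DAYS
# Prints one line per finding. A hash beginning with "!" or "*" means the
# account is locked and cannot log in with a password, so it is skipped.
# An empty hash field means login with NO password, which is the worst case.
audit_shadow() {
    printf '%s\n' "$1" | awk -F: -v today="$2" -v maxage="$3" '
    NF < 3 { next }
    {
        user = $1; hash = $2; changed = $3
        if (hash == "")        { print user ": NO PASSWORD SET"; next }
        if (hash ~ /^[!*]/)    { next }
        if (changed == "")     { print user ": password aging disabled"; next }
        if (changed + 0 == 0)  { next }      # 0 = must change at next login
        age = today - changed
        if (age > maxage) print user ": password is " age " days old"
    }'
}

# 15560 is 18 August 2012, the date of this post, in days since the epoch.
audit_shadow "$SAMPLE_SHADOW" 15560 365
```

Against the sample this reports `olduser` (460 days old) and `ftpuser` (no password), while `root` at 160 days and the locked service accounts are left alone. The same idea applies to the application side: MySQL keeps its accounts in the `mysql.user` table, and an entry with an empty authentication string there is the default-password problem the paragraph above warns about.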

3. Consider moving off a private server to a service like wordpress.com, where WUWT is hosted. There are migration tools for most of the other blogging platforms to make this easy. The value of wordpress.com is that they take care of the heavy-duty security for you: DDoS attacks, exploits, malware, port scans, SQL injection and so on are their problem, not yours. Plus you get a cloud service to handle massive bandwidth, all for free. Every time I think about the trade-offs of getting a private server to gain a few more features like comment editing or sidebar widgets, I think of the management hell that The GWPF, Jo Nova and Lucia have gone through with their private server setups. Staying on wordpress.com is a no-brainer for the security and bandwidth alone. Extra features aren’t worth anything if your website is hosed.

Jo Nova is now frequently offline with DDoS attacks, and she has no good strategy for dealing with them on a single server box; there is no way for one machine to absorb more traffic than its uplink carries. The cloud servers behind wordpress.com, with filtering at the network edge, solve this with ease.

4. Remember when Climategate broke? Climate Audit, then on a private single-box server running the self-hosted WordPress software from wordpress.org, crumbled under the load. WUWT remained running because it was on the cloud-based wordpress.com. We’ve since migrated Steve McIntyre’s CA website from a private box in a Sacramento colo to the wordpress.com cloud system, and haven’t had any trouble since.

If you have a breaking story that needs wide exposure, the last thing you want is a private server that hits capacity in the first hour. Climategate taught Steve McIntyre and me this lesson very well.

Good luck.

107 Comments
mrrabbit
August 18, 2012 2:20 pm

http://attrition.org/errata/charlatan/
Steve Gibson, listed about a dozen down. Was wondering why the name seemed so familiar…
=8-)

MattB
August 18, 2012 2:23 pm

All this talk of password protection kinda makes me re-think the all.7z file hoopla again. Has anyone tried Evil$narkBunny111709! for the password yet??? :->

yoshisen
August 18, 2012 2:40 pm

@Dodgy Geezer
“Why does writing a password down make it useless? We’re talking about home-operated equipment here…”
Funny story time, or perhaps not. And bear with me a bit.
So, did you hear about the case of the guy in the UK who operated a TV redirection site? He didn’t actually host anything himself, he simply offered a redirection site, other people offered links, which were checked by other members for quality. And in turn, posted. Now the sites themselves were all over the world, run by other people.
This fellow put his house up on the market and had his equipment in a similar situation as you. A “prospective buyer”, who was actually an undercover police officer, came in, gleaned all the account info of his site, and they were able to sting him down. In turn, they arrested, charged, and shut him down with a conspiracy to defraud. Now that’s not what would happen to you, but it does show that having something written down in plain sight isn’t exactly the best security option.
Some info on that case here:
https://torrentfreak.com/surfthechannel-owner-found-guilty-of-conspiracy-to-defraud-120627/

clipe
August 18, 2012 3:02 pm

clipe says:
August 18, 2012 at 1:54 pm
As for remembering…

Funny how the mind works. Seeing “remembering” made me think of Greenland for some reason, couldn’t figure out why at first.
Anagrams!
berg in memer
berger in meme
Bimmer Green

Laurie Bowen
August 18, 2012 3:35 pm

MattB says: August 18, 2012 at 2:23 pm
Gee . . . I thought that part of what the entire “Patriot Act” was about . . . . Which really turns into a Catch 22 if you do not know the password . . .
It’s also why . . . many people will not touch or get involved with computers . . . forget passwords for a moment . . . let’s talk about “terms of service” and “privacy policies”!
FTC Approves Final Settlement With Facebook
http://www.ftc.gov/opa/2012/08/facebook.shtm
Then there is: Google Will Pay $22.5 Million to Settle FTC Charges It Misrepresented Privacy Assurances http://www.wired.com/business/elsewhere/google-will-pay-22-5-million-to-settle-ftc-charges-it-misrepresented-privacy-assurances-20120809/
Can you imagine what is happening within the whole anonymous hacktivist . . . “culture”!
Oh and my favorite . . . terms of services . . . . for example . .
Indeed (they say) is the #1 job site worldwide
Ownership and Rights to Use Materials
If you post content or submit material, you grant Indeed a nonexclusive, worldwide, perpetual, irrevocable, royalty-free, sublicensable (through multiple layers of sublicensees) right and license to make, use, sell, sublicense, reproduce, distribute, perform, display, prepare derivative works from and otherwise exploit all such content and materials for any purpose without restriction.
http://www.indeed.com/intl/en/tos.html
http://www.indeed.com/intl/en/about.html
Indeed is the #1 job site worldwide, with over 60 million unique visitors and 1 billion job searches per month. Indeed is available in more than 50 countries and 26 languages, covering 94% of global GDP.
Since 2004, Indeed has given job seekers free access to millions of jobs from thousands of company websites and job boards. As the leading pay-for-performance recruitment advertising network, Indeed drives millions of targeted applicants to jobs in every field and is the most cost-effective source of candidates for thousands of companies.
Indeed is a privately held company founded by Paul Forster and Rony Kahan, with investors including The New York Times Company, Allen & Company, and Union Square Ventures. Indeed has offices in Austin, TX, Dublin, IE, London, UK, Mountain View, CA, New York, NY, and Stamford, CT.
http://www.indeed.com/intl/en/ourcompany.html
So, what do you think about the “laissez faire” approach to businesses that behave badly?
So one may feel secure in whatever they want, but it may only be false security . . .
Every engineer I have ever been exposed to understands the necessity of good and great rules and enforcement of those rules . . . and has an appreciation for the good and great processes that have developed for adjudicating them thereof!

Laurie Bowen
August 18, 2012 4:50 pm

More on what yoshisen says: August 18, 2012 at 2:40 pm
SEC shuts down $600M online Ponzi scheme
Court freezes remaining assets of ZeekRewards.com
http://articles.chicagotribune.com/2012-08-17/business/chi-sec-shuts-down-600m-online-ponzi-scheme-20120817_1_investors-net-profits-rewards-points
Former Councilman Accused Of Running Ponzi Scheme Pleads Guilty
http://www2.wspa.com/news/2012/jul/30/14/former-anderson-co-councilman-plead-guilty-ar-4222671/
This has all been made so much easier . . . with the advent of the internet and the innovations in technologies that make this kind of networking possible . . .
So, I am hoping that I am addressing issues with “hue”mans that understand the need for regulations, whether the regulations affect public behaviors and pseudo-private behaviors!
If it were to become a reality . . . that simply referencing a link . . . would be punishable by fine or law or both . . . an intense deep freeze would be the new climate on the internet !

August 19, 2012 5:48 am

Evil$narkBunny111707! says host your site on a computer with nothing else on it. Best would be to never telnet in, etc. Computers are inexpensive enough and whatever you do don’t do your banking on the same system
