Security

Large Wordpress Hack Hits Major Hosting Companies, twice.

Wednesday, May 5th, 2010

Users with Network Solutions and Go Daddy running WordPress are having a rough time recently. Some security analysts are saying they’re related. The exploit is now being seen on other open source applications.

On April 11th Network Solutions posted an entry that the issue has been resolved and laid blame to a hole in Wordpress. A dev over at Wordpress quickly blasted back at Network Solutions, which made me chuckle.

A properly configured web server will not allow users to access the files of another user, regardless of file permissions. The web server is the responsibility of the hosting provider. The methods for doing this (suexec, et al) have been around for 5+ years.

I’m not even going to link any of the articles because they have so many inaccuracies you become stupider by reading them.

If you’re a web host and you turn a bad file permissions story into a WordPress story, you’re doing something wrong.

A few days later Go Daddy was hit and less than a week later hit again. The issue is still unresolved at this time. Whats more interesting is its effecting other applications such as Joomla. There was even some speculation that US Treasury websites have been hit with the same attack.

What it does

In all cases so far the database is left untouched. Malicious javascript is injected into .php files that infects the visitors machine. Fresh installs of WordPress will clean up the mess but the site gets reinfected. Users have reported even changing FTP passwords doesn’t stop the attackers from gaining access.

Who it effects

So far its been Linux servers running php on virtualized accounts. Not sure if the Treasury websites are virtualized or not.

How I deal with this

First if your paying $5/month for a hosting service don’t expect allot of support. For starters all of my clients use Liquid Web either on their own account or through me. Having a good data center is key and the guys at Liquid Web are awesome.

The biggest complaint you read about is the tediousness of going through all of your php files looking for some sort of injection. Most of these account holders are actually looking at every single file. Digging through a few hundred files does not sound like fun. Since I run Subversion on everything I touch its pretty simple. Just SSH in and enter. 

svn status

Thats it. If anything has changed I’ll see it. There are other security issues for running SVN on a production site but if you don’t store your passwords in the open and use .htaccess to block any requests for .svn files you’ll be fine.

The cause

Sounds like they still don’t have a good grasp on what is going on here. My guess is it has to do with the server or even the OS setup on these accounts. For now the entrance vector remains in question.

The Solution

Its too early to lay blame on the hosting providers for a bad configuration. Right now it seems like they are just the biggest targets. However, don’t expect quality support from discount providers. They just don’t have the resources to respond to all of their customers. For now their customers are left frustrated with little help or recourse. Its even worse for the development companies that host their clients websites with Go Daddy and Network Solutions.

Given the amount of time this has gone on I would grab my data, clean it and move to another hosting provider.

Tags: , ,
Posted in Security | 2 Comments »

Tier your passwords to protect your identity.

Wednesday, July 22nd, 2009

Safe

How many online accounts do you have? How many of those accounts have the exact same password? Now how many of those accounts are associated with the same email address?

I have well over 100 accounts which is excessive for the average user. For a developer its just part of my daily life. I do not have a unique random password for each online account. I would guess the average user has at least 10 different accounts including, online banking, social websites, email and other services. I guarantee the average user does not have a unique password for each account. Its an unreasonable inconvenience to come up withe a unique login/password combination for every single account.

I work with all sorts of user management systems. Open source, commercial, and even built my own. Its scary to see how some of these systems are put together. There are always security holes but a common point of weakness is the user password. I use to be astonished but anymore I expect to see the same flaw.

When you enter your user name and password to login to a website the form submits that information and looks for a match on the database. If there is a match the system verifies your identity. The problem is there is a high probability that your password is stored on the database in plain text.

What’s the big deal?

System administrators, and in some cases company employees have access to your user information including that password. There is still a common myth that the little black dots on the password box are hiding your password. Those dots are not hiding your password. Preventing the dots from obscuring your password is trivial.

Not only is your information available to the site administrators its subject to being disclosed by a hacker if the site isn’t properly protected. There are always holes and given enough motivation a hacker will find a way in.

What’s the solution?

Minimal protection involves storing the password as a hash. This means your password is saved as group of sudo random letters and numbers. Hashing is often confused with encryption. The big difference between the two is encrypted data can be read, hashed data can not. When a password is stored as a hash it can not be reconstructed. The system can only check if the hashed value matches the plain text value. A hacker or system administrator does not have access to your password.

The bad news is even hash’s can be cracked given enough time and resources. But why make it easy? Storing passwords in plain text is like leaving the keys in the ignition.

So what’s the big deal?

An article on tech crunch lays out a little different twist on how weak password security allowed a hacker access to twitter’s company documents. In this example the hacker exploited the “lost password” feature across multiple accounts to gain access.

If the web application is not secure and your passwords are in plain text it makes it much easier. Take this scenario for example. You register for an account on some random website. You use your email address as the user name, which is common and enter your re-usable password. Is this the same email account you use for your online banking? Is it the same password? You can see where I’m going with this. For every entry vector I can think of I promise someone else has 10. How about the secret questions, “What city were you married in?” How hard would it be to find this information online?

How do I know if my password is stored correctly?

The short answer, you don’t. There are couple tell tail hints that will confirm your password is in plain text. The most obvious is password retrieval. When you click on “forgot my password” does it send you back a password you entered or a random generated password? If it sends you something that you recognize as your password its a guarantee that the password is stored in plain text. If you receive a random password you need to go in and change it. The password could be exposed at any point between creation and mail delivery.

How can I protect myself?

Almost nobody will use a strong unique password for each web service. The best way to implement safeguards in a manner that you will actually use is to tier your passwords. All financial accounts need to have a unique strong password. No exception. For other services I scale my passwords on how much information the website has. A forum might have the weakest password. I might use the same password for all the forums I visit. The same could be true for rarely used backend administration tools. For services that I don’t need critical updates I never use my primary email address. Use gmail or hotmail for these services.

Tags: ,
Posted in Security | No Comments »

Dealing With Email Blacklists

Thursday, March 19th, 2009

In the list of the top three server catastrophes I would put having your IP address blacklisted as #2 just behind total data loss without a backup. In reality having a total loss of data with an off site backup will get your business back to full speed quicker than ending up blacklisted.

Ending up on the wrong lists will result in the loss of your ability to not only send email but receive it as well.

Symptoms of being blacklisted

Having your email end up in others spam boxes is not conclusive that your IP is listed but it is how some hosts deal with shady IP’s. Assuming your emails do not contain content that would flag it as spam you may have some server configurations not set up properly.

Proof positive that your being blacklisted will be a returned email that explicitly says the IP address is blacklisted.

I’m blacklisted now what?

The first step is to find out why. If your on a shared server you need to call your host and have them correct it. Chances are you or somebody who shares your IP has had a security breech. If they are unable or unwilling to correct the problem its time to switch hosts. This type of support is exactly why not all hosts are created equal, you get what you pay for.

If your on a dedicated server or VP package you probably have had a security breech. Two of the most common causes are a poorly written contact form being abused or the attacker has managed to upload and execute a script that is spitting out SPAM. Don’t even attempt to get off these lists until you have found the problem corrected.

The Cleanup

Real Time Blacklists (RBL) come in several varieties. A large portion of these RBL’s publicly list bad servers. A good resource is Mx Toolbox. These lists are probably the easiest to deal with. You can tell exactly who has you listed and how to correct the problem. Each list has their own triggers to determine who is actually sending out spam. Most of these lists talk to each other so by being listed on one you will be listed on several. Its a cascading effect and the longer your problem goes unchecked the more lists you will be on.

For the most part you will be removed after a specific period of time passes and you are not sending out SPAM. Some of these lists have forms you can fill out to expedite your removal. At least one requires a payment to be expedited. If your on these lists it will be at least 3 days until your completely removed in some cases as long as 7. Submitting a removal request when your still spitting out SPAM is only going to make it harder to get off the list so make sure your all buttoned up first.

The more difficult and time consuming lists are the private non published lists that act as firewalls for large companies or government. An example is Frontbridge’s 88.blacklist.zap. and Barracuda. You will get a bounced email with a link to a form where you can request removal. They are generally fairly quick to remove you but you won’t know there is a problem until you get the email.

The most difficult lists to deal with are the individual ISP. They are far slower to remove you. It will require allot of your time to deal with them individually as they come in.

How do I stay off these blacklists?

If your on a shared server its on your hosting service to monitor all the sites on a single IP that you share. Ever wonder why some hosting services cost $5 month for a shared package and others cost $30? In most cases you pay a little more for higher quality. If your host does not allow shell access that is a good sign they take security seriously. The extra cost you pay the host is because they will have to run any higher level commands for you. For anyone who isn’t a server admin its worth it not to deal with this.

If you have a dedicated server or VP package be sure its set up properly. This is exactly why there are such things as server admins. Making sure your not at risk takes daily monitoring and allot of knowledge for the setup.

Other Resources

Tags:
Posted in Security | No Comments »