Category Archives: Defacements

Cyberwar on free speech and small businesses

The last month has seen a major increase in international cyber warfare. First we had North Korea hacking Sony, which, apart from the embarrassment caused by leaked documents, forced them to shut down their entire network, and they claim some of their computers still don’t work, all at an expected cost of $169m. The stated reason North Korea launched this attack at the time was the upcoming release of the comedy film The Interview, which ridiculed their dictator Kim Jong-un. Although North Korea never admitted their involvement, there is compelling evidence.

Cinemas refused to show the film, fearing for both their online and physical security. I am pleased to say that Sony did the right thing and released the film online.

Will Sony be brave enough to take on a film that might upset those that might be offended in the future? That, sadly, I doubt, and I think we see that all media has now been silenced. We can see this in my next example: only a couple of weeks ago, jihadists attacked the offices of the Charlie Hebdo satirical magazine in Paris, murdering 12 staff, including the 5 cartoonists whose only crime was exercising their wit with satirical cartoons. But this was not the cyber attack; what followed was 19,000 French websites hacked. The vast majority were not targeted and had no connection to Charlie Hebdo; they were mostly just small businesses with lax security.

But what did happen, and proved how scared the media were, terrorized even, was the refusal to publish even one of the Charlie Hebdo cartoons that had caused the offence. I understand that they might not normally show this sort of material, but when it is the subject matter of a major news story, their absence can only mean that the threats have worked and true freedom of speech is dead, not by some change in the law, but from cyber and physical terrorism.

Cyber attacks are taking centre stage at Davos 2015, the World Economic Forum, with “a report that warns failing to improve cyber security could cost the global economy $3tn”. While Sony, the blue chips, infrastructure and government are sure to benefit from any investment, I don’t expect to see any help for the small businesses and blogs, as we have seen with the 19,000 French sites. And although not free speech related, we saw a similar attack last year on a country’s random small vulnerable sites, again mostly small businesses, in Israel.

I think Craig Hockenberry’s recent DDoS attack is an interesting and worrying story, and we will be hearing a lot more of these types of cyber attacks in the future. All those countries and regimes that wish to direct all speech to protect their own interests block access to internet traffic; the way they block their citizens (or, if you like, prisoners) from accessing certain parts of the internet (I hear Disney is blocked in Iran) is to poison the DNS, so when you type in some restricted site, you are taken to some other place. It could be any site they want taken down, as the effect is a massive DDoS, and as a friend of Craig’s said, “They have weaponized their entire population”.
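
The flood described above reaches the victim as ordinary HTTP requests that still name the site the visitor typed, so a site owner can spot it by counting requests whose Host header is not one of their own names. This is an added example, not from the original post; the log layout (Host header as the first field), the site names and the sample lines are constructed assumptions.

```python
import re
from collections import Counter

# Assumption: the server logs the request's Host header as the first field
# (e.g. Apache LogFormat "%{Host}i %h %t \"%r\" %>s"). Hypothetical site names.
OWN_HOSTS = {"example-shop.test", "www.example-shop.test"}
# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
www.example-shop.test 198.51.100.7 [20/Jan/2015:10:00:01 +0000] "GET / HTTP/1.1" 200
blocked-video.example 203.0.113.10 [20/Jan/2015:10:00:01 +0000] "GET /watch?v=1 HTTP/1.1" 404
BLOCKED-VIDEO.example:80 203.0.113.11 [20/Jan/2015:10:00:01 +0000] "GET /watch?v=2 HTTP/1.1" 404
blocked-video.example. 203.0.113.12 [20/Jan/2015:10:00:02 +0000] "GET /feed HTTP/1.1" 404
blocked-social.example 203.0.113.10 [20/Jan/2015:10:00:02 +0000] "POST /login HTTP/1.1" 404
example-shop.test 198.51.100.9 [20/Jan/2015:10:00:03 +0000] "GET /hours HTTP/1.1" 200
"""
LINE_RE = re.compile(r'^(?P<host>\S+) (?P<ip>\S+) \[[^\]]+\] "[^"]*" (?P<status>\d{3})$')

def normalise(host):
    """Lower-case the Host value and drop any port and trailing dot."""
    host = host.lower()
    if not host.startswith("["):          # leave IPv6 literals alone
        host = host.split(":", 1)[0]
    return host.rstrip(".")

def analyse(log_text, own_hosts=OWN_HOSTS):
    """Count requests whose Host header names a site that is not ours."""
    total, by_host, clients = 0, Counter(), set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip lines in another format
        total += 1
        host = normalise(m["host"])
        if host not in own_hosts:
            by_host[host] += 1
            clients.add(m["ip"])
    return {"total": total, "foreign": sum(by_host.values()),
            "by_host": by_host, "clients": len(clients)}

def looks_misdirected(report, threshold=0.5):
    """True when at least `threshold` of requests were meant for other sites."""
    return report["total"] > 0 and report["foreign"] / report["total"] >= threshold

if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    print(report, looks_misdirected(report))
```

Requests for names the server does not host can be answered by a catch-all default virtual host that refuses them cheaply, which keeps the load away from the real site.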

Some Simple Security Advice for Bloggers in advance of #OpUSA

#OpUSA is a little more than a week away, and the vast majority of hacks and defacements that came from last month’s #OpIsrael hit just individual bloggers and small “mom ‘n’ pop” businesses using simple WordPress style sites that were unlucky enough to have “.il” at the end of their domain names, or had Facebook accounts and pages that showed their location as being in Israel. I have seen some estimates putting the number of small businesses and private bloggers at 100,000.

Looking at the sophistication and targeting used in previous attacks, we can only guess that anyone with a “.com” domain name will be seen as a legitimate target. I haven’t looked at Anonymous’s political reasoning for these attacks; I am sure they have one, but I doubt attacking such easy targets could ever be justified.

I wanted to offer 2 suggestions to protect you from this and attacks like this. With any online security, the first line of defense is always the password, and it needs to be strong. Sophos provide a great video here which helps you build memorable but complex passwords.

And although this has been around for probably more than 10 years, GRC provides the best password strength meter, as well as some great understanding of what makes them strong.

Something not always thought of, which adds a lot more strength than relying on a password alone, is using a different username for each account. If you have your own domain name with a “catchall” anything@domainname.com setup, then although you use info@ or firstname@ for your general email, there is no reason you shouldn’t use wp@ for your WordPress account and fb@ for your Facebook account. The hacker can try any combination of passwords, but if they don’t know what email address you used, they haven’t got a chance.

A little beyond the scope of this article, but people often ask, “How am I meant to remember all these usernames, email addresses and passwords?” Well, there are plenty of applications and browser plugins that will help you with this, sometimes called password lockers and keychains, with options to safely store backups on their hosting service, leaving you needing only one set of credentials to access them all. Personally, for a few years I have been using an encrypted USB key with a simple text file, which allows me to copy and paste the passwords in when requested. I’m not paranoid, although I get the added protection of being immune to snooping by some keylogger; I just have so many to remember, and many were not chosen by me.

The second line of defence on WordPress has got to be making sure your script and plugins are up to date; don’t ignore that nagging little button. There are a number of free plugins available that lock down security; a search for the word “security” when you go to add plugins brings up a list of over a thousand. Install one and enable it. A backup, well, as a backup, is always a good idea; again there are plenty of free plugins available, but it’s essential, once you’ve installed one, to actually press the backup button occasionally.

The other target in previous attacks was simply taking over Facebook accounts; this is fairly simple to combat and should be done anyway. Start by going to “security”, which is an option on the “account settings” page. Enable as many of the options as you can. The “login approvals” option gives you very strong protection, but can cause login issues if you use multiple devices in different locations. The login notifications will fire off an email to you each time you connect with a new device, with a link that will notify Facebook if you believe that login was fraudulent, allowing you to undo any changes they may have made. Attackers don’t only use password guessing, but also try to reset the password using information that’s readily available on your profile.

It’s possible that Anonymous will stick to just targeting major corporations, government and military sites this time, which really doesn’t bother me, as they are quite capable of both protecting themselves and following the hackers with a legal process. But the reality is that no legal authority wants to know when a corner store or an individual gets hacked; no one will help, and there will be no criminal charges laid or compensation paid, so it’s better you take responsibility yourself.

Is it ambulance chasing?

Looking at the long list of sites that were attacked during Anonymous’s recent #OpIsrael, reminded me that the vast majority of victims of site defacements are actually just “mama papa” businesses on some $5 a month hosting plan, a few pages of their products, opening times and a map, they probably paid some local “IT Wizard” $200 to personalize a standard template 3 years ago.

When they get that phone call from their clients asking “what happened to your site” and they take a look for themselves, they are shocked to see it’s all gone, replaced by some garish image, a bit of graffiti claiming ownership or, if it’s not political or vandalism but commercial defacement, adverts for fake designer goods or some embarrassing “male enhancement” herb.

I’ve helped quite a few clients, both individuals and companies, with the clean-up. Often, as they can’t see anything of their own site, they think the rest of it is gone. Only larger companies back up, so these individuals and smaller companies feel hopeless. I feel for them; the economy is not good, and they will be talking about “rescuing it if it’s worth it” or “maybe we only need a Facebook page”. They often don’t get the instant response they expect from their hosting companies, which are not usually helpful anyway, and are in a state of panic.

The fact is the vast majority of these defacements are done using automated tools, usually as simple as editing the homepage by adding a couple of lines of code. Each method is different, but the bottom line is that they are nearly always easily recovered.
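
Because such a defacement usually touches only the homepage and perhaps drops a file or two, comparing the web root against a hash manifest taken while the site was known-good shows exactly what to restore. This is an added example, not from the original post; the file names and contents are constructed, and the manifest is assumed to be kept off the server.

```python
import hashlib
import tempfile
from pathlib import Path

def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff_manifest(baseline, current):
    """Compare a known-good manifest with the web root as it is now."""
    return {
        "modified": sorted(f for f in baseline
                           if f in current and current[f] != baseline[f]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "intact": sorted(f for f in baseline if current.get(f) == baseline[f]),
    }

def demo():
    """Constructed site in a temp dir: baseline, then an overwritten homepage."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp)
        (site / "products").mkdir()
        (site / "index.html").write_text("<h1>Corner Store</h1>")
        (site / "hours.html").write_text("<p>Open 9 to 5</p>")
        (site / "products" / "list.html").write_text("<ul><li>Tea</li></ul>")
        # Taken while the site is known-good; store it away from the server.
        baseline = build_manifest(site)
        # Constructed incident: homepage replaced and one unknown file dropped.
        (site / "index.html").write_text("<h1>replaced page</h1>")
        (site / "x.php").write_text("unknown file")
        return diff_manifest(baseline, build_manifest(site))

if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

Files listed as modified are restored from the backup, files listed as added are removed after inspection, and everything under intact confirms the rest of the site is still there.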

This brings me closer to my point. The hackers list their achievements in the defacement archives, which they often do in batches, having used the same script against sites which they have found share the same vulnerability.

And the question is: how ethical is it to tout for business by offering to fix these small sites?

I have sent unsolicited emails to random victims, having taken the time to look at their publicly archived site or done a “whois” for contact details, emailing them a whitepaper describing how to fix that particular defacement, and sometimes even telling them the patch they need to apply so it doesn’t happen again.

Half will be appreciative, thanking me, but sadly nearly always then asking questions like “so how do I edit my default.html file?”, which of course is more of a training exercise and would be far more difficult than me just doing it myself, so I don’t reply.

What worries me about offering this “fix defacements as a paid service” is that I can read between the lines that they will never trust that I am not actually the hacker.

Of course I wouldn’t put it past some lawyers to spray the roads with oil.