Category Archives: Security

Some Simple Security Advice for Bloggers in advance of #OpUSA

With #OpUSA a little more than a week away, it is worth remembering that the vast majority of hacks and defacements in last month's #OpIsrael hit individual bloggers and small “mom ‘n’ pop” businesses running simple WordPress-style sites that were unlucky enough to have “.il” at the end of their domain names, or Facebook accounts and pages that showed their location as Israel. I have seen some estimates putting the number of small businesses and private bloggers affected at 100,000.


Looking at the sophistication and targeting used in previous attacks, we can only guess that anyone with a “.com” domain name will be seen as a legitimate target. I haven't looked at Anonymous's political reasoning for these attacks, and I am sure they have one, but I doubt attacking such easy targets could ever be justified.

I want to offer two suggestions to protect you from this and attacks like it. With any online security the first line of defence is always the password, and it needs to be strong. Sophos provide a great video here which helps you build memorable but complex passwords.

And although it has been around for probably more than 10 years, GRC provides the best password strength meter, as well as a great explanation of what makes a password strong.
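As an added worked example (not GRC's code and not part of the original post), here is the search-space arithmetic behind that kind of meter: the alphabet is the sum of the character classes you actually used, and an exhaustive attacker has to try every string up to your length over that alphabet. The guess rate of 10^11 per second is an assumed figure for an offline attack on a fast hash, and the sample passwords are constructed.

```python
import string

# Added illustration of the "search space" reasoning GRC uses to explain
# password strength. This is not GRC's code; the guess rate below is an
# assumption for an attacker running an offline attack on a fast hash.
ASSUMED_GUESSES_PER_SECOND = 1e11

# Character classes and the alphabet size each contributes once it is used.
# Characters outside these classes (e.g. non-ASCII) are ignored, which only
# underestimates the real search space.
CHARACTER_CLASSES = {
    "lower": (frozenset(string.ascii_lowercase), 26),
    "upper": (frozenset(string.ascii_uppercase), 26),
    "digit": (frozenset(string.digits), 10),
    "symbol": (frozenset(string.punctuation + " "), 33),
}


def alphabet_size(password: str) -> int:
    """Size of the alphabet an exhaustive attacker must cover: every class
    that appears in the password at least once contributes its full size."""
    return sum(size for chars, size in CHARACTER_CLASSES.values()
               if any(c in chars for c in password))


def search_space(password: str) -> int:
    """Number of candidates an exhaustive search tries, at worst, before it
    reaches this password: all strings of length 1 up to len(password) over
    the same alphabet, i.e. a + a^2 + ... + a^n."""
    a, n = alphabet_size(password), len(password)
    if a == 0 or n == 0:
        return 0
    return sum(a ** k for k in range(1, n + 1))


def seconds_to_exhaust(password: str,
                       guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case wall-clock time for an exhaustive search at the given rate."""
    return search_space(password) / guesses_per_second


def describe(password: str) -> dict:
    """Summary a reader can compare across candidate passwords."""
    seconds = seconds_to_exhaust(password)
    return {
        "length": len(password),
        "alphabet": alphabet_size(password),
        "search_space": search_space(password),
        "years_to_exhaust": seconds / (365.25 * 24 * 3600),
    }


if __name__ == "__main__":
    # Constructed sample passwords: a short "complex" one, the same with one
    # extra character, and a long passphrase drawn from a smaller alphabet.
    for pw in ("P@ssw0rd", "P@ssw0rd!", "correct horse battery staple"):
        d = describe(pw)
        print(f"{pw!r:32} len={d['length']:2} alphabet={d['alphabet']:2} "
              f"space={d['search_space']:.2e} years={d['years_to_exhaust']:.2e}")
```

Running it shows the point GRC makes: each extra character multiplies the search space by the alphabet size, so a 28-character lowercase passphrase dwarfs an 8-character password that uses all four classes. A meter built this way says nothing about dictionary or leaked-password attacks, which is why “P@ssw0rd” is still a bad choice whatever its search space.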

Something not always thought of, which adds a lot more strength than a password alone, is using a different username for each account. If you have your own domain name with a “catch-all” anything@domainname.com set up, then although you use info@ or firstname@ for your general email, there is no reason you shouldn't use wp@ for your WordPress account and fb@ for your Facebook account. An attacker can try any number of passwords, but if they don't know which address you registered with, every guess also has to guess the login, and a credential leaked from some other site does not hand them this one. One caveat for WordPress: the login name is not your email address but the username you chose at installation, and that username appears in the author archive URL of every post you publish, so choose something other than “admin” and expect it to be discoverable.

A little beyond the scope of this article, but people often ask “how am I meant to remember all these usernames, email addresses and passwords?” Well, there are plenty of applications and browser plugins that will help you with this, sometimes called password lockers or keychains, with options to safely store backups on their hosting service, leaving you needing only one set of credentials to access all of them. Personally, for a few years I have been using an encrypted USB key with a simple text file, which allows me to copy and paste the passwords in when requested. I'm not paranoid, although I get the added protection of being immune to snooping by some keylogger; I just have so many to remember, and many were not chosen by me.

The second line of defence on WordPress has got to be making sure your core scripts and plugins are up to date, so don't ignore that nagging little update button. There are a number of free plugins available that lock down security; a search for the word “security” when you go to add plugins brings up a list of over a thousand. Install one and enable it. A backup is always a good idea as well, and again there are plenty of free plugins available, but it's essential once you've installed one to actually press the backup button occasionally, and to keep the copy somewhere other than the server it is protecting.

The other target in previous attacks was simply taking over Facebook accounts, which is fairly simple to combat and should be done anyway. Start by going to “Security”, which is an option on the “Account Settings” page. Enable as many of the options as you can. The “Login Approvals” option gives you very strong protection, but can cause login issues if you use multiple devices in different locations. “Login Notifications” will fire off an email to you each time you connect from a new device, with a link that lets you tell Facebook if you believe that login was fraudulent, allowing you to undo any changes the attacker may have made. Attackers don't only use password guessing; they also try to reset the password using information that's readily available on your profile, so check what your profile makes public.

It's possible that Anonymous will stick to targeting major corporations, government and military sites this time, which really doesn't bother me, as they are quite capable of both protecting themselves and pursuing the attackers through the legal process. But the reality is that no legal authority wants to know when a corner store or an individual gets hacked: no one will help, no criminal charges will be laid and no compensation paid, so it's better you take responsibility yourself.

German state teaching Hackers that crime pays

Last week, it is being reported, police raided 200 homes across the German state of Rhineland-Palatinate. Also reported is that the government had paid €4m for the data that led to these arrests. It's unknown whether the person who leaked the data is an insider employee or an external hacker; both amount to the same thing really, as either way the data was obtained illegally.

There would have been nothing illegal if this person had told the police where the data existed and assisted the authorities in gathering it, but that's not what happened: they simply paid for stolen property.

A simple but interesting question here is whether the government commissioned this crime, or whether the thief went to the government with an offer. Which leads to another question: if the hacker had been caught, would he have been able to plead mitigation on the grounds that he was stealing with the intention of selling to the government?

Does that mean that any hacker in Germany can penetrate any system looking for information to sell to the government? €4m is a big incentive and totally the wrong message to be sending out. It should reinforce the message to everyone that even if you are breaking no laws, strong controls to protect your data are essential: controlling access is the first line of defence and encrypting the stored data the second, so that a copy which leaves the building is worthless without the keys.