With #OpUSA a little more than a week away, and having seen that the vast majority of hacks and defacements came from last months #OpIsrael were just individual bloggers and small “mom ‘n’ pop” businesses using simple WordPress style sites that were unlucky enough to have “.il” at the end of their domain names, or had FaceBook accounts and pages that showed their location as being in Israel. I have seen some estimates putting the number of small businesses and private bloggers at 100,000.
Looking at the sophistication and targeting used in previous attacks, we can only guess that anyone with a “.com” domain name will be seen as a legitimate target. I haven’t looked at Anonymous’s political reasoning for these attacks, I am sure they have one, but doubt attacking such easy targets could ever be justified.
I wanted to offer 2 suggestions to protect you from this and attacks like this. With any online security, the first line of defense is always the password, it needs to be strong. Sophos provide a great video here which helps you build memorable but complex passwords.
And although this has been around for probably more than 10 years, GRC provides the best password strength meter, as well as some great understanding of what makes them strong.
Something not always thought of, and adds a lot more strength to a password, is actually using a different username for each account, which normally being a password alone, if you have your own domain name with a “catchall” anything@domainname.com setup, although you use info@ or firstname@ for your general email, there is no reason you shouldn’t use wp@ for your WordPress account and fb@ for your FaceBook account. The hacker can try any combination of passwords, but if they don’t know what email address you used, they haven’t got a chance.
A little beyond the scope of this article, but people often ask “how am I meant to remember all these usernames, email addresses and passwords?” Well there are plenty applications and browser plugins that will help you with this, sometimes called password lockers and keychains with options to safely store backups on their hosting service, so leaving you only needing to use one set of credentials to access all. Personally for a few years I have been using an encrypted usb key with a simple text life, which allows me to copy and paste the passwords in when requested, I’m not paranoid, although I get the added protection of being immune to snooping by some keylogger, I just have so many to remember and many were not chosen by me.
The second line of defence on WordPress has got to be making sure your script and plugins are up to date, don’t ignore that nagging little button. There are a number of free plugins available that lock down security, a search when you go to add plugins for the word “security” brings a list up of over a thousand. Install one and enable it. A backup, well as a backup is always a good idea, again there are plenty of free plugins available, but it’s essential once you’ve installed, to actually press the backup button occasionally.
The other target in previous attacks were just taking over FaceBook accounts, this is fairly simple to combat and should be done anyway. Start by going to “security” with is an option on the “account settings” page. Enable the as many of the options as you can, the “login approvals” option gives you very strong protection, but can cause logging in issues if you use multiple devices in different locations. The login notifications will fire of an email to you each time you connect with a new device, with a link that will notify FaceBook if you believe that login was fraudulent allowing you to undo any changes they may have made, they don’t only use password guessing, but try to reset the password using information that’s readily available on your profile.
It’s possible that Anonymous will stick to just targeting major corporations, government and military sites this time which really doesn’t bother me, as they are quite capable of both protecting themselves and following the hackers with a legal process. But the reality is, no legal authority wants to know when a corner store or an individual gets hacked, no one will help, there will be no criminal charges laid or compensation paid, so it’s better you take responsibility yourself.