Tag Archives: security holes

Who’s attacking your website?

With the explosion in web creation tools, owning a website is no longer the domain of a select few. Whether you have an online store, a “business card” site or a fan site for your passion, setting up a website can be done by almost anyone with a need and a little patience.

What many people fail to realize is that, just like your home PC, a little care is needed if you are to avoid having your website taken over and either vandalized or used as a springboard for spreading viruses. After all, which of your friends wouldn’t download something from a website they knew you created?

Think people aren’t attacking your site? A quick look at the sites I have set up showed that, without exception, every one of them had logged attempts to log in using brute force password cracking. I know this because I have software installed on these sites that tracks failed attempts to log in and, if they occur often enough (10 tries in my case), my site automatically blocks access from those IP addresses with increasingly long lockouts and sends me a note to let me know about it. Here’s a sample from one of the sites I take care of:

IP Tried to log in as

 

As you can see, usernames like admin, administrator, root, and variants of the URL (starred out for privacy reasons) have all been tried. It’s one of the reasons I NEVER use those as either a user id or a password.

Attacks mostly seem to come from the Czech Republic, the Republic of Korea, Ukraine and so on.

Why those places and what are they doing?  Who cares?  The important thing to realize is that even the website you put together as a memorial to your beloved dog can, and will, be attacked.

The site I pulled the lockout information from is only special to the people that use it. It doesn’t get millions of views, isn’t a political or controversial group, and doesn’t contain any secret information. In fact, everything on the site is public. So if they are being attacked then it’s a very good bet that your website is too.

So what can you do about it?

Well you can’t stop people attacking you, but you can make life difficult for them by taking some simple steps.

  1. The most obvious, and easiest, thing to do is to make sure that you don’t use any common user names or passwords. If your website provider sets up a default user such as Admin when your site is built, change it! Passwords don’t have to be long and hard to remember – two random words like BlueDriver or NotedMarketer will keep people guessing long enough to make them bored. If you use Admin and password because they are easy to remember then you deserve what you get.
  2. Install software that can lock out repeated login attempts.  There are many of these around and they are often free.  Install them for some peace of mind and sleep easily knowing that someone isn’t bombarding your website with thousands of login attempts.
  3. Make sure that you keep your website software up to date. As the HeartBleed bug showed us, no website is foolproof, so make sure that vulnerabilities are patched regularly.

Those three simple steps alone should keep the vast majority of people at bay. Sure, there are a few highly skilled people out there that could get in if they wanted to, but with so many juicy targets for their talents why would they waste their time on your cooking blog? Nope…it’s the equivalent of the thug with a brick that we want to stop, and the steps above are the equivalent of a spray can full of mace to those guys.
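
The lockout behaviour described earlier in this post (block an IP after 10 failed logins, lengthen the block each time, notify the owner), as an added example that is not the plugin the author runs. The 15-minute first lockout, the doubling, the one-hour counting window and the sample events are assumptions made for illustration.

```python
from collections import defaultdict

THRESHOLD = 10           # failed tries before a lockout (the post's setting)
BASE_LOCKOUT = 15 * 60   # assumed length of the first lockout, in seconds
WINDOW = 60 * 60         # assumed: failures older than an hour stop counting

class LockoutTracker:
    def __init__(self):
        self.failures = defaultdict(list)  # ip -> times of recent failures
        self.names = defaultdict(set)      # ip -> usernames it tried
        self.lockouts = defaultdict(int)   # ip -> lockouts issued so far
        self.blocked_until = {}            # ip -> time the current block ends
        self.alerts = []                   # stand-in for the note to the owner

    def is_blocked(self, ip, now):
        return self.blocked_until.get(ip, 0) > now

    def record_failure(self, ip, username, now):
        """Count one failed login; return the lockout length it triggers, or 0."""
        if self.is_blocked(ip, now):
            return 0  # a blocked address never reaches the login form
        self.names[ip].add(username)
        recent = [t for t in self.failures[ip] if now - t < WINDOW] + [now]
        self.failures[ip] = recent
        if len(recent) < THRESHOLD:
            return 0
        self.lockouts[ip] += 1
        duration = BASE_LOCKOUT * 2 ** (self.lockouts[ip] - 1)  # doubles each time
        self.blocked_until[ip] = now + duration
        self.failures[ip] = []
        self.alerts.append((ip, duration, sorted(self.names[ip])))
        return duration

def replay(events):
    """Feed (time, ip, username) failures through a fresh tracker in time order."""
    tracker = LockoutTracker()
    for now, ip, username in sorted(events):
        tracker.record_failure(ip, username, now)
    return tracker

# Constructed sample: one persistent address and one user who mistyped three times.
GUESSES = ["admin", "administrator", "root"]
SAMPLE = (
    [(t, "203.0.113.7", GUESSES[t % 3]) for t in range(10)]        # first burst
    + [(100, "203.0.113.7", "admin")]                              # during the block
    + [(1000 + t, "203.0.113.7", "root") for t in range(10)]       # second burst
    + [(t, "198.51.100.20", "editor") for t in (5, 50, 500)]
)

if __name__ == "__main__":
    for ip, duration, names in replay(SAMPLE).alerts:
        print(f"{ip} locked out for {duration // 60} min; tried {', '.join(names)}")
```

The alert list mirrors the “IP / Tried to log in as” report: each entry names the address, the lockout length and the usernames it guessed.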

 


Filed under Computers, Online Security, Web Design

How to Steal Passwords Saved in Google Chrome in 5 Simple Steps

If you use Chrome as your browser you should know that it’s surprisingly simple to access all of a person’s passwords saved in Google Chrome. Another surprise: Google’s well aware of this fact, and the company is not planning to do anything about it.

For the full story, read: How to Steal Passwords Saved in Google Chrome in 5 Simple Steps | CIO Blogs.

This should be especially worrying considering how many people use the same password for almost all accounts, so even if you don’t use Chrome to store your bank account password you might still be showing more than you bargained for.

After reading the full article you might find yourself wanting to delete the passwords stored in Chrome or make sure that your PC is always locked when you leave it (Windows key – L is a nice shortcut for that). If you decide on the former, then may I suggest using LastPass as a more secure alternative to writing your passwords on Post-it notes.


Filed under Computers, Free Software, Online Security, Technology

iPhones can auto-connect to rogue Wi-Fi networks, researchers warn

Security researchers say they’ve uncovered a weakness in iPhones that forces users to connect to Wi-Fi networks that can then steal passwords or other sensitive information.

AT&T iPhones are instructed to connect automatically to a Wi-Fi network called attwifi when the signal becomes available, a service designed to speed up browsing. But attackers can set up their own rogue Wi-Fi networks with the same name and collect sensitive data as it passes through. AT&T is not the only company doing this, so don’t be smug if you have another carrier.

Researchers tested their hypothesis by setting up several Wi-Fi networks in public areas that used the same SSIDs as official carrier networks. During a presentation on Wednesday at the International Cyber Security Conference, the Skycure researchers set up a network that 448 people connected to during a two-and-a-half-hour period. 

The most effective way to prevent iPhones from connecting to networks without the user’s knowledge is to turn off Wi-Fi whenever it’s not needed. Apps are also available that give users control over what SSIDs an iPhone will and won’t connect to.

via iPhones can auto-connect to rogue Wi-Fi networks, researchers warn | Ars Technica.


Filed under Computers, Free Software, Online Security, Technology, Virus

Hackers attack WordPress ‘Admin’ accounts

Over the past couple of weeks, websites using WordPress have been under fire from a very sophisticated brute force attack involving over 90,000 IP addresses.

Some hosting providers handled this better than others.  

The best ones experienced  some slowness and minor outages while others simply went down for a couple of days.

While it has subsided, the attack is still ongoing, so here are a few steps that you should consider taking to help shore up your defenses.

  1. Make sure that your plugins are up to date. Often plugin updates are released precisely because the earlier versions have security holes, and leaving these unpatched for a long time is an open door to hackers.
  2. Don’t use administrator accounts called ‘admin’. This is akin to using a password of ‘password’. Some hosting vendors created these by default on installation. If you have one of these then create another administrator account, log in using that one and delete the ‘admin’ account.
  3. Create strong passwords. Ideally at least 8 characters and with a mixture of letters, numbers and special characters such as ^%$#&@*. If you have too many passwords to keep things straight then consider using something like LastPass.

These three simple steps won’t keep you totally in the clear but, like an alarm on your car, they should move the troublemakers on to an easier target.

 


Filed under Free Software, Online Security, Virus, Web Design