PDG & Associates – Paul D. Gurney – Web Architect What's new in web design and development

10 Apr 2014

Check your site’s vulnerability to the Heartbleed bug

Posted by Paul Gurney

Visit this site: https://lastpass.com/heartbleed/

to verify whether any website is still vulnerable to the bug. (Remember, not all websites use the same OpenSSL version, so not every site was affected.)

9 Apr 2014

Be aware of the Heartbleed bug

Posted by Paul Gurney

On April 8 I was notified by WiredTree, our hosting company, that their servers had been patched against a newly discovered (and serious) flaw in the SSL encryption technology which underpins secure browsing over https.

It is called the Heartbleed bug.

Our servers were not affected, as they ran CentOS 5 and did not use LiteSpeed. Other sites which did use LiteSpeed were affected.

Read more at:
http://heartbleed.com/
https://blog.cloudflare.com/staying-ahead-of-openssl-vulnerabilities

UPDATE

An article published on Thursday explains how the bug crept into the open-source software.

Heartbleed, a “catastrophic” security flaw in the OpenSSL cryptographic protocol that has affected two-thirds of the entire Internet’s communications, was committed at 10:59 pm on New Year’s Eve by Seggelmann, a 31-year-old Münster, Germany-based programmer.

That night, he made an error that has been compared to the misspelling of Mississippi, a careless but almost inevitable mistake that went undetected for over two years.

11 Jan 2014

Target website hiding its data theft warning

Posted by Paul Gurney

Target has had a big red target leveled at its data systems recently; the intrusion and theft of over 100 million consumers' credit and debit card records is nearly the largest in history.

Its website features a notice to consumers, but strangely, 2 seconds after the home page loads, an ad overlay obscures the warning text and link.

Purposeful or by accident, it is a big oops on top of the disaster.

See the site 1 second after load:

[Image: The Target website shows the theft message at page load]

And 2 seconds later:

[Image: Target homepage after 2 seconds; the warning is covered over]

Intentional or by accident?

Does the law require companies to disclose breaches?

As an aside, most states do not require companies to disclose successful network breaches to their customers. A law firm has published a useful chart to track state-by-state requirements.

http://www.perkinscoie.com/statebreachchart/

They write:

Perkins Coie's Privacy & Security practice maintains a comprehensive chart that summarizes state laws regarding security breach notification. The chart is for informational purposes only and is intended as an aid in understanding each state's sometimes unique security breach notification requirements. Lawyers, compliance professionals, and business owners have told us that the chart has been helpful when preparing for and responding to data breaches.

Maine has such a disclosure law on its books.

23 Nov 2013

Website hacks are like lawn dandelions

Posted by Paul Gurney

Google acknowledged (and fixed) a major vulnerability in its google.com and gmail.com domains.

Redirection, cross-site scripting, cross-site request forgery, and SQL-injection vulnerabilities are to websites what dandelions are to suburban lawns. Even sites maintained by experienced and highly vigilant Web developers are likely to suffer from these Web-application bugs.

From ArsTechnica. Read more here.

16 Oct 2013

Add a password to your Mac Zip File

Posted by Paul Gurney

Apple makes it easy to compress files using the right-click contextual compression command, but it provides no easy way to add a password to the resulting zip file. You can use the Terminal program to add a password, but that is error-prone and more time-consuming.


Instead, use this program called Keka.

http://www.kekaosx.com/en/

Keka is a free file archiver for Mac OS X. The main compression core is p7zip (7-zip port).

Compression formats supported: 7z, Zip, Tar, Gzip, Bzip2, DMG, ISO

Extraction formats supported: RAR, 7z, Lzma, Zip, Tar, Gzip, Bzip2, ISO, EXE, CAB, PAX, ACE (PPC)

14 Apr 2013

Surviving the Latest WordPress Brute Force Attack

Posted by Paul Gurney

If you have a blog, you need to install this plug-in immediately.

http://wordpress.org/extend/plugins/limit-login-attempts/

A major attack is currently being waged by botnets against web servers running WordPress. The bots brute-force their way past your password screen by making thousands of guesses until they gain entry. WordPress currently does not limit the number of incorrect password attempts. Until it does, you need a plug-in that provides the limiting.

There is currently a significant attack being launched at a large number of WordPress blogs across the Internet. The attacker is brute force attacking the WordPress administrative portals, using the username "admin" and trying thousands of passwords. It appears a botnet is being used to launch the attack and more than tens of thousands of unique IP addresses have been recorded attempting to hack WordPress installs.

One of the concerns of an attack like this is that the attacker is using a relatively weak botnet of home PCs in order to build a much larger botnet of beefy servers in preparation for a future attack. These larger machines can cause much more damage in DDoS attacks because the servers have large network connections and are capable of generating significant amounts of traffic. This is a similar tactic that was used to build the so-called itsoknoproblembro/Brobot botnet which, in the Fall of 2012, was behind the large attacks on US financial institutions.

Source: http://blog.cloudflare.com/patching-the-internet-fixing-the-wordpress-br
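The limiting that the post says WordPress itself lacks is simple to state: count failed logins per source address over a sliding window and lock the address out once it passes a threshold. The Python below is an added example (not code from the Limit Login Attempts plug-in, from CloudFlare, or from this blog) that applies that rule to a few constructed web-server access log lines. It assumes the combined log format and the usual WordPress behaviour that a failed POST to wp-login.php re-renders the form with HTTP 200 while a successful login redirects with 302; the IP addresses, timestamps and thresholds are all constructed for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined access-log line, e.g.
# 203.0.113.5 - - [14/Apr/2013:10:02:31 +0000] "POST /wp-login.php HTTP/1.1" 200 3914 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one botnet node hammering the login form, one legitimate
# user who mistypes once and then signs in.
LOG_LINES = """\
203.0.113.5 - - [14/Apr/2013:10:02:31 +0000] "POST /wp-login.php HTTP/1.1" 200 3914 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Apr/2013:10:02:33 +0000] "POST /wp-login.php HTTP/1.1" 200 3914 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Apr/2013:10:02:34 +0000] "GET /wp-login.php HTTP/1.1" 200 3520 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Apr/2013:10:02:35 +0000] "POST /wp-login.php HTTP/1.1" 200 3914 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Apr/2013:10:02:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3914 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Apr/2013:10:02:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3914 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Apr/2013:10:02:39 +0000] "POST /wp-login.php HTTP/1.1" 200 3914 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Apr/2013:10:02:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3914 "-" "Mozilla/5.0"
198.51.100.7 - - [14/Apr/2013:10:02:45 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
""".splitlines()


def parse_line(line):
    """Turn one combined-log line into a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "path": m["path"], "status": int(m["status"])}


def is_failed_login(ev):
    """Assumption: a failed login is a POST to wp-login.php answered with 200
    (form re-rendered); a successful one is answered with a 302 redirect."""
    return (ev["method"] == "POST"
            and ev["path"].startswith("/wp-login.php")
            and ev["status"] == 200)


class LoginLimiter:
    """Sliding-window lockout: `max_failures` failed logins from one IP within
    `window` seconds locks that IP out for `lockout` seconds."""

    def __init__(self, max_failures=4, window=600, lockout=1200):
        self.max_failures = max_failures
        self.window = timedelta(seconds=window)
        self.lockout = timedelta(seconds=lockout)
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocked_until = {}              # ip -> end of lockout

    def observe(self, ev):
        """Return True if the request should be rejected because its IP is
        currently locked out; otherwise record any failure and return False."""
        ip, ts = ev["ip"], ev["ts"]
        until = self.blocked_until.get(ip)
        if until is not None and ts < until:
            return True
        if is_failed_login(ev):
            recent = self.failures[ip]
            recent.append(ts)
            while recent and ts - recent[0] > self.window:
                recent.popleft()             # drop failures outside the window
            if len(recent) >= self.max_failures:
                self.blocked_until[ip] = ts + self.lockout
                recent.clear()
        return False


def replay(lines, limiter=None):
    """Run the limiter over log lines; report rejected requests per IP and the
    set of IPs that were locked out."""
    limiter = limiter or LoginLimiter()
    rejected = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev is not None and limiter.observe(ev):
            rejected[ev["ip"]] += 1
    return {"rejected": dict(rejected), "locked_out": sorted(limiter.blocked_until)}


if __name__ == "__main__":
    print(replay(LOG_LINES))
```

With the defaults, the botnet node is locked out after its fourth failure and its next two requests are rejected before they ever reach the password check, while the legitimate user's single mistake never trips the threshold. Note the limit is per IP: an attack spread across the tens of thousands of addresses the post mentions stays under any per-IP threshold, so the total rate of failed logins for the "admin" account is worth watching as well.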

30 Oct 2012

The problem with DomainKeys Identified Mail

Posted by Paul Gurney

Wired has been discussing an emerging email security vulnerability this month.

The problem lies with DKIM keys (DomainKeys Identified Mail). DKIM involves a cryptographic key that domains use to sign e-mail originating from them — or passing through them — to validate to a recipient that the domain in the header information on an e-mail is correct and that the correspondence indeed came from the stated domain. When e-mail arrives at its destination, the receiving server can look up the public key through the sender’s DNS records and verify the validity of the signature.

Learn more from the article, and ask your hosting company if they use strong — 1024-bit — DKIM. Why?

A hacker who cracks a DKIM key can use it to send out phishing attacks to victims to trick them into believing that a fake e-mail is actually a legitimate e-mail from their bank or another trusted party. Such phishing attacks can be used to trick users into handing over the login credentials to their bank or e-mail account.

21 Aug 2012

Never Search For Free WordPress Themes

Posted by Paul Gurney

A great article about the risks of free WordPress themes found in the wild...

http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/

A few months ago I wrote about WordPress Security. Now, armed with ... builtBackwards' Theme Authenticity Checker plugin and Donncha O Caoimh's Exploit Scanner, I'm going to take a look through the first page of Google to see just how safe pages ranking for "Free WordPress Themes" are.

21 Aug 2012

Why you should use Google Public DNS

Posted by Paul Gurney

Why should you try Google Public DNS?

By using Google Public DNS you can:

https://developers.google.com/speed/public-dns/docs/using

Google Public DNS telephone support

  • 877-590-4367 in the U.S.
  • 770-200-1201 outside the U.S.


The Google Public DNS IP addresses (IPv4) are as follows:

  • 8.8.8.8
  • 8.8.4.4

The Google Public DNS IPv6 addresses are as follows:

  • 2001:4860:4860::8888
  • 2001:4860:4860::8844

You can use either number as your primary or secondary DNS server. You can specify both numbers, but do not specify one number as both primary and secondary.

You can configure Google Public DNS addresses for either IPv4 or IPv6 connections, or both.

27 Apr 2012

SSL vulnerability called BEAST

Posted by Paul Gurney

Does it affect your secure webserver?

You should know, if you accept credit cards or handle social security numbers on your website.

See these two articles for more expert information:

http://arstechnica.com/business/news/2012/04/90-of-popular-ssl-sites-vulnerable-to-exploits-researchers-find.ars

http://luxsci.com/blog/is-ssltls-really-broken-by-the-beast-attack-what-is-the-real-story-what-should-i-do.html


Testing:

This company will test your https connection. Here is an example report.

https://www.ssllabs.com/ssltest/analyze.html?d=https%3A%2F%2Fmillfalls.com&hideResults=on


From LuxSci: Real-world vulnerability? What is affected by BEAST?

This problem can affect people browsing secure web sites, allowing eavesdroppers to gain full access to your accounts on those web sites under certain conditions. It does not affect

It does affect:

  • Accounts you may have with secure web sites that you login to, like PayPal, LuxSci, Gmail, Bank of America, Facebook, etc.


Solution:

It is not yet feasible to use a browser or webhost that supports TLS 1.2. For now, here is LuxSci's advice:

The Take Away Message

People should always be concerned and aware of security as the landscape changes constantly. We think that beyond the need to upgrade and to implement software fixes, consider the following:

  • We should actually use SSL and TLS whenever possible. Insecure sites put our browser and computer at risk, as we have no control over what a malicious third party may inject into our browsing session. SSL and TLS actually protect us from that threat.
  • When going to secured web sites, it is best to start in a new browsing session or one that has only visited other secure (https://) sites.
  • Make your home page a secure site and your other secure sites easily accessed via bookmarks.
  • Use separate web browsers for normal insecure browsing and for access to your secure sites.
  • Keep your software, web browsers, operating system, anti-virus, and other components up to date.