According to this nakedsecurity blog post, “A recent investigation has concluded that 73% of the 40,000 most popular websites that use WordPress software are vulnerable to attack.” Vulnerability researchers EnableSecurity carried out the study, and the results were reported by WordPress security firm WP WhiteSecurity. The investigators qualified their statistics a bit with this statement: “The tools used for this research are still being developed therefore some statistics might not be accurate.” Nevertheless, it warrants your attention if you are running WordPress.
Here are ten steps that Sophos recommends to bolster your WordPress security:
- Always run the very latest version of WordPress
- Always run the very latest versions of your plugins and themes
- Be conservative in your selection of plugins and themes
- Delete the admin user and remove unused plugins, themes and users
- Make sure every user has their own strong password
- Enable two factor authentication for all your users
- Force both logins and admin access to use HTTPS
- Generate complex secret keys for your wp-config.php file
- Consider hosting with a dedicated WordPress hosting company
- Put a Web Application Firewall in front of your website
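Two of those steps (forcing HTTPS for logins and admin, and generating complex secret keys) come down to a handful of lines in wp-config.php, and the same lines are where a quick audit pays off. The script below is an added example written for this post, not Sophos's or WordPress's own code. The eight constant names, the “put your unique phrase here” placeholder and the “stop editing” comment are what WordPress ships in wp-config-sample.php; the sample config it operates on is constructed, and the helper names are mine. It audits a config for placeholder or short keys and for a missing FORCE_SSL_ADMIN, then writes fresh keys from the OS CSPRNG and forces SSL for admin, placing the defines before the point where wp-settings.php is loaded (a define after that line is silently ignored).

```python
import re
import secrets

# The eight secret-key constants WordPress reads from wp-config.php.
WP_KEY_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
KEY_LENGTH = 64
# Any string works as a key; quote and backslash are excluded only so the value
# cannot break the single-quoted PHP literal it is written into.
KEY_ALPHABET = "".join(chr(c) for c in range(33, 127) if chr(c) not in "'\"\\")
# Placeholder value shipped in wp-config-sample.php.
DEFAULT_PLACEHOLDER = "put your unique phrase here"
# In a stock wp-config.php, ABSPATH and the require of wp-settings.php follow
# this comment; defines must sit above it to take effect.
STOP_MARKER = "/* That's all, stop editing!"

# Constructed sample of a never-hardened wp-config.php (not from any real site).
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
/* That's all, stop editing! Happy blogging. */
if ( !defined('ABSPATH') )
    define('ABSPATH', dirname(__FILE__) . '/');
require_once(ABSPATH . 'wp-settings.php');
"""


def generate_key(length: int = KEY_LENGTH) -> str:
    """One secret key drawn from the OS CSPRNG via secrets (never random.random)."""
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))


def _key_pattern(name: str) -> str:
    """Regex for define('NAME', '...'); capturing the current value."""
    return rf"define\(\s*'{name}'\s*,\s*'([^']*)'\s*\);"


def audit_wp_config(text: str) -> list:
    """Return findings; an empty list means keys look fresh and admin HTTPS is forced."""
    findings = []
    for name in WP_KEY_NAMES:
        m = re.search(_key_pattern(name), text)
        if m is None:
            findings.append(f"{name}: not defined")
        elif m.group(1) == DEFAULT_PLACEHOLDER or len(m.group(1)) < 32:
            findings.append(f"{name}: placeholder or too short")
    if re.search(r"define\(\s*'FORCE_SSL_ADMIN'\s*,\s*true\s*\);", text) is None:
        findings.append("FORCE_SSL_ADMIN: not set to true")
    return findings


def _insert_define(text: str, line: str) -> str:
    """Insert a define() above the stop-editing marker, or append if it is absent."""
    idx = text.find(STOP_MARKER)
    if idx == -1:
        return text.rstrip("\n") + "\n" + line + "\n"
    return text[:idx] + line + "\n" + text[idx:]


def harden_wp_config(text: str) -> str:
    """Return wp-config.php text with all eight keys regenerated and admin HTTPS forced."""
    for name in WP_KEY_NAMES:
        new_line = f"define('{name}', '{generate_key()}');"
        # A callable replacement avoids re's backslash-escape handling of the key text.
        text, count = re.subn(_key_pattern(name), lambda _m, s=new_line: s, text)
        if count == 0:
            text = _insert_define(text, new_line)
    ssl_line = "define('FORCE_SSL_ADMIN', true);"
    text, count = re.subn(r"define\(\s*'FORCE_SSL_ADMIN'\s*,\s*\w+\s*\);", ssl_line, text)
    if count == 0:
        text = _insert_define(text, ssl_line)
    return text


if __name__ == "__main__":
    print("Before:", audit_wp_config(SAMPLE_WP_CONFIG))
    hardened = harden_wp_config(SAMPLE_WP_CONFIG)
    print("After:", audit_wp_config(hardened))
    print(hardened)
```

Two caveats before running this against a live site: regenerating the keys invalidates every existing login cookie, so all users are logged out (which is also why rotating them is the right response after a suspected compromise), and FORCE_SSL_ADMIN only covers wp-login.php and wp-admin, so the site still needs a valid certificate and ideally HTTPS everywhere. If you already use WP-CLI, `wp config shuffle-salts` performs the key rotation part.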
No matter how much we would like to think it’s possible, perfect security is unattainable. Install a moat and 40-foot high walls around your village and the enemy will use trebuchets to throw fireballs at you. Build a stronger lock and someone will come along with stronger bolt cutters. Install the latest firewall and IDS and hackers will use social engineering to attack you from inside the perimeter. No matter what security measures you employ, someone will come up with a way to defeat them. There is no such thing as perfect security.
There is, however, such a thing as effective security for a given situation, what I call Minimum Effective Security (MES). I define MES as follows:
Minimum Effective Security is that set of surveillance, barriers and countermeasures adequate to protect against known threats that could reasonably be expected to be leveled against the protected assets.
If you think about it, the key word here is “adequate.” But adequate against what? You have to identify the threats you could reasonably expect given the value of the assets. So you first have to establish the impact a successful attack would have: minor inconvenience, or major loss?
You probably wouldn’t be too concerned about putting up video surveillance cameras to monitor your backyard tool shed, nor would a perimeter wall be necessary. Depending on the value of the contents, you might want to install an inexpensive audible alarm and/or motion sensor lights. More than likely, however, you’ll simply have good hinges and a strong hasp with a sturdy lock. Adequate.
On the other hand, you would equip your home with a robust, monitored security and fire detection system and you would probably have at least a camera at the main entrance.
How about your home network? You certainly don’t need an expensive commercial grade firewall and IDS; a good consumer grade NAT router with built-in firewall features would probably be adequate. Of course, keeping your system and applications up to date with security patches would have to be part of that mix to qualify as adequate security, and you’ll also want a good backup strategy.
If your home network is also part of your business, you’ll need a bit more than the above to qualify as adequate security. You would probably want to encrypt critical data and you’ll certainly want multiple backups with at least one stored offsite.
You get the idea. You have to take a good look at the types of threats you can reasonably expect given your circumstances and then work out what would be adequate. Naturally, there is nothing wrong with going beyond adequate; it won’t hurt a bit to put stronger measures in place if that makes you feel more comfortable.
Just make sure you always achieve and maintain Minimum Effective Security.
According to USA Today, The NSA and its British counterpart, the Government Communications Headquarters (GCHQ) have cracked encryption codes and have inserted secret “back doors” into security software through covert partnerships with technology companies and ISPs.
Perhaps I’ve gotten numb over all of this because I am not surprised.
Our friends at LastPass, however, want to make it very clear that they will have nothing to do with these shenanigans. In fact, they will shut down their service before cooperating with the government goons. Here’s an excerpt from a September 10 blog post:
With news that the United States National Security Agency has deliberately inserted weaknesses into security products and attempted to modify NIST standards, questions have been raised about how these actions affect LastPass and our customers. We want to directly address whether LastPass has been or could be weakened, and whether our users’ data remains secure.
In short, we have not weakened our product or introduced a backdoor, and haven’t been asked to do so. If we were forced by law to take these actions, we’d fight it. If we were unable to successfully fight it, we would consider shutting down the service. We will not break our commitment to our customers.
This is right in line with the way I feel about covert government operations and is one of the big reasons I will continue to stick with LastPass. They conclude with this:
We have built a tradition of being open and honest with our community, and continue to put the security and privacy of our customers first. We will continue to monitor the situation and change course as needed, with updates to our community when necessary.
Microsoft’s Patch Tuesday will be a big one, with 14 patches, eight of which address remote code execution holes.
The biggest patch is Bulletin 3, rated critical, addressing remote code execution vulnerabilities in all versions of Internet Explorer from IE 6 on Windows XP to IE 10 on Windows 8, including Windows RT. This patch requires a reboot.
In addition to remote code execution (RCE) vulnerabilities, the patches also address privilege elevation and denial of service flaws.
I’ve written a lot about passwords in this blog and, for many security and tech bloggers, it remains an evergreen topic. For all its problems, the password still holds sway as the primary authentication method. But with attacks becoming ever more sophisticated and users predictably choosing weak, guessable passwords, one has to wonder how long we can really keep on using them.
In theory, a password is an ideal authentication token, assuming knowledge of it resides only in the mind of the owner and it is stored on any other system only as a salted hash, never in a form from which the password itself can be recovered. Practically, however, we know that this is rarely the case.
So what does the future hold? How can we replace the ubiquitous password with something more secure and less vulnerable to attack?
In life, we authenticate each other mainly by facial recognition, sometimes by voice (as in over the phone). Faces and voices are effectively unique, though neither is impossible to duplicate: a photo or video can stand in for a face and a recording for a voice, and a voiceprint could probably be altered by physical surgery. How about some combination of facial recognition combined with a spoken passphrase? That would give you three signals: face, voiceprint, passphrase. Strictly speaking, face and voice are both “something you are,” so this is two factors (inherence plus knowledge), but combining several signals still raises the bar for an attacker.
Palmprints, fingerprints and iris scans could all be used to capitalize on the uniqueness of these things to authenticate you, and various combinations could be devised.
The problem with these things, however, is that the hardware and software necessary to implement them effectively presents costs in terms of both money and system overhead. Facial recognition and voiceprint could be implemented cheaply using the web cam and built-in microphone on laptops and other smart devices, but without some form of liveness detection such an implementation is easily fooled by a photo or a recording.
Without a doubt, we eventually will see the password replaced by better methods. What do you think those methods will be?
Time to lighten up a bit. This hokey “PSA” about phishing is really true, but the payoff in hilarity comes at the end. Pay careful attention to the “date” that Bob managed to finally get from that online dating site.
Hope your July was great and here’s to a fantastic month of August!
One more on the dangers of the internet and this one is the best yet. Good tips wrapped up in a credible story.
- Confront it. Be proactive. Go after the attackers and fight back. Bullies and cowards, who make up most of the script kiddie population, will turn tail and run if you let them know you’re going to fight back. Even the few organized criminal elements, unless they have some political agenda and can use you to forward it, will give up easily in the face of a determined counter attack.
- Neglect it. Let them play around and waste their time as long as they aren’t doing any real damage. Just make sure that they can’t get beyond your sandbox or firewall. Sooner or later, having not obtained anything of value, they’ll give up.
- Turn in your resignation and run screaming out the door because you failed to put adequate security measures in place. Don’t laugh: It has happened.
By far, the best approach is to confront the threat and engage in an active counter strike. This can be done by immediately implementing logging of all attack traffic and engaging law enforcement to help trace the attack back to its source. Note that the counter strike here is evidence gathering and attribution, not “hacking back,” which is illegal in most jurisdictions and destroys the very evidence you need. The bad guys want to remain anonymous: do everything you can to make them visible.
Do you agree, or disagree? Comments, please.
Every day, I see student computers and laptops infected with malware. Every day, I see questionable posts made by people who think only their friends can see what they write. That’s what “Sarah” thought and this video is a reminder that the internet is a very dangerous–and public–place. Please impress upon family, friends and co-workers that prudence is the best approach.
Call it poetic justice. Call it criminal stupidity. Call it what you want. I call it hilarious. I got a good laugh out of this at a time when I certainly need some laughs. From Sophos’ Naked Security blog:
A US child abuse image collector turned himself in to local police earlier this month, after ransomware hit his PC and showed messages warning him that the FBI were on to his nasty activities.
Jay Matthew Riley, 21, of Woodbridge, Virginia, was apparently hit by the ransomware attack while surfing the web to add to his collection of unsavoury images.
As is usual with such malware, he was shown a warning demanding cash in return for keeping quiet about his suspicious activities.
He fell for the scam. Good for him. Maybe he’ll turn his life around.
The problem is that regular, law-abiding netizens get this ransomware, too, and those that fall for it and pay the bogus “fine” end up a few hundred dollars lighter in the wallet. Oh, and their banking information is probably compromised, too, so the losses can end up being much greater.
Law enforcement, especially the FBI and other three-letter agencies, do not enforce the law by such means, so NEVER comply with any directive to pay “fines” or “penalties” when such things pop up on your screen. Best to call your favorite Geek and have him/her clean the malware off your machine.
On the other hand, if you are a pedophile or sexual predator, feel free to head down to the local police station, where they should be able to help you out with three hots and a cot for a long time.