
Archive for the 'Security' Category

Hacked Wordpress Recovery

Interesting to see this post from WP developer Donnacha on removing various popular nasties from a WordPress install after it has been hacked or compromised.

At work we often see instances where it is not possible to simply return a user’s CMS install to a pre-hack backup and then upgrade (the safest course of action) because of

  1. Confusion over when the hack(s) / compromises first occurred.
  2. Confusion over what legitimate content / changes have been made since.
  3. No obviously clean recent backup exists.

So we’re often left with a script / CMS install that needs to be cleaned up and upgraded. Where suspicious files have been uploaded, these are often easy to locate because of the sheer number of requests to them, for example from vulnerable PCs that have been tricked into trying to download a virus or trojan loader. Malicious JavaScript added to core or template files is more difficult to spot in this manner, as are disguised files referenced from the CMS’s database.
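As an added example (not part of Donnacha’s guide or the original post), here is a small Python script that applies the signal described above: it ranks paths in an Apache combined-format access log by hit count and distinct client IPs, flagging executables anywhere and server-side scripts under the uploads directory. The log lines, the `/wp-content/uploads/` prefix and the extension lists are constructed for the demo.

```python
import re
from collections import defaultdict

# Constructed Apache "combined" access-log lines for the demo; not real traffic.
SAMPLE_LOG = """\
10.0.0.1 - - [10/Mar/2007:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.2 - - [10/Mar/2007:10:00:03 +0000] "GET /wp-content/uploads/2007/03/photo.jpg HTTP/1.1" 200 30211 "-" "Mozilla/5.0"
10.0.0.3 - - [10/Mar/2007:10:00:05 +0000] "GET /wp-content/uploads/2007/03/update.exe HTTP/1.1" 200 90112 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
10.0.0.4 - - [10/Mar/2007:10:00:06 +0000] "GET /wp-content/uploads/2007/03/update.exe HTTP/1.1" 200 90112 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
10.0.0.5 - - [10/Mar/2007:10:00:09 +0000] "GET /wp-content/uploads/2007/03/update.exe HTTP/1.1" 200 90112 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
10.0.0.6 - - [10/Mar/2007:10:00:11 +0000] "GET /wp-content/uploads/2007/03/img.php?c=id HTTP/1.1" 200 512 "-" "curl/7.16"
10.0.0.6 - - [10/Mar/2007:10:00:12 +0000] "POST /wp-content/uploads/2007/03/img.php HTTP/1.1" 200 512 "-" "curl/7.16"
10.0.0.1 - - [10/Mar/2007:10:00:14 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Assumed policy: executables should never be served by a CMS at all, and
# server-side scripts should never live under the upload directory.
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat")
SCRIPT_EXT = (".php", ".php3", ".phtml", ".cgi", ".pl")
UPLOAD_PREFIX = "/wp-content/uploads/"

def path_stats(log_text):
    """Map each requested path (query string stripped) to (hit count, distinct client IPs)."""
    hits = defaultdict(int)
    clients = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m.group("path").split("?", 1)[0]
        hits[path] += 1
        clients[path].add(m.group("ip"))
    return {p: (hits[p], len(clients[p])) for p in hits}

def is_suspicious(path):
    """True for executables anywhere, or server-side scripts under the upload directory."""
    lower = path.lower()
    if lower.endswith(EXEC_EXT):
        return True
    return lower.startswith(UPLOAD_PREFIX) and lower.endswith(SCRIPT_EXT)

def flag_suspicious(log_text):
    """Return [(path, hits, distinct_ips)] for suspicious paths, busiest first."""
    stats = path_stats(log_text)
    rows = [(p, n, ips) for p, (n, ips) in stats.items() if is_suspicious(p)]
    return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))

if __name__ == "__main__":
    for path, n, ips in flag_suspicious(SAMPLE_LOG):
        print(f"{n:5d} hits from {ips:3d} IPs  {path}")
```

Feed it a real log with `flag_suspicious(open("access.log").read())`; a single path drawing many hits from many distinct IPs is the pattern the post describes, while the script-under-uploads check catches dropped shells that receive few requests.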

It would be helpful if the development / security investigation teams of most major CMSs published these sorts of guides. Thanks Donnacha!

Anonym.OS alternatives? - xB Machine

A couple of weeks ago I was wondering what happened to Anonym.OS. After a little searching around I came across xB Machine.

Xerobank appear to be one of those “secure browsing for a fee” organisations, offering browser plugins and networks in order to protect your privacy while on the web in exchange for a fee. xB Machine can operate over this commercial network or over the free-to-connect Tor network.

There is, however, one very important difference: whilst Anonym.OS ran as a live CD, xB Machine is currently only available as a set of images that reside on your hard disk and must be run through VMWare or Qemu (I didn’t have the familiarity to get it going in the latter, and precise instructions aren’t currently available on the site). In order to alleviate concerns about this, the user session takes place within an encrypted container and there is a “self destruct” routine which can supposedly wipe it. Full details on how these two aspects operate do not, however, currently appear to be available on the download page or support wiki entry.

Those wishing to try the software should beware of the fact that it is a development pre-release, and does not appear to be open-sourced or to have undergone peer review. That said, it is good to see a tool like this released freely, even if it is ultimately supported by the option to use commercial networks.

Read Crypto-gram and feel better?

I’ve been a reader of Bruce Schneier’s CRYPTO-GRAM newsletter for some years now and it always inspires mixed feelings. Schneier writes with authority on security, terrorism and the psychology of both. At the risk of being unrepresentative, here’s a quote:

“We worry about airplane crashes and rampaging shooters instead of automobile crashes and domestic violence — both far more common”

Depending on the issue, you might feel safer after reading, but generally you come away worrying about people’s ability to be duped over what is and isn’t an actual probable risk to them. You’ll worry about politicians taking advantage of these as easy emotive issues rather than focusing on more likely ones that are harder to “sell”, and you’ll worry about the media herding people in the direction of their statistically improbable fears rather than acting as a responsible platform.

“I tell people that if it’s in the news, don’t worry about it. The very definition of “news” is “something that hardly ever happens.” It’s when something isn’t in the news, when it’s so common that it’s no longer news — car crashes, domestic violence — that you should start worrying”

On the good side, it’ll help you be more rational about the security threats that are actually likely to affect you. I’ve scared the crap out of my partner on more than one occasion by arguing that if someone really wants to get to you or the contents of your house, the lock on the door and the burglar alarm are really only a formality. They stop people wandering in, but they won’t stop someone breaking in (unless they’re inept… which is another story). So what really determines whether you should be scared of burglary is the amount of attractive swag you have in your home and how many people know you’ve got it.

It’ll also remind you that security theatre like a burglar alarm is still worth it, so you don’t have to get up every time the freezer clunks in the hall. One thing I really like about Schneier’s writing is that he doesn’t belittle people for being people (and that must be oh so tempting when you’ve been working in the field as long as he has).

The newsletter is perhaps overlong for the “average” reader, but I’d advise every intelligent person to have a read. It just might help you feel more rational and clear-headed about what you ought to be spending your valuable time worrying about ;)

Tracking down vulnerable web apps on a hosting service

Looks like one of the worst things that can happen to a web app project has happened to WordPress: one of their releases was compromised by a “cracker”.

http://wordpress.org/development/2007/03/upgrade-212/

I was in the “at risk” group of recent installs, so I upgraded as soon as I saw the news post. The difficulty server admins face in tracking down vulnerable web apps installed on their service is worth a bit of further examination.
