Tag: hackers

Drastically reduce the chance of a successful brute force attack on your WordPress installation’s “admin” account

Not too long ago there was a WordPress exploit running around – the gist was someone was doing brute force attacks on login pages using the default administrator account. The problem, generalized, is that the default administrator account within WordPress is set to “admin” and cannot be changed – all a hacker has to do is use that known username, and then fire password combinations in until one hits the mark.

This is a very easy problem to solve.

Access your WordPress installation’s database – you can do this with phpMyAdmin (which most hosting environments have nowadays), or any other MySQL administration tool that suits you. In the wp_users table you should see the “admin” account – it should be the first record in that table. The user_login and user_nicename fields in that record should contain the word “admin” – change them to something different (using the same value for both fields), and save those changes. And…don’t touch the password field – it’s stored as a hash, and any change you make to it will screw the pooch forever.
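The same rename as a SQL script you could paste into phpMyAdmin’s SQL tab (an added example, not code from the post); it assumes the default wp_ table prefix and uses the hypothetical replacement name 'newadmin', which you should swap for your own:

```sql
-- Added example: rename the default "admin" account in the WordPress database.
-- Assumes the default wp_ table prefix; 'newadmin' is a placeholder name.
START TRANSACTION;

-- Look at the target row first. Match on the login name rather than on ID = 1,
-- since "admin" is not guaranteed to be the first record on every install.
SELECT ID, user_login, user_nicename, display_name
  FROM wp_users
 WHERE user_login = 'admin';

-- Change login and nicename together and leave user_pass alone:
-- it holds a password hash, and overwriting it locks the account out.
UPDATE wp_users
   SET user_login    = 'newadmin',
       user_nicename = 'newadmin'
 WHERE user_login = 'admin'
 LIMIT 1;

-- Exactly one row should have changed; if this reports 0, ROLLBACK instead of COMMIT.
SELECT ROW_COUNT() AS rows_changed;

-- Confirm the renamed row before committing.
SELECT ID, user_login, user_nicename
  FROM wp_users
 WHERE user_login = 'newadmin';

COMMIT;
```

ROLLBACK only undoes the change on InnoDB tables; on MyISAM tables (the default for older WordPress installs) the UPDATE is applied immediately, so check the first SELECT carefully before running the rest. Note also that user_nicename doubles as the author archive slug (/author/newadmin/), so it is visible on the public site.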

You can now log into your WordPress installation using that new username, which will still maintain all administrator access rights. Hackers don’t know what it is, but they’ll still think it’s “admin”, making brute force password attempts relatively futile.

MG signing off (to change my default administrator username, since “loudmouthdouchebag” doesn’t work for me anymore)

No steadfast rules for storing/sharing financial data and its offspring online

Living in a user-generated online society, who owns the data and how can it be used have been persistent questions. The debate continues, particularly as data stores grow with more complex (and more personal) information.

Fred Wilson’s Union Square Ventures has invested in a company called Wesabe, which like several others aims to sort through and make sense of your personal financial information. Financial data is probably the most sensitive of all with regard to online conveyance, and individual concern as to how that data is handled is an obvious barrier to acceptance of services like Wesabe. The company has answered the call in part by publishing a “Data Bill of Rights,” the purpose of which is to alleviate anxieties regarding housing personal financial information with them. Mr. Wilson caveats the “press” by stating it’s a good start, and calls out for additional opinion. Mine are as follows (with the disclaimer that said opinions are by no means steadfast rules, nor are they necessarily cost-effective or operationally feasible)…

The Q&A

Who owns the metadata you and others create about the transactions that come into the system?

In the world according to credit card processors and credit reporting agencies, they do, and despite your requests to block its use there is probably a lot of metadata being gathered that doesn’t fall within the two-point type guidelines your creditors periodically send you. They’re likely using it – and you should get used to it. But with regard to opt-in services such as Wesabe, I think there’s a happy medium to be had. Clearly, these types of online services see value in said metadata, and allowing you to remove your viewable information shouldn’t necessarily be accompanied by complete removal of the offspring (particularly if the service was offered for free). I believe if personally identifiable and proprietary data elements (meaning data uploaded, imported, or otherwise entered by the user) are stripped away from the metadata, then the result (or what’s left, if anything) should be available to the service provider.

Is it better to let the service do the tagging or is it better to let the community do the tagging of the transactions?

Both. The services themselves are the machine, and the community is the blood and guts. Algorithms versus psyche, or the two working in harmony and learning from each other. I believe there is a lot of value to be gained from allowing the machine to suggest helpful tag elements to the users, and I believe the users should be ready, willing and able to reciprocate.

Should the tags be shared and if so, when and with whom?

This should depend on the data elements or transactions being tagged and who is doing the tagging. If the machine “suggests” a tag for a personally identifiable element, then the end user should have the option to reject that metadata. But that doesn’t mean the service shouldn’t be allowed to use that metadata in conjunction with non-personally identifiable information to improve itself for the benefit of others in the community. By the same token, user-generated tags should be shareable within the community, but tied directly to said user (or their data) only with their permission; the “transaction” which resulted in that choice should still be something the machine is allowed to learn from.

Where should your login and passwords be stored?

Probably a personal choice issue – there are a lot of folks working on various solutions which include third-party authentication, token exchange, etc., and there is not enough information to make a blanket judgment call on the matter either. I will likely never input my bank, securities, or credit related login information into a third party service, regardless of the level of security assurance the service provides. That is my choice, and the logic is this: a centralized repository of such data will attract threats in direct proportion to the service’s popularity, particularly given the potentially profitable nature of that data. My accounts are spread across numerous vendors, and while the possibility of having my data stolen through phishing attempts and the like increases with each transaction, I personally don’t engage in large numbers of them. I assume the risk is lesser than that presumed in a “large target” stored environment.

The bottom line is that the storage of login identifiers and passwords should be a choice based on convenience versus comfort. If the user wants to store their various account login information in a system for quick and easy retrieval, let them, but the service provider should be prepared to accept the burden of responsibility. If the user values the comfort more than the convenience, give them that option. Unfortunately, we live in a world where the easy out is to blame the other guy, and proceed to court. There is simply no easy answer here (yet).

Can these services be hacked?

Of course! The moment someone says something is unhackable is most often immediately followed by a moment of apology over a breach. It is the value of the information housed within that service provider that they and their users need to be cognizant of, as the effort hackers are willing to put into breaking in is directly proportional to the profit they can garner from the data within the store. If the data is segmented by account type, unbranded, and non-personally identifiable, its usefulness goes down tremendously.

Is personally identifiable information (PII) being stored with the data?

This is a tough issue to explain to the end user, particularly if said end user didn’t complete their “Introduction to Relational Databases” and “Networks and Information Systems Management” courses. Consumer end-users assume that if they can see their financial data, that the data must somehow be tied to them. To the layman, that IS personally identifiable information – the numbers are money. But “PII” really means data elements such as name, address, phone number, and most importantly social security or tax identification number – elements that tie the numbers (the money) to the person itself. If a system asks me for such information, I generally stop what I am doing and read their privacy policy carefully before I continue. If that information is being stored for later use, I am somewhere between 99% and 100% likely to put the service in the “potentially more trouble than it’s worth” file. If it’s not, I see the risks as no greater than disclosing the same information to a customer service representative over the phone.

The End Note

Again, these are just my opinions, and offering every nuance of this self-prescribed “perfect world” is impossible and likely unprofitable (or at the minimum, a major pain in the ass for some engineers). There is no way to please every user, and there probably never will be. Nonetheless, we’re talking user inputs, service outputs, and wants and needs which are either presently being breached or are yet unfulfilled. And there are a growing number of solution providers jockeying for position, hoping to provide enough answers to get up front.

A Side Note

I’m presently working on some research related to the login/password storage issue, and am looking for some data. In particular, I’m trying to find statistics on internet usage stratified by user type (i.e. core, casual, convenience only, what-have-you), including the number of sites visited daily, login counts, and time spent on sites thereafter. Site types (including blogs, bookmarking, social networking, and financial) would also be helpful. If anyone can point me to something useful in this regard, I’d greatly appreciate it.

Monday Ugly in tech security

Like “Coyote Ugly,” but actually ugly:

First…hackers busted into the website of the US Consulate General in Russia. As if the US didn’t have enough problems offshore…

“This latest attack highlights the fact that no organization is immune from infection, and that no matter what the size of the company, it must defend its webpages fully to avoid being stung.”

No doubt there – attacks on institutions are commonplace – it’s just that they have good PR teams to keep it hush hush.

Next…a German onion router administrator gets arrested. Clearly not the guy’s problem, but getting arrested highlights the risks of running a Tor server in this day and age (as well as the cluelessness of some politicians regarding technology). What’s Tor? Inquiring minds check here first.

Last but not least… a bunch of laptops were pre-loaded with Vista, as well as a 13-year-old boot sector virus. Plenty has already been said on Vista and its security. But I can’t help but chuckle.

On Tuesdays, hackers read newspapers and eat Ramen noodles

Not a regular day, and not expected to be a regular post either…

  • It looks like Rupert Murdoch may get the Wall Street Journal, despite the fear that he’ll turn it into Fox News on paper. I don’t know what everyone is scared about – the WSJ already seems to have pretty strong opinions – the fact that they don’t mind expressing them with the latest technology makes me curious as to what News Corp could possibly do to enhance it in the face of such dismal overall newspaper performance. Keep your eyes and ears open on this one.
  • There are at least 20 ways to aggregate all your social networking profiles. That means there are way too many social networking services out there that don’t differentiate themselves enough, and that hackers/identity thieves don’t have to attack nearly as many places as they did before.
  • And vosnap, the startup company in the freeze-dried, shrink-wrapped package that 70 people took camping for the weekend, is making progress. They’ve changed their homepage, added a blog of their own, and are splattering the content with a combination of wit and humbleness in preparation for live time. In my eyes, the latter means a lot – I’d say this one is going places.
  • UPDATE: On a side note, AskTheVC, the online Q&A sessions with Boulder-based Foundry Group’s gang, has some additional competition. It’s Marc Andreessen, who exploded onto the tech blogging scene just a few months ago. As more VCs open up, it is going to be interesting to see what disagreements arise (as well as whether some decide to “opinionate” in lockstep just before they do deals together).

UPDATE 2: I’ll repeat: the Wall Street Journal already has pretty strong opinions. But I guess it’s gospel now that Bill Clinton said it.

Options for iPhone envy

You don’t have an iPhone. Maybe you are happy with your existing phone. You may have just signed a new contract with another carrier. You can’t afford one?

Any way you cut it, society is now labeling you LAME! But never fear – you do have options:

– You can wait for hackers to unlock it (and then pay a $1,500 premium for it)
– You can adopt one (even though it isn’t real)
– There will soon be tons of parts floating around for you to buy (saving yourself assembly labor costs)
– You can buy a knockoff (that isn’t a knockoff)
– Then there’s just faking it

Or, you can just read the money quote of the day:

“This has prompted concerns that the higher than expected demand could lead to iPhone shortages.”

And wonder who the hell is “concerned” that there may be shortages of a $600 cell phone besides John Dvorak.

UPDATE: You can also…win one (not)

Russians and Mobsters are kissing hacker behind

Someone once said “keep your friends close and your enemies closer.” But how do you determine which is which? I usually separate the two based on the capability to do me mortal harm. If you’re a hacker, it’s a little more complicated than that. Case in point:

Experts are warning that Russian terrorists are planning a massive “cyber-attack”. Cyber-attacks usually require the assistance of hackers.

On a lighter note, hackers are thinking about joining the mob. Interesting career choice of the outsourced, eh?

I can’t tell by the timing of these warnings whether we should be worried about the Russians or the Mob, but it certainly seems we should stay worried about the hackers.

They’ve got all the best friends – or is that enemies?

Google Code Search – a hacker friend?

According to Network World, Google Code Search is ripe for misuse by hackers looking for code vulnerabilities.

I find this interesting. I’d love to say more at this point, but last time I did a little Google chuckling, Spamroll’s pagerank mysteriously went from 6 to 0, and I am still trying to figure that one out.

Do home computers need Ambien?

There is all this chatter going on about home computers under attack. In 1999 I got a cable connection in the house, and it took about a week to figure out I was getting pinged like crazy – ZoneAlarm to the rescue. This is nothing new, but the scare mongers prevail.

Now we hear numbers on how much your computer gets attacked at night.

I am sure we will soon hear anti-virus software companies spewing the pitch – “We protect your computer while you sleep.” It will come from some ad or PR firm, who think they are really cute – you know, the same ones that are pitching the latest drug for your sore pinky.

I just want to know – has anyone heard of the “sleep” function? Or better yet, the power button? I think those come with computers nowadays.

The hack won’t always be that easy

I agree, to an extent, with the commentary over at the Register that paints hackers as casual thugs. It is awfully easy to connect to a free wi-fi hotspot, phish away for a few hours, then disappear into the dark. However, I have a sneaking suspicion it won’t be that easy for that long. Exploits may take strange shapes, but if a guy like Kevin Mitnick (a smart cookie) can get tracked around by cell phone signal (and many years ago to boot) and eventually busted, then I doubt the weekend warrior thief is going to dodge the bullet of the law for too long.

Of course, with data thieves getting mere slaps on the wrist for stealing from internet users, it is no wonder the crime is viewed so casually.

Bringing new meaning to Infrastructure In-Fighting

I originally created the “Infrastructure In-Fighting” category at Spamroll as a topic center for the fight between various anti-spam technologies jockeying for position. It soon became a nice spot for all the new products and technologies fighting spam.

But now that spammers, hackers (whathaveyou) are fighting amongst themselves, I see new meaning in the term.