Thursday, June 25, 2015

BlueHost promotes SiteLock, encourages customers to protect (WordPress) sites from hacks

Bluehost has offered its WordPress customers an automated “SiteLock” product, which offers various plans to scan and fix security problems on customers’ sites. There are “Find”, “Fix” and “Prevent” products under “Basic” and “Premium” plans. The “Fix” product under “Basic” is quite reasonably priced, but “Prevent” is much more expensive (because it would require more continuous monitoring).

It was not completely clear (to me, at least) whether the product has to be purchased separately for each domain.
There has not been a lot of news coverage of “ordinary” personal or small business sites being hacked. A few small sites (like restaurants) around the country have been overlaid with radical materials. I experienced a hack on two flat HTML files on an old legacy site in April 2002 (seven months after 9/11). The overlaying content appeared related to Russian nuclear weapons, of all things! I did report it to the Minneapolis FBI. I had my own backups and quickly restored them, and there were no recurrences (and the ISP tightened Unix security’s Site Command).

Reputable hosting companies do provide backups of sites, but it’s a good idea to have your own copies of content (even offline on CDs or thumbdrives, or with cloud backups). It isn’t that hard to set up your own, just in case.

Note the video below dates to 2012.
I have not heard much (or any) discussion of possible site owner liability for allowing a hack to happen, when the site is hosted with a regular shared hosting company. The liability risk would seem much less if the site does not host consumer information (but I can still imagine some perils). The idea of encrypting the entire web (even non-commercial sites) with https sounds relevant, but so does Section 230. I suppose we could hear talk about this in the future. Sites could conceivably be overlaid with “illegal” material (or perhaps with no link path for added new material -- a webmaster can spot check for this by looking at access logs or looking at the site with WS-FTP or a similar product), or be used to launch DDoS attacks. Old legacy sites should be spot checked regularly for any problems. Here’s a typical link; it seems like a gray area now. The Hacker News has an important piece about WordPress vulnerabilities here
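The spot check described above can be automated by comparing your own backup against a fresh local mirror of the live site. The following is an added example, not part of the original post; it assumes both copies are plain directories on your own machine (the function names and the sample files are constructed for illustration).

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            digests[path.relative_to(root).as_posix()] = hashlib.sha256(
                path.read_bytes()).hexdigest()
    return digests


def compare_site(backup_dir, live_dir):
    """Report files that differ between a trusted backup and the live copy."""
    backup, live = hash_tree(backup_dir), hash_tree(live_dir)
    return {
        # Same path, different bytes: content was overlaid or edited.
        "modified": sorted(p for p in backup.keys() & live.keys()
                           if backup[p] != live[p]),
        # Present only on the live site: planted files, possibly unlinked.
        "added": sorted(live.keys() - backup.keys()),
        # Present only in the backup: deleted from the live site.
        "missing": sorted(backup.keys() - live.keys()),
    }


def demo():
    """Build a constructed backup/live pair and return the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = Path(tmp, "backup"), Path(tmp, "live")
        pages = {"index.html": "<h1>Home</h1>", "about.html": "<p>About</p>",
                 "old/1999.html": "<p>Archive</p>"}
        for root in (backup, live):
            for name, body in pages.items():
                target = root / name
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_text(body)
        # Constructed tampering: one page overlaid, one file added with no
        # link pointing to it, one page deleted.
        (live / "index.html").write_text("<h1>Replaced content</h1>")
        (live / "old" / "unlinked.html").write_text("<p>Not mine</p>")
        (live / "about.html").unlink()
        return compare_site(backup, live)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Files listed under "added" are the ones a visitor following links would never reach, which is why a file-level comparison catches what browsing the site does not.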

Wednesday, June 17, 2015

Hack in Major League Baseball seems unprecedented, but not prescient for "home" users

This is a bizarre story for an Internet safety blog. The St. Louis Cardinals (or employees or agents thereof) have been accused of hacking into the Houston Astros’ computer systems to spy on player development and trade possibilities, a kind of Chinese industrial espionage in big league sports.
The New York Times story is here. MLB has a video with comments on the FBI investigation here
The Cardinals have the best record in MLB right now. The Houston Astros were very weak a few years ago but are much improved, having moved to the AL.  I saw a game at the old Astrodome in 1984.
This does sound unprecedented.          
Wikipedia attribution link for picture of Minute Maid Park in Houston by DelayWaves, under Creative Commons Share Alike 3.0 License, here
The park was shown in the movie “Boyhood”.  The upgrade in center field will be removed before 2016, but I think it makes play interesting, like in amateur backyard baseball. 


Thursday, June 11, 2015

AOL prompts subscribers to install Tech Fortress, Webroot says it won't interfere with Secure Anywhere

I am getting prompted by AOL to install Tech Fortress. I admit I haven’t done this yet. The product is now included with AOL subscription (which includes paywall news content, although Huffington often has similar content for free). To give it credit, some of the content is on particularly edgy or disturbing stories, especially about Internet abuse.
I checked with Webroot, which says it will not interfere but is redundant if I have Secure Anywhere (8.1).
Tech Fortress appears to be cloud-based, like Webroot, and doesn’t need signature updating.  It claims it will block zero-day threats. 


Monday, June 01, 2015

Washington Post runs major series on legacy security flaws in Internet's design

Craig Timberg has written a big series for the Washington Post on the “Net of Insecurity”, a book-length series of articles on why the Internet has so many persistent security problems. I note this is still with the Post, not Vox; and it looks like it would make a good e-book for Timberg to sell on Amazon. Illustrations are by Harry Campbell and videos by Jorge Ribas. The videos are heavily animated. Post videos don’t give embed links.
The best article so far is the second one, today, link here. Timberg discusses the 1989 idea of Border Gateway Protocol (BGP) as a “quick and dirty” (in workplace jargon familiar to me from my own 30+ years in IT) solution to a long term problem. That makes the Internet vulnerable to malicious redirection. Timberg gives an example in 2008 of an incident in Pakistan that shut down a lot of YouTube traffic worldwide for two hours. In 2008, a Finnish security guru found a vulnerability in the DNS system that led to an emergency conference at Microsoft in Seattle.

The original focus was on “resistance” rather than actual prevention of a malicious attack.  Also, the net was designed with the idea of an honor system (like UVa’s), and with little grasp that users would attack one another.

But users “attack” for two basic reasons.  One is “inequality”, which leads to ordinary thievery in the digital world, just as it does to carjacking and burglary in the real world.   A second reason is that politicians exploit economic uncertainty.  In many countries, especially those associated with Communism, talented teens and young adults can’t find productive work.  Policies of governments of Russia and China, especially, seem to encourage crime as a way to make a living off the west.   (We’re talking about Vladimir Putin.)