Tag Archives: security

Heartbleed OpenSSL Bug – List of Affected Sites

The following list shows the current statuses (as of April 10, 2014) of sites we felt our clients would be most interested in knowing about. If you have accounts at these sites, it is highly recommended you update your passwords.

(Learn more about the Heartbleed OpenSSL bug.)

Vulnerability Status key:
Yes – site has at some point been, or is currently, vulnerable
Likely – site was likely vulnerable but cannot be confirmed
Possibly – site may have been vulnerable but cannot be confirmed
No – site was not vulnerable

List of Popular websites and Heartbleed vulnerability status:
Updated April 11, 3pm CST

Apple: Not affected
Amazon: Not affected
basecamp: Not affected
Disqus: Yes (now safe)
Doteasy: Likely (now safe)
Dropbox: Yes (now safe)
eBay: Possibly
Etsy: Yes (now safe)
Github: Yes (now safe)
Godaddy: Yes (now safe)
Google: Yes (now safe)
Hotmail: Possibly (now safe)
Intense Debate: Likely (now safe)
istockphoto: Likely
LinkedIn: Not affected
Lunarpages: Yes (now safe)
Marketo: Likely (now safe)
myspace: Possibly
Office Autopilot: Likely (now safe)
Paypal : Not affected
Pinterest: Yes (now safe)
Siasto: Yes (now safe)
Siteground: Yes (now safe)
Slideshare: Not affected
Skype: Likely (now safe)
Twitter: Yes (now safe)

More info:

Is there a site you don’t see here but are interested in? Here is a great resource to check out the vulnerability status of any site:
http://filippo.io/Heartbleed/

Here’s a secondary resource, though not one I’m putting a lot of stock in because their testing method just isn’t quite thorough enough to detect the vulnerability.
https://lastpass.com/heartbleed/

Action item:
Change passwords for any site that is now safe. Changing passwords at sites that have not yet been patched is pointless, as they will need to be changed again after the patch has been applied. We will update this list as we get new information. However, sites that cannot be confirmed may never have a status of “Now Safe”. In that case we recommend updating passwords anyway, to be extra diligent; it never hurts to update. Don’t forget about your personal accounts as well (credit cards, bank accounts, etc.)

TrekVisual Clients:
We work hard to protect your website’s integrity. We’ll update TrekVisual client data once servers have patched their software, and we’ll notify you of any information you need to be aware of. Please email us with any questions you have.

How Does the “Heartbleed” OpenSSL Bug Affect Me?

“Heartbleed” is a newly discovered security bug that affects OpenSSL encryption software across the web. This bug is estimated to have affected about 2/3 of sites on the web that encrypt data.

What is SSL encryption?

When you sign in to a secure site, you’ll notice a ‘lock’ icon in your address bar, or the https: (vs http:). That means that the site you’re signing in to uses SSL to secure the transmission of private information like passwords, credit card and account numbers, etc. The software the website uses to run SSL may be OpenSSL. OpenSSL is one of the most widely used SSL software programs today.

What does the Heartbleed bug do?

The Heartbleed bug allows an attacker to extract 64k of data from a server’s working memory at a given time. The attacker doesn’t know what that 64k will include – but since these attacks are generally run by computer programs that can repeat the process over and over quickly, there’s a great potential for a lot of sensitive data to be compromised.
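Added example, not code from this post or from OpenSSL: a simplified Python model of the heartbeat handling behind Heartbleed, showing the pre-patch handler beside the patched one. The record helper, the two handler functions and the constructed “neighbouring memory” bytes are this example’s own; the length check in the fixed version mirrors the one the OpenSSL patch added (header + claimed payload length + 16 bytes of padding must fit inside the received record).

```python
# Added illustration of the Heartbleed bug (CVE-2014-0160); not OpenSSL code.
# The heartbeat record is: type (1 byte), payload length (2 bytes, so at most
# 65535 bytes, hence the "64k" figure), the payload, then >= 16 bytes of padding.
import struct
from typing import Optional

HEARTBEAT_REQUEST = 1
PADDING_LEN = 16          # minimum padding required by the heartbeat extension
HEADER_LEN = 1 + 2        # type byte + 16-bit payload length


def build_record(payload: bytes, claimed_len: int) -> bytes:
    """Build a heartbeat record whose length field may lie about the payload size."""
    return struct.pack("!BH", HEARTBEAT_REQUEST, claimed_len) + payload + b"\x00" * PADDING_LEN


def heartbeat_vulnerable(memory: bytes, record_len: int) -> bytes:
    """Pre-patch behaviour: trusts the length field in the record and copies that
    many bytes back, regardless of how many bytes were actually received."""
    _, claimed_len = struct.unpack("!BH", memory[:HEADER_LEN])
    return memory[HEADER_LEN:HEADER_LEN + claimed_len]   # runs past the record


def heartbeat_fixed(memory: bytes, record_len: int) -> Optional[bytes]:
    """Patched behaviour: the claimed payload plus header and padding must fit in
    the received record; otherwise the request is silently discarded."""
    if record_len < HEADER_LEN + PADDING_LEN:
        return None
    _, claimed_len = struct.unpack("!BH", memory[:HEADER_LEN])
    if HEADER_LEN + claimed_len + PADDING_LEN > record_len:
        return None
    return memory[HEADER_LEN:HEADER_LEN + claimed_len]


def demo():
    """Model a 4-byte payload that claims to be 64 bytes long, sitting in memory
    next to constructed sensitive data, and run both handlers over it."""
    record = build_record(b"ping", 64)
    neighbour = b"session_cookie=abc123; password=hunter2; "   # constructed sample
    memory = record + neighbour
    leaked = heartbeat_vulnerable(memory, len(record))
    echoed = heartbeat_fixed(memory, len(record))
    return leaked, echoed


if __name__ == "__main__":
    leaked, echoed = demo()
    print("vulnerable handler returned:", leaked)
    print("fixed handler returned:", echoed)
```

The vulnerable handler returns bytes that were never part of the request, which is what let repeated probes harvest keys, cookies and passwords; the fixed handler returns nothing for the malformed record and still echoes a well-formed one.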

What can I do to protect myself from the Heartbleed bug?

Change your passwords. Creating strong passwords is a good habit to form – read more about how to create strong passwords you can remember. It has been reported that Apple, Google, Microsoft and major banking services have not been affected. It does appear that Yahoo has been targeted, so I advise changing any Yahoo passwords you have. To be diligent, any password you enter on any secure sites you visit should be changed over the next few days.

Because we’re not sure when websites are patching their software to fix this bug, it is possible to change your password prematurely. I recommend changing passwords to your most important secure sites ASAP, and again in about a week, to allow for the possibility that you changed a password before the website had updated its OpenSSL software to patch the bug.

What about my WordPress password?

This is the kind of bug that will not directly affect your WordPress install, but it can potentially trickle down if the server has been compromised. If you’re hosting with TrekVisual, or we’re managing your website, your passwords will be changed over the course of the next week. This should not affect your normal day-to-day operation. We’ll contact you with updates as they happen.

Security Plugins Every WordPress Website Should Have Installed

If you run a website, then website security is probably on your mind regularly. As technology becomes more integrated with our lives, news about security breaches, DOS attacks and hacks has become more frequent. The need to be proactive about protecting your website has never been stronger. Here are some of my favorite security plugins. Most of them are free, and even where the free version is limited, each is something every WordPress website should have installed. Check back, as I’ll keep this list updated as things change, plugins are added or, sadly, any are removed!

A Simple Captcha Can Help Deter Attacks.

Brute Force Attacks occur no matter what host you’re with, and no matter how strong your password is. The first step to protecting your website from a successful brute force attack is setting up a strong user name and password.
(Helpful articles: Is my password strong enough? and How to Create a Strong Password You Can Remember)

Step two in protecting your website from brute force attacks is adding an extra layer of difficulty to a bot’s attempts at cracking your login: a Captcha, which can be as simple as a basic math question (or not so simple if it’s before coffee). I recommend the Captcha by BWS plugin, which will add a simple captcha form to your login page. You can learn more about it on the BWS Captcha plugin page and download it from the WordPress repository.

Secure your Login.

Adding a captcha to your login page is good, but what’s even better is limiting the number of login attempts anyone can make to get into your WordPress admin area. For this I highly recommend Login Security Solution. This plugin logs IP addresses of attempted logins, and will systematically slow down the login process for those IPs. The delay is a ‘survival of the fittest’ method, meant to deter attackers, steering them away from your site to move on to the next one that may be an easier target. The beauty of this plugin is, if they DO manage to break in, the plugin recognizes the user as a miscreant and kicks them out anyway!

Stay in Control of Your Site Security.

As an added measure of security, I also recommend using the WordFence plugin. It works well especially if you set it up to work in conjunction with Login Security Solution. This plugin offers lots of options, and while it has some great pro-active features, some features come in very handy during an attack.

The proactive feature I’ve found most useful is the ability to block aggressive search engine spiders like Baidu and Sogou, which can be resource hogs.

There is a live traffic tab that will allow you to see current activity on the site, and if you’re undergoing a brute force attack, you’ll be able to see the IP addresses of the attackers. Combined with the tab to manually block an IP or IP range, you can do something about it.

Scan your site for Potential Problems.

If you’re running a free theme and want to check for possible exploits in the code, you should definitely install and run the “Exploit Scanner” plugin, written and maintained by Donncha Ó Caoimh, a highly respected WordPress developer. This plugin runs a deep scan of your database and will give you a lot of detail about anything suspicious. It can be overwhelming and not every warning is an indication that you have malicious code, and may require a more trained eye to work with, but is a great and powerful tool.

Compromised Website? Get Help Sooner Rather Than Later.

Sometimes you don’t need to run a scan – you notice things like advertisements for the latest variety of Viagra or similar being prominently displayed on your site, or maybe just on the mobile version of your site. If you want to run a test to be sure, here’s a site that will let you run a scan of your site to check for malicious activity or malware. Be patient, it takes a while to complete. (It took about 5 minutes for my test to run.)

Viruses, especially database injection viruses, can get evil and messy very quickly. If you suspect your site has been compromised and you don’t have the technical know-how to fix it, it’s better to get help from someone who does sooner rather than later. Every moment your site exists with a virus allows that virus to propagate through your site and make it harder to clean later on, so consider it important to treat this as an urgent matter.

To get help from TrekVisual for an infected website, visit our webmaster services page or contact us.

Is my Password Strong Enough?

Username: admin
Password: admin

You know that’s really not bright, but why? First, I’ll answer the question –

Why do I need a strong password? 

It may not be obvious, but a strong password will help prevent a successful brute force attack on your account (whether this is your FTP account or your WordPress website).

“(A brute force attack) consists of systematically checking all possible keys or passwords until the correct one is found.” (wiki) You’ve seen it in movies, a computer screen cycling through characters one by one until each one is a hit and ‘locks’. This is the basic concept behind

Give it a go, at this Brute Force Space Analysis calculator. Enter admin as a password. This is an accelerated test, with the smallest scenario showing how fast a password could be cracked with 1,000 attempts per second (3.43 hours). Now try a password like adm1n:) and it now estimates a successful crack would take centuries.

You should be aware that this calculator doesn’t tell a complete story. Many brute force attacks are ‘password dictionary’ attacks, meaning a dictionary of common passwords is tried. Admin, 123456 and Password are some of the more common (obvious) dictionary passwords.
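Added example, not from the original post or from the calculator it links to: the search-space arithmetic behind the 3.43-hour and “centuries” figures above, followed by the dictionary-attack caveat. The alphabet sizes (26 lower, 26 upper, 10 digits, 33 symbols), the 1,000 guesses per second rate and the tiny COMMON_PASSWORDS list are assumptions of this example.

```python
# Added illustration of the brute-force "search space" estimate from the post.
# A brute-force attacker who must cover every character class the password uses
# has, in the worst case, to try every string of length 1..n over that alphabet.
import string

SYMBOL_COUNT = 33                    # symbols incl. space, as the calculator counts them
SYMBOL_CHARS = string.punctuation + " "
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed stand-in for the kind of list a dictionary attack walks through.
COMMON_PASSWORDS = {"admin", "123456", "password", "qwerty", "letmein"}


def alphabet_size(password: str) -> int:
    """Sum the sizes of the character classes the password draws from."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in SYMBOL_CHARS for c in password):
        size += SYMBOL_COUNT
    return size


def search_space(password: str) -> int:
    """Number of candidates up to this length: sum of a**k for k = 1..n."""
    a, n = alphabet_size(password), len(password)
    return sum(a ** k for k in range(1, n + 1))


def seconds_to_exhaust(password: str, guesses_per_second: int = 1000) -> float:
    """Worst-case time for an online attacker at the calculator's slow rate."""
    return search_space(password) / guesses_per_second


def estimate(password: str, guesses_per_second: int = 1000) -> dict:
    """The caveat from the post: a password on a dictionary list falls in one
    pass over the list, however large its theoretical search space is."""
    if password.lower() in COMMON_PASSWORDS:
        return {"method": "dictionary", "seconds": len(COMMON_PASSWORDS) / guesses_per_second}
    return {"method": "brute force", "seconds": seconds_to_exhaust(password, guesses_per_second)}


if __name__ == "__main__":
    for pw in ("admin", "adm1n:)", "Password"):
        e = estimate(pw)
        print(f"{pw!r}: {e['method']}, {e['seconds'] / SECONDS_PER_YEAR:.6f} years")
```

Adding two characters and two extra classes takes "admin" from about 3.43 hours to roughly 240 years at the same rate, yet "Password" is found instantly because it is on the list, which is why length and class mixing only help when the result is not a recognizable word.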

How do I create a strong password?

The strongest password should be as long as possible (if you’re allowed to use 24 characters, use them), with a minimum of 8 characters. Your password should include numbers and be MiXeDCase (using upper and lower case letters). Most importantly, special characters should be interspersed among numbers and letters.

1Password! is an example of a password that includes all of those recommendations, but is definitely not a strong password, because it’s obviously a commonly recognizable word that begins with a number and ends in a (meaningful) special character. You should avoid common words, and I’d even suggest avoiding the use of the number 1 and the exclamation point.

To create a completely random password, you can use a site like random.org. If you’re super careful bordering on paranoid, you can use two or more password generator sites and combine parts of the generated password from each. I can’t guarantee this method will create an easy to remember password, though. For ideas to create a strong password you can remember, check out How to Create a Strong Password You Can Remember.

*Funny note: While writing this blog entry we got an automated notice from our TrekVisual security program to notify us that one of our sites was undergoing a brute force attack. Username they tried? admin

How to Create a Strong Password You Can Remember

Long gone are the days when you could create a password by spelling your name backwards. Or using your numeric birth date.

To create a strong password, many websites now offer a ‘strength meter’ when you choose a password to show you how strong your password is as you create it. Long, meaningless strings of caps and lower case letters mixed with numbers and special characters make an awesome password – but trying to remember it without writing it down can mean lots of wasted time going through the ‘Lost Password’ process to recover and recreate another long, complicated password you won’t remember next time. The cycle continues.

Adding to that complexity, we need passwords for just about everything we do today online – and they should all be different. I haven’t ever actually counted my passwords, but as a rough estimate, I know I have over 300 different passwords.

Kind of reminds me of Susan Powter back in the 90s, yelling “Stop the Insanity!”

Here are some ideas for creating strong passwords you will actually remember.

  • Choose a favorite quote, or passage from a book or poem you love. Add special characters and numbers throughout as they make sense. For this example, I chose the following quote:

    “Know or listen to those who know.”

    You can turn that into a password like this:
    Kn0w,0rListen!2Th0seWh0Kn0w?-Gracian

    I converted each letter o to the number zero, changed the word ‘to’ to a number two, and added punctuation that I can remember in places that make sense to me. I also attributed the quote at the end with a dash followed by the last name.

  • Use that favorite quote, passage or line from a poem and create an acronym to use as a password:
    Using the example above, the password acronym would be K,0L2Twk-G

  • Create a sentence that integrates the name or purpose of the website to make it unique:
    Know,OrListenToThose(likeTrekVisual!)WhoKnow.

  • Make a tagline for your experience on that particular website and run with it in creating a strong password. For example, if I were creating a password for logging in to my Chase bank account where my house mortgage is held, I might come up with something like:

    S0m3d4y,1w1ll0wn*Ur*House,Chase! (Someday, I will own your house, Chase)

    (Note that some sites won’t let you use certain special characters, like the asterisk)

It doesn’t have to make sense to anyone but you…and better if it doesn’t! Be creative.

Finally, I’m not a big fan of electronic keychains or password collection apps. I recommend keeping your passwords written down in a secure location which doesn’t exist on any electronic device – i.e., on paper. I know it’s a bit old-fashioned, but if it’s not anywhere you can access digitally, it’s not anywhere a hacker can access it digitally, either.