Security Tips for Social Netizens

I’ll admit that I was taken in the first time I got a tweet like this:

“You gotta see this! lolol bit.ly/ZUT…..

I haven’t been fooled since, but I’m sure plenty of people are fooled every day, particularly when the come-on is from a person they know.

The difference between the Nigerian princess plea, the PayPal password reset email and other famous online security scams we know and love is that social networks make it appear as if the requests are coming from your friends. How can you not stop to help out a friend who’s marooned in an overseas village somewhere after his wallet and passport were stolen?

Digital Defense, a security assessment and software firm, has published this free guide to the most common security dangers in social media. While experienced netizens know that you never click on a link without first checking out the URL, the vast majority of casual users don’t know how to do that (hint: hover over the link). This free download is worth sharing with the people you work with, and any IT organization should make it required reading for users.

Note, you have to fill out a registration form to download it, but the company doesn’t ask for much. Also, I received no compensation for this post.


A Quick Fix for the Latest WordPress Virus

I spent several frustrating hours this weekend trying to recover from a nasty virus that has hit WordPress installations on Network Solutions and Go Daddy, which is my hosting service. After wasting many hours fiddling with wp-config files and backing up and restoring databases, I hit upon a simple solution this morning that appears to have restored my three blogs to their former glory. Maybe it will help you.

This virus is characterized by the insertion of a long string of seemingly random characters at the beginning of PHP files like the one depicted below. These files are scattered all over your WordPress directories and there’s no telling how many have been infected. You need to remove the malicious code from every PHP file to restore your system, and there could be hundreds of files.

Rogue code in WordPress

First, the disclaimers: I’m not a programmer and I can’t guarantee that this solution will eradicate the virus once and for all. It’s possible that the creeps who developed it have hidden code somewhere to resurrect it at a later point, so I will post an update a few days from now. Also, you should back up your database before attempting any recovery. It’s probably also a good idea to back up the infected files to a safe directory on your computer in case something goes wrong.

That said, here goes. This fix is for Windows, but the Mac version should be pretty similar:

1. You’ll need to download and install two open-source programs – FileZilla and Notepad++ – before you get started.

2. Open FileZilla and connect to the FTP server where your WordPress installation is located.

3. Now you’re going to create a filter in FileZilla to download and upload only PHP files. This will save you a lot of time because you won’t be sending large image and audio files back and forth. Go to “View –> Filename filters…” and choose “Edit filter rules…” Create a new rule called “PHP” or whatever you want. In the “Filter conditions:” drop-down menu, select “Filter out items matching none of the following.” In the space below that, choose the drop-down menus “Filename” “contains” and type “php” into the box. See screen grab below.

Setting up FileZilla to filter PHP files

4. Then – and this is important – uncheck the box that says “Filter applies to: Directories.” If you don’t uncheck this box, FileZilla will only download files in the root folder and miss all the sub-folders. Click OK.

5. Back in the “Directory listing filters” dialog box, check the boxes next to your new PHP filter name in both the “Local filters” and “Remote filters” columns. Click OK. Your file transfer filter is ready.
PHP filters selected

6. In the “Local site:” window on FileZilla, create an empty directory on your computer where you can store the PHP files you download. In the “Remote site:” window, navigate to the directory containing your blog. This will be the one with the folders called wp-admin, wp-content and wp-includes. You actually won’t see those folders at the moment because your filter is on. If you want to check, temporarily disable the PHP filter to be sure you’re in the right directory.

7. In the “Remote site:” window, select all files (CTRL-A), right-click and choose “Download.” The PHP files will start downloading into the new directory you created, preserving the file structure of the server. This should be pretty fast, because you’re only downloading text files.

8. Once the download is complete, open an Explorer window and navigate to the directory on your computer where the PHP files are located. Right-click and choose “Open with…” and then navigate to the Notepad++ directory and choose the file called “notepad++”. Select this as the default for opening all PHP files.

Notepad++ will open with all the files you’ve selected in separate windows. Flip through the windows until you find one containing the rogue code at the top.

9. Select all the characters between the first two occurrences of the “<?php” characters. Include trailing spaces.
In Notepad++, choose “Search –> Find in files…” The dialog box that pops up will look like the one below. The text you selected should already be inserted into the “Find what :” field. Delete anything in the “Replace with :” field. Then choose the navigation button to the right of the “Directory :” field and navigate to the folder containing your PHP files. Click OK. The program will respond with the challenge of “Are you sure you want to replace all occurrances [sic] of…” Click OK. Notepad++ will churn away for a few seconds and then show you how many files it has changed. The number may astound you.

10. If all has gone well, you should still see part of the rogue code in the window in front of you. This is because Notepad++’s “Find what :” field can’t hold all the characters you need to replace. So you’re going to have to run another find and replace. Simply select the remaining bad code and repeat the previous step to find and replace all incidents in the files. If all has gone well now, the file in front of you should be clear of all bad code. Save that file and any files that are open in other windows and exit Notepad++.

11. Go back to FileZilla and upload all the PHP files, being careful to choose the same directory from which you downloaded them originally. When the challenge box pops up, specify “Overwrite” and “Always use this action.”

Try to open your site again. It should be back to normal. If it isn’t, upload the bad files you had stored in a separate directory and try something else, because this obviously wasn’t the bug you had!

If the fix works, be sure to change your database and WordPress passwords. And let me know either way whether this did the trick!
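The same cleanup can be scripted, which is worth doing when there are hundreds of files and the find-and-replace has to be run twice. The following is an added example, not code from the post or from WordPress: it automates steps 9 to 11 (take the injected text from one known-infected file, delete that exact text from every PHP file below a directory, and keep a backup copy of each file it changes). Like the Notepad++ approach, it assumes the injected string is byte-for-byte identical in every infected file. The sample files, including the placeholder rogue block, are constructed for the demo; the third sample shows why the block is copied from a known-infected file rather than cut blindly from between the first two `<?php` tags, since a legitimate theme template contains several such tags.

```python
"""Remove a prepended rogue block from every PHP file under a directory.

Added example, not the post author's procedure or any WordPress code: it
automates steps 9 to 11 above (copy the injected text from one infected file,
then delete that exact text from every PHP file) and keeps a backup copy of
each file it changes. It assumes, as the Notepad++ find-and-replace does, that
the injected text is byte-for-byte identical in every infected file."""
import os
import shutil
import tempfile

OPEN_TAG = "<?php"

# Constructed samples. The rogue block is a placeholder standing in for the
# injected string, not real malicious code.
ROGUE_BLOCK = "<?php /* CONSTRUCTED PLACEHOLDER for the injected string */ ?>\n"
INFECTED_SAMPLE = ROGUE_BLOCK + "<?php\n// wp-load.php (constructed)\nrequire 'wp-config.php';\n"
CLEAN_SAMPLE = "<?php\n// index.php (constructed)\necho 'hello';\n"
# A theme template legitimately contains several '<?php' tags, so the text
# between its first two tags is NOT rogue code; a blind cut would break it.
TEMPLATE_SAMPLE = "<?php get_header(); ?>\n<div><?php the_content(); ?></div>\n"


def extract_rogue_block(content):
    """Return the text from the first '<?php' up to (not including) the second
    one, which is what step 9 selects in Notepad++; None if no second tag."""
    first = content.find(OPEN_TAG)
    if first == -1:
        return None
    second = content.find(OPEN_TAG, first + len(OPEN_TAG))
    if second == -1:
        return None
    return content[first:second]


def strip_block(content, block):
    """Delete every exact occurrence of block. Returns (new_content, count)."""
    count = content.count(block)
    return content.replace(block, ""), count


def clean_tree(root, block, backup_dir):
    """Strip block from every .php file below root. Each changed file is first
    copied, with its relative path, under backup_dir. Returns {path: count}."""
    changed = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="surrogateescape", newline="") as fh:
                content = fh.read()
            new_content, count = strip_block(content, block)
            if count == 0:
                continue
            backup_path = os.path.join(backup_dir, os.path.relpath(path, root))
            os.makedirs(os.path.dirname(backup_path), exist_ok=True)
            shutil.copy2(path, backup_path)
            with open(path, "w", encoding="utf-8", errors="surrogateescape", newline="") as fh:
                fh.write(new_content)
            changed[path] = count
    return changed


def demo_clean_tree():
    """Build a throwaway tree (one infected file, one clean file, one template),
    clean it, and report what happened."""
    root = tempfile.mkdtemp()
    backup = tempfile.mkdtemp()
    infected = os.path.join(root, "wp-includes", "load.php")
    os.makedirs(os.path.dirname(infected))
    samples = {
        infected: INFECTED_SAMPLE,
        os.path.join(root, "index.php"): CLEAN_SAMPLE,
        os.path.join(root, "header.php"): TEMPLATE_SAMPLE,
    }
    for path, text in samples.items():
        with open(path, "w", newline="") as fh:
            fh.write(text)
    block = extract_rogue_block(INFECTED_SAMPLE)  # taken from a known-infected file
    changed = clean_tree(root, block, backup)
    with open(infected, newline="") as fh:
        cleaned = fh.read()
    with open(os.path.join(root, "header.php"), newline="") as fh:
        template = fh.read()
    backup_ok = os.path.exists(os.path.join(backup, "wp-includes", "load.php"))
    shutil.rmtree(root)
    shutil.rmtree(backup)
    return len(changed), cleaned, backup_ok, template == TEMPLATE_SAMPLE


if __name__ == "__main__":
    print(demo_clean_tree())
```

Run it against the local copy of the PHP files from step 7, then upload as in step 11. If the injected string turns out to vary from file to file, the exact-match count will stay low for some files; those need a second pass with the other variant, exactly as the post describes for the part Notepad++ could not hold.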

The Crime Economy

From Innovations, a website published by Ziff-Davis Enterprise from mid-2006 to mid-2009. Reprinted by permission.

Is access to your corporate Web server worth $740?  That’s the average price a computer criminal pays today for information about a security flaw at a specific financial institution, according to a new report from Symantec.  While some exploits command as much as $3,000, information about other corporate security flaws is being sold for as little as $100.

That’s not the only example of corporate security on sale.  Hackers can purchase links to webpages that have known security vulnerabilities for about 40 cents per link in bundles of 500.  Or they can buy their own remote file inclusion (RFI) scanner for about $25 and identify those PHP-induced flaws themselves.

This information and much more is contained in a new report entitled “Symantec Report on the Underground Economy” that can be freely downloaded from Symantec’s website.  The 84-page document paints a picture of a vast marketplace that traffics in the tools and the spoils of computer crime, creating a recursive ecosystem that feeds upon its own success.

The report is hair-raising, not so much because it identifies new vulnerabilities in corporate information systems but because it documents the efficiency of the market that traffics in the tools and spoils of computer crime.

In this new underground economy, tens of thousands of anonymous entities advertise tools that can be purchased for modest sums and used to create spam attacks, phishing farms and direct assaults on corporate servers.  The people who buy these tools then sell the spoils of their work to brokers who remarket the information to other criminals.

Those groups may in turn produce bogus credit cards or orchestrate massive credit fraud and identity theft operations that cost businesses billions of dollars in losses.  One estimate put the cost of phishing attacks alone at $2.1 billion for US consumers and businesses in 2007.

Vulnerability for Sale


Source: Symantec

The electronic flea markets that enable this evil are networks of IRC servers and covert websites that visitors use to bid upon tools and information.  The average price of a botnet, for example, is just $225, and a single botnet can be rented out for use by other criminals to produce an income stream or specialized service. Hackers can buy all the security-busting software they want for less than $500. Who needs to be a technical expert anymore?

Skilled professional criminals can rake in unbelievable sums.  Symantec estimates that one organization that specializes in phishing made $150 million in 2006 from stealing bank credentials alone.  Another operation that mass-produced counterfeit credit cards was reportedly earning up to $100,000 a day.

The disheartening message in these statistics is that the enemy of corporate security managers is no longer a script kiddie working in his basement but a vast and faceless network of entrepreneurs and arbitrage experts cooperating in a strikingly efficient marketplace with total anonymity.  In a one-year period, Symantec observed nearly 70,000 advertisers on various underground economy servers hosting more than 44 million messages.  These criminals are so active because the system works.  Computer crime has become, in effect, a vast peer-to-peer network. And as the recording industry has learned painfully, peer-to-peer networks are nearly impossible to stamp out.

If you’re hoping to hear about the magic pill to cure this problem, you’re out of luck. The Symantec report offers no advice, either. Instead, it documents the sophistication of a distributed operation that is financially motivated to constantly attack the institutions of commerce and government. Our only defense is to be buttoned down, well-educated and prepared for a long struggle.

Old PCs Pose Environmental, Regulatory Threat

From Innovations, a website published by Ziff-Davis Enterprise from mid-2006 to mid-2009. Reprinted by permission.

We all know how great it feels to have a new PC plunked down on our desktop or in our briefcase.  But for IT organizations, that exhilaration is increasingly compounded by anxiety.  What should they do about disposing of the computer that’s being replaced?

This issue is gathering importance as the number of old computers grows.  Gartner has forecast that consumers and businesses will replace more than 925 million PCs worldwide by 2010.  And that’s just one category of computer.  Gartner expects another 46 million servers to ship during the next five years, and about one billion mobile phones to be discarded yearly beginning in 2010.

There are obvious ecological concerns that attend this problem, of course. Most personal computers contain chemicals that can poison water supplies and old CRT monitors have lead linings that should never make their way into a landfill.

But the risks to businesses these days can hit even closer to home.  Discarded computers can contain proprietary data that, if disclosed, can open a company to a host of legal and compliance problems. Among the regulations that provide severe financial penalties and even imprisonment for improper data protection are the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act.  There are also a host of local regulations to consider, the result of Congress’s decision many years ago to make environmental rules the domain of individual states.

Companies have gotten by for years on ad hoc approaches to computer disposal.  Often, they sell old machines to employees, give them to charities or palm them off on trash-hauling businesses that dispose of the equipment in places unknown. But regulators don’t buy the “out of sight, out of mind” philosophy. Most place the onus of ensuring data protection on the original owner. That means that if a PC or cell phone containing protected information turns up in a landfill overseas somewhere, the firm that captured the data is on the hook for any legal obligations.

A particular concern is the trash companies, who often piggyback their computer disposal services on top of their basic business of hauling away Dumpsters full of refuse. While many of these companies are no doubt legitimate, some have tried to cut costs by piling IT equipment into containers and shipping them overseas.

In some cases, this equipment is simply thrown into open holes in the ground, causing unknown public health concerns. Many Third World countries also have subcultures of entrepreneurs who disassemble equipment and sell the piece parts on the open market. In 2006, the BBC bought 17 second-hand hard drives in Nigeria for $25 each and recovered bank account numbers, passwords and other sensitive data from them. Under many regulations, the original buyers of that equipment could be liable for any security or privacy breaches that resulted.

Nearly every business should have a plan for disposing of end-of-life computers.  If storage equipment is to be repurposed, it needs to be thoroughly erased. The Department of Defense’s 5220.22-M erasure standard ensures that media is completely cleansed of recoverable data. A simpler approach is to take a hammer and smash the storage media into smithereens. Whatever tactic you use, you need to document the data destruction using the appropriate compliance forms.
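What “thoroughly erased” looks like in practice, as an added example that is not from the post or from any vendor tool: a multi-pass overwrite with a read-back check. The three passes (all zeros, all ones, then random bytes) follow the commonly cited reading of the 5220.22-M wipe, which is an assumption here rather than something the post spells out. A scratch file seeded with a constructed placeholder “secret” stands in for the drive; the same function accepts a block device path on Linux because it takes the size by seeking to the end rather than from `stat`.

```python
"""Multi-pass overwrite of a storage image, with a read-back check.

Added example, not from the post or from any vendor tool. The three passes
(all zeros, all ones, then random bytes) are the commonly cited reading of
the DoD 5220.22-M wipe, which is an assumption here. A scratch file stands
in for the device; a block device path works too, since the size is taken
by seeking to the end rather than from stat."""
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # write in 1 MiB pieces so a large disk needs no RAM


def pass_pattern(index, size):
    """Bytes for overwrite pass index: 0 -> 0x00, 1 -> 0xFF, 2+ -> random."""
    if index == 0:
        return b"\x00" * size
    if index == 1:
        return b"\xff" * size
    return os.urandom(size)


def overwrite_and_verify(path, passes=3):
    """Overwrite every byte of path `passes` times, then read the whole thing
    back and compare it (by SHA-256) with what the last pass wrote.
    Returns {"bytes": size, "passes": passes, "verified": bool}."""
    if passes < 1:
        raise ValueError("at least one pass is required")
    with open(path, "r+b") as fh:
        fh.seek(0, os.SEEK_END)
        size = fh.tell()
        written = None
        for index in range(passes):
            digest = hashlib.sha256()
            fh.seek(0)
            remaining = size
            while remaining:
                chunk = pass_pattern(index, min(CHUNK, remaining))
                fh.write(chunk)
                digest.update(chunk)
                remaining -= len(chunk)
            fh.flush()
            os.fsync(fh.fileno())  # push this pass to the device before the next
            written = digest.hexdigest()
        # Read back the final pass and compare it with what was written.
        fh.seek(0)
        readback = hashlib.sha256()
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                break
            readback.update(chunk)
    return {"bytes": size, "passes": passes, "verified": readback.hexdigest() == written}


def demo_wipe():
    """Wipe a scratch file seeded with a constructed 'secret' and report
    whether the wipe verified and whether the secret is gone."""
    secret = b"CONSTRUCTED-ACCOUNT-NUMBER-0000"  # placeholder sensitive data
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(secret * 100_000)  # about 3 MiB, not a multiple of CHUNK
    result = overwrite_and_verify(path, passes=3)
    with open(path, "rb") as fh:
        secret_gone = secret not in fh.read()
    os.remove(path)
    return result, secret_gone


if __name__ == "__main__":
    print(demo_wipe())
```

Two caveats a practitioner would want: the read-back goes through the operating system’s cache, so it checks the write path rather than proving what is on the platter, and on flash-based drives wear levelling can leave old data in cells the OS cannot address, so overwriting is not a reliable wipe there; the drive’s own secure-erase command or the hammer the post recommends is the dependable route for those. Either way, record the result on the compliance form as the post says.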

A new practice has also emerged called IT Asset Disposition (ITAD). ITAD vendors essentially outsource the disposal process and provide tracking, verification and even insurance against liability. Some firms can also remanufacture components and sell them, thereby reducing costs for their customers.  Research firm International Data Corp. has published a good study on the market. The site Greener Computing also has helpful advice.