Category Archives: Secure things

Tweaking My Website Security

WordPress is frequently used for websites and therefore attractive to some unfriendly people. So I reconfigured my WordPress security plugin.
And the mails of failed logins started coming in. It was not me, so someone else wanted to use this web site.

A short history about my tooling
For me web site security is something to review on a regular basis. It all started with an article in a magazine.  I put some elementary stuff in place: limited number of log ins and removed the login from the web site.

Over the months I added extra stuff like SSL. It encrypts the traffic between the browser and my web site. In other words my user name and password are unreadable for interested bad guys
Troy Hunt mentioned SSL in his free web course with the haunting name: Hack Yourself First.  Cheers mate.
In case you missed it SSL can be obtained for free at Let’s Encrypt.

At a regular basis I updated the software for my web site. I thought I was quite good until I changed the settings.

A short note about security
Some people might complain about the default security settings of their web site settings. Believe me things can be improved. If you do not set the WordPress settings right, then the user name is shown instead of your writer’s name on the blog post. Luckily there are plugins. (As a Dutchman I could not ignore the free ones.)

I thought about the default security and try to explain to you. If I buy a house, it has standard locks. If I want to keep the baddies out, I have to use the keys.
There are no special keys and locks involved. In case I need them I have to change them.
My new house has no vault or armed guards. If I need them, then I have to change something.

Shorten my list of security mails
So I had changed something and security mails came into my mail box. I noticed that there were mails with wrong user names and passwords. Not good.

After a few days I expected them to stop. You know: “Oops wrong web site. Sorry for that.” But the flow of failed login attempts did not stop. So I had to change something. Again.

I remembered a firewall in one of my WordPress plugins, so I had my first taste of a firewall. Dry, not shaken.
I had IP addresses of the sources of attack. Courtesy service of one of my WordPress iplugins.
An IP address consists of 4 numbers separated by a dot (.) like the invalid 345 345.345 345.

So I put the most offending IP addresses on the black list.

Three strikes and you are out.

The brute force attacks continued. The following combinations were used:

table with failed login attempts

The  user name is in the heading and the password is  shown in the first column. More details about this teaser will be added in the appendix.

My action did not change the flow. I used the asterix. 345 345.345.*. All people coming from IP addresses starting with 345.345.345 got blocked.

Wrong zone. Offsite. Stop the game.

It looked like I had put oil on fire. My normal mails were somewhere between the security mails.

I also noticed that black listed IP addresses still passed through. So there were apperently some smart guys pick locking the door of my web site. I’ll add some words to this assumption  at the end.

It was time for harsh measures. I was so focused on the mails, that I skipped my notetaking. In my logs other URLs were mentioned.  I clicked on one containing wp-admin and noticed that I saw my login page.
I changed a name somewhere and the security mails did not come in any more. Phew.

Brief briefing about red teaming
My list of WordPress plugins would be quite interesting for the people who really want to block out the intruders. The main reason I do not list them is red teaming. This military term is like give my plan to the red team, who will misuse this knowledge to my full disadvantage. Did you notice that “full” sounds like “fool”?

My steps for red teaming of my web site:

  1. Install the web site with all plugins.
  2. Configure the web site and the plugins.
  3. Look at www.cvedetails.com for any bugs.
  4. Misuse the listed CVE or Common Vulnearbilites  and Exposures.
  5. Go to the subdirectories and look for strange files.
  6. Look whether those files are accessible from the outside.

This reads like the plot of a bad B movie. But it works.

A short note about security
Some people might complain about their default website settings. Believe me things can be improved. If you do not set the WordPress settings right, then the user name is shown instead of your writer’s name on the blog post. Luckily there are plugin.

I thought about the default security and try to explain it to you. If I buy a house, it has standard locks. If I want to keep the baddies out, I have to use the keys.
There are no special keys and locks involved. In case I need them I have to change them.
My new house has no vault or armed guards. If I need them, then I have to change something.

Had a short glance
The days after the intentional reduction of my mail I had another look to my log files. My login page was requested several thousands times in a month. And I can assure you that I was not blogging so much.

There were other pages or URLs which led to my login page. So a check on the hits on my login page would give me the wrong impression of safety. There are people who do not like to use numbers or metrics. Some numbers can be really useful when pondered upon.

Somehow I had not paid attention. Too much focus on blogging. Obviously.

An article of Santosh Tuppad was quite helpful to increase the security. Thanks mate.

I even noticed that wp-content was open. So any pictures of draft blog posts could be viewed before publication. I even discovered a CSS file of a WordPress security plugin, which I could access without logging in. It was like finding a business card of a security team at the doorstep.

Wait a moment.

Let’s turn this into a multiple choice question.
What is the reaction of thieves on the business card?
A. Let’s skip this house.
B. I know how these guys operate. Piece of cake.
C. Look at the big bird and the shield of armor. That is pretty neat. We need 500 of those cards.

Definitely something for an action movie.

Some tips:

  • Read the reviews of the WordPress plugins.
  • Install WordPress plugins from the official site.
  • Write down, what works.
    Some plugins do not mix. This might be the cause of the strange behaviour of my firewall.
  • Make an offline copy of the website before tweaking.
  • Tweak the website security several times a year.
  • Go to your web site on a regular basis and install the updates.
  • Keep on an eye on Social Media.
    Troy and Santosh are great sources.
  • Basically, explore your web site security.

Appendix A bit of data crunching
For my first real life forensic investigation I wanted to use the gathered data. As in Data the Gathering. In order to process my e-mails I used baregrep, vim, Javascript, CSS, HTML.

People had attempted to break in my web site. I expected a concentrated set of failed attempts like
expected heat map

When I looked to the patterns I noticed this:
observed heat map
This is an example of a Blink Test. Lots of info processed in milliseconds and still getting useful info.

Facts:

  • Combinations were entered once.
  • Combinations where user name was the same as the password were frequently used.
  • The same for combination with user name equal to admin

Conclusions:

  • There is a high chance that a group tried to break in. There is a moderate chance that there were more groups which used different lists.
  • A popular user name is admin. See the first column.
  • Single words are favourite, followed by words and numbers.
  • Some user names and passwords were linked to my blog.
  • My blog posts are read.

daD Talk

One of the things I wanted to develop is critical thinking. Not only by myself, but also by my kids themselves. The led to a rather unpleasant start of one of those dad kid conversations.

There was no way back: a subject I tried to delay for a few years:
computer security.

The complaint about a program was packaged as a request:
“I want to have a computer, which can execute [dangerous module] programs without using [dangerous module].”

I exhaled. My kid had absorbed the information and realised that the use could have a severe consequence for the computer. No more computer time. On the other hand the disadvantages were too big to forget about it.

I tried to find a solution, but I could not find one. If a program can change things on a computer, then it can do bad things.

While blogging I realised I was wrong. There was a work around.
There are programs, which can do same things like the original program, but they are built differently. They are called emulators. Some gamers like to play low resolution games on emulators of very old operating systems.
Wow, that’s my kid.

It’s hammer time
“If you have a hammer, then you can use it to break a window. But that’s not right.”
My kid nodded.
“So I program the hammer, so it cannot be used for a window glass. Then I can go to a door and use it to break a lock. I can program it not to break a lock. Then I can use it for a window frame.”

It would be easier to tell the hammer it could only be used on wood. This looks brown and it has grains. But it could be changed, so that everything looks like wood.”
I made a wide gesture with my arm pointing to different objects in the room.

“But I could change the picture. All objects would look like wood. That is not a good idea, so I store the picture in a book. But the picture in the book can still be changed.

Then I could place a lock on it. But the lock could be picked. I could place a better lock on it, but then the whole book could be replaced by another book.

And that’s why it is so difficult to secure things.”

Another unpleasant guest
My kid had seen a cool app. And it should be installed absolutely. So I did my dad thing:  looking at the permissions, which I would grant to the app. It could handle my files. It was just a game and why should game have a peek at my files? Time for the bad news.

So I told my kid, that the app would access files on the phone. The reply was to buy a phone just for games. Then I told that after a while the phone would be also used for other purposes like making pictures. “You don’t want your pictures in someone else’s hands.” There was a lack of nod.

I needed another way to tell the warning. A visual one.
“Suppose someone comes in. He looks television for the whole evening. And he eats the whole fridge empty.

If you protest, he will say:
“You said I could come in.”

The next evening he comes back. He takes the table and the sofa out of the house.

If you protest, he will say:
“You said I could come in.”

Security by Luck

Last week I saw the attack vectors of the most popular attack on
WordPress web sites at the moment.
Just two lines.

Was I prepared? Yep.

In my mail box I had a message, that my web site was updated. It was completely automatic.

I did not even have to press a button. Self service is nice, good service is better. I had the last version of WordPress running. All minor updates are automatically deployed.

Why did I choose WordPress? For one of my test assignments I had to test a WordPress web site. And I did not want to learn another tool to maintain a web site. Sheer luck.

Last year I got an insistent mail from my host provider, that I should upgrade my PHP. The advised version was a safer one.

I dutifully followed the instructions: pressing buttons instead of typing long commands after the prompt. There was nothing scary about.

How did I select my web site host?
I looked for a provider, who provided all kinds of handy services: e-mail, backup, and web site statistics.

“Sheer luck mate. “
“Really? “
“I compared several providers. The one I chose also focused on companies. If I ever would scale up, I had a company, who could help me. “

“Can you be more specific? “

“Sure. I looked for the information on the web site. It was written in a way that I could advise it to a company.

It had also enough tech background information. That was good for my inner nerd. “

“Wait a minute. “
“Yep. “
“You just told, which Content Management System you use for your web site. And that you are using PHP. Are you not exposing too much information? “

“A real hacker can determine this information within seconds. He looks at the source code or using some plug ins.
On my smartphone I have Dual HTML Viewer which is a similar tool. ”
“How did you find that mobile tool? “
“#30daysoftesting

You could call it luck. I prefer to bend it.“

No comments please
Seth Godin once gave the advise to turn off comments in a web site. If the blog post would be interesting enough, then they had to refer to it. Free publicity.

This time saver was a nice advice for me. Yes, I like good comments. Sorry, I focus on writing.

This year I started to test on XSS or Cross Site Scripting attacks. I basically added information to a web site, which changed the behaviour.

If I add html code to a comment, then the comment can be shown in bold or italic. Sometimes it is possible to add extra feature like a window. This can be used to distribute confidential information to other people. Without their permission.

No comment disabled the use of XSS. Luck? Not really.
Seth let me think in another way.

BTW Seth did advise to use comments in the very same blog post.
It is nice to read good things about my blog posts. But for me time is (my) precious.

Don’t be too infectious
One of the criteria to choose my own web site host was full control over the content of my blog. Even I had to pay for it.

There are web sites which provide free web sites, SSL and nice domain names. Their business model or their way to earn money is advertisements on my web site. Of course I can disable it by paying.

On a security conference a Finnish guy showed how advertisements can be misused. He contacted to a web page with a single bad pixel. His system was contaminated within milliseconds. Life on stage.

Reading the right stuff
During one of my visits I saw a familiar computer magazine on the table: “I read it also.”
“It is good.”, was the answer. He also works in the IT, so I valued his input.

Once I read about WordPress tools. There are a lot which are free. So I scheduled my backup and restricted the access with a special tool kit. Sometimes I feel lucky to find easy to use tools.

A Case of Bad Luck
Within two days after pushing my first piece of this blog post on the web I found two annoying items on the web.

Santosh Tuppad had considerable considerations about the use of WordPress by hospitals. And Santosh is a good security tester.

Kristine Corbus, another tester, blogged about the misuse of headers in WordPress.

Then I had a story of Troy Hunt lingering in my memory. He used another Software as a Service for his web site.

“You wrote Troy.”
“It is not a city in ancient Greece, which had the first bad encounter with a Trojan horse.”
“Who’s Troy?”
“It’s the guy who reported about the bleeding cloud and the eavesdropping teddy bears. Troy is a security expert I follow by luck.”

Was I lucky?

Losing gracefully

“Han Toan, something has to be tested.”
I got a short briefing, csv files and decent specifications. A senior tester and I had to test an interface. He started sprinting: opening a csv file and logging bugs. I froze. No time for writing test cases and reviewing them. I confessed to the tester, that I was uncomfortable with the situation. I tested a csv file, but I was losing gracefully.

Theory and practice revisited
The following text is translation of a text I found in a Dutch farm:

“Theory is: if one knows everything and nothing is right.

Practice is: if everything functions and nobody knows why.

In this company theory and practice are combined.

Nothing is right and nobody knows why.”

Learning to win
One evening I was playing Skip-Bo with my wife. My plan was to lose gracefully. So I forced myself to play the wrong cards. Her position in the game improved gradually. She was happy, so was I.

After a while I was holding too many good cards in my hand. There was no way, that I could hide them for long. I would either win or lose awkwardly. The last option was worse than the first one.

In the months after this clumsy situation I tried to repeat the steps during other games. What was the first wrong move I made? What were my following strange steps? Based on my observations I was able to extract a single rule to win or heuristic.

I think, that I might be able to find scientific evidence for my heuristic. But I chose not to, because it worked. That was my goal.

No log in required
During an afternoon session James Bach told about testing without scripts. He was in a hotel lobby and saw a computer. He described the techniques and heuristics he used to get access to this computer. At the end he succeeded.  

I was in the library. Killing my time with browsing newspaper articles. But that was not exciting after a while. I had an appointment within half an hour. In the meantime there should be something to be tested. I was still staring at the computer, when I remembered the story of James.

The computer environment had 2 access levels for normal users. A guest could use only basic functions, which were also limited. I did not have a library subscription, which would grant me a time slot to use standard office software and the browser. I could buy a time slot, but that would lower the challenge.

So I started testing the applications. There were many search engines for news and books. Then I noticed, that I could open the browser. It did not take me much time to go the download area. A document with Resume in the title drew my attention. I expected an error message, when I would attempt to open the file.

Then I actually opened the file. I had access to Word. And to personal data like name, address, birth day, …. I got more information than I had anticipated.

It was time to inform the information desk about this particular situation. One of the women acted adequately:
“Did you log in?”
“No. I did not log in.”
One brief look on the computer screen made her check the other computers in the library. She asked me the steps to reproduce the error. After my answer she continued with:
“After logging out the cache should be cleared. I’ll contact the system administrator about this situation. ”

I went back to the computer, which still showed the resume. I closed it. Then I noticed, that a pdf reader had been installed on the PC. One of the recently opened files contained passport in the name. One click gave me a high resolution full colour scan of a passport including social security number and picture of a fellow citizen.

I had made a little start. To explore in unknown environment. Without a script.

 

Déjà vu

Story number 1
My wife and I were enjoying the sun set. We had settled ourselves on a bench with cushions on the beach. A waiter came in our view:
What would you like to drink?
My wife answered:
“One hot chocolate milk please.”
“With or without whipped cream?”
“Without whipped cream.”
Then it was my turn to order a drink:
“One tea without whipped cream. ”
When the waiter went away, my wife remarked something about my joke.

After a few minutes the waiter came back with two hot chocolate milks without whipped cream.
“I did not order this beverage.”
“You ordered a hot chocolate milk without whipped cream. ”
“I ordered a tea without whipped cream. ”
The waiter was silent for a few moments. Then he offered me to bring me a tea.

Story number 2
When I was looking for a parking space for the car, one of my kids said:
“That car has the same colour.”
I said something like “A huh”.

I parked the car and my wife left to do some fast shopping. I stayed with the kids. After a few minutes I noticed movement in the rearview mirror. My wife had changed her coat, hair colour and glasses. And she had shopped.

“Something is wrong.” flashed through my mind. I turned around to have a good look. The woman looked me straight in the eyes. She was surprised. Her view shifted to the license plate. Then she looked to me with an apologising smile.

She slowly turned around, looking for her car. Then her eyes fell on a car with the same colour, the same model and the same brand. And off she went.

Breakdown
The waiter and the woman have some things in common: first they used the auto pilot (System 1). Then they forced themselves to think (System 2). This leads to the following graph:mindful-tester-deja-vu-systems-timeline

Back to business
The following story is fiction. So enjoy.  

Steve was waiting for things to happen. For more than one hour it was just him and his pen. The other stuff was boring: the same people moving on the screens in the same patterns. He noticed, that a pizza delivery boy parked his car on the parking lot. He just knew, that it was a pizza delivery boy. While many of his colleagues were regarding strangers as potential criminals, he just looked and knew.

The young man came to his desk:
“One large pepperoni pizza for mister Neal.”
“Sorry”, Steve replied. “You are not allowed to deliver, because your delivery is not on the list.”
Then a phone call came in.
“Hi Steve, John here. I forgot to notify you, that a pizza would be delivered.”
Steve checked off the following points:

  • It was the internal phone number of John.
  • He had an American accent with Scottish accent.
  • He was always late with meal notifications.

“Sure, no problem. One pizza coming up.”
“Fine. I’m hungry.”
Steve thought: “He always is.”.
He said to the pizza delivery boy:
“You can go the 6th floor. Mister Neal is wearing a T shirt.”
Steve thought: “He always is.”.
The young man nodded and entered the elevator.

Outside a car stopped. The same man came to Steve’s desk. Steve looked at the first car, which was still parked outside. There was something wrong. The pizza delivery boy looked genuine.
“He’s real.”, flashed through his mind.
Steve asked: “One large pepperoni pizza for mister Neal?”
“That’s right. Can I deliver the pizza?” with the same voice.
Steve looked at the monitor, which showed the same delivery boy in the elevator.

He looked to the pizza delivery boy.
“I have to write down the delivery time.”, while tapping 3 times on his watch. 3 short taps is S in morse: Social engineering threat. He felt 3 short vibrations of his watch. Now Steve had 3 minutes to evaluate the situation, before the alarm went off.

In the meantime another pizza delivery boy with the same face had come to his desk:
“One large pepperoni pizza for mister Neal.”
The same face, the same suit and the same voice.
“He’s not an actor. The body language is from a reluctant man trying to earn extra money for his study.”
Steve looked to the two pizza delivery boys standing for his desk: they looked like twins.

John was a hungry programmer: he ordered at most two pizzas at a time. Steve recalled, that John had ordered just one pizza. He pressed his two hand palms on the desk to push himself up. This way he concealed two small movements. With his right index finger he pushed the Down The River button. People inside the building could only leave the building: elevators would only go downstairs; doors would only open to the hallway. Etcetera etcetera. Annoyance crept in Steve’s mind:
“This is the real thing and my intuition failed me for the first time.”

With his left index finger he locked the control panel in front of him. While Steve was standing at ease, he casually placed his right palm on his watch. The watch scanned his palm and vibrated for half a sec: the alarm was confirmed. He imagined himself as a concrete wall. Now he had to stall, until the backup would come. The guitar music from the opening scene of Pulp Fiction started to play in his head. He defocused to get a better view of the situation. This way he could see the two pizza delivery boys and the entrance at the same time. Then tensome pizza delivery boys entered the building. Packed with pizza boxes. The trumpets in his head began to play harder.