Category Archives: Computer Security

WordPress Name+Number Login/Registration Attacks

I’ve been seeing brute-force login attacks on another of my WordPress sites, but instead of targeting typical usernames like admin or extracting post authors, they’re random name and number combinations like Emanuel95A. What use could that possibly be? You’re not likely to hit on an existing user that way.

It turns out it’s not a dictionary attack after all. It’s not really a login attack either, at least not deliberately. It’s actually a bot trying to register new usernames (maybe for spam, maybe in preparation for a privilege escalation attack, who knows?), which explains the name and number combination: they’re actually trying to get a username that’s not already in use.

The bot hasn’t figured out that registration is turned off, so when WordPress redirects it to the login form, it keeps trying to register…in the login form…over and over until it gets locked out. (On a related note, if you don’t have something like the Limit Login Attempts plugin on your site, install one now.)

Because registration was off and repeated logins were blocked, it wasn’t currently a threat, but the alerts for all the lockouts were getting a bit annoying. I decided that instead of nicely sending the “user” to the login page, I’d kick back a 403 error. Rather than hack WP or write a plugin, I just added a mod_rewrite rule:

# Broken register bots are repeatedly trying to log into the site.
# Condition 1: the query string asks for the registration page, or is the
# "registration=disabled" page WordPress redirects to when registration is off...
RewriteCond %{QUERY_STRING} (registration=disabled|action=register) [NC,OR]
# ...or condition 2: the request (typically a login POST) was referred from that page.
RewriteCond %{HTTP_REFERER} registration=disabled [NC]
# Either way, answer 403 Forbidden instead of serving the login form.
# (The dot is escaped so the pattern matches only wp-login.php, not wp-loginXphp.)
RewriteRule ^wp-login\.php - [F,L]

That leaves the form active under most circumstances, but stops everything if it’s been redirected from the registration page.
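To see which requests the rule would actually block before deploying it, here is an added example (not code from the original post) that applies the same two conditions to a handful of constructed Apache "combined" format log lines and tallies hits per client. The log lines, the documentation-range IPs and the example.com hostname are all constructed for this illustration; the substring matching on lowercased text is meant to reproduce the `[NC]` behaviour of the RewriteCond lines.

```python
"""Triage Apache access-log lines for the broken-register-bot pattern.

Added example, not code from the original post. It applies the same two
conditions as the mod_rewrite rule above (case-insensitive substring match,
like the [NC] flag) to constructed "combined" format log lines, so you can
check what the [F] rule would turn into a 403 before deploying it.
"""
import re

# Apache "combined" LogFormat. The sample lines below are constructed.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: one bot cycling register -> disabled -> login POSTs,
# one legitimate login, one unrelated page view. IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2013:12:00:01 -0700] "GET /wp-login.php?action=register HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:12:00:02 -0700] "GET /wp-login.php?registration=disabled HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:12:00:03 -0700] "POST /wp-login.php HTTP/1.1" 200 2345 "http://example.com/wp-login.php?registration=disabled" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:12:00:04 -0700] "POST /wp-login.php HTTP/1.1" 200 2345 "http://example.com/wp-login.php?registration=disabled" "Mozilla/5.0"
198.51.100.4 - - [10/Apr/2013:12:05:00 -0700] "GET /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Apr/2013:12:05:10 -0700] "POST /wp-login.php HTTP/1.1" 302 0 "http://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.9 - - [10/Apr/2013:12:06:00 -0700] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it doesn't parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_register_bot(req):
    """Mirror the rewrite rule: wp-login.php at the site root, plus either
    RewriteCond. Substring checks on lowercased text reproduce [NC]."""
    path, _, query = req["target"].partition("?")
    if path != "/wp-login.php":  # RewriteRule ^wp-login\.php, site at the root
        return False
    query, referer = query.lower(), req["referer"].lower()
    return ("registration=disabled" in query        # RewriteCond %{QUERY_STRING}
            or "action=register" in query
            or "registration=disabled" in referer)  # RewriteCond %{HTTP_REFERER}


def triage(log_text):
    """Return (flagged requests, hit count per client IP) for a log excerpt."""
    flagged, per_ip = [], {}
    for line in log_text.splitlines():
        req = parse_line(line)
        if req and is_register_bot(req):
            flagged.append(req)
            per_ip[req["ip"]] = per_ip.get(req["ip"], 0) + 1
    return flagged, per_ip


if __name__ == "__main__":
    hits, counts = triage(SAMPLE_LOG)
    for r in hits:
        print(f'{r["ip"]} {r["method"]} {r["target"]} ref={r["referer"]} -> would be 403')
    print("hits per IP:", counts)
```

Run against a real access log excerpt, only the bot's four requests are flagged; the ordinary login (no `registration=disabled` anywhere) and the page view pass through untouched, which is the "leaves the form active under most circumstances" property the rule is meant to have.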

What’s Wrong With Facebook Updating Itself on Android?

Yesterday, my phone suddenly started downloading something called “Facebook build (somethingorother).” It didn’t show any progress, wouldn’t go away, and I worried that maybe it was a piece of malware or something buggy. A quick search turned up nothing. A later search found other people asking what this was. Late last night, there were articles about “Hey, why is Facebook updating itself!”

It turns out that yes, Facebook is now downloading its own updates on Android phones and tablets instead of just pushing them out through the relevant app stores (Google Play and Amazon, mainly). I’m sure they thought it was a great idea — web browsers like Firefox and Chrome have been doing this for several years on the desktop.

The problem is that it violates expectations of what the app will do, and where your software is coming from.

Imagine your car’s manufacturer issues a recall. Now imagine three scenarios:

Scenario 1: You receive a notice of the recall, asking you to make an appointment to bring the car in for maintenance. (For those of you who don’t drive, this is how it normally works.)

Scenario 2: You receive a notice offering to send a technician out to do the repairs at your home or workplace. (This would be awesome, but impractical.)

Scenario 3: You’re sitting in the living room when you hear a noise from the garage. You go out to investigate and find someone messing with your car.

That’s what this feels like.

It’s one thing to offer software through third-party channels. The fact that it’s possible is one of the reasons I prefer Android to iOS. In that case, notifying me of updates, maybe even simplifying the download would be very convenient — if I know ahead of time that it’s going to happen. And if they’re not switching channels on me. A download coming from some new location, but claiming to be a familiar piece of software, and a notice telling you to install it? That’s how trojans work.

In short, it’s a violation of trust…and if there’s one thing we’ve learned about Facebook over the last few years, it’s that the social network has enough problems with trust.

Backup Lesson from the Emerald City Comicon Hack

Emerald City Comicon’s website was hacked and deleted this week…along with all their backups.

Ouch.

Ticketing is all handled offsite by EventBrite, so tickets and financial info are safe. They’ve redirected their URL to the Facebook page while they rebuild their website.

Lesson learned: Isolate your backups.

I don’t just mean physically. Yes, you need to keep some offsite in case the reason you lost your server is that the building caught fire. But isolate the online access as well. If you back up your site by pushing the backups from your server to a remote location (either self-hosted or cloud storage like Dropbox or Amazon S3), those credentials are stored on your server somehow. What could an attacker do with them?

Consider: If someone breaks into your web server, what else can they do in addition to vandalizing your site? Can they access other databases? Can they hop onto your internal network? Retrieve or alter private files? Can they get at your backups? If so, can they get at all your backups including private documents?

The answers are going to depend on your network and backup setup. But they’re questions you need to start asking.
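One concrete way to start answering "what could an attacker do with the backup credentials on my server" is to write down what those credentials permit and check it against the actions an intruder would try. The added example below (not from the original post) contrasts a typical over-broad push-backup policy with write-only credentials, in IAM-policy style for an S3 bucket. The bucket name, object keys and policy documents are constructed, and the evaluator is a deliberate simplification of AWS's real policy engine (explicit Deny wins, otherwise an Allow is required, and `*` is the only wildcard handled), not a faithful reimplementation of it.

```python
"""What can a compromised web server do with its backup credentials?

Added example, not code from the original post. It models the "push backups
from the server to S3" setup the post describes: whatever the stored
credentials allow, an attacker on the server can do too. Policies are written
in IAM-policy style but are constructed for this example; the evaluator is a
simplification (Deny overrides Allow, '*' wildcard only, no Conditions).
"""
import fnmatch

BUCKET = "arn:aws:s3:::example-backups"          # constructed bucket name
OBJECTS = BUCKET + "/*"

# Constructed: the over-broad policy many push-backup scripts end up with.
FULL_ACCESS_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": [BUCKET, OBJECTS]},
    ]
}

# Constructed: write-only credentials. The server can add new backup objects
# but cannot list, read or delete what is already there, or change the bucket.
WRITE_ONLY_POLICY = {
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": [OBJECTS]},
        {"Effect": "Deny",
         "Action": ["s3:GetObject", "s3:DeleteObject", "s3:DeleteObjectVersion",
                    "s3:ListBucket", "s3:PutBucketPolicy",
                    "s3:PutLifecycleConfiguration"],
         "Resource": [BUCKET, OBJECTS]},
    ]
}


def _matches(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: any matching Deny wins; else need an Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt["Action"], action) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


# What someone who has taken over the web server would try with the creds.
# The first one is the legitimate backup job; the rest are the ECCC scenario.
ATTACKER_ACTIONS = [
    ("s3:PutObject", OBJECTS.replace("*", "site-2013-04-10.tar.gz")),
    ("s3:ListBucket", BUCKET),
    ("s3:GetObject", OBJECTS.replace("*", "site-2013-04-09.tar.gz")),
    ("s3:DeleteObject", OBJECTS.replace("*", "site-2013-04-09.tar.gz")),
]


def exposure(policy):
    """Return the set of attacker actions these credentials would permit."""
    return {action for action, res in ATTACKER_ACTIONS if is_allowed(policy, action, res)}


if __name__ == "__main__":
    for name, policy in (("full access", FULL_ACCESS_POLICY),
                         ("write-only", WRITE_ONLY_POLICY)):
        print(f"{name:12} permits: {sorted(exposure(policy))}")
```

With the first policy every action succeeds, so a break-in on the web server is also a break-in on the backups, which is exactly what happened to ECCC. With the second only the backup upload itself goes through. One caveat the evaluator makes visible: `PutObject` on an existing key overwrites it, so write-only credentials need bucket versioning (with the `DeleteObjectVersion` deny above) before old backups are truly out of reach. The other way to get the same isolation is to reverse the direction entirely: have a separate backup host pull from the web server, so the server holds no backup credentials at all.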

Recent Links: Comic Strips, Moon, Hotspot Safety, Flash Forward and More

Comic strips and art:

Sci-fi and fantasy:

  • Keeping Up With the Cardassians. For months, this is what I heard every time someone mentioned the Kardashians. (What can I say? My brain is more attuned to Star Trek than to reality TV.)
  • Author Robert J. Sawyer answers pointed questions about Flashforward and the TV adaptation, including what went wrong. I have to agree that it was really hurt by focusing too heavily on the conspiracy arc.

Coolness!

Tech stuff:

Recent Links: Books, Comet Photos, Language and More

Catching up on linkblogging.

Comic Strips

  • I found a printout of this User Friendly comic strip while cleaning out my old desk last month. Ah, tech support! Help, I can’t send e-mail!
  • XKCD on spambots vs. constructive comments (warning: language)
  • Two comic strips about book collections: Wondermark and Girl Genius. I stumbled on the Wondermark strip at Long Beach Comic-Con (write-up is online) and it really hit home, between the fact that I grew up loving books for exactly this reason, and the impending arrival of the next generation. As for Girl Genius, I think Castle Heterodyne’s library could give the Beast’s a run for its money.
  • Fake Science explains the difference between regular and decaf coffee. Insert obligatory “It was ground this morning” joke.
  • C-Section Comics shows the difference between iPhone, Android and Blackberry users. For the record: Android user, picked up the link from an iPhone user. Hmm…

Photos

Other Stuff