Category: Computer Security

Posted on
by

It’s always annoying when someone figures out a way to exploit intentional behavior, especially when it’s a key part of the design.

Sucuri reports on a denial-of-service attack that used thousands of legit WordPress sites to distribute the attack by sending fake pingbacks “from” the target site to all of the reflectors. Those blogs would all contact the targeted site to confirm the pingback and retrieve a title and summary…all at once, overwhelming it and taking it offline.

The quick-and-dirty solution is to remove XML-RPC functionality, but that also breaks certain plugins (like Jetpack) and the ability to connect to your blog using the WordPress mobile apps.

A little background on why Pingbacks work this way:

Waaaay back in the early days of blogging, most bloggers would interact by way of comments. If you wrote a blog post, and I was inspired to write a response, I would then go over to your site and post a comment letting you know about my own post. Two systems were proposed in 2002 to automate this process: pingbacks and trackbacks.

  • Trackbacks sent a complete summary to the remote blog, including the title of your post, the link, and an excerpt (which you could manually craft, or let your software handle).
  • Pingbacks sent a notice — a “ping” — to the remote site with the URL of your post, and then the remote site would retrieve it and extract the title and a summary.

This was also around the time that blog comment spam and spammy blogs were getting to be a big problem. What would happen is a spamming site would send out trackbacks to as many sites as possible claiming that they’d responded to some post, thereby getting backlinks on a zillion blogs and increasing their page rank. Pingbacks had an advantage: Because you were calling back already, your server could check to see whether the other site really had linked to you. It took a long time, but eventually this escalated into spammy blogs creating a temporary post with real links to the pages they pinged, then replacing it with a spam page after a short amount of time.

The problem now is: How do you block abuse of an as-designed behavior? That’s happened before: Back in the early days of the internet, it was considered polite to run your mail server as an open relay and rude to lock it down, but after spammers started massively abusing them, an open relay became a sign of a sysadmin who didn’t know what he was doing.

The comments on the Sucuri article suggest that Akismet, as a collaborative comment-spam filter, might be able to mitigate this type of attack. Wordfence’s collaborative security filter seems like another system well-positioned to detect it. But if that approach fails, pingbacks might just go the way of open relays.

Update March 18: Akismet has released a new version of the anti-spam plugin that mitigates this problem in two ways:

  1. Spam checks on pingbacks are now done before the verification request is sent, so that once an attack is identified, Akismet will prevent blogs from participating.
  2. An X-Pingback-Forwarded-For header is added to the verification request identifying where the pingback actually came from, making WordPress+Akismet a less attractive choice as a reflector by removing the anonymity.

Item #2, IMO, belongs in WordPress itself, not in a plugin, but I imagine this was a way to roll out the feature more quickly, at least to those sites using Akismet.

Update April 8: The X-Pingback-Forwarded-For header has been added to WordPress 3.8.2 and the upcoming 3.9.

Posted on
by

Every time I listen to Vienna Teng’s song, “The Hymn of Acxiom,” it gets creepier. It’s beautiful, it’s haunting…and it’s all about how big data is keeping track of every trace we leave, piecing together a more and more detailed picture of each of us in order to feed us back the perfect, tailored life, and isn’t that what we wanted?

Tracking. Privacy. Social media. Filter bubbles.

And I always think, “I need to post something about this on Facebook…”

And that just creeps me out more.

Posted on
by

I’ve been seeing brute-force login attacks on another of my WordPress sites, but instead of targeting typical usernames like admin or extracting post authors, they’re random name and number combinations like Emanuel95A. What use could that possibly be? You’re not likely to hit on an existing user that way.

It turns out it’s not a dictionary attack after all. It’s not really a login attack either, at least not deliberately. It’s actually a bot trying to register new usernames (maybe for spam, maybe in preparation for a privilege escalation attack, who knows?), which explains the name and number combination: they’re actually trying to get a username that’s not already in use.

The bot hasn’t figured out that registration is turned off, so when WordPress redirects it to the login form, it keeps trying to register…in the login form…over and over until it gets locked out. (On a related note, if you don’t have something like the Limit Login Attempts plugin on your site, install one now.)

Because registration was off and repeated logins were blocked, it wasn’t currently a threat, but the alerts for all the lockouts were getting a bit annoying. I decided instead of nicely sending the “user” to the login page, I’d kick back a 403 error instead. Rather than hack WP or write a plugin, I just added a mod_rewrite rule:

# Broken register bots are repeatedly trying to log into the site.
RewriteCond %{QUERY_STRING} (registration=disabled|action=register) [NC,OR]
RewriteCond %{HTTP_REFERER} registration=disabled [NC]
RewriteRule ^wp-login.php - [F,L]

That leaves the form active under most circumstances, but stops everything if it’s been redirected from the registration page.

Update: Brion sums it up over at Google+:

Malware needs better exception handling 😀

Posted on
by

Have you ever abandoned an email address? Did you make sure everyone switched to your new one? If your old provider has reissued the address to someone new, your old contacts could still be sending mail to someone else with your personal information.

This shouldn’t be a surprise, but InformationWeek reports that Yahoo! users who’ve picked up recycled addresses are getting important mail meant for the previous owner of the email address.

It started off with some stuff from catalogs and clothing companies and I thought, ‘That’s fine, I’ll just unsubscribe.’…But then I started getting emails with court information, airline confirmations, a funeral announcement…

Update: Yahoo! is introducing a “not my email” button to report mistaken deliveries.

Well, that’s an interesting approach to the misdirected email problem. This might even be useful as a general solution beyond recycled addresses. I once ended up receiving someone else’s Sears receipt and promotions, I assume because of a sales clerk’s typo.

But I find myself wondering about the potential for backscatter, collateral loss of mail, and just how people will actually use it in relation to the report spam button.

And that’s just with the honest people who get the reused mailbox!

Update 2: For commercial email especially, XKCD points out the importance of actually verifying that the email address someone gave you is theirs, and not someone else’s address written as a typo, and Word to the Wise highlights some real-world cases they’ve written about in the past.

Originally posted as two link posts on Facebook and one on LinkedIn.

Posted on
by

Yesterday, my phone suddenly started downloading something called “Facebook build (somethingorother).” It didn’t show any progress, wouldn’t go away, and I worried that maybe it was a piece of malware or something buggy. A quick search turned up nothing. A later search found other people asking what this was. Late last night, there were articles about “Hey, why is Facebook updating itself!”

It turns out that yes, Facebook is now downloading its own updates on Android phones and tablets instead of just pushing them out through the relevant app stores (Google Play and Amazon, mainly). I’m sure they thought it was a great idea — web browsers like Firefox and Chrome have been doing this for several years on the desktop.

The problem is that it violates expectations of what the app will do, and where your software is coming from.

Imagine your car’s manufacturer issues a recall. Now imagine three scenarios:

Scenario 1: You receive a notice of the recall, asking you to make an appointment to bring the car in for maintenance. (For those of you who don’t drive, this is how it normally works.)

Scenario 2: You receive a notice offering to send a technician out to do the repairs at your home or workplace. (This would be awesome, but impractical.)

Scenario 3: You’re sitting in the living room when you hear a noise from the garage. You go out to investigate and find someone messing with your car.

That’s what this feels like.

It’s one thing to offer software through third-party channels. The fact that it’s possible is one of the reasons I prefer Android to iOS. In that case, notifying me of updates, maybe even simplifying the download would be very convenient — if I know ahead of time that it’s going to happen. And if they’re not switching channels on me. A download coming from some new location, but claiming to be a familiar piece of software, and a notice telling you to install it? That’s how trojans work.

In short, it’s a violation of trust…and if there’s one thing we’ve learned about Facebook over the last few years, it’s that the social network has enough problems with trust.