Getting and Staying Safe

You’ll find lots of places that will advise you on safe computing. Here’s my quick advice.

  • Install all Windows updates
  • Install Microsoft Security Essentials – free antivirus program. If you already have an antivirus program on your computer, and it is current, go ahead and use that. If it has expired, just uninstall it, then install MSE from the Microsoft Protect site (www.microsoft.com/protect). After installation, get any updates, then do a quick scan of your computer. Do a full scan later; they take a while. If MSE finds anything, delete it. (BTW, there are some good computer safety tips on that site.)
  • Install Personal Software Inspector from Secunia (www.secunia.com). It’s free. It will keep all of your other programs current. Do a scan, update everything.
  • Uninstall Java. Look for it in Control Panel, Add/Remove Programs. It is probably not needed on your computer. (Some business applications use it; if so, make sure it is updated.)
  • Change all of your online passwords. Don’t use the same password everywhere. Don’t use dictionary words. This is important, especially on financial sites.
  • If you access your financials on-line, don’t do it at a public place. Do it at home, where you have a password for your wireless Internet. (You do have your home wireless password-protected, right?)
  • Be careful about clicking on any links in emails or Facebook or other social sites. Be careful when any place asks you for your user name and password. Make sure it is legit.

So those are some quick tips about getting and staying safe.

Oh, and one other thing. Your data is important. I use Carbonite to automatically back up all of my data without any effort on my part. Use this link: http://refer.carbonite.com/a/clk/1Tjw3f (Disclosure: I get a finder’s fee if you sign up, but there is no additional cost to you. I’ve been a Carbonite user for more than two years, and am very satisfied.)

More Form Spammer Blocking

A few posts ago, I wrote about a technique to block form spammers. It is very effective, and easy to implement. More details in the post there, or you can see it in action at FormSpammerTrap.

I made a tweak to the program that allows for a resubmit of the form when a correction needs to be made to a field that doesn’t implement the form spammer blocking trick. A small tweak to add the blocking function, but needed on one of the sites that has implemented it.

Full details are found at the FormSpammerTrap site. The technique is still open source, free, no obligation. And it just works. I put it on another site today that was having form spam problems, and the technique stopped the form spam immediately.

Check it out.

Bogus Update Sites

Just found a site that has apparently been hijacked. I used it as a source for some nice wallpaper images (open source) and logos for the Soldiers of Suicide site I built for that organization. I wanted to look for some images for another project, so went to that site again.

When I went to the main page, I got an ‘outdated Java’ warning, with an invitation to click on a link to update my installation of Java. I don’t do that (never install software from a place that ‘helpfully’ alerts you to a needed update, unless it is the actual vendor’s site). So I attempted to close that browser tab, and immediately got additional warning messages, and was unable to close that tab without using Task Manager to kill the browser.

I wanted to notify the site owner about the apparent site hijack, and noticed that the site owner had changed in the past couple of days, to an owner in Indonesia. Another warning sign of a bogus site. Apparently, the original site owner had let their domain lapse, and it was grabbed by a hacker who is trying to push an infected “Java” update.

So, the warning is to be very wary about clicking on links that suddenly pop up with a security update warning. If you need to make sure your software is up to date, use the Personal Software Inspector from Secunia. Recommended; it will ensure all your software (not just the OS) is kept current. It is free for personal use. I have used it through several versions, and install it on all of my personal/family systems.

Ultimate Form Spammer Blocking

A while back, I wrote about a technique to block form spammers. I have implemented it on several sites that I have built. In some cases, the site originally didn’t have any protection against form spammers, or used easily-bypassed techniques like hidden fields, silly questions, changing contact page names, or even captchas. Even with those techniques, form spam still arrived.

In most cases, the volume wasn’t enough for me to worry about. Sometimes, a form spammer would find one of my site forms, and start spamming it daily. At that point (when it started getting irritating), I would implement my ‘ultimate form spammer blocking’ technique. And the form spam immediately stopped; the form spammer was never seen again on that site.

So I have put together a package of files that you can use in your site forms to get rid of your form spam. It’s all open source, and quite clever (he said with some modesty). With just a few modifications of your form, and adding one or two files to your system, you can get rid of your form spammer problem.

The package of files is written in PHP, and requires that your visitor has JavaScript running (not Java). But once you set things up, you will not be bothered by form spam again. Your form spammers will get redirected to my Form Spammer Trap site instead of sending your form spam.

The package includes support for WordPress sites, with the use of a template that you specify for your contact page. No special add-ins needed, although you may need to do some minor CSS formatting changes. Full instructions on how to implement in your site, whether PHP-based or a WordPress site, are included in the package.

So, how do you get it? Well, you use our contact form. Just fill in the form with your name, email address, and comment text of “I want your form spammer blocking package” (along with any other comments), and I’ll get the zip file out to you. Don’t use the comment form on this post, unless you really want to expose your email address.

Our Contact form uses our Ultimate Form Spammer Blocking technique. If you want to see what will happen to a form spammer, just click on the “Submit” button on the contact page (don’t click anywhere else). We use the WordPress template version of the package, so you can see how it looks with our site theme.

And it is all free, although donations are accepted. If you don’t think you can install it yourself, contact me and we’ll arrange for some help at a nominal fee. Or if you don’t want to use our package, the technique is shown on our previous post about preventing form spam, so you can roll it yourself.

But our ‘Ultimate Form Spammer Blocking’ package will get rid of any form spam on your web site. It really works!

(Added: If you want more details, go to my Form Spammer Trap web site that uses the technique. That site is where form spammers will end up.)

Mail Retention Problems

I manage some other web sites, besides the ones that I create for my own amusement. One of them is for Dr. Jerry Pournelle, a science fiction author and really smart guy. The site, which always has some good commentary on lots of different subjects, is called “Chaos Manor”; the blog site is at www.jerrypournelle.com/chaosmanor. Dr. Pournelle had a monthly column with Byte Magazine, one of the premier computer magazines. Like a lot of computer magazines that exploded in size and readership in the early days of personal computing (1970’s-1980’s, for those that are interested in ancient history), the magazine is a shadow of its former self. Dr. Pournelle was probably one of the first ‘bloggers’ before that term was even invented. In any case, it’s a very interesting site.

He gets a lot of email, which he uses as fodder for his blog. He downloads all of that email to his local computer network’s Outlook installation. The mail is received by the hosting company, then he downloads it to his local Outlook system, with the setting to delete the mails from the hosting system. There are several email addresses that he has used over the years, but all the emails are forwarded on the host system to his primary email address on the hosting system.

And therein lies the problem. When you set up forwarding on just about all hosting systems, the message is retained in the original account. And since messages are only downloaded from the main account, the other email addresses have messages that never get deleted. If you get a lot of email, the number of message files just keeps increasing. In Dr. Pournelle’s case, the file count got over 700K. The hosting company wasn’t happy about that number.

So options are to increase the allowed file count by paying more for hosting, or get rid of all of the old message files manually. All 700,000 of them. That would take quite a while, as in fact it did. I was able to delete about 500,000 of them, but it took many hours (days, actually). And that is only a temporary solution. The file count will only increase, and I will have to do the whole process again at some point.

So I was looking at options. The first would be a setting on the forwarded accounts that would forward and delete. But that option is not available. Well, there is probably some script that could be run to do that, but the ‘googles’ are inconclusive on a known good solution for that.

Another option would be to use a forwarding process only, without an actual email account for the forwarded email. But that doesn’t work properly; mail can get lost. So that’s not a good solution.

So, it looks like a script is what I need to create. I’ve got a good start on it, with the PHP program I wrote that checks sites for changed files (here: http://securitydawg.com/?p=109). I just need to adjust it a bit to select and delete messages that are xx days old (so as not to delete any mail messages that haven’t been downloaded yet).

But it would be nice if the hosting company had a forwarding process that would ‘forward and delete’.


Checking Your Web Site for Changed Files

I manage several web sites. Most of them are for my amusement. A monthly count of visits to some of these sites can probably be counted on one finger of one hand.

I also manage a few WordPress-based sites. Some of them have a reasonable amount of traffic. As with any type of site, there is a possibility of an attack that might insert some malware code into a page.

An example of this is the recent attack against WordPress sites, by trying to log in as the ‘admin’ user using a dictionary attack of passwords. There were many WordPress sites that were successfully compromised due to poor security or password practices. (See this entry.)

Now the WordPress sites that I manage weren’t compromised by this attack. I always create a new admin-level user and select a strong password. I then log in as that new admin-level user, then demote the existing ‘admin’ user to the lowest authority level, ensuring it has a strong (and different) password. That way, that ‘admin’ user is still there, but a successful login as ‘admin’ would not give the attacker any privileges.

Other sites that I have created and manage are written in PHP, and there is the possibility of attacks there, although I do try to write code that prevents exploitation.

But I needed a way to check a bunch of sites, and alert me if files have been changed. There are paid programs to do that, but a well-written custom program would work too. Here are the requirements for such a program.

  • The program should look at all files on the site, and compute a ‘hash’ of some sort.
  • The program should store those file names and hash values in a database table.
  • Each time the program runs, it should compare the current file/hash values with the values stored in the database. If the values do not match, then the file has changed.
  • If there are new files on the site, the program should add those to the database
  • The results of new and changed files should be emailed to me
  • The process should be automatically scheduled to run on a regular basis.

That sounds reasonable enough. Since I am the owner of the site, I should be able to look at the email and determine if there were any files changed or added that I don’t know about. Then I can investigate further to see why the file had changed. It would be a good program to have on a web site to be alerted about changes.

Now, there are probably programs out there that do that – paid or open-source. But it would be a good exercise for me to write one of my own. Of course, there might be some code fragments out there in the ‘googles’ that might be useful and save some programming time. But the result would be something that would be very useful to me.

So that’s what I did. The result is a program I call “HashFiles”. It is a fairly simple process, and will work with small and large sites. And it does each of the items in my requirements list. I am rather pleased with myself for figuring it out.

So I decided that the program might be useful for others. If you are interested (and this is assuming that anyone is really reading this blog besides me – perhaps a generous assumption), please indicate your interest in a comment.

A WordPress Attack

It appears there is an attack against WordPress installations that is placing a phony ‘500’ error page on the site that allows additional commands to be executed. I don’t have all the details yet, but one report indicates that there is a brute-force password guessing attack against the ‘admin’ user of a WordPress site.

The ‘admin’ user is created by default on a WordPress installation; that user has full privileges to the WordPress installation. If the owner has chosen a weak password, or one that is easily guessed, then the attacker would get full admin privileges to the WordPress site, including the administrative area.

The WordPress login process allows for brute-force attacks; an unsuccessful login will just let you try again. There might be some delays if you try brute-force logins, but it is possible to keep on trying a WP login.

The attack will put a phony ‘500.php’ file in your site root (and perhaps other places). So a search for those files might be prudent. Delete any that contain unfamiliar code.
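The password guessing described above leaves an obvious trail in the web server’s access log: many POSTs to wp-login.php from one client in a short time. As an added example (not from the post), here is a small Node.js check over constructed Apache-style log lines that counts login POSTs per client address and flags any address at or above a threshold; the threshold of five and the sample addresses are assumptions, and a production version would also window the count by time.

```javascript
// Added example (not from the post): flag clients hammering wp-login.php.
// Matches the Apache "combined" format: ip - - [time] "METHOD path proto" status ...
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /;

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null; // not an access-log line we understand
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Count POSTs to wp-login.php per client IP and return those at/over threshold,
// busiest first. GETs of the login page are normal and are not counted.
function findLoginBruteForce(lines, threshold = 5) {
  const counts = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r || r.method !== 'POST' || !r.path.startsWith('/wp-login.php')) continue;
    counts.set(r.ip, (counts.get(r.ip) || 0) + 1);
  }
  return [...counts.entries()]
    .filter(([, n]) => n >= threshold)
    .map(([ip, n]) => ({ ip, attempts: n }))
    .sort((a, b) => b.attempts - a.attempts);
}

// Constructed sample log: one client posts the login form six times in a
// minute, a second client logs in once and posts a comment, plus one junk line.
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Apr/2013:03:12:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2841 "-" "Mozilla/5.0"',
  ...Array.from({ length: 6 }, (_, i) =>
    `203.0.113.7 - - [10/Apr/2013:03:12:0${i + 2} +0000] "POST /wp-login.php HTTP/1.1" 200 3921 "-" "Mozilla/5.0"`),
  '198.51.100.4 - - [10/Apr/2013:03:15:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
  '198.51.100.4 - - [10/Apr/2013:03:15:12 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
  'not an access log line at all',
];

function report(lines = SAMPLE_LOG) {
  return findLoginBruteForce(lines, 5);
}
```

A WordPress login failure comes back as a 200 with the error form, while success is a 302 redirect, so the parsed status field is there if you want to count failures only; on a busy site, pair this with a per-IP time window and feed the flagged addresses to whatever blocking the host offers.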
Initially, it looks like many sites that have been successfully attacked are also not current in their WordPress version level. So, prevention would indicate these steps:

1) Create a new ‘admin-level’ user with a strong non-dictionary type password.
2) Log in as that user to ensure that all is OK.
3) When logged in as the new admin-level user, demote the user ‘admin’ to the lowest level. Leave the user there just to irritate the hacker.
4) Ensure that your hosting account, and any FTP accounts, have strong passwords. Strongly consider changing FTP passwords.
5) Don’t use an FTP client that stores passwords in plain text. (WinFTP does this.) I recommend WinSCP (open source, free), which encrypts FTP credentials.
6) Ensure your WordPress installation is current. Update all themes and plugins on a regular basis.
7) Check for any rogue user accounts.

And the usual precautions on your home computer: Windows updates, application updates (Secunia Personal Software Inspector is recommended), uninstall Java (if it is not needed; JavaScript is OK), don’t click or open unfamiliar attachments, etc.

As a further protection, consider a program that monitors files for unauthorized changes. I found a concept for a program that stores file names and checksums in a database, then compares those checksums the next time you run the program. Any new or changed filenames are emailed. I am doing some final testing, but it appears to work well.
Be careful out there!

Defeating Form Spam

If you maintain any web site, you probably have a form of some sort where visitors can contact you. And eventually, you will start getting ‘form spam’, which is just what you think it is.

Since I have many web sites (it’s a hobby, with the optimistic theory that one of them will one day be worth millions), the forms on those sites get attacked. The mechanics of the attack are not important here – they are automated form submittals with links. The intent of the spammer is to get those links on your web site, so they can get revenue from the display and clicking of those links.

There are several techniques to block them. Captchas – those squiggly words and letters – are one, hidden fields are another, but those can get bypassed. Even captchas are being hacked.

One technique I used in the past was to just rename the contact form page (and the ‘process the form’ page) filename, getting rid of the old file on the web host. That would usually buy me a couple of months. Hidden form fields might be another few months of protection. I don’t get many form spam submissions – probably because my sites are not well-read (hello to my three regular visitors).

Then I found another technique. This one has promise. It’s mainly for PHP-language based sites (although it could be modified for other languages), and you do need a bit of PHP programming knowledge. So here’s the basics (mostly for my own benefit, to make sure that I remember how to do it).

First step: create a new file called ‘response.php’ (assuming that you don’t already have a file like that). This looks like a promising name to a spammer; change it if you wish. Inside that file, enter this line at the top of the page:


<?php header('Location: http://www.formspammertrap.com/'); exit; // send the visitor away and stop here ?>

Make sure it is the very first line of the file. You can put other stuff in the file’s body area, if you want to further obfuscate things. But the main thing is that if a visitor (in our case, the evil form spammer) goes to that response.php page, they will immediately be redirected to the site in the command. You can change the ‘Location’ value if you want; just make sure it is a real page.

Upload that file to your host, and browse to it to make sure the redirect works.

Next step: edit your contact form page (or whichever page you want to protect). Insert this code just before the “</body>” (end body) code:


<script type="text/javascript">
var Clicked = 0;
// The real form-processing page, split into two halves so that it does not
// appear as one readable string in the page source.
var C13379746183901 = "";
var C13379746183902 = "";
var FormName = "the-form-name";

function CL() {
  Clicked++;
  if (Clicked > 1) { return; }   // only the first focus/click does the swap
  // Join the two halves and make that the form's real 'action' value.
  // document.forms[name] looks the form up by its name attribute, hyphens included.
  document.forms[FormName].action = C13379746183901 + C13379746183902;
}
</script>

Replace ‘the-form-name’ with the ‘name’ value used in your <form> tag. (Inside the ‘form’ code of your form, you have an “action” value. That is the page that processes your form.) Take that value, split it into two pieces, and place the two pieces in the ‘C…01’ and ‘C…02’ variables. Make sure you get them in the right order.

What that script does is put the two “C…” variables together, and puts them in the ‘action’ value in the form that is named ‘the-form-name’. That replaces the ‘action’ value in your <form> code with the real form processing page. (If your form page also does the processing, as in “action=’’ ”, just use empty values as the two “C..” variables.)

The third step is to put the fake page name (in our case ‘response.php’) as the ‘action’ value in the <form> code. This will be what the form spammer sees.

The fourth step is to have a required field in your form get this additional code inside the <input> tag. Important: do not place this in the first field on the form, since that form field often gets ‘focus’ when you load the page. Also, if you use the same form as a function called by other pages, you will need to add that JavaScript code to the other pages too … and your authorized editors need to know that they must click in the field that has the ‘onfocus/onclick’ code, or they will be redirected to the phony page.

onfocus="CL()" onclick="CL()"

And the last step is to make sure your <form> has a ‘name’ parameter that is ‘the-form-name’ (or whatever you called the form).

Save your comment form page (make a backup copy of the old one first).

This is what happens when a real visitor fills out your form: when they get to the required field (the one with the ‘onfocus’ and ‘onclick’ code in the <input> statement), the CL() function will grab the two pieces of the real ‘action’ page and stick that in the ‘action’ parameter of the <form> code, replacing the ‘response.php’ fake page name that is in the code. So a ‘submit’ by a real person will get to the real form processing page. The form spammer, with his automated tools, won’t fill out the form normally, so the ‘onfocus’ and ‘onclick’ (both are required) will not happen, so they will use the ‘response.php’ fake page name.

Now, when I first saw this technique, I had to read through it a couple of times (perhaps I am a slow learner), but then it all made sense. We’ve used some JavaScript to replace the ‘action’ value in the form, and the JavaScript function is not executed unless a real person clicks in the required field.
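The mechanism just described, as an added example that is not the post’s own script: the action-swapping handler written without eval and wrapped in a factory, so the same logic can be exercised outside a browser against a stand-in form object. The form name, the decoy ‘response.php’ and the two halves of the real handler name are placeholders. The simulation makes the limit of the technique visible too: it only diverts a submitter that never runs the page’s JavaScript, which is exactly the automated form-poster the post is aiming at.

```javascript
// Added example (not the post's code). Same idea as the CL() handler:
// the first focus/click on a required field replaces the decoy 'action'
// with the real processing page, assembled from two halves.
function makeActionSwapper(formName, part1, part2, getForm) {
  let clicked = 0;
  return function CL() {
    clicked++;
    if (clicked > 1) return;            // only the first focus/click does the swap
    const form = getForm(formName);
    if (form) form.action = part1 + part2; // no eval needed
  };
}

// Browser wiring for a real page would be:
//   var CL = makeActionSwapper('the-form-name', 'contact-hand', 'ler.php',
//                              function (n) { return document.forms[n]; });
// with onfocus="CL()" onclick="CL()" on a required field that is not the first one.

// Simulate both visitor types against a stand-in form object (placeholders).
// A real person focuses the field, so the handler fires (twice: focus + click);
// an automated poster submits to whatever 'action' is in the served HTML.
function simulate(realVisitor) {
  const form = { name: 'the-form-name', action: 'response.php' }; // decoy as served
  const CL = makeActionSwapper('the-form-name', 'contact-hand', 'ler.php', () => form);
  if (realVisitor) { CL(); CL(); }
  return form.action; // where the submit will go
}
```

Anything that does execute the page’s script (a headless browser, for instance) gets the real action like a human would, so the processing page should still keep its own checks rather than rely on the decoy alone.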

Note that you may have some visitors that don’t have JavaScript enabled (usually, the paranoid types). For them, you just need to put a small notice just above your form:

<noscript>Note: JavaScript must be enabled to use this form</noscript>

You can use a bit of CSS to make that code stand out if you wish.

If you are already getting form spam, you might want to change the name of the contact form (and the processing page) to a new set of names. Delete the old name, and change the contact page value in any links elsewhere on your site. This will prevent the form spammer from using the old-unprotected form pages.

But the result of this technique should be a significant decrease in the amount of form spam that you get. And that’s a good thing!

(Added 22 Sep 2013: If you want more details, go to my Form Spammer Trap web site that uses the technique. That site is where form spammers will end up. And this post about it is more recent.)

Insecure FileZilla FTP Program

I manage several web sites, among them WordPress-based. And other sites I manage/own are PHP-based. So I often need to transfer files from my laptop to the hosting site. To do that, I use an FTP client program called FileZilla.

At least, I used to.

And the reason for ‘used to’ could be helpful to you.

One of the sites I manage has an intermittent problem with some injected malware. Usually, it is a small bit of code that uses an ‘iframe’ (sort of inserted content on a web page) to hide content that does search click-jacking. That’s when the code displays a search results page, then ‘clicks’ links on the page to earn search-click revenue. The actual search page is not displayed, but the ‘clicking’ happens.

So that injected code gets displayed on every WordPress page on the site. Which means that somehow the WordPress code on the site host is being modified by malware.

It’s not clear how the code gets modified, but one way is by a compromised FTP account. The hacker somehow gets the FTP login and password for a site, then looks at that site for PHP files that can be modified with an insertion of the malware code.

And the only way to figure out that the site has been compromised is to take a look at the page code, which can be quite complex. Or you can look at file dates on the host, but that can take quite a while.

Now, I keep my computer systems current with patches. I do Windows patches as soon as they are released. I have Secunia’s PSI program which automatically patches my non-MS programs. I’ve got a good anti-virus program. And I use strong passwords everywhere.

But even these good security practices can be bypassed with a ‘zero-day’ attack. And that’s what I think happened. Some malware got into my system somehow. And this particular bit of malware tries to compromise my FTP program.

And it turns out that FileZilla, the FTP client on my computer, stores FTP user names and passwords in a clear-text file in an easily accessed location.

What. The. ???!!!

Why would they do that?

Yes, the program is open-source, so someone can easily figure out where the FTP user/passwords are stored. But there is no reason not to encrypt the file that contains the passwords.

No reason at all.

It is a major vulnerability. One that the FileZilla developers continue to ignore.

And FileZilla is very popular. Millions of downloads.

Each and every one is vulnerable to malware attack that will get your FTP user credentials.

What. The. ???!!!!

And that’s why FileZilla has been removed from my computer. And banned from any computer I own or manage.

But I still need an FTP client. Yeah, I could do it all manually, but an FTP GUI is just convenient. So I need an alternative.

And that alternative is WinSCP (available at http://winscp.net/eng/index.php).

It’s pretty easy to use. Has a nice GUI. Allows for multiple FTP site settings. Will save the FTP user credentials. Is open-source, and free (donations accepted).

And has an option to have a ‘master password’, that, if enabled, will encrypt the file that stores your FTP user credentials.

So far, it is working fine, and appears to be a good and secure FTP client.

Which is why WinSCP is on my computer.

And FileZilla isn’t.

I recommend the same conclusion for your computers.


(Added 25 May 2012) Note that if you do uninstall FileZilla, the password file is not removed (even after a restart). You will need to remove it manually.