Blog : Posts tagged with 'security'

*

Defence In Depth

In which we discover we’ve been bad, and have a rant about why


A couple of weeks ago, I discovered that my site had, apparently, been compromised, but my hosting company had handled it. WordPress had been broken in the process; but I’m not entirely surprised. Nevertheless, I thought everything was now happy.

This morning, though, a letter from Google lets me know: it hadn’t been fixed. My site has, for the past fortnight, been serving up crap to any passing search engine. This can’t be good. I don’t blame my hosting company: what they did do was above and beyond the call of duty, and they can’t be expected to understand and trace every twisty little maze of code paths in WordPress that might result on something being sent back to the client’s screen.*** What it does make me want to rant about, though, is PHP.

PHP is – if you’re not a geek and haven’t heard about it – by far the most common “web-programming” language around today. Its modus operandi is: you intersperse chunks of programming code in and around the static content in your web pages. When your webserver reads a page, it will run the chunks of code as a program. In WordPress’s case, the chunks of code run off to a database and fetch my posts, your comments, and so on, from it, and send them back to a client. Thus, one web page can output many posts, managing them is much easier, and so on. All well and good.

PHP, though, is … well. It’s not exactly the best language for the job, which is being polite about it. I’ve been doing lots of programming in it myself lately, for our Office Intranet, and it’s just not as rigorous as other languages. The syntax doesn’t somehow seem as thorough. Apart from the little differences you always get between languages,* it has little corners that feel slightly wrong when I use them, as if I’m transgressing the boundaries between types of programming object in a bad and dirty way.

That’s just a minor thing, really, just me quibbling. What my big problem is, what makes PHP an utterly unsuitable programming language for its job, is one particular feature much adored by people who want to take control of your website and use it to advertise pr0n and drugs. It’s a feature which is unutterably stupid, so stupid I can’t believe anyone thought it should have been created. PHP will, if you like, go and read a file from anywhere on the internet, and run it for you. Which means that a shifty-looking programmer who gets illicit access to the files on your website only has to add a couple of lines of code, to get complete control of everything. Bang. Like that.

Now, you could say: well, FP, you shouldn’t have been using FTP. And you’re right.** My hosts offer SFTP instead, and I should have been using that. There’s no good reason to use FTP either if you have an alternative available. But that doesn’t mean that the next hole along the line shouldn’t be blocked either. It’s called: defence in depth. At work, we have a high fence round the whole site, and an alarm system just inside it; but that doesn’t mean that we leave the office buildings unlocked. Security shouldn’t be brittle; ideally it shouldn’t be thin either. Once you’ve breached the first layer, the tools to complete the job shouldn’t be left lying around.

* The difference between ‘elseif’ – which is a PHP keyword – and ‘elsif’, Perl‘s spelling of the same thing – will forever damage my brain.

** I have a good story about how weak FTP can be – but it can wait for another time.

*** and, indeed, it’s my own fault; I should right away have compared the live files with my known-good backups.

2 comments so far. »

Keyword noise: , , , , ,

*

Bad news

In which we get hacked


It’s never a good sign when you come back from tent-shopping (a story for another day), check your email and find an emergency security alert from your web-hosting people. It’s an even worse sign when it says: your site has been compromised. Ah. Oh dear.

My FTP details had been compromised, apparently. This is intriguing, because my FTP password is unique, unrelated to any other I have, and stored solely inside my head. Either some sort of network-sniffing was going on – entirely plausible with the entirely insecure FTP* – there’s some flaw in my hosts’ FTP daemon, or the fault lay elsewhere.

Anyway, it’s prompted me to upgrade myself to WordPress 2.5, released recently. Upgrading WordPress is one of those jobs which I tend to put off and put off, for no good reason because it’s really not that painful; and there’s a good chance that WordPress was the loose link here. Old versions do have known holes, and if I’d upgraded sooner, the break-in might never have happened.

* I nearly said “FTP protocol” there. But that would be “File Transfer Protocol protocol”, which is Just Wrong.

8 comments so far. »

Keyword noise: , , , , , ,

*

Things I don’t need to write

In which this site’s posts are superfluous


I was thinking of writing an exciting political post* about last week’s terrorist alerts, and how I was a mite suspicious of them. But, of course, this being the internet, lots of people have done it already, wondering if it really was necessary to jump so suddenly. Chris from qwghlm.co.uk, particularly, was very suspicious of the vagueness of the reports, and apparent lack of hard evidence so far.

Hard evidence may well turn up, eventually. Or, more likely, it may turn out that the plotters hadn’t even made their bombs yet. The government are starting to have a bit of a Boy Who Cried Wolf problem. The more times the police raid innocent houses, or paralyse air travel, especially if it comes at politically sensitive times, the less we are going to believe them.

* well, OK, not that exciting

One comment. »

Keyword noise: , , , , , , , , ,

*

Security (redux)

In which we would like to hack


Via Boing Boing, I’ve discovered a Wired article on RFID hacking, and how it can be used practically for breaking and entering. I can virtually see your eyes glazing over already: but, see, this is important to me at least. The security technologies described in the article are suspiciously like the ones which have recently been installed in the office at great expense.

Now, it is possible that our security consultant has installed the extra-secure encrypted systems described in the article, that are much harder to break into. Given that I’ve had to work with him, though, I’d be surprised if he even realised the difference between the two. I really must show this to Big Dave, and see if we can get our hands on the RFID-reading kit described, if only because it will really irritate Security Man.

No comments yet. »

Keyword noise: , , , ,

*

Security (part two)

In which a contractor doesn’t do the job properly


So, as I explained yesterday, the security contractor at the office has saddled us with three “incompatible” security systems, two of which probably are compatible after all, it’s just that he doesn’t know how to get them to work together. We complained to the office manager about it. “Well, if that’s what the contractor said, that’s what’s going to happen.”

The next day, our boss comes through to visit. “What’s this about us needing three different tags for the alarms?”

We told him what we’d been told.

“It’s a bloody stupid idea. I thought they were all going to work together.” Yes, so did we. “I don’t want to have to carry three tags on my keyring.” And he wanders off, grumbling about it.

The following day, we notice the Managing Director stalking about in our part of the building, looking at the security gadgets and making “hmmm…” noises. The office manager is following him around, trying to explain how wonderful these expensive systems we’ve commissioned are.

“…you’ll have one tag for these doors, one tag for the outside doors and gates, one tag for…”

“Why do we need three different tags for everything? Why can’t we just have one?”

“The contractor says that they won’t…”

“Well, I thought we were just going to have one tag that would do everything. I don’t want…”

I tuned out, but it was clear the way the conversation was going. What makes me sigh isn’t that we always prefer contractors who have worked for us before, even when their track record is hardly promising.* It’s that the management should have spotted this coming. The contractor did give the office manager a nice thick specifications document – did the manager bother to read it at all? Didn’t he bother to ask questions about the vague parts?

* This isn’t the first time the security contractor has fitted something and then not set it up properly, because although he’s agreed to fit the system we wanted he’s not willing to learn how to configure it.

One comment. »

Keyword noise: , , , , , , , , , , , ,

*

Security

In which we debate incompatibility


As part of all the building work that’s been going on at the office, we’ve been getting the security systems upgraded. A new alarm system, new motorised front gates,* and new electronic locks on most of the internal doors. All to be worked by RFID tags, kept on our keyrings and carried round all the time.

Now, being logical and sensible, we assumed that the company had specified either a single system, or compatible systems, so that we could use one single tag to unlock everything. And, as the contractor** started to install the hardware, we spotted that all the sensors we could see came from the same manufacturer. Very sensible.

We each get a tag the other week, and start using it to open and shut the front gates. Three days ago, the contractor pops his head round the door to say he’ll be issuing us with the rest of the tags, the ones for the indoor locks, soon.

“The rest of the tags? We’ve already got one.”

Apparently, we need separate ones for the outdoor locks, the indoor locks, and the alarm system itself. Because “the systems are from different manufacturers.”

“But they’re not from the same manufacturers! We’ve seen them, and they’re identical! If you hold an outdoor tag up to an indoor sensor, it recognises it!”

“No it doesn’t.”

I held my “outdoor tag” up to the newly-installed sensor by the office door. It bleeped, and flashed a little green light at me.

“Well, I can try to set it up so that that tag unlocks this door,” the contractor said. “But it won’t work.”

(to be continued, otherwise this post would get a bit long)

* Which is a Good Thing, because guess who’s job it is to unlock and open the old front gates every morning.

** Our usual security contractor, a friendly chap, who is very anal about making sure his cabling is put in and terminated neatly, but isn’t very good at setting up the security systems themselves properly.

Next part »

Keyword noise: , ,

No comments yet. »

Keyword noise: , , , , , , , , , , , , ,

*

Viruses, and other geekery

In which we still have no satellite internet, and encounter a virus


Quite a few people, recently, have come to this site looking for information on Aramiska, the European satellite ISP which apparently collapsed last week. Sadly, there doesn’t seem to be any information, anywhere. The company promised to release a statement on January 30th; it never appeared. Their disappearance is still a mystery.

Moving on, this email came in to one of our work addresses yesterday:

I noticed whilst browsing your site that there were problems with some of your links, when I tried again with Internet Explorer the problems were not there so I assume that they were caused by me using the Mozilla browser.

Very nice and helpful, you might think.* However, if you read on, you might get a little more suspicious…

I have enclosed a screen capture of the problem so your team can get it fixed if you deem it an issue.

Hah. If you’re not suspicious yet, you probably shouldn’t be allowed near the internet. If you look a little closer, the attachment is a .scr file – which could, I suppose, look like “screenshot” to the non-technical. If you try to open it,** then: congratulations, you have a virus, one known as W32/Brepibot. Well done.

I thought I’d mention it here, because it’s the most believable virus-spreading email I’ve come across; and I’m someone who is used to all this. To someone who is less cynical than me, it looks entirely believable. So watch out. And, even people like me can be infected by viruses. In fact, like lots of other blogs, this site has been infected by one itself.

Blog.Worm

However, this virus is cute, green, and slightly silly.***

* As our work website was designed by an apparently-clueless PR chap with no previous knowledge of website design at all, it is also entirely believable.

** and you’re using a Windows computer, and don’t have up-to-date virus protection

*** Although it has been pointed out that this virus could potentially be a genuine security risk. Especially if you still use Internet Explorer and your computer isn’t completely up to date. It isn’t actually dangerous, at all as far as I can tell, but you still need to be wary when it comes to things like this.

3 comments so far. »

Keyword noise: , , , , , , , , , , , , , , , , , , ,

*

Search this site

*

Contact

E: feedback [at] symbolicforest [dot] com

IM: Ask me if you'd like to know

*

Post Categories

Artistic (118)
Dear Diary (349)
Feeling Meh (48)
Geekery (109)
In With The Old (34)
Linkery (37)
Media Addict (164)
Meta (79)
Photobloggery (94)
Political (113)
Polling (7)
Sub category (19)
The Family (31)
The Office (70)
Unbelievable (53)