Category Archives: Internet Security

Internet security information

Why Is A DMZ Important

It has for many years been risky to connect computers to the Internet. In most cases, some kind of firewall is used to protect the computers behind the firewall. A more sophisticated way of protecting computers is to use a Demilitarized Zone (DMZ), sometimes also called perimeter network.

Servers that need to communicate with both internal and external computers create a security problem for companies. Placing such computers in the internal network, behind the firewalls, means that the firewalls need to allow a lot of traffic through. On the other hand, if the computers are placed outside the firewalls, they are very vulnerable to attacks. The solution to this dilemma is generally a DMZ, a zone between the Internet and the company’s internal network.

A DMZ can be designed in a number of ways but typically, a DMZ is placed outside the company’s (internal) firewall but has a firewall (external) between itself and the Internet. This means that the internal firewall will only let through traffic from hosts in the DMZ, generally also restricted to specific ports from specific hosts. The external firewall will only let through traffic to the servers in the DMZ, and that is also generally limited to specific ports for every server.

This way, the company’s internal network is relatively well secured at the same time as it is possible to reach some of the company’s computers from the Internet. Obviously, a DMZ can be implemented in many other ways but the basic principles are the same. Although not as secure, it is possible to let the same physical firewall be both the external and internal firewall. Nowadays, most companies have much more complex solutions for DMZs. It is quite common to have multiple DMZs.

It is worth remembering that a DMZ’s purpose is to protect the internal company network from the untrusted Internet, or any other untrusted network. Threats from the inside are seldom covered by a DMZ.

It is very common to place servers such as mail, DNS and http (web) servers in the DMZ. For example, incoming mail is delivered to the mail server in the DMZ, which will forward the emails to the internal mail server. This makes it easy to configure the firewalls for email. Often one additional connection is allowed, so that it is possible to manage the mail server in the DMZ from the internal network. By having a DMZ, DNS often becomes a relatively small security risk. The DNS server in the DMZ only needs to know a few servers in the internal company network, therefore there is not much gained if someone manages to compromise the DNS server. The sensitive DNS data is stored on the DNS servers behind the internal firewall.
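The two-firewall layout described above, written out as a small policy model (an added example, not code from the original article). The addresses, host names and port lists are constructed: the DMZ uses the TEST-NET-1 range, the internal network 10.0.0.0/8, and the only permitted DMZ-to-internal flows are the mail relay forwarding to the internal mail server, the DMZ resolver talking to the internal DNS server, and one management connection from an internal admin host to the relay.

```python
"""Added example: a model of the external and internal firewalls of a DMZ.
All hosts, addresses and allow-lists below are constructed for illustration."""
from ipaddress import ip_address, ip_network

DMZ = ip_network("192.0.2.0/24")        # constructed DMZ segment (TEST-NET-1)
INTERNAL = ip_network("10.0.0.0/8")     # constructed internal network

# Constructed hosts.
DMZ_MAIL, DMZ_DNS, DMZ_WEB = "192.0.2.25", "192.0.2.53", "192.0.2.80"
INT_MAIL, INT_DNS, INT_ADMIN = "10.0.0.25", "10.0.0.53", "10.0.0.100"

# External firewall: the Internet may only reach the listed DMZ services.
EXTERNAL_ALLOW = {
    (DMZ_MAIL, 25),   # inbound SMTP to the DMZ mail relay
    (DMZ_DNS, 53),    # public DNS
    (DMZ_WEB, 80),
    (DMZ_WEB, 443),
}

# Internal firewall: explicit (src, dst, port) pairs between DMZ and inside.
INTERNAL_ALLOW = {
    (DMZ_MAIL, INT_MAIL, 25),   # relay forwards accepted mail inward
    (DMZ_DNS, INT_DNS, 53),     # DMZ resolver knows a few internal names only
    (INT_ADMIN, DMZ_MAIL, 22),  # the one extra connection: managing the relay
}


def zone_of(addr):
    a = ip_address(addr)
    if a in DMZ:
        return "dmz"
    if a in INTERNAL:
        return "internal"
    return "internet"


def external_firewall(src, dst, port):
    """Boundary between the Internet and the DMZ."""
    zs, zd = zone_of(src), zone_of(dst)
    if zs == zd or "internet" not in (zs, zd):
        return True  # the flow never crosses this firewall
    if zs == "internet":
        return zd == "dmz" and (dst, port) in EXTERNAL_ALLOW
    # Outbound: only DMZ hosts may initiate towards the Internet (e.g. outgoing
    # mail). Direct internal-to-Internet browsing is outside this model.
    return zs == "dmz"


def internal_firewall(src, dst, port):
    """Boundary between the DMZ and the internal network."""
    zs, zd = zone_of(src), zone_of(dst)
    if zs == zd or "internal" not in (zs, zd):
        return True  # the flow never crosses this firewall
    if {zs, zd} != {"dmz", "internal"}:
        return False  # the Internet is never adjacent to the internal network
    return (src, dst, port) in INTERNAL_ALLOW


def permitted(src, dst, port):
    """A flow is allowed only if every firewall on its path allows it."""
    return external_firewall(src, dst, port) and internal_firewall(src, dst, port)


if __name__ == "__main__":
    flows = [
        ("203.0.113.7", DMZ_MAIL, 25),   # Internet delivers mail to the relay
        ("203.0.113.7", INT_MAIL, 25),   # Internet straight to the internal mail server
        (DMZ_MAIL, INT_MAIL, 25),        # relay forwards inward
        (DMZ_WEB, INT_MAIL, 25),         # a compromised web server trying to go inside
        (INT_ADMIN, DMZ_MAIL, 22),       # admin manages the relay
        ("10.0.0.5", "10.0.0.6", 445),   # inside-to-inside: no firewall in the path
    ]
    for src, dst, port in flows:
        print(f"{src:>13} -> {dst:<13} port {port:<4} {'ALLOW' if permitted(src, dst, port) else 'DENY'}")
```

The last flow makes the point from the paragraph about threats from the inside concrete: traffic that stays within the internal network never touches either firewall, so a DMZ does nothing for it.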

Do you need a DMZ for your home network? Probably not, unless you have servers at home which must be reached from the Internet. If the traffic is just outgoing, a firewall/router with NAT (network address translation) is a relatively secure solution.

Brute Force Attacks on wp-login.php

If you administer WordPress web sites you have probably noticed that your sites are being attacked every now and then. It looks like WordPress sites have become a very popular target for automated attacks and probes. Most of the attacks are very basic and should not be successful against a site with a reasonable level of security. But the number of attacks seems to be increasing which makes it prudent to make sure that your sites are well protected against the most common attacks.

There are plenty of ways a WordPress site can be attacked, but one of the most common, and one that is easy to automate, is a brute force attack on wp-login.php. This means that the attacker is trying to find a valid username/password combination for the site. Such attacks are easy to detect if you check your log files. If the wp-login.php file has thousands of hits, your site has been attacked.
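Checking the log files for this pattern can be scripted. The following is an added example (not from the original post) that reads Apache combined-format access log lines, counts POST requests to wp-login.php per client address and flags addresses above a threshold. The log lines are constructed. It relies on the heuristic that a successful WordPress login answers the POST with a 302 redirect to wp-admin, while a failed one re-renders the form with a 200.

```python
"""Added example: spotting wp-login.php brute forcing in an Apache access log."""
import re
from collections import Counter

# Constructed sample lines in Apache "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2014:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2014:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "-"
198.51.100.9 - - [10/Mar/2014:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "-"
198.51.100.9 - - [10/Mar/2014:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "-"
198.51.100.9 - - [10/Mar/2014:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "-"
203.0.113.5 - - [10/Mar/2014:10:05:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2014:10:05:11 +0000] "GET /wp-admin/ HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
"""

# client, identd, user, [timestamp], "METHOD PATH PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def login_posts_per_ip(log_text):
    """Return (failed, succeeded) Counters of wp-login.php POSTs per address.

    Heuristic: WordPress redirects (302) after a good login and re-renders the
    form (200) after a bad one, so a 302 is counted as success."""
    failed, succeeded = Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        if not m.group("path").startswith("/wp-login.php"):
            continue
        if m.group("status") == "302":
            succeeded[m.group("ip")] += 1
        else:
            failed[m.group("ip")] += 1
    return failed, succeeded


def suspicious_ips(log_text, threshold=3):
    """Addresses with at least `threshold` failed login POSTs."""
    failed, _ = login_posts_per_ip(log_text)
    return sorted(ip for ip, n in failed.items() if n >= threshold)


if __name__ == "__main__":
    failed, succeeded = login_posts_per_ip(SAMPLE_LOG)
    for ip in sorted(set(failed) | set(succeeded)):
        print(f"{ip:<15} failed={failed[ip]:<4} succeeded={succeeded[ip]}")
    print("suspicious:", suspicious_ips(SAMPLE_LOG))
```

Run it against a real log with `login_posts_per_ip(open("access.log").read())`; a threshold of a few failures per address is usually enough to separate automated guessing from a user mistyping a password, while a failed streak followed by a 302 from the same address is the line worth looking at most closely.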

Unfortunately, by default WordPress is not able to tell you much about what happened. But there are a number of useful plugins which can be used both for logging failed login attempts and for, if not completely preventing brute force attacks, at least slowing them down. Nowadays it is a good idea to use a plugin that temporarily blocks further login attempts from the same IP address after a couple of failed login attempts. One of the most popular is the login lockdown plugin.

Unfortunately, it is easy to change your IP address. An attacker can use proxies to make it look like your site is being attacked from several different sources. Still, by temporarily blocking login attempts from specific IP addresses, you slow down an attacker. If you install a plugin that logs which usernames have been tried, you will most likely find that the username “admin” is used in 99% of the cases. In other words, one of the first things you should do is to create a new administrator with another login name, for example mike or john. Then remove the admin account. If you are installing a new WordPress blog, avoid calling the administrator account admin. Of course, whatever you call your administrator account, always use strong passwords.

If you are using a static IP address, you can limit access to the wp-admin files, which include wp-login.php, by editing the .htaccess file for the web site. For example, you can put the following into your .htaccess file. (Note: replace aaa.bbb.ccc.ddd with your IP address.)

RewriteEngine On
# Any request for the login page or the admin area ...
RewriteCond %{REQUEST_URI} wp-login|wp-admin
# ... that does not come from your own address (dots escaped, anchored) ...
RewriteCond %{REMOTE_ADDR} !^aaa\.bbb\.ccc\.ddd$
# ... is answered with 404, as if the page did not exist.
RewriteRule . - [R=404,L]

But that means that you can only access your site from the given IP address which often complicates things. Another solution is to password protect your wp-login.php. If you have more than one WordPress site in your hosting account, you can create a .htaccess file in your home directory which will protect all your WordPress blogs.

Unfortunately, in order to create this extra level of protection, you need to create a password file which contains the username and the encrypted password. If you don’t know how to do this, you can use one of the free htpasswd generators available on the Internet, just search for htpasswd generator. The username is not really important; user0 is sufficient if you just want to block automated brute force attacks from reaching your wp-login.php. A simple password is OK, we only want to prevent brute force attacks on wp-login.php. Never use the same password as the administrator account on your blogs. The file looks similar to the following:

user0:RwzaR7erWUpdd

The part up to the colon is the username (user0 in this case) and the part after the colon is the encrypted password. Put this into a file in the home directory of your hosting account.
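If you would rather not paste a password into a web form, the entry can be generated locally. The example below is added here and is not from the original post: it writes entries in the `{SHA}` form, which Apache also accepts (it is what `htpasswd -s` produces), instead of the crypt() form shown above, and it checks a candidate password against such an entry. The username and password are constructed sample values.

```python
"""Added example: build and check Apache htpasswd entries in the {SHA} format."""
import base64
import hashlib
import secrets


def sha_entry(username, password):
    """One htpasswd line: user:{SHA}base64(sha1(password)), as `htpasswd -s` makes."""
    if ":" in username:
        raise ValueError("username must not contain a colon")
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{username}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def check_entry(entry, password):
    """True if `password` matches the {SHA} entry; constant-time comparison."""
    _user, _, stored = entry.partition(":")
    if not stored.startswith("{SHA}"):
        raise ValueError("not a {SHA} entry")
    expected = base64.b64decode(stored[len("{SHA}"):])
    actual = hashlib.sha1(password.encode("utf-8")).digest()
    return secrets.compare_digest(expected, actual)


def random_password(nbytes=12):
    """A throwaway password for the gate in front of wp-login.php."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    # Constructed sample values; in practice use random_password() and keep
    # the file outside the web root with permissions readable only by you.
    line = sha_entry("user0", "password")
    print(line)
    print("matches:", check_entry(line, "password"))
    print("rejects:", check_entry(line, "wrong"))
```

The `{SHA}` format is unsalted, which is acceptable for a gate whose only job is to keep bots away from wp-login.php, as the text says; for anything that protects real data, `htpasswd -B` (bcrypt) is the better choice.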

You also need to modify (or create) the .htaccess file in your home directory. Put in the following lines:

ErrorDocument 401 "Unauthorized Access"
ErrorDocument 403 "Forbidden"
<FilesMatch "^wp-login\.php$">
AuthName "Authorized Only"
AuthType Basic
AuthUserFile /home/username/.wppass
Require valid-user
</FilesMatch>

You need to change /home/username/.wppass to the name (including full path) of the file containing the username and encrypted password.

Note that while this will stop automated brute force attacks trying to log on to your site, it will not protect you against other kinds of attacks and will not help against any security flaws in WordPress or the plugins you are using. To feel a little bit more secure, you should back up your WordPress sites regularly and store the backups on your local computer.

DNS Security Overview

Without DNS, the Internet would not work, but most people don’t know what DNS is. DNS stands for Domain Name Services and provides the mapping of host names to IP addresses as well as some other mappings. DNS automatically converts the names we type in the address bar of our web browser to the corresponding IP addresses. In order to find a web server, IP addresses are used, but humans prefer to use host names, which are much easier to remember.

DNS has no central database, instead it is made up of thousands of DNS servers which are responsible for the IP addresses of one or more subnets. This is a very flexible solution which works very well for a huge network like the Internet. But it also has a number of potential security issues.

In the good old days, security was seldom a problem on the Internet. Most services and protocols were designed without paying any attention to security. DNS was no exception; it had virtually no security in the early days. BIND, Berkeley Internet Name Domain, was the most widely used implementation of the DNS protocol. BIND is still used today and fortunately, it has become reasonably secure.

But the first versions of BIND did not really have any security at all; it was not until the mid-1990s that DNS security became an urgent issue. In the early days, it was easy to get the complete zone from a DNS server, giving an attacker the names and IP addresses of all computers in a network. The name server trusted everyone, something that made DNS cache poisoning very easy. The DNS server would accept any DNS information it received, regardless of its source and whether or not it had asked for the information.

DNS cache poisoning was first used as a joke by some technically gifted students, but it could also be used for criminal purposes. It is easiest to explain by using an example. Let’s say you need to pay a bill and your bank is mybank.com. You open an Internet browser and go to mybank.com. In order to find the site, your computer needs the IP address for mybank.com, so it asks the DNS server. In this case, a DNS cache poisoning attack requires two things: a fake record in the DNS cache giving a false IP address for mybank.com, and a site that looks like the real mybank.com site.

Your computer gets the false IP address from the DNS server and your browser goes to the false mybank.com site. The site looks real so you log in and your login credentials will be recorded by the attacker. Now the attacker has got what he wanted and he may now redirect you to the real mybank.com site and log you in automatically, minimizing the chance that you get suspicious. But DNS cache poisoning can also be used to install malware on your computer. You may think that you are downloading patches or updates from Microsoft but instead you are downloading from a bogus site which installs additional software onto your computer.

Nowadays, DNS servers are not that gullible, but DNS cache poisoning is still a threat. One reason for this is that many DNS servers are still running old DNS software which is not as secure as the latest versions. It is also possible to poison the cache on your personal computer. This is not as efficient as attacking a DNS server, since only one computer will be directed wrongly. But it can still create a lot of trouble for individual computers and users.
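The difference between the early "accept anything" resolvers and a modern one comes down to a few checks on each reply. The following simulation is an added example, not code from the original article and not a real DNS implementation: it models a cache that takes every record it is handed next to one that only accepts a reply whose transaction ID and question match an outstanding query, and that only caches records inside the zone it asked about (the "bailiwick" rule). Names and addresses are constructed.

```python
"""Added example: a naive DNS cache versus one with transaction-ID and bailiwick checks."""
import random
from dataclasses import dataclass


@dataclass
class Query:
    txid: int
    qname: str


@dataclass
class Response:
    txid: int
    qname: str
    answers: dict  # name -> address carried in the reply (constructed)


class NaiveResolver:
    """Early behaviour: every record in every reply goes into the cache,
    whether or not the resolver asked for it."""

    def __init__(self):
        self.cache = {}

    def receive(self, resp):
        self.cache.update(resp.answers)
        return True


class CheckedResolver:
    """Modern behaviour: unsolicited or mismatched replies are dropped and
    only in-bailiwick records are cached."""

    def __init__(self):
        self.cache = {}
        self.pending = {}  # txid -> Query still waiting for its reply

    def ask(self, qname):
        txid = random.randrange(1 << 16)  # unpredictable 16-bit transaction ID
        self.pending[txid] = Query(txid, qname)
        return txid

    @staticmethod
    def _zone(qname):
        parts = qname.split(".", 1)
        return parts[1] if len(parts) > 1 else qname

    def receive(self, resp):
        q = self.pending.get(resp.txid)
        if q is None or q.qname != resp.qname:
            return False  # nobody asked this, or the question does not match
        del self.pending[resp.txid]
        zone = self._zone(q.qname)
        for name, addr in resp.answers.items():
            # Bailiwick: a reply about www.example.com may not tell us about mybank.example.
            if name == q.qname or name.endswith("." + zone):
                self.cache[name] = addr
        return True


if __name__ == "__main__":
    # Constructed reply: the asked-for record plus an unrelated one smuggled in.
    reply = Response(txid=7, qname="www.example.com",
                     answers={"www.example.com": "198.51.100.10",
                              "mybank.example": "203.0.113.66"})
    naive = NaiveResolver()
    naive.receive(reply)
    print("naive cache:  ", naive.cache)

    checked = CheckedResolver()
    txid = checked.ask("www.example.com")
    checked.receive(Response(txid, "www.example.com", reply.answers))
    print("checked cache:", checked.cache)
```

Real resolvers add more than this (source-port randomization, and DNSSEC where zones are signed), but the two checks shown are the ones that turned "anyone can write to the cache" into "an attacker has to guess the transaction ID and win a race".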

WordPress Security Overview

WordPress has become a tremendous success. It is very good for building websites, especially for beginners, and it is free. The huge number of WordPress sites on the Internet has also made it an interesting target for attacks. If you administer a WordPress site, you need to know about WordPress security, otherwise your site could become the victim of an attack.

The number of attacks on WordPress sites has increased enormously lately. The main reason for this is most likely that software that automatically attacks WordPress sites has become available. This means that it is very important to make sure that your sites are well protected.

Unfortunately, it is impossible to guarantee that a WordPress site, or any other site for that matter, is completely secure against all possible attacks. But that said, you can make sure that your site has a high level of security. Most of the attacks are either brute-force password attacks or looking for sites that have not closed well known security holes. If you make sure that your site is safe against such attacks more than 99% of all attacks will not be able to penetrate your site.

First of all, make sure that you don’t use the standard admin account. Virtually all brute-force attacks are trying to guess the password of the admin user. Always change the administrator user account to another username and delete the admin user. There is no good way of hiding usernames from a sophisticated attacker but simple brute-force programs don’t investigate, they always attack the admin username. So by simply changing the username of the administrator account you have managed to protect yourself against most of the attacks.

But you should make sure that all usernames have strong passwords. If the only account is the administrator account, then this is easy. If you have several user accounts, you can use a plugin that forces the users to use strong passwords.

Even with strong passwords and no admin user, you should not let attackers try thousands of login attempts on your site. Install a plugin that limits the number of login attempts from the same IP address. Such plugins will block additional login attempts after, for example, three failed logins from an IP address for a specified amount of time. Just be careful that you don’t set the limits too strict, so that you lock yourself out for several hours just because you typed the password wrong once. Also be aware that by using proxies an attacker can easily change his IP address.
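What such a login-limiting plugin does, reduced to its core, is shown below as an added example (not the code of any particular plugin, and not from the original posts); it illustrates both this paragraph and the lockdown plugin described in the "Brute Force Attacks on wp-login.php" post above. The thresholds (three failures within five minutes, fifteen-minute block) and the event sequence are constructed; timestamps are plain seconds so the block runs offline.

```python
"""Added example: a per-address login limiter with a temporary lockout."""
from collections import defaultdict, deque


class LoginLimiter:
    """Block an address for `lockout` seconds once it has produced
    `max_failures` failed logins within any `window` seconds."""

    def __init__(self, max_failures=3, window=300, lockout=900):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked_until = {}             # ip -> time the block expires

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:                    # block expired: start with a clean slate
            del self.blocked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def record(self, ip, success, now):
        """Feed one login attempt; returns what happened to it:
        'blocked'  - refused without checking the password
        'allowed'  - correct password accepted
        'failed'   - wrong password, still under the limit
        'locked'   - wrong password that triggered the lockout"""
        if self.is_blocked(ip, now):
            return "blocked"
        if success:
            self.failures.pop(ip, None)     # a good login resets the counter
            return "allowed"
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                # forget failures outside the window
        if len(recent) >= self.max_failures:
            self.blocked_until[ip] = now + self.lockout
            return "locked"
        return "failed"


def simulate(events, **kwargs):
    """Run a sequence of (ip, password_was_correct, time) through one limiter."""
    limiter = LoginLimiter(**kwargs)
    return [limiter.record(ip, ok, t) for ip, ok, t in events]


# Constructed event stream: one guessing host, one legitimate user who mistypes once.
EVENTS = [
    ("198.51.100.9", False, 0),
    ("198.51.100.9", False, 1),
    ("198.51.100.9", False, 2),     # third failure -> locked
    ("198.51.100.9", True, 3),      # even the right password is refused now
    ("203.0.113.5", False, 10),     # user typo
    ("203.0.113.5", True, 15),      # user gets in; counter reset
    ("198.51.100.9", False, 902),   # block expired, counting starts again
]

if __name__ == "__main__":
    for (ip, ok, t), outcome in zip(EVENTS, simulate(EVENTS)):
        print(f"t={t:<4} {ip:<13} {'good' if ok else 'bad '} password -> {outcome}")
```

The last event shows the limiter's ceiling: each address gets `max_failures - 1` free guesses per window, so an attacker rotating through proxies is slowed rather than stopped, which is exactly why the text pairs the limiter with a non-default administrator name and strong passwords.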

It is also possible to limit access to the login page, and all administration pages, but that is only useful if you are always working from the same IP-address. There are also ways of hiding the WordPress login page.

You also need to make sure that your plugins are up to date. Fortunately, WordPress will automatically check for new versions of your plugins, themes and WordPress itself. Also be careful with having a lot of active plugins; this can slow down your site and there is always a risk that a plugin has a security hole.

Given that it is impossible to guarantee that a site, WordPress or not, is a hundred percent secure, you should back up your WordPress sites regularly. For this, too, you can install a plugin which backs up the site and lets you download the backup to your local machine.

The First Internet Worm

In the early days, the Internet was a peaceful place. Almost only universities were connected and online transactions were still a couple of years down the line. Of course some computers got attacked once in a while. But those were isolated incidents and very little damage was caused. There was very little need for strict security and few worried about IT security. Much changed after the so-called Morris Worm in November 1988.

The creator of the worm was Robert Tappan Morris, a Cornell graduate student in computer science. The worm may have managed to infect up to 20% of all computers on the Internet. This made the worm very successful but also short-lived. The worm infected the same computer multiple times, overloading many computers. The rapid growth of the worm forced system administrators to quickly find ways to kill it.

By today’s standards, the worm code was very basic. But back in those days, security was lax, so the worm spread very quickly even though it was taking advantage of security flaws that in some cases had been known for years. Nowadays security is much tighter; such basic attacks would not cause any significant damage today. The code of the worm was an interesting mix of some sophisticated parts combined with a couple of basic flaws.

The worm was not created to cause damage; it was more an attempt to create something that would travel around in the network. But Morris misjudged the success of the worm: far too many systems had basic security holes. The worst damage was done because the worm infected the same computer multiple times. Some computers got infected with so many copies of the worm that the systems got overloaded and crashed. It became, by accident, the first known Denial-of-Service attack; things simply went out of control.

Exactly how many computers were infected is not known. Some estimates indicated that 20% of all computers on the Internet were infected. But many think that the number was much lower, probably less than 10%. The worm targeted only two types of computers, VAXs running BSD Unix and Sun-3 computers, also running a BSD-like UNIX version. Back in 1988 these computers were very popular on the Internet.

The worm tried four different attacks. Three of them tried to exploit known security flaws in UNIX while the fourth was trying to take advantage of weak passwords. But as mentioned, the worm did not do any damage to the system, except for overloading the systems by infecting the same system multiple times. It did not try to gain root privileges, which is needed to alter or damage a UNIX system. Its only purpose was to infect new systems.

The Morris Worm changed the Internet, but slowly. Before the incident, computer security had not been much of an issue. Some people would say that the Internet community was trusting and naïve. After so many computers got infected so easily, computer security became more important. Some people called it a wake-up call. But pretty soon most of the Internet society forgot all about potential security problems. It would take quite some time before Internet security became a hot topic. One reason for this was that back in 1988, the Internet was mainly an academic network with no commercial traffic. Once the Internet started to get commercial traffic, security became a priority.

How to protect your email account

Email has become very important for most people. Even a lot of sensitive data is nowadays handled over email. Unfortunately, almost everyone is receiving a lot of unwanted emails marketing useless products as well as fake emails trying to fool people to disclose passwords or install malware on their computers. Safe-guarding your email account has become very important. Here is a short article explaining how to protect your email account.

First of all, try to keep your email account secret. It is virtually impossible to avoid spam but by not publishing your email account, the daily amount of spam can be kept to a minimum. Be aware that a lot of spammers are searching the Internet for email addresses, so never put your primary email account onto a web page. This also includes posts to social media, don’t put your email address into the post itself and don’t have it in your signature. If you want to sign up for freebies on the Internet, create a second email account and use it when signing up for lists. It is generally best to use one of the big web mail providers, such as gmail or yahoo, for such email accounts. They have good spam filters which automatically forward suspicious emails into the spam folder.

Needless to say, you should always use strong passwords for your email accounts. Don’t be lazy; use long passwords containing special characters and digits. You should also use unique passwords for your accounts. This includes accounts for social media, ebay and other web sites. Many programs let you save your login details, but never save your passwords in email clients or web browsers. If someone gets hold of your computer, they can access your accounts. Obviously, if you are using a shared PC for reading your emails, make sure not to save any account information, and erase any cached information. Better still, don’t use a shared computer to access your emails.

Also make sure to change your passwords regularly. Many email programs still send login details, including passwords, unencrypted across the network. This has never been a good idea, and on unsecured WiFi networks it is definitely not advisable to log on to email servers that don’t support encryption. Many places, such as hotels, bars and pubs, offer free WiFi access for their customers. But security is often poor; nothing prevents a hacker from running a sniffer program which collects login details. If you are sending login details, make sure that the connection from your laptop is encrypted. If you are using a web browser, this means you should use the https protocol rather than the standard http protocol. Fortunately, most of the popular Internet sites, such as yahoo and facebook, are using the https protocol for logins by default. Note that this is a problem also for smartphones: checking your emails on your smartphone over an unsecured WiFi network sends the login details across the network unencrypted.

Unfortunately, it is very easy to send faked emails. Most people get emails pretending to come from UPS, IRS, FBI, CitiBank, PayPal etc. Sometimes the emails include links that are supposed to be used to log in and verify your account details. But the link does not go to the real web site; instead the hackers have set up a web site that looks the same as the real one, for collecting the login details. Other emails contain attachments which are supposed to include important information. Instead, they contain malware. Never execute any files that you receive by email unless you are 100% sure who sent you the email. You should use a virus scanner; they are not foolproof, but they will recognize virtually all known threats.

You should backup your emails regularly. This protects you not only against hackers but also against hardware failures. Here you can learn more about how to back up your computer.

PKI, Public Key Infrastructure, Overview

Secure encryption has until lately relied on secret keys. The encryption is typically very strong, the problem is how to securely distribute the keys. This is already difficult if only two parties are involved, with more than two parties the risk that the key gets compromised increases drastically. Public key encryption has no secret key that needs to be distributed. This has made public key encryption very popular on the Internet.

Public key encryption uses two different keys, one public key and one private key. Like the name implies, the private key is kept secret and is only known by the owner. The public key on the other hand, can be freely distributed. That the public key is known by third parties does not pose a security problem. This makes it very easy to distribute the public key, all that is needed is a public key infrastructure. Despite that the public key is not secret, some management of the keys is necessary. It must be possible to identify the owner of the private key and the owner may need to revoke a key.

In public key encryption, one key is used to encrypt the message and the other key is used to decrypt the message. The two keys are mathematically related. If the private key is used to encrypt the message, it can be decrypted with the public key, and you know that only the owner of the private key can have encrypted the message. If the public key is used to encrypt the message, only the owner of the private key can decrypt the message. It is also possible to both sign and encrypt a message that you send. You simply sign the message using your private key and then encrypt the message, including your digital signature, using the recipient’s public key.

A public key infrastructure needs some kind of trusted authority. This authority tries to verify the identity of the people who request keys from them. Users want to be sure that they are communicating with their bank and not with a fake site that has created a certificate with the name of the bank. The central authority can also revoke keys. This is very important in case a private key has been compromised. At the same time it is very important that no malicious revocation of private keys is allowed. The system would quickly collapse if one person could revoke keys he does not own.

The most widely used PKI standard is X.509 which was created back in 1988 by the ITU, International Telecommunications Union. The standard belongs to the X.500 family of protocols. The X.509 standard has a hierarchical system of certificate authorities. This hierarchical system has later on been replaced with a structure that supports other topologies as well.

The certificate authorities manage the digital certificates. The digital certificates are based on public key encryption. They contain the owner’s name and public key plus some other information, such as an expiration date. The digital certificate also contains information about the issuer, the certificate authority, also known as the CA.

SSL (Secure Sockets Layer) certificates are used to ensure that the data you send to a website is encrypted and that you are communicating with the right website. SSL certificates are issued by CAs and placed on the web server. This allows browsers to verify that they are communicating with the right site and to encrypt the communication between the browser and the website.

Note that all browsers come with the public keys of several CAs. The browser will always trust certificates issued by these CAs. If your browser did not have any pre-loaded CAs it could trust, it would not be possible to verify whether an SSL certificate was real or not. If the website you are visiting has a certificate issued by one of the CAs your browser trusts, it will also trust the website. But if the certificate is issued by a CA that your browser does not know, it will check the certificate of that CA. If it has been issued by one of its trusted CAs, your browser will trust this CA as well.
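The two ideas above, sign-with-private/verify-with-public (and encrypt-with-public/decrypt-with-private) from the "In public key encryption" paragraph, and the browser walking a chain of certificates back to a pre-loaded CA from this paragraph, are shown together below as one added example. It is not code from the original article and not X.509: it uses textbook RSA over small fixed primes so the arithmetic is visible, a "certificate" is just a dictionary of subject, public key, issuer and signature, and all party names and keys are constructed.

```python
"""Added example: toy RSA signing/encryption and a toy certificate-chain check.
Textbook RSA with tiny primes, for illustration only; not a usable PKI."""
import hashlib
from math import gcd


def make_keypair(p, q):
    """Toy RSA key from two primes: returns (public, private) as (n, e), (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    e = 65537
    while gcd(e, phi) != 1:   # pick the first exponent coprime to phi
        e += 2
    d = pow(e, -1, phi)
    return (n, e), (n, d)


def _digest(data, n):
    """Hash the data and reduce it into the key's range (toy padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data):            # private key "encrypts" the hash
    n, d = priv
    return pow(_digest(data, n), d, n)


def verify(pub, data, sig):      # anyone with the public key checks it
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)


def encrypt(pub, m):             # public key encrypts a small integer (e.g. a session key)
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def decrypt(priv, c):            # only the private key recovers it
    n, d = priv
    return pow(c, d, n)


def tbs(subject, pub, issuer):
    """The 'to be signed' part of a toy certificate."""
    return f"{subject}|{pub[0]}|{pub[1]}|{issuer}".encode()


def issue(subject, pub, issuer_name, issuer_priv):
    """A toy certificate: the issuer vouches for subject's public key."""
    return {"subject": subject, "pub": pub, "issuer": issuer_name,
            "sig": sign(issuer_priv, tbs(subject, pub, issuer_name))}


def verify_chain(leaf, intermediates, trust_store, max_depth=5):
    """Walk from the site's certificate up to a CA the browser ships with."""
    cert = leaf
    for _ in range(max_depth):
        issuer = cert["issuer"]
        data = tbs(cert["subject"], cert["pub"], issuer)
        if issuer in trust_store:                       # reached a pre-loaded CA
            return verify(trust_store[issuer], data, cert["sig"])
        parent = intermediates.get(issuer)
        if parent is None or not verify(parent["pub"], data, cert["sig"]):
            return False                                # unknown issuer or bad signature
        cert = parent                                   # now check the CA's own certificate
    return False


# Constructed parties (primes chosen for readability, not security).
ROOT_PUB, ROOT_PRIV = make_keypair(1000000007, 1000000009)
INT_PUB, INT_PRIV = make_keypair(998244353, 2147483647)
BANK_PUB, BANK_PRIV = make_keypair(999983, 1000003)
ROGUE_PUB, ROGUE_PRIV = make_keypair(65521, 104729)

TRUST_STORE = {"Root CA": ROOT_PUB}                    # what the browser ships with
INTERMEDIATES = {"Intermediate CA": issue("Intermediate CA", INT_PUB, "Root CA", ROOT_PRIV)}
BANK_CERT = issue("mybank.example", BANK_PUB, "Intermediate CA", INT_PRIV)
# A fake site claiming the same name and issuer, but signed with its own key.
FAKE_CERT = issue("mybank.example", ROGUE_PUB, "Intermediate CA", ROGUE_PRIV)

if __name__ == "__main__":
    msg = b"pay invoice 42"
    sig = sign(BANK_PRIV, msg)
    print("signature verifies with bank's public key:", verify(BANK_PUB, msg, sig))
    print("session key round-trips:", decrypt(BANK_PRIV, encrypt(BANK_PUB, 123456789)) == 123456789)
    print("real bank cert chains to Root CA:", verify_chain(BANK_CERT, INTERMEDIATES, TRUST_STORE))
    print("fake bank cert chains to Root CA:", verify_chain(FAKE_CERT, INTERMEDIATES, TRUST_STORE))
```

The fake certificate fails not because its name is wrong (it claims "mybank.example" and "Intermediate CA" just like the real one) but because the signature does not verify under the intermediate's real public key; that is the check the text describes the browser making before it trusts a site.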

What is a Botnet

Botnets are a sophisticated form of malware. A botnet is a group of computers controlled remotely by an attacker. The computers are typically distributed all over the Internet making them difficult to track down and almost impossible to shut down. It is believed that most botnets are operated by criminals for financial gains.

The early computer viruses were mostly made for fun or fame. Many of them could be annoying but did not do any real damage; a few were harmful, but they seldom survived for long. But none of them brought in any money for the creators. Things have changed a lot since the good old days; nowadays malware can be a very lucrative business. And the most lucrative of all malware are botnets.

So what is a botnet? A botnet is a collection of computers that have been infected so that they can be controlled remotely. Botnets can be made up of a huge number of infected computers; the largest botnets are made up of hundreds of thousands of computers. The person controlling the botnet is known as the botnet operator or the bot master.

While many viruses are easy to detect, unfortunately sometimes only after they have damaged the computer, botnets are very difficult to detect. The whole point of a botnet is to control as many computers as possible for as long as possible. This can only be achieved by using stealth, making the malware as unobtrusive as possible. The infected computer is only used for small tasks which don’t put much load on the computer.

The main use of botnets is to send spam emails, everything from promoting overpriced products to phishing for login information. But botnets can be used for many other purposes. DDOS, distributed denial of service, attacks are often suspected to come from botnets. They can also be used to generate fake web traffic and so called click fraud. The botnet software can also include spyware used for identity theft.

Controlling a huge number of computers all over the world can be profitable. It is believed that many of the largest botnets are controlled by organized crime. These organizations can pay for skillful programmers, which explains why many botnets are very sophisticated, far beyond the level of normal computer viruses.

Botnets used to be controlled from one central point; this made it easy for the botnet operator to control the infected computers. But it was also a single point of failure and made it relatively easy to detect and destroy a botnet. That said, the infected computers in a botnet that has been shut down can often be taken over again by the same operator using a new central server. The botnet operators quickly realized that if the botnet was controlled from one single computer, the whole network was very vulnerable. Therefore, nowadays centralized botnets are often managed by a few computers, giving the bot master the possibility to control the network even if one of the central servers is compromised.

But botnets that are managed from a few servers are still relatively easy to block. To make it more difficult to destroy botnets, peer-to-peer (P2P) botnets have been developed. In these networks, every peer, that is every computer, can act as a control server. Such botnets are much harder to detect and shut down; there is no single point of failure.

Protecting yourself against botnets is done in the same way as against standard computer viruses. Make sure that you install all security patches and use anti-virus software. But botnets often use a number of attacks. Often they scan networks for vulnerable computers which can make it very difficult to get rid of a botnet if it gets inside your network.

Anti-virus programs are good at removing botnets from your computer but botnets have started to become polymorphic, making it more difficult for virus scanners to detect them. The problem with botnets has become so large that ISPs are cooperating to block the control traffic.