Categories
Security

Three Incident Response Preparations You Should Be Making

In the context of cybersecurity, the adage “An ounce of prevention is worth a pound of cure” is a massive understatement. Make no mistake, the easiest way to handle a security incident is to prevent it from ever happening in the first place. We continually remind our readers about security best practices because the time spent implementing them is nominal compared to the time that would be spent responding in the aftermath of a successful attack.

This post is Copyright 2018 Defiant, Inc. and was published on the wordfence.com official blog. Republication of this post without permission is prohibited. You can find this post at: https://www.wordfence.com/blog/2018/07/three-incident-response-preparations-you-should-be-making/

The unfortunate reality, however, is that sites continue to fall victim to malicious activity every day. Even perfectly responsible site owners who follow every security guideline in the book need to prepare for the possibility of a critical security incident. Similar to household emergency readiness preparations, like owning an appropriately classed fire extinguisher or keeping a first aid kit, there are a few favors you should be doing for yourself as a site owner to help you get back on your feet in the event of a disaster.

Logs Or It Didn’t Happen

When an owner hears for the first time that their site has been compromised, the first question on their mind is usually the same: How? It’s a natural response, and it’s a question that security firms are commonly brought in to investigate. Forensic review of the breached system can provide answers in some cases, but the efficacy of these efforts frequently hinges on the existence of reliable event logs to be reviewed.

Server logs provide investigators with a dataset they can use to establish a timeline of events leading up to and during an attack. By identifying the activity taking place and its source, it can be possible to determine the scope of the compromise. That intelligence is how you can know whether an attacker had access to your users’ data or if you simply fell victim to a defacement campaign, and being able to confidently disclose these details to your users can be crucial in dampening the impact to your business’s reputation following an attack.
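To make the timeline idea concrete, here is an added shell example (not code from the original post) that pivots from a single indicator of compromise in a combined-format (Apache or nginx) access log to every request made by the same client, which is usually the fastest way to scope what an attacker touched. The log lines are constructed for the example, and the dropped file name `cmd.php` is a hypothetical indicator, not one taken from any real incident.

```shell
#!/bin/sh
# Added example: pivot from one indicator of compromise to a per-client timeline
# using awk over a combined-format access log. The sample log lines below are
# constructed for this example; "cmd.php" is a hypothetical indicator.

# attack_timeline LOGFILE INDICATOR
# Finds the first request whose path contains INDICATOR, takes its client IP
# (field 1 of the combined log format) and prints every request made by that
# client, in log order, as: timestamp method path status
attack_timeline() {
    logfile=$1
    indicator=$2
    ip=$(awk -v p="$indicator" 'index($7, p) { print $1; exit }' "$logfile")
    if [ -z "$ip" ]; then
        echo "indicator '$indicator' not found in $logfile" >&2
        return 1
    fi
    echo "# client $ip first touched $indicator; full activity for that client:"
    awk -v ip="$ip" '$1 == ip {
        ts = $4; sub(/^\[/, "", ts)   # drop the leading "[" of the timestamp field
        m  = $6; sub(/^"/, "", m)     # drop the leading quote of the request method
        printf "%s %s %s %s\n", ts, m, $7, $9
    }' "$logfile"
}

# count_events LOGFILE INDICATOR: number of timeline entries (header excluded)
count_events() {
    attack_timeline "$1" "$2" | grep -vc '^#'
}

# make_sample_log PATH: writes a small constructed access log in combined format.
# 203.0.113.7 logs in, edits a theme file and then calls the dropped script.
make_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.7 - - [10/Jul/2018:02:14:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2411 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jul/2018:02:14:05 +0000] "GET / HTTP/1.1" 200 10342 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2018:02:14:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2018:02:15:31 +0000] "POST /wp-admin/theme-editor.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Jul/2018:02:16:00 +0000] "GET /about/ HTTP/1.1" 200 8010 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2018:02:16:12 +0000] "GET /wp-content/themes/twentyseventeen/cmd.php?c=id HTTP/1.1" 200 48 "-" "curl/7.58.0"
EOF
}

# Stand-alone demo: build the sample log and print the attacker's timeline.
# On a real server: attack_timeline /var/log/apache2/access.log cmd.php
tmp=$(mktemp)
make_sample_log "$tmp"
attack_timeline "$tmp" "cmd.php"
rm -f "$tmp"
```

The first line of the resulting timeline (the login page request) is the earliest point the attacker is known to have been present, so retention needs to reach back at least that far; if the indicator was found a month after the fact and the host only kept two weeks of logs, this pivot is impossible.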

Log retention policies seldom come up in the conversations between new site owners and their prospective hosting companies, so it’s possible to unknowingly be a step behind in this process based simply on your site’s provider. If a host has an opt-in logging policy, or defaults to very short log periods, in all likelihood an inexperienced user will have no usable logs of a security event by the time they’ve been made aware of the issue.

Just how long to retain server logs for security purposes depends heavily on your industry and location. Industry compliance regulations may demand retention minimums or specific destruction timeframes, and regional regulations can introduce their own requirements. If you believe that your site might fall under such restrictions, consult with a legal expert familiar with your particular case. Otherwise, the amount of log history to maintain depends on how closely you monitor your site in other ways. If a site doesn’t see much attention under the hood it’s much more likely that a compromise can go undetected for months, so lower-maintenance sites might opt to retain logs longer to shore up that disadvantage a bit.

If your site is running on shared web hosting, take a moment to identify how your host handles access logging. Standard cPanel-based hosting accounts are becoming more and more common and default to a functional logging policy unless the host enforces changes, but proprietary hosting solutions may not play so nicely in every case. Either way, ensure that you’re able to archive and retain logs for an appropriate amount of time for your needs.

If your site lives on a server you have more direct control over, you can really roll up your sleeves and set up your logging however you like. For example, your run-of-the-mill Linux webserver is probably using logrotate to manage the storage and archival of its various logfiles. Logrotate uses a fairly simple configuration syntax to build rotation rules, so it’s easy to set a retention policy for just about any purpose. Windows servers manage the Windows Event Log themselves, but each log has a fixed maximum size and overwrites its oldest entries once that size is reached, so check that the Security log is large enough to cover your retention window; IIS access logs are plain text files that are never cleaned up automatically, so they need their own archival plan.
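As an added example (not from the original post), the following shell function writes a logrotate policy that keeps a full year of daily, compressed web server logs. The paths, the `apache2` service name and the one-year figure are assumptions to adapt to your own server; the contrast is with typical distribution defaults that keep only about two weeks of rotations.

```shell
#!/bin/sh
# Added example: generate a logrotate policy for a Linux web server. Not the
# original post's code; paths, service name and retention are assumptions.

# write_logrotate_policy CONFIG_FILE 'LOG_GLOB' RETAIN_DAYS
# Writes a stanza that rotates LOG_GLOB daily and keeps RETAIN_DAYS compressed
# copies, each named with its date (dateext). A common distribution default is
# "rotate 14", i.e. two weeks, which leaves nothing for a breach found a month
# later. "create 0640 root adm" follows the Debian/Ubuntu convention for log
# ownership; the postrotate reload is for Apache on those systems.
write_logrotate_policy() {
    conf=$1
    logglob=$2
    retain=$3
    case $retain in
        ''|*[!0-9]*|0) echo "RETAIN_DAYS must be a positive integer" >&2; return 1 ;;
    esac
    cat > "$conf" <<EOF
$logglob {
    daily
    rotate $retain
    dateext
    compress
    delaycompress
    missingok
    notifempty
    create 0640 root adm
    sharedscripts
    postrotate
        systemctl reload apache2 >/dev/null 2>&1 || true
    endscript
}
EOF
}

# retention_days CONFIG_FILE: reads back the configured "rotate" count
retention_days() {
    awk '$1 == "rotate" { print $2; exit }' "$1"
}

# Stand-alone demo: write the policy to a temporary file and display it.
# On a real server:
#   write_logrotate_policy /etc/logrotate.d/apache2 '/var/log/apache2/*.log' 365
#   logrotate -d /etc/logrotate.d/apache2      # dry run, shows what would happen
tmp=$(mktemp)
write_logrotate_policy "$tmp" '/var/log/apache2/*.log' 365
cat "$tmp"
rm -f "$tmp"
```

`delaycompress` keeps the most recent rotated file uncompressed for one cycle so a process that still has it open can finish writing, and `dateext` gives rotated files names like `access.log-20180710.gz`, which makes it obvious at a glance whether the retention window actually covers the period you need to investigate.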

If You Have One Backup, You Have No Backups

If the scope of an attack isn’t conclusively determined, or if a compromise has left a site owner uncertain of the continued integrity of their environment, it often becomes necessary to revert to a known-good backup of the site. This also facilitates the process of migrating a site from a compromised server to a new host while minimizing the potential to include infected code in the migration.

Of course, an owner’s ability to restore a site from backup depends entirely on whether they were making the backups to begin with. This, again, is a problem many unfortunate business owners fail to identify until it’s too late to be of use. Maybe they assumed their hosting provider was handling their backups for them, or that their site was so stable that they’d never need backups to begin with. Either way, a site needs backups.

To be clear, we’re using the plural “backups” very intentionally. Your filesystem and database contents are typically changing constantly, especially with a dynamic web application like WordPress running the site, so as backups get older they begin to lose usefulness. At the same time, having backups across a span of time can help ensure there’s a clean backup if a breach went unnoticed for too long.

There’s a commonly repeated guideline for backups called the 3-2-1 rule which suggests keeping three copies of your data, on two different media, with one off-site. It’s a pretty basic guideline, one which has been around for a while and may be due for a revamp in the age of cloud storage, but its basic tenets are sound. You can pull the numbers from the rule and still end up with sound advice: Keep redundant copies of your data, diversify how your data is stored, and make sure at least some backups are accessible regardless of the nature of the disaster.

One point that the 3-2-1 rule does fail to address is the need to test your backups. The aftermath of a cyberattack is the worst possible time for you to learn that your backup script broke five months ago. Periodically check your backups for integrity and watch closely for errors reported by any automated scripts you’re running. For critical systems, consider performing complete disaster recovery tests by spinning up a temporary server and restoring a backup to a running environment.
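The checks described above can be automated. Here is an added shell example (not from the original post) that records a checksum manifest when backups are taken and later verifies that the archives are present, recent enough, unmodified and actually readable. It assumes backups are `.tar.gz` archives in a single directory and that either GNU `sha256sum` or `shasum` is available; the directory names and thresholds are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): verify that site backups exist,
# are fresh, are unmodified and can be read. Assumes .tar.gz archives in one
# directory; thresholds and paths are placeholders to adapt.

# Checksum tool: GNU coreutils sha256sum, or Perl shasum on BSD/macOS
if command -v sha256sum >/dev/null 2>&1; then
    SUM="sha256sum"
else
    SUM="shasum -a 256"
fi

# make_manifest BACKUP_DIR
# Records a checksum for every archive, to be run by the backup job itself.
# Keep a copy of the manifest somewhere the backup host cannot overwrite, so
# an attacker who alters an archive cannot also rewrite the manifest to match.
make_manifest() {
    dir=$1
    : > "$dir/SHA256SUMS"
    for f in "$dir"/*.tar.gz; do
        [ -f "$f" ] || continue
        ( cd "$dir" && $SUM "$(basename "$f")" ) >> "$dir/SHA256SUMS"
    done
}

# verify_backups BACKUP_DIR MAX_AGE_DAYS MIN_COUNT
# Returns non-zero if fewer than MIN_COUNT archives exist, no archive is newer
# than MAX_AGE_DAYS (the backup job probably broke), any checksum mismatches,
# or any archive cannot be listed by tar. Prints one line per finding.
verify_backups() {
    dir=$1; max_age=$2; min_count=$3
    rc=0
    count=$(find "$dir" -maxdepth 1 -name '*.tar.gz' | wc -l | tr -d ' ')
    if [ "$count" -lt "$min_count" ]; then
        echo "FAIL: only $count archive(s) present, need at least $min_count"; rc=1
    fi
    fresh=$(find "$dir" -maxdepth 1 -name '*.tar.gz' -mtime -"$max_age" | wc -l | tr -d ' ')
    if [ "$fresh" -eq 0 ]; then
        echo "FAIL: no archive newer than $max_age day(s); is the backup job still running?"; rc=1
    fi
    if [ -f "$dir/SHA256SUMS" ]; then
        if ! ( cd "$dir" && $SUM -c --quiet SHA256SUMS >/dev/null 2>&1 ); then
            echo "FAIL: checksum mismatch; an archive was modified or corrupted"; rc=1
        fi
    else
        echo "FAIL: no SHA256SUMS manifest in $dir"; rc=1
    fi
    for f in "$dir"/*.tar.gz; do
        [ -f "$f" ] || continue
        if ! tar -tzf "$f" >/dev/null 2>&1; then
            echo "FAIL: $f is not a readable tar.gz archive"; rc=1
        fi
    done
    if [ "$rc" -eq 0 ]; then
        echo "OK: $count archive(s), newest within $max_age day(s), checksums and archives verified"
    fi
    return $rc
}

# Stand-alone demo with a constructed archive in a temporary directory.
# On a real host, run make_manifest from the backup job and verify_backups
# from a daily cron entry that alerts on non-zero exit.
demo=$(mktemp -d)
echo "constructed sample content" > "$demo/wp-config.php"
tar -czf "$demo/site-2018-07-09.tar.gz" -C "$demo" wp-config.php
make_manifest "$demo"
verify_backups "$demo" 7 1
rm -rf "$demo"
```

Listing each archive with `tar -tzf` catches truncated or half-written files that a checksum taken after the damage would happily confirm, which is exactly the "backup script broke five months ago" failure; a full restore into a scratch environment remains the only complete test.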

It sounds boring, but spending the time every now and then to make sure your backups are reliable brings with it a great deal of peace of mind. Simply put, it’s better to have them and not need them than to need them and not have them.

Hope For The Best, Plan For The Worst

While there are precautionary measures in place to prevent fire hazards in an office building, the workers in the building need to know there are fire alarms and an emergency exit plan just in case. By the same token, the members of your organization need to have a security incident response plan in place to ensure the issue is handled appropriately.

Depending on the size of your business, your incident response plan can be as simple as a sheet of instructions or a massive PDF document with diagrams and walkthroughs. Regardless of size, this document should clearly establish at least these few important pieces of information pertinent to the immediate aftermath of an incident:

Who is the person or team in charge of responding to security incidents?
Include any relevant contact information. If you retain the services of a third party team for your security, be sure to make note of who is authorized to contact them.

Which other parties need to be involved in which situations?
Above a certain scale, where your infrastructure relies on multiple teams, the security team handling the incident may not be directly familiar with the affected systems. Identify who needs to be called for each system, so your incident handler knows how to contact your database administrator for a database breach without pinging your entire IT staff.

What defines success in your response?
The key is to have measurable goals. These goals could be to limit service disruptions, or to publish a public disclosure of the event within a certain timeframe, et cetera.

Are there any mandatory steps that need to be taken?
If your region or industry imposes disclosure timeframes or other incident handling regulations, put these in plain language in your plan. Assign ownership of these steps to relevant parties to ensure they don’t slip through the cracks.

Include this information alongside details of where backups and logs are stored, and any other information that may be pertinent to your organization’s response. Having a predefined plan accessible to your team allows your organization to hit the ground running after a successful attack takes place, where time is critical. Even if your team is small and the contents of a plan could probably just be assumed, putting it on paper helps to remove any ambiguity in what is already a stressful event.

Conclusion

A common thread in the world of security advice is that any effort you’re able to give is going to be more effective than not doing anything. Even if you don’t have the capital to implement a redundant and scalable automated backup strategy for your site, you can at least set a reminder to yourself to pull a backup of your site down to a local drive once a week. Just put something into place sooner rather than later, because you can always improve it further down the road.

The post Three Incident Response Preparations You Should Be Making appeared first on Wordfence.


PSA: Lessons From The Atlanta Ransomware Situation

In the past few days the City of Atlanta has been hit with a ransomware attack. Several major computer systems that provide city services have been encrypted by an attacker. The attacker is demanding $51,000 worth of bitcoin to decrypt the systems, and the city has not yet ruled out paying the ransom. The attack occurred five days ago, and as of this writing, the systems remain inaccessible.

Yesterday, Mayor Keisha Lance Bottoms held a press conference to discuss the problem. So far the mayor and her team seem to be doing a great job of putting together a coordinated and multipronged response to deal with the incident.

What struck me about the conference is that it was the kind of conference a city holds when dealing with a physical disaster. The mayor actually described it as a “hostage situation” towards the end of the conference. This is the tangible impact of a cyber attack on a local government.

The City of Atlanta is working with the Secret Service, FBI, Department of Homeland Security and academic and private institutions, including Georgia Tech and SecureWorks. They have completed the investigation and containment phase of the incident response and have moved on to the restoration phase where they work to bring critical systems back online, but at this time the affected systems are still encrypted.

Many of Atlanta’s systems have now been down for five days, though critical systems such as police, fire, rescue, 911, water services and airports are operational and continue without interruption. The departments affected include:

  • Department of City Planning and Office of Buildings: Processing times are longer than normal.
  • Office of Zoning and Development: Processing times are longer than normal.
  • Office of Housing and Community Development: Office is unavailable to process disbursement requests.
  • Municipal Court: The Department of Corrections has switched to a manual ticketing system for defendants who have been arrested and taken into custody. No “failure to appear” for court will be generated at this time and all cases will be reset.
  • Department of Watershed Management: Online bill payments and in-person bill payments are down.

Mayor Bottoms has described this as: “Bigger than a ransomware attack. This is an attack on our government, which makes it an attack on all of us.” She goes on to say that “what has been attacked is digital infrastructure. As elected officials, we tend to focus on things people see. But we have to make sure that we focus on the things that people can’t see and digital infrastructure is very important.”

The city does not currently have a time estimate for when they will get all of their systems back up and running. They are working around the clock, and they are actually concerned that some of the team that has responded to this incident may burn themselves out, so they are managing that aspect of the task, too.

They have confirmed that it was a remote attack that compromised their systems. The city was reportedly hit by the SamSam ransomware. This ransomware variant has made the attackers $850,000 since December 2017. According to CSO Online, the city had many services exposed to the public, which could have provided an attacker with a point of entry, including “VPN gateways, FTP servers, and IIS installations.” Many services had SMBv1 enabled, which has known security issues.

One thing I found interesting about the mayor’s comments was an analogy she used: an old truck she had owned. She didn’t think she had to replace it until she was in a wreck, and then she had no choice. Her analogy makes it clear that the city should have updated its security posture before this incident occurred. Now that it has occurred, they are forced to take action to resolve the issue and secure their systems going forward, but at great cost and inconvenience.

I think this is a valuable lesson, and something that WordPress site owners should take to heart. It is important to be proactive when it comes to securing your systems and educating yourself about cybersecurity. Don’t wait until you get hacked before you take action. If you have a WordPress website, install a malware scanner and firewall like Wordfence and use our blog, learning center and Wordfence documentation to empower yourself and secure your website. We have also written about ransomware as an emerging threat to WordPress in the past.

Ransomware mainly targets desktop systems. To protect your home or office systems from a ransomware attack, take the following steps:

  • Ensure you have regular backups and that those backups are offline. They must not be accessible from the workstation that is being backed up to ensure that ransomware cannot also encrypt your backups when you get infected.
  • Install the latest security patches for Windows, macOS, Android, iOS and any other operating system that you use. Along with backups, this is the most effective thing you can do to protect yourself.
  • Install any application updates, especially browser updates. Make sure you are not running an old vulnerable browser, or else simply visiting a compromised website can infect you.
  • Install a desktop antivirus solution and ensure it has updated virus signatures, or alternatively, enable Windows Defender, which is free.
  • Do not open attachments or downloaded files from untrusted sources. Avoid using file attachments completely if you can, and use cloud services like Google Docs instead.
  • Do not click links in emails from people you do not trust. 

Bringing Cybersecurity Education to Atlanta in April

WordCamp is a WordPress conference that happens in cities around the world throughout the year. WordCamp Atlanta will be held April 13-15, 2018. Our team will be there, and we will be hosting a unique event to help participants learn more about WordPress security and cybersecurity in general.

Our team will be hosting a ‘Capture The Flag’ or CTF event at WordCamp Atlanta. A CTF is a contest where participants have to complete a series of challenges to capture ‘flags’. The challenges range from completing a technical task to solving a puzzle to hacking into a system. CTFs are designed to teach participants how to secure computer systems better. They get participants to think like a hacker, and in doing so, participants learn how to better defend against attacks.

As far as I know, this is the first time that a CTF is going to be held at a WordCamp. These events are usually found at hacker conferences like DefCon and BSides. The CTF that we are hosting has been created by our top security researchers and is focused around WordPress security. We will also have five of our team members there to help you get started and to chat with you about security, including several senior Wordfence developers.

If you are just starting out in WordPress or security, don’t panic! Our team has worked hard to make sure that this CTF has something for everyone. So visit us at our booth at WordCamp Atlanta and we’ll help you get set up and capturing your first flags in no time at all! You may even win a prize or two!

Our top prize for the contest is a PlayStation 4 with full Virtual Reality setup, including a headset, motion controllers and a VR game. We also have a ton of other prizes I think you’ll really like. If you can make it to WordCamp Atlanta this year to participate, I highly recommend you give the CTF contest a shot. Not only do you have the chance of winning an amazing prize, but participating in the CTF will empower you to secure WordPress and your websites.

If you don’t have a ticket for WordCamp Atlanta yet, I suggest you buy one now if you plan to attend. At the time of writing there were only 87 tickets left, and those will probably go quickly. You can purchase your ticket here. When you arrive, make sure you come over and visit us at our booth and we’ll help you get set up to participate in the CTF.

If you can’t make it to WordCamp Atlanta, don’t despair. We will be hosting future events, and will let you know about them via our blog.

The post PSA: Lessons From The Atlanta Ransomware Situation appeared first on Wordfence.


Staying Safe: The Wordfence Cyber Security Survival Guide

Occasionally at Wordfence we publish posts that are public service announcements that help the broader online community including your team, friends and relatives. Today I’m publishing a guide that will help improve your overall personal cyber security. This guide focuses on the basics: How to reduce the truly important life altering risks that we face from the cyber realm.

This is a “cyber security survival guide”. In it I’m going to start by giving you a clear picture of the current state of cyber security. Then I’m going to help you prioritize what you should be protecting. In this guide I am focusing on the biggest risks that we are all presented with. This is, after all, a survival guide. Finally I will explain how to reduce risk for each category.

I have written this guide to be as readable as possible. It is designed to be shared with your less technical friends and family. Most of my day is spent focusing on protecting our customer websites from attack. Today I am focusing on the bigger picture, the important basics, like protecting your physical safety and your basic financial means.

“Si vis pacem, para bellum.” ~Vegetius. Circa 4th century.

Translation: If you wish for peace, prepare for war.

The hostile cyber security environment we find ourselves in today would startle even the most cynical predictions of a decade ago. This guide will improve the security posture of anyone who has an online presence, which today means everyone. In addition, today is “Safer Internet Day”, so this is our contribution to helping improve the safety of the online community.

The State of Cyber Security

Your data has a 2 in 3 chance of already having been stolen and it will be stolen again and again. It doesn’t matter if you use secure passwords and have two factor authentication enabled on your accounts. It doesn’t matter if you are old or young, male or female, which country you are based in or which services you use and which companies you do business with.

At various points in your life your data will be stolen. And it will, in all likelihood, be stolen repeatedly.

Today, 64% of Americans have already had their data stolen through data breaches. That is almost 2 out of three people. This percentage is rapidly trending towards 100% of the population in the US alone.

In the past 3 years we saw the first data breach of over 1 billion user accounts with the Yahoo breach. That breach affected 1 in 7 people on planet Earth. In the United States, the OPM breach saw the data of our top spies stolen, including their fingerprints, personal data and their answers to some very personal questions during an interview using a lie detector. Even our intelligence services can’t protect highly confidential personnel data.

Data has been stolen in the hundreds of millions of records from private companies, intelligence agencies and the military. Even companies who are experts in security have had their data stolen too.

Data that has been stolen includes usernames, passwords, email addresses, social security numbers, biometric data, medical records and more.

How Data is Stolen

Even if you use a strong password, two factor authentication and security best practices, your data will still be stolen because the companies whose services you use in some cases will fail to protect their own networks.

The trend at this point is undeniable and the track record so far makes it clear: Companies and government organizations are being breached at an increasing rate and the breaches are becoming increasingly severe.

If you would like a visual representation that illustrates this point, visit dataisbeautiful.com and take a look at their bubble chart visual showing breaches since 2004. As you scroll up through the years, the bubbles become bigger and more abundant until they simply merge into each other.

Prioritizing What We Need to Protect as Individuals

If data breaches are the new normal and if you accept the premise that they are inevitable and unavoidable, the problem we need to solve in our personal and business lives becomes “How do I reduce the risk and the impact of a breach?”

It’s helpful to start this conversation by prioritizing what we need to protect. Once again, in this post I am focusing on the really important items and people in our lives. In order of importance, in the cyber realm we need to protect:

  1. Information about us that may help criminals target us in the real world.
  2. Our financial means. In other words, savings accounts, ability to borrow and our assets.
  3. Sensitive personal information like medical records, tax data and other private data.
  4. Our ability to earn an income through our reputation and our ability to provide products or services, including our own labor, to others.

The above list is, in my opinion, in order of importance.

I think we all agree that our personal safety and the physical safety of those we care about is number one on the list. Most of the items on this list are things that can be fixed or recovered from. A human life is irreplaceable. Reducing the risk of real world targeting by criminals through the cyber realm is therefore at the top of the list.

Financial means is second because without your savings and income, you don’t have the ability to feed, clothe and house yourself and your family. If your savings account is emptied, you may literally find yourself homeless without the ability to fend for yourself.

Sensitive personal data is third on the list. Having sensitive medical data disclosed, for example, can irreparably damage or affect some people’s lives. This is not something that can be repaired or undone.

Fourth on the list is our ability to earn an income. If you are unable to earn an income, or your reputation is damaged, your quality of life and that of your family will be severely impacted.

Preventing Real World Targeting via Cyber

In most developed countries, it is rare to hear stories of real-world targeting of individuals through information they have ‘leaked’ into the cyber realm. Most of the world is still developing economically and has a high disparity in wealth distribution. The reality in many countries that are still developing is that crime is significantly higher than in developed countries like the United States, Australia or the United Kingdom, for example.

Kidnapping for ransom, carjacking and robbery are a reality in many parts of the world. In order to reduce your own risk of being targeted if you are in a high risk environment, I suggest the following:

  1. Never flaunt high value items online, including cars and jewelry.
  2. Share your location in general terms and if you want to share a specific location, do it after you have left that location.
  3. Don’t share information that may indicate when you have been paid.
  4. Consider making social profiles only accessible to people you have approved. Your social profile can provide someone with enough data to give you the impression they know you or are a friend of a friend.
  5. If you work in a job with privileged access or access to sensitive data, avoid disclosing who your employer is and your position. This includes disclosure on public websites like LinkedIn.

Protecting Your Financial Means

In this section I’m not concerned with credit card fraud. That risk falls on the vendor and the transactions can be reversed. Instead, I’m focused on the kind of risk that can have a permanent impact on your long term financial well-being.

If an attacker is able to authorize a wire transfer from your savings account, they can empty your bank account and the funds may never be recoverable. This risk applies to savings accounts, checking accounts and investments like brokerage accounts and money market accounts.

If they are able to borrow in your name, it can permanently damage your credit score and your ability to borrow money to buy a home, for example.

I suggest taking the following steps to reduce the risk of large scale financial fraud:

  1. Make a list of savings accounts and investment accounts. Audit each account to determine how you prove your identity when transferring funds and get a clear understanding of what an attacker would need to do to commit fraud on each account. Contact banks, brokerages and lenders where necessary to get the data you need.
  2. Implement any additional security that your bank provides. This may include:
    • A callback to a predetermined number,
    • Authorization from multiple parties required before transferring funds,
    • Two factor or hardware based authentication and
    • Limiting transaction size when you are not at the bank in person to perform the transaction.
    • Your bank may also provide real-time alerts when a transaction is processed.
  3. Monitor your account statements weekly for unauthorized activity. Make this a routine.
  4. If you are in the United States, place a credit freeze on your credit report. This restricts access to your credit report and makes it difficult for thieves to open new accounts in your name which allows them to borrow money as you. You may have a similar option in your own country if you don’t live in the USA.
  5. Also in the US, you can place a fraud alert on your credit report. This lasts 90 days and forces a business to verify your identity before issuing credit in your name. You can renew the fraud alert every 90 days. Outside the US you may find that your own country has similar protections available that prevent unauthorized borrowing.

In all of the above cases if you are able to choose a password, use a complex password and use a password manager like 1Password to store and manage your long and complex passwords.

Protecting Sensitive Data About You

Sensitive data that you need to protect may include medical records, tax information and your own social security number. There are two surprisingly easy ways you can help protect your own personal data.

Firstly, try to avoid creating data about yourself. If it doesn’t exist, it doesn’t need protection. You will frequently find forms that ask you for your social security number or equivalent. Most of the forms I encounter asking for this don’t actually require that information. I simply don’t enter it and rarely receive a complaint. Skip any optional forms and optional form fields. When entering sensitive data, find out if it is required or optional.

Secondly, the best way to protect data is to delete it. Once again, if it doesn’t exist, it doesn’t need protection. If you have old data on a workstation that is sensitive but that you don’t need to keep, delete it and empty your trash. Be aware that emptying the trash only frees the space; the bytes stay on the disk until they are overwritten, so for truly sensitive files use a secure-delete tool or, better, keep the whole disk encrypted so that ordinary deletion is good enough. If you have old databases lying around on servers that you don’t need but that present a risk, drop them. Don’t hoard sensitive data.

Where you do need to store and protect data on your own systems, use hard drive encryption if it is available for your operating system. Password protect your devices including your cellphone, tablets, laptops and workstations. Use complex codes, gestures or passwords.

In the medical domain it is difficult to protect your data. You don’t control where the data is stored and who has access to it. Medical data can be shared widely among providers which creates a large attack surface with many potential points of entry. Currently the best approach is to do your best to avoid creating data about yourself in the first place.

Protecting Your Ability to Earn an Income and Your Reputation

Most of us rely on IT infrastructure in some way to make our living. Whether you are an architect, photographer or computer programmer, it is important that you secure the systems you use. Here are a few tips to secure your own systems and the services you use:

  • If you publish a WordPress website, install a malware scanner and firewall like Wordfence to keep hackers out and detect any intrusions.
  • Use a password manager like 1Password to automatically generate and store long complex passwords that are different for each system you access. That way if one provider experiences a data breach, your other accounts won’t be compromised.
  • Secure your phones, tablets and workstations by using disk encryption where available on workstations and use complex passwords, codes or gestures that are required to gain access.
  • Avoid adding data to systems and services that you don’t need to. Once again, the best way to protect data is to delete it or to not create it in the first place.
  • Enable two factor authentication on all services that you use.
  • Consider using a YubiKey for cloud services. A YubiKey is a hardware two-factor authentication device. An increasing number of cloud providers are supporting hardware authentication. Enable this where you can. YubiKey adoption is increasing rapidly as it becomes more popular.
  • Keep backup drives in a secure place and destroy their data if they are no longer needed. Never simply throw backup drives or devices in the trash. Wipe them using secure drive wiping software. For SSDs and flash media, where overwriting is unreliable because the drive decides where data physically lands, use the drive’s built-in secure erase, encrypt the drive from the start so that discarding the key is enough, or physically destroy it.

Protecting Your Reputation

If you use social media, never simply ‘Share’ or retweet someone else’s post until you have fully read it, understood it and also understand any context around it. If you accidentally share something that is highly controversial without fully understanding what you’re sharing, you may find your professional reputation severely damaged.

Secure any social media accounts that you own. If your account is hacked, it may be used for spam which could damage your online reputation.

Secure any websites that you own. If your website is hacked, it will damage your search engine ranking and infuriate your customers if their data is stolen. This can have a severe impact on your reputation. If you use WordPress, install Wordfence which will help prevent a hack.

Make sure that your email accounts are secure. If your email account is compromised, your contacts list is also compromised. This usually results in your contacts receiving phishing emails that also try to hack their email accounts. They may also receive spam. This will damage your reputation among your contacts. Brian Krebs has a great writeup on the value of a hacked email account.

When installing apps on your smartphone, avoid installing apps that are aggressively viral. Some apps gain access to your contacts list and can SMS, private message or email your contacts a message from you that suggests they also sign up for the service. These messages can be infuriating and won’t help your reputation among your friends and colleagues. When installing a new app, think before you click.

Additional Tips and Techniques

How to Avoid Social Engineering

Social Engineering is what happens when someone phones you and pretends to be an organization or individual that you trust. They will try to get sensitive information out of you including passwords, usernames and a description of systems that you have access to.

This kind of attack is common and is used to commit tax refund fraud. It is also used to gain access to your bank accounts. You will even find attackers trying to get access to your workstation by telling you that they have found something wrong and asking you to install their software to fix it.

To avoid social engineering you can use a simple technique. Usually the individual will claim they’re from a reputable company or organization. Simply hang up, find the organization’s central number, call back and ask for that individual or someone in the same role.

Never use a callback number supplied by the caller. Instead, find the organization’s central number via Google or elsewhere online and call that. If the caller claims to be an IRS agent, look up the IRS number and call them back yourself. Use this technique no matter how friendly, polite, aggressive or scary the person on the other end of the line is.

Using the callback method is an effective way to defeat social engineering.

How to Avoid Phishing and Spear Phishing

Phishing is when someone sends you an email that looks like it came from a bank or service you trust. They try to get you to open an attachment that compromises your device or to click on a web link and to sign in on a malicious website.

Spear phishing is the same as phishing, except the email you receive is especially crafted just for you. The attacker has researched you well and knows who your friends, family and associates are. They may know who you work for and what you are working on. The phishing email received in a spear phishing campaign looks much more authentic, appears to come from someone you know and may refer to something you are working on. Spear phishing attacks have a much higher success rate.

To avoid spear phishing campaigns, follow these two simple rules:

  1. Never open an attachment unless you are 100% sure that someone you trust sent it to you. If in doubt, phone them to verify they sent you the file.
  2. Never click on a website link unless you are 100% sure that the person or organization that sent it to you is someone you trust. When you do open the link, check your browser location bar at the top for the following:
    • The location should start with https://
    • The part after https:// should be the domain name of an organization you trust. For example, it should say paypal.com and not paypal.com.badsite.com. Everything between https:// and the next forward slash is the host name, and it should be a name that you trust.
    • The https:// part should be green if you are using Chrome and it should also say “Secure” to the left.
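As an added example (not part of the original guide), here are the location-bar rules above written as a small Python check. The trusted-domain list is a constructed assumption; the function only verifies the scheme and the host name, so a look-alike domain that is spelled differently is still your eyes' job, exactly as in the rules above.

```python
from urllib.parse import urlsplit

# Constructed list of domains the reader trusts (assumption for this example).
TRUSTED_DOMAINS = {"paypal.com", "wordfence.com"}


def link_looks_trustworthy(url: str, trusted_domains=TRUSTED_DOMAINS) -> bool:
    """Apply the two location-bar checks from the list above to a URL.

    1. The scheme must be https.
    2. The host (everything between https:// and the next slash) must be a
       trusted domain or a subdomain of one. 'paypal.com.badsite.com' fails
       because its registered domain is badsite.com, not paypal.com.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False
    # .hostname strips any user@ prefix and port, so 'https://paypal.com@badsite.com/'
    # is judged on badsite.com, which is the host the browser actually connects to.
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    for domain in trusted_domains:
        if host == domain or host.endswith("." + domain):
            return True
    return False
```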

If you receive an email that makes you suspicious in any way, don’t click anything in it, don’t open any attachments, and don’t reply to the email. Instead, contact the person or organization that sent it and ask them what it is about.

Some of the largest data breaches are as a result of spear phishing attacks and the average cost of a successful spear phishing attack is $1.6 million.

Use a Password Manager

I have mentioned 1Password several times in this post as an example of a password manager that helps you use unique passwords across all the services that you use. Using long, complex and unique passwords is one of the most effective things that you can do to protect yourself against future data breaches.

There is an argument that all your “eggs” are in one basket when using a password manager. However, among security professionals it is widely agreed that this risk is outweighed by the benefit of being able to reliably use unique complex passwords across services.

Don’t Create Data You Don’t Have to, Delete Data You Don’t Need

I mentioned this earlier in the post but it bears repeating: to protect yourself from future data breaches, avoid creating data you don’t have to and delete data you don’t need.

Deleting data includes any profiles on websites that you no longer use. If you have an account on a social media site you don’t use, delete your profile. The MySpace breach is a good example: many people no longer use the service, but the breach announced last year affected over 300 million accounts.

Use Backups to Protect Yourself Against Ransomware

One final tip. Ransomware is malware that encrypts your entire hard drive and forces you to pay a hacker to get your data back. Sadly this attack is very effective and many people pay to get their data back, including large organizations. Two thirds of companies that fall victim to ransomware actually pay the ransom.

Use backups to protect yourself against a ransomware attack. Make sure that your backups are not connected to the computer you are trying to protect once the backups have completed or the ransomware may also encrypt your backup drive.

Crashplan is a cloud backup service that can protect you against ransomware. We don’t have any commercial relationship with them but we have heard good things.

Help Keep Friends and Family Safe

I hope this cyber security survival guide improves your security posture online. I have kept it as readable and accessible as possible so that the guide is usable by technical and non-technical readers alike. You can help improve online and offline safety by sharing this with friends and family that may benefit by reading it.

Stay safe!

Mark Maunder – Wordfence Founder/CEO.

The post Staying Safe: The Wordfence Cyber Security Survival Guide appeared first on Wordfence.


Gravatar Advisory: How to Protect Your Email Address and Identity

Update: We’ve added comments at the end of the post pointing out that the National Institute of Standards and Technology (NIST) considers an email address to be personally identifiable information or PII.

Gravatar is a service that provides users with a profile image that can appear on many sites across the Net. It is integrated with WordPress.com (the version of WordPress hosted by Automattic) and is also integrated into WordPress.org, the self-hosted version of WordPress. Gravatar is also used by many other popular services on the web, like StackOverflow.com.

If you sign up for a website on WordPress.com and publish a blog post, a Gravatar icon appears on your site as your profile photo, indicated by the red arrow below. You can visit gravatar.com to customize that icon and upload a photo of your own.

[Screenshot: a WordPress.com post showing the author’s Gravatar icon]

If you use WordPress.org, Gravatars are an option you can enable for your users and they are widely used. It will either show their profile photo if they have gone to Gravatar.com to create one, or it will show a default image. You can select from several kinds of default images.

[Screenshot: the WordPress.org Discussion settings for avatars and default images]

Other services like StackOverflow, one of the most popular sites on the web, also use Gravatar for profile images.

In the HTML source of your website, Gravatar loads images using a hash of your email address. If you read our post earlier this week, where we discuss the problem of malware scanners using weak hashing algorithms, you will have a basic understanding of how a hashing algorithm works. In short, a hash algorithm turns a value into a fixed-length number, and in theory it is difficult to turn that number back into the original value.

Even if you haven’t signed up for a custom profile image at Gravatar.com, a hash of your email address still appears in the source code of any website that integrates this service.

You can see in the screenshot below how Gravatar loads your profile image using a hash of your email address:

[Screenshot: Gravatar in HTML source]
The value that appears after /avatar/ above is: fe967ccdc7b3caa33e0480bb95ae6588
That is a number (in hexadecimal) that is a hash of the email address that I used to create a WordPress.com website. The email I used is gravhashtest@wordfence.com.

I can run a PHP instruction to verify that. If I run the following PHP code, it produces the above hash:

    <?php
    // MD5 of the address, printed as 32 hexadecimal characters
    echo md5('gravhashtest@wordfence.com');

This prints the value: fe967ccdc7b3caa33e0480bb95ae6588
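To make the mechanism concrete, here is an added Python example (not code from the article or from Gravatar). It computes the same MD5 as the PHP line above, adding the trim-and-lowercase normalization that Gravatar documents, and, for a site owner, scans a page’s HTML source for the avatar hashes it publishes. The sample HTML is constructed; the hashes in it are MD5s of the strings "abc" and "hello", not of real addresses.

```python
import hashlib
import re


def gravatar_hash(email: str) -> str:
    """Return the identifier Gravatar derives from an address.

    Gravatar's documented rule: trim whitespace, lower-case, MD5, hex digits.
    Note that nothing secret goes in, so the hash is only as hard to reverse
    as the address is hard to guess.
    """
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def gravatar_url(email: str, size: int = 80) -> str:
    """The avatar URL as it appears in page source."""
    return f"https://www.gravatar.com/avatar/{gravatar_hash(email)}?s={size}"


# Avatar URLs in page source may be absolute or protocol-relative and may use
# the numbered CDN hosts (0.gravatar.com, secure.gravatar.com, ...).
AVATAR_RE = re.compile(
    r"(?:https?:)?//(?:[a-z0-9-]+\.)?gravatar\.com/avatar/([0-9a-f]{32})", re.I
)


def exposed_hashes(html: str) -> list:
    """Return the distinct Gravatar hashes found in a page, in order of appearance.

    A site owner can run this over their own rendered pages to see how many
    email-address hashes each page publishes (one per commenter, typically).
    """
    seen = []
    for match in AVATAR_RE.finditer(html):
        digest = match.group(1).lower()
        if digest not in seen:
            seen.append(digest)
    return seen


# Constructed sample page source (not a real site); the two hashes are
# md5("abc") and md5("hello").
SAMPLE_HTML = """
<div class="comment">
  <img src="https://secure.gravatar.com/avatar/900150983cd24fb0d6963f7d28e17f72?s=64&d=mm" alt="">
  <img src="//0.gravatar.com/avatar/900150983cd24fb0d6963f7d28e17f72?s=128&d=mm" alt="">
  <img src="https://www.gravatar.com/avatar/5d41402abc4b2a76b9719d911017c592?s=64" alt="">
</div>
"""

if __name__ == "__main__":
    # Prints the hash the article shows for its test address.
    print(gravatar_hash("gravhashtest@wordfence.com"))
    print(exposed_hashes(SAMPLE_HTML))
```

Two commenters with the same address share one hash on every Gravatar-enabled site, which is exactly the cross-site linkability discussed later in the post.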

Using Gravatar and GPU cracking to steal email addresses

If I want to steal a lot of email addresses, I need to turn those hashes back into email addresses somehow. If I can figure out a way to do that, I can crawl wordpress.com, all the self-hosted wordpress.org websites and a lot of other services like StackOverflow and harvest a huge number of email addresses for spamming. I may also be able to reveal the email addresses of people who want to remain anonymous.

It turns out that someone already thought of this. In 2009 a researcher proved that he could reverse engineer about 10% of gravatar hashes into email addresses.

Then in 2013 Dominique Bongard presented a talk at PasswordsCon in Las Vegas where he demonstrated that he could reverse engineer 45% of Gravatar hashes into email addresses. He targeted a well known political forum in France which uses Gravatar for user profile pictures.

The big difference in Dominique’s approach is that he used Hashcat, which is a password cracking tool. He repurposed it so that he could reverse engineer Gravatar hashes into email addresses. The reason this is important is that Hashcat executes significantly faster because it uses consumer graphics processing units, or GPUs, which are used by gamers to accelerate game graphics performance. Cracking hashes with GPU acceleration increases performance by a factor of several thousand.

At Wordfence we have done a significant amount of experimentation with GPUs and hash cracking and we even provide a commercial service as part of Wordfence Premium that uses a GPU cluster to perform a password audit on your WordPress website. We launched this service over a year ago. The photo below is the password cracking cluster we designed for this service. Those are liquid cooled chrome GPU pipes in the photo. They look even better in real life.

[Photo: GPUs for password auditing]

Around the time of Dominique’s 2013 talk on using Hashcat to turn Gravatar profile hashes back into email addresses, Nvidia released the GeForce GTX Titan GPU, which provided 5045 gigaflops of processing power.

In May of this year Nvidia launched the GeForce GTX 1080, which comes with 8873 gigaflops of processing power. In just two years the amount of processing power available has almost doubled.

When you consider that 2 years ago a single researcher reverse engineered 45% of gravatar profile photos into email addresses, it’s quite possible that a criminal group armed with a modern GPU cluster, as shown above, could reverse engineer a far higher percentage today. The problem will only get worse.

Email hashes may expose your identity across the Web

The use of email address hashes has a further problem. If you view the source of a website using Gravatar profile photos, extract the hash and then google that hash in quotes, you can find other websites and services that are used by the individual you are researching.

For example: A user may be comfortable having their full name and profile photo appear on a website about skiing. But they may not want their name or identity exposed to the public on a website specializing in a medical condition. Someone researching this individual could extract their Gravatar hash from the skiing website along with their full name. They could then Google the hash and determine that the individual suffers from a medical condition they wanted to keep private.

To demonstrate this issue, we have created the form below, which you can use to run a Google search for the MD5 hash of your own email address. We don’t log anything: the form uses plain JavaScript to open a new window or tab with a Google search for the hash of your email in quotes. Enter your email in the text field and click the link to do the search. Note that Google doesn’t index every Gravatar hash, because they appear only in page source, but you may find a few interesting results that help illustrate the problem.

[Form: an Email field and a “Click to Google an MD5 of your email” link]

The above can be used to Google an MD5 hash of anything. Try entering in your domain name or common passwords (not passwords you actually use). Let us know what you find in the comments.

What to do to protect your email address and identity

To solve the identity and spam problem that Gravatar presents, the most effective option is to use a unique email address to register on each website you are a member of. The email address should be hard to reverse engineer.

If you use an @gmail.com address, Gmail provides a feature whereby you can append a plus sign to your email address and anything after it is ignored. If your email address is yourname@gmail.com, you can change it to yourname+junkGoesHere@gmail.com and you will still receive the email.

What we suggest you do is use a unique gmail address on any Gravatar enabled website when you register. Therefore yourname@gmail.com would become: yourname+2h4J1q9ZuU9@gmail.com. Gmail has documented this feature here. The feature also works with hosted Gmail addresses where you use your own domain. Outlook.com also provides this feature.

Using this technique makes it much harder for a spammer to reverse engineer your email address from a Gravatar hash. Try to make your email address at least 20 characters long and include upper and lower-case letters and numbers in the suffix after the plus sign. If you have uploaded a custom Gravatar profile image, you should note that this has the side effect of not displaying that image on the websites where you make this change. Instead you will get a default profile image.

Receiving extra spam is an inconvenience. It can be a minor inconvenience if you have an excellent spam filter in place. However, having your identity exposed on a website where you assumed your identity was private can be embarrassing at best and have far worse consequences. We therefore suggest that you switch to using a plus-suffix on any website where it is important to maintain your personal privacy. 
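The plus-suffix advice above as an added Python example (not from the article): it generates a suffix from upper-case, lower-case and digit characters using the secrets module, keeps the whole address at least 20 characters long, and shows that two registrations made this way produce different Gravatar hashes, so neither can be matched to the other by searching for its hash. The 11-character minimum suffix is my choice (it matches the length of the article’s yourname+2h4J1q9ZuU9 example), not a Gmail requirement.

```python
import hashlib
import secrets
import string

SUFFIX_ALPHABET = string.ascii_letters + string.digits  # upper, lower, digits
MIN_TOTAL_LENGTH = 20   # the article's recommendation for the whole address
MIN_SUFFIX_LENGTH = 11  # assumption for this example; see lead-in


def gravatar_hash(email: str) -> str:
    """Gravatar's identifier: trimmed, lower-cased address, MD5, hex."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def plus_address(base: str) -> str:
    """Build local+<random suffix>@domain from a plain address.

    The suffix is drawn with secrets.choice (cryptographically random, unlike
    the random module) and lengthened until the address is at least
    MIN_TOTAL_LENGTH characters. Use a fresh one per website.
    """
    if base.count("@") != 1:
        raise ValueError("expected exactly one @ in the base address")
    local, domain = base.split("@")
    if "+" in local:
        raise ValueError("base address already carries a plus-suffix")
    needed = MIN_TOTAL_LENGTH - len(local) - 1 - len(domain) - 1  # '+' and '@'
    suffix_len = max(MIN_SUFFIX_LENGTH, needed)
    suffix = "".join(secrets.choice(SUFFIX_ALPHABET) for _ in range(suffix_len))
    return f"{local}+{suffix}@{domain}"


def base_address(plus_addr: str) -> str:
    """Recover the address mail is actually delivered to (Gmail ignores +...)."""
    local, domain = plus_addr.split("@")
    return f"{local.split('+', 1)[0]}@{domain}"


def suffix_is_well_formed(plus_addr: str) -> bool:
    """Check the suffix uses only the allowed characters and is long enough."""
    local = plus_addr.split("@")[0]
    if "+" not in local:
        return False
    suffix = local.split("+", 1)[1]
    return (len(suffix) >= MIN_SUFFIX_LENGTH
            and all(c in SUFFIX_ALPHABET for c in suffix)
            and len(plus_addr) >= MIN_TOTAL_LENGTH)


def unlinkable(addr_a: str, addr_b: str) -> bool:
    """True when the two registrations publish different Gravatar hashes."""
    return gravatar_hash(addr_a) != gravatar_hash(addr_b)
```

With 62 possible characters per position, an 11-character suffix gives about 5.2 × 10^19 possibilities, far beyond a dictionary of likely addresses; the trade-off, as the post notes, is that a custom Gravatar image uploaded for the base address will not appear for the suffixed ones.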

What should Gravatar do?

This presents a significant challenge for a service that is as widely used as Gravatar. They can’t simply upgrade their own systems. Web applications that have integrated Gravatar rely on the fact that they can request an image with an MD5 hash of a user email address and get a profile photo in return. These applications all need to be updated too, and there are thousands – quite possibly tens of thousands – of them.

Even if Gravatar switch to SHA-2 or a longer and stronger hashing algorithm, they are still vulnerable to GPU accelerated email cracking attacks. The identity problem will also still exist.

They could consider switching to a more computationally intensive hashing algorithm like bcrypt. That would provide significant resistance to reverse engineering. But it comes with the obvious cost that it is computationally intensive. Gravatar need to generate a lot of hashes to provide the service they do. Developers who integrate Gravatar into their products also need to generate hashes from email addresses. Both will suffer from increased resource usage if they start using bcrypt. It also doesn’t solve the identity problem.

There are other options available like using a shared secret between developers and the Gravatar servers to generate hashes. These come with their own implementation challenges and performance implications. This option may solve the identity issue because it could generate unique hashes across websites that are also hard to reverse engineer.

A final option is to switch to locally hosted images and move away from hashes or global unique identifiers of any kind. This will introduce more complexity for developers who want to integrate Gravatar into websites, but has the benefit of doing a better job of protecting user privacy and avoids disclosing email addresses.
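The shared-secret option above, sketched as an added Python example; this is a hypothetical design for illustration, not anything Gravatar implements. Each integrating site keys the hash with a secret it shares only with the avatar service (HMAC-SHA-256 here, my choice), so the same address yields unrelated identifiers on different sites, and an attacker without that secret cannot recompute identifiers for candidate addresses at all. The site secrets are generated inline for the demonstration.

```python
import hashlib
import hmac
import secrets


def new_site_secret() -> bytes:
    """A per-site secret the site and the avatar service would both hold."""
    return secrets.token_bytes(32)


def site_avatar_token(email: str, site_secret: bytes) -> str:
    """Per-site avatar identifier under the hypothetical keyed design.

    HMAC-SHA-256 over the normalized address (trimmed, lower-cased, as in the
    current Gravatar scheme). Two properties follow from the key:
      * without site_secret there is nothing to brute-force against, because
        a guessed address cannot be turned into the published token;
      * different sites use different secrets, so one person's tokens on two
        sites do not match and cannot be correlated by searching for them.
    """
    normalized = email.strip().lower().encode("utf-8")
    return hmac.new(site_secret, normalized, hashlib.sha256).hexdigest()


def correlatable(email: str, secret_a: bytes, secret_b: bytes) -> bool:
    """True when the same address produces the same token on both sites."""
    return hmac.compare_digest(
        site_avatar_token(email, secret_a), site_avatar_token(email, secret_b)
    )


if __name__ == "__main__":
    ski_site, medical_site = new_site_secret(), new_site_secret()
    # Constructed address; the two tokens below differ.
    print(site_avatar_token("someone@example.com", ski_site))
    print(site_avatar_token("someone@example.com", medical_site))
```

The cost this design carries is the one the paragraph above names: every integrating application must hold and protect a secret, and the avatar service must resolve a token per site instead of computing one global hash from the address.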

Further comments on privacy

This is a complex problem and there is unfortunately not an easy fix for Gravatar. In my opinion, the most important issue here is the potential exposure of user identities. I think the medical example that I provided above illustrates how much damage can be done if a user identity is exposed under certain conditions.

That is why the privacy implications of this problem cause the most concern. If you aren’t particularly technical you may simply trust a website owner who says that your full name and personal information won’t be exposed. With the current way Gravatar works, you run the risk of having that information exposed.

As always I welcome your comments below and will respond as time permits.

Update: After publication, one of our senior staff pointed out that the National Institute of Standards and Technology (NIST) considers an email address to be PII, or personally identifiable information. Please see the NIST publication 800-122, “Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)”. PII has a legal meaning in many jurisdictions and is used in the definition of privacy law.

The post Gravatar Advisory: How to Protect Your Email Address and Identity appeared first on Wordfence.