Apr.27

A Private Network for IoT Devices

Cloudflare has just announced an interesting and potential game changer for IoT-based threats:

“Orbit sits one layer before the device and provides a shield of security, so even if the device is running past its operating system’s expiration date, Cloudflare protects it from exploits. And while devices may be seldom patched, the Cloudflare security team is shipping code every day, adding new firewall rules to Cloudflare’s edge. Think of it like changing IoT to I*oT — devices can still access the Internet, but only after passing through Cloudflare where malicious requests can be filtered.

For the last year, Cloudflare has been working with a number of IoT vendors to develop Orbit. Already more than 120 million IoT devices are safer behind Cloudflare’s network. Lockitron is one of the IoT companies using Cloudflare. “Keeping our products and customers secure is our primary concern,” says Paul Gerhardt, co-founder of Lockitron. “Cloudflare provides an extra layer of security that allows us to keep our devices continually updated and ahead of any vulnerabilities.””

Source: https://blog.cloudflare.com/orbit/

Security,News

Apr.26

Misunderstanding APT Indicators of Compromise | Threatpost

A really interesting piece on IOCs (Indicators of Compromise) and how the term is often misunderstood and used in ways which are misleading for marketing from security vendors.

It also makes use of a great definition from MITRE on what the difference between ‘Observables‘ and ‘Indicators‘.

Observables are stateful properties and measurable events pertinent to the operation of computers and networks. Information about a file (name, hash, size, etc.), a registry key value, a service being started, or an HTTP request being sent are all simple examples of Observables. […] Indicators are a construct used to convey specific Observables combined with contextual information intended to represent artifacts and/or behaviors of interest within a cyber security context. They consist of one or more Observables potentially mapped to a related TTP context and adorned with other relevant metadata on things like confidence in the indicator’s assertion, handling restrictions, valid time windows, likely impact, sightings of the indicator, structure test mechanisms for detection, suggested course of action, the source of the indicator, etc.”

MITRE also defines several interrelated terms that address higher-level constructs and organizational objectives: Incidents; Tools, Tactics, and Procedures (TTPs); Campaign, Threat Actor, and Course Of Action (COA).

Source: Misunderstanding APT Indicators of Compromise | Threatpost | The first stop for security news

Security,News

Mar.20

Website Updates – Security & Performance

I’m making some changes to the hosting and configuration of this site, you can see the rough goals below:

  • Changing hosting provider from a legacy shared server to a cloud hosting provider with better security and high availability.
  • Adding stricter (and end-to-end) encryption to the entire site using a combination of CloudFlare and LetsEncrypt.
  • Changing the sites security / performance configuration to support and enforce:
    • Content-Security-Policy
    • X-Frame-Options
    • X-XSS-Protection
    • X-Content-Type-Options
    • Strict-Transport-Security
    • HTTP Strict Transport Security (HSTS)
    • Authenticated Origin Pulls
    • HTTP/2 + SPDY
    • IPv6 Compatibility
    • Scrape Shield

Using various tools this should actually be quite straightforward. I plan to detail the main stages / steps in some later posts.

Website,News

Mar.05

Password Complexity vs. Password Length

It has become far more common these days to hear ‘normal’ people talk about password security, previously it was exclusively IT professionals and enthusiasts who would say things like “you need at least a number and symbol in your password for it to be secure”. Fortunately we’re moving towards a future where more and more nontechnical or home users are actually understanding the reasons for ensuring a password is strong and hard for another person to guess.

Unfortunately there is increasingly complex advice when it comes to choosing a secure password which leaves people confused or following practices which are not as useful as others.

This post will focus on the two main pieces of advice for choosing a secure password, explain the reasons why you should choose one or other (or combine them) and finally give recommendations aligned with other best practises and also simple to remember and repeatable method for having secure and hard to guess passwords every time. So firstly lets define what complexity and length mean when discussing passwords.

Complexity:

Passwords are almost always made up of a combination of letters, numbers and symbols. The complexity comes in when you substitute or add combinations of all three to create a hard to guess (and in many cases hard to remember) password.
An example would be taking the name of your favourite book (Data and Goliath), film (Fight Club) and tv show (Grimm) and using just the first letters of each to form something like this: “dagfcg”. Now this is a completely random and hard to guess (for a human) password. However, it is only 6 characters long and simple for a computer to work out, after all computers can guess passwords at a rate of millions a minute and therefore would make short work of a password like “dagfcg”.
In this case some advice would tell you to make it complex and therefore make it far harder to guess. Take the password and now add a number and a symbol to it. We’ll use the number 5 and the dollar symbol ($). So “dagfcg” becomes “5dagfcg$”. Instantly you have a harder to guess password (for a human or computer) and it’s now 8 characters long, which is at least better than 6! The next technique take a different approach, and favours length over complexity.

Length:

The average password is often between 6-9 digits in length and (hopefully) contains a mix of letters, numbers and symbols. The ‘complex’ method above when in isolation and with short passwords (under 12 characters) actually proves to have limited effectiveness in keeping your accounts and computers secure. Due to the huge scale passwords are attacked and guess by computers these days it is important that passwords are also longer (at least 12 characters) in length.
This presents a problem, while our above example of “dagfcg” was easy to remember (book, film and tv show) we need to add twice as many memorable things to our password method to meet the 12 character minimum. Fortunately, while short passwords should NEVER contain simple words or sequences of numbers (like ‘Batman’ or ‘123456’), longer passwords can have simple words strung together which actually creates a long and strong password.
Using our above example, “dagfcg” could become something like this: “DataFightGrimm” which is 14 characters, easy to remember and meets our requirement of being 12 characters or more. A computer could easily guess any of those words in isolation as a password, but together they create a unique and very hard to crack password.

Complexity & Length:

Having a simple long password which is easy to remember is better than the earlier short but complex password. However. to really ensure your password is secure it should incorporate both techniques. So taking what we have learned from each of them we could create a password like this: “5DataFightGrimm$”. This password is now 16 characters long, contains lower and upper case letters, a number and a symbol. This is the ideal type of password, because you can easily recall the primary words (just think, favourite book, film and tv show) and then remember you started it with a number five (5) and ended it with a dollar symbol ($).

We have now created a great looking password, however we now have a problem. If we use it on every website and service we have it increases the risk of that website being compromised and the password being leaked. Now, this ’shouldn’t’ ever happen, but it does. Whether it’s Evernote or Target, these companies cannot guarantee that the database which contains your complex and long password won’t make it’s way out onto the internet via some hacker forum. Therefore we need a way to ensure we use a different password for every different website or service we use. With many online users having 100’s of online accounts this would be highly challenging to use the above methods and also maintain complicity and length.

Therefore we use a variation technique which works like this. You take your ‘root’ password, which should be both long and complex (just like our one above) and then add a slight variation for every different account you have. An example for the BBC website would look something like this: “5DataFightGrimm$BBC” or like this for the service Twitter: “5DataFightGrimm$TWIT”. This instantly ensures that your password will still be easy to remember as you have one ‘root’ password with slight variations based on the account your logging into. All you need to do is say the name of the service or website in your head and you then know the additional letters at the end of your password. You could also place them at the start of the password or middle. As long as your method is consistent you can have 100’s of variations to your password but be able to remember them each time you need them.

Summery:

There are two primary lessons to remember:

  • Length First, Complexity Second:
    Although complexity does boost the security of a password, the length of a password is of greater importance, specifically ensuring the length is 12 or more characters.
  • Use Variation
    Never use the same password (strong or not) on multiple websites, you don’t know what they are doing with them and don’t know if they are stored safely. Therefore use a variation of your ‘master’ or ‘root’ password on each site by adding the letters, acronyms or syllables to the password per account you need to have a password for.

Note: This was first authored (by myself) for a small blog/project which is now shutdown and I wanted to keep the content.

Security,Resources

Mar.05

Improving WordPress Security

WordPress is an awesome and increasingly powerful tool for both launching and maintaining websites and enabled even more functionality with the several thousand plugins and themes. However, with popularity (at least 75 million sites) comes the attention of the hacking community, both sides (white and black) of which have many reasons to probe and search for security vulnerabilities to the world’s largest content management system (CMS).There are many guides on securing your own WordPress installations, some of which are over 50 pages long; so the following post aims to outline some of the ‘biggest hitters’ which provide the highest levels of security for the time you spend implementing them.

As ever, before making any changes to your WordPress implementation you should do a full backup of the WordPress files and database. Also, if your site is a ‘production’ or ‘live’ site, maybe perform the changes during the time period you receive the least amount of traffic to your site and therefore least impact if something does go wrong.
It’s also worth pointing out that while most of this advice is worded as if you were making these changes on a ’new’ install of WordPress they should also work on a site which has been up and running for years. I assume your WordPress installation is up to date (as of writing version 4.2.2), and if it’s not, update it! This is the biggest thing you can do to help secure your site!

  • Never Use ‘admin’ Accounts
    The administrator account should never be named ‘admin’. This is the first username hackers and bots will use when trying to brute force their way into your site. Use something you’ll remember, but which is hard to guess.
    Example: For Cyber Killed the Cat we might have “god-cktc” as our main administrator account.
  • Install Akismet (Anti-Spam Plugin)
    The world most popular WordPress plugin, free for personal or non-commercial use. Checks through your comments for spam type abuse and allows you to report any it misses to its automatic tool.
  • Install Jetpack (Multifunctional Plugin) 
    This is the primary offering of WordPress.com which offers a large selection of features via its plugin ‘Jetpack’. The ones we’re interested in from a security perspective are:

    • Photon – Content Delivery Network (CDN) which cuts down on your bandwidth by using a distributed network.
    • Protect –  Secures against traditional brute force attacks and distributed brute force attacks.
    • Stats  – Lets you know how many visits your site gets, and what posts and pages are most popular.
    • Monitor – Keeps tabs on your site, and alert you the moment that downtime is detected
  • Install Backup Tool(s)
    Keeping an external copy of your site is very important, even the most secure setups can be compromised, therefore you should ensure there are regular backups being performed. There are many different ways to back up your site, below cover two free tools which we have found useful which remove the manual steps required:

    • WPB2D (Dropbox) – This plugin links to a Dropbox account and can be setup to provide a full backup (database and files) every day, week or month.
    • BackWPup (Cloud / Email / FTP) – This expands your options to the top cloud providers (Dropbox, S3, Backspace) as well as via email and FTP. It also backs up both the database and files of your site.
  • Install Google Authenticator (Two-Factor Authentication)
    This is an absolute must for your administrative account (and all privileged account) if you take security seriously. This enables two-factor authentication (2FA) on your WordPress installation and will serve as an excellent layer of securing your privileged accounts.
    The plugin recommends using the accompanying ‘Google Authenticator’ mobile app to store and use your 2FA code, however this can present issues if you don’t have your mobile or need to move handsets. I recommend Authy, as a cloud based 2FA app, it works on what ever platform you need it to and stores your 2FA ’seeds’ in the cloud.
  • Enable CloudFlare Protection (SSL / CDN / Anti-DDoS) 
    This seems very complex, but is actually easier to implement than you think (for the most part). First of all, CloudFlare is a global provider of website protection technologies and content distribution. It’s strategically positioned to provide huge (and I do mean huge) resources to mitigate and protect it’s customers from attack and legitimate traffic spikes. It should be noted there are a couple of WordPress plugins which can help integrate your site with CloudFlare (CloudFlareFlexible SSLWordPress HTTPS)
    The main services we’re interested in are:

    • Content Delivery – Using their hosted CDN minimises both bandwidth costs and also adds a layer of security between your site and prospective bots and hackers.
    • Site Wide SSL (Encryption) – CloudFlare provide a free option for adding SSL to your website, using their ‘Flexible SSL’ option encrypts the website traffic from your visitors to their server before being forwarded to your server.
      It should be noted that the traffic from their CDN to your server isn’t encrypted until you get your own SSL certificate and then enable ‘Full SSL’. Regardless this means that you protect them against man-in-the-middles attacks at their end of the connection. It also improves your search engine ratings!
    • DDoS / Attack Protection – As a huge amount of the world internet traffic is routed via CloudFlare’s data centres they receive an unprecedented amount of intel about attack types, vectors and are able to ’train’ their system to block out and mitigate many of the attacks before they go anywhere near to your server. Also during DDoS type attacks they can be engaged to sinkhole the attack traffic enabling your site to remain up.
  • Install Easy Updates Manager
    This keeps your WordPress site up to date with the latest releases of the core installation, themes and plugins. It allows you to fine tune which types of updates you want to be automatic and which you just want to be notified about. You should always be careful with automatically installing updates incase they ‘break’ your site. Try different setups and find the balance that works for your site.
  • Install Cookie Control
    This is less about the security of your site and more about promoting an open and clear internet. This plugin helps you be inline with EU Law about the use of and notification to your visitors about the use of cookies, it also gives your users a chance to ‘opt out’. It’s one of many plugins which gives you users a ‘one time’ pop up about your sites policies about cookies. You will need a (free) account with civicuk.com to generate your API key.
    Also this site can be used to generate a basic privacy policy for free.
  • Install WP-reCAPTCHA
    This integrates Google’s ‘reCAPTCHA 2.0’ into your site. Great for detecting bots and automated spammers on your site. You will also need a private and public key from Google.
  • Install iThemes Security
    This offering from iThemes offers a huge amount of configuration changes and settings to harden and monitor the security of your WordPress installation. Below covers some of the settings I have successfully used in many WordPress implementations over the years (explanations of each one can be found within the plugin itself:

    • Enable Automatic Blacklisting / Lockouts
    • 404 Detection
    • HackRepair.com Blacklist
    • Brute Force Protection
    • Hide Login Area
    • Enable Malware Scanning (VirusTotal)
    • Strong Password Enforcement
    • Protect System Files
    • Disable Directory Browsing
    • Filter Request Methods
    • Filter Suspicious Query Strings
    • Filter Long URL Strings
    • Remove File Writing Permissions
    • Disable PHP in Uploads
    • Remove WordPress Generator Meta Tag
    • Remove the RSD (Really Simple Discovery) Header
    • Disable Trackbacks/Pingbacks
    • Disable Login Error Messages
    • Change WordPress Salts
    • Change Database Prefix

(Note: If using CloudFlare to implement SSL on your site, disable iThemes Security first while performing all the configuration, it can interfere with it. Once enabled and tested, re-enable it) 

Lastly a few more general tips for keeping your WordPress installation secure:

  1. Remove unnecessary users from the system.
  2. Remove unused or outdated plugins and/or themes.
  3. Check backups to ensure they are functioning correctly. 
  4. Keep a list of what steps you have taken to secure your site, including configuration changes. 
  5. Stay up to date with emerging news to do with WordPress to ensure you’re as secure as possible. 

Hopefully you have found this post useful, if you have any tips or questions please let me know on Twitter!

Note: This was first authored (by myself) for a small blog/project which is now shutdown and I wanted to keep the content.

Security