Dec 31, 2009

Shamelessly grep’d from the … There be good stuff here…

I’ve started attending a social group of bloggers. It’s part of my mandated community outreach ordered by she-who-must-be-obeyed. (“You need to get out of the office more than once a week!”)

The group is primarily a bunch of people who are looking to use their blogs for generating revenue, advertising products, attracting customers, or building an authoritative reputation. In contrast, I’m just a hacker who uses his blog as a writing exercise.

A Different View

The group of 16-20 attendees each month consists of everyone from advertisers (one guy is a reformed mass mailer) to people who run SOHO companies, or have a particular agenda (one woman runs an autism education blog). While there are 1-2 programmers or system administrators present, I’m the only security specialist/hacker. So I always have a different take on things.

For example, one guy asked if anyone used a wiki for their content. He uses a wiki, but nobody participates. A programmer/admin suggested that wikis are frequently used in places where a forum would be better suited. Of course, I immediately jumped to security: public wikis are fun because you can impersonate anyone. Wikipedia knows this problem far too well.

Status Quo

Going around the room, we introduced ourselves and said if we had a blog. The advertisers and most SOHO people really had their 20-second intro down. “I am [name], my company is [company name], and my blog is http://[URL].” (My intro was nowhere near as smooth; I need to get out more often.)

As people mentioned their web sites, I brought them up on my netbook. And I was stunned. First, my web site is ugly and needs to be redesigned (I’m open to suggestions and feedback; watch for changes next year). But more importantly, a significant number of people were running default installations without any patches or hardening. While they spent a significant amount of time fine tuning their presentation, content, look, and feel, their blog software itself was simply a case of install-and-go.

(I owe K. an apology. I passed her a note saying that her blog had a security risk and was vulnerable. I didn’t mean to give her a heart attack.)

So I have decided to do a couple of blog entries on how to harden and secure your web site — regardless of whether you run a blog, wiki, forum or just have some static web pages.

Note: These tips only apply to people who installed and run their own web software. If you are using a hosted service, like Blogger and LiveJournal, then this does not apply since you are not responsible for software maintenance.

Security By Obscurity

Security by Obscurity is a term that describes security through secrecy. If you don’t tell anyone that you have a million dollars buried in your backyard, then it is “secure” because nobody will find it.

There’s a saying in the security field: Security by Obscurity (SbO) does not work. If you are vulnerable, then you are still vulnerable. You’re just hoping that nobody discovers the exploit.

In my opinion, SbO does work to a degree. While SbO should not be your only security option, it does deter pre-attack reconnaissance. For example, most automated scanners look for obvious signs that can be used to identify a vulnerable system. If the scanner finds something, then the attack will come later. However, if you remove these markings then the scanners won’t flag your site for an attack. SbO removes the “low hanging fruit”.

The first thing you want to remove is anything that denotes what software version you are running. For example, WordPress is a very popular blog software package. If the bottom of your blog says “Powered by WordPress”, then everyone knows what software you are running. Knowing “WordPress” isn’t that bad. However, WordPress also embeds the version in the HTML content. For example, the “We Love WP” site runs WordPress. If you “view source” of their web page, you will see at the top:

Now we know that they are running WordPress version 2.8.4. If you happen to know of a security vulnerability for version 2.8.4 (such as an XSS or trackback denial-of-service), then you know that the “We Love WP” blog is vulnerable.

Similarly, the popular vBulletin web forum software includes the version at the bottom of the page and in the HTML meta data. Does the world really need to know that the Graphic Forums uses version 3.6.1?

So the first thing to do (regardless of whether you know of a vulnerability or not): remove all information about software and version from your site. This includes information embedded in your HTML pages and RSS feeds. Where to make the change depends on your software. With blogs, it is usually in the custom template, default template, or PHP/ASP pages. You probably don’t need to change every single web page — but you will probably need to change it in a few places.

This won’t stop someone from attacking you and does not close the security hole. What it does do: this prevents automatic scanners (and casual observers) from quickly determining that you are vulnerable. (Congratulations, you are no longer the lowest hanging fruit and most likely to be attacked.)

For the really creative types out there, don’t just remove it. Change it! Misinformation is far more damaging to an attacker than no information. Rather than removing the “Powered by WordPress”, change it to say “Powered by Serendipity” — a totally different blog package, or just lie: BlogProKit 9.8.1. Now if someone is going to attack you, then they will initially do so with the wrong set of exploits.
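As an added example (not code from the original post or from any of the blog packages it names), here is a small self-check a site owner can run against saved copies of their own pages and feeds to confirm the cleanup described above actually took. It looks for the three places the post says versions leak: a `<meta name="generator">` tag in the HTML, a “Powered by …” footer, and a `<generator>` element in an RSS 2.0 feed. Every sample page below is constructed for the demo; the exact banner formats are assumptions modelled on the post’s examples, not captured from any live site.

```python
"""Added example: scan saved HTML pages and RSS feeds for software/version
banners (generator meta tags, "Powered by" footers, RSS <generator> elements).
All sample pages below are constructed for this demo, not fetched from anywhere."""
import re
import xml.etree.ElementTree as ET
from html.parser import HTMLParser

VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")                  # 2.8.4, 3.6.1, 9.8.1 ...
POWERED_RE = re.compile(r"powered\s+by\s+([^\n|<]{1,60})", re.I)


def _split_banner(banner):
    """'WordPress 2.8.4' -> ('WordPress', '2.8.4'); 'WordPress' -> ('WordPress', None).
    A URL-style banner such as http://wordpress.org/?v=2.8.4 is reduced to its host."""
    m = VERSION_RE.search(banner)
    if not m:
        return banner.strip(" .®"), None
    software = banner[:m.start()]
    if "://" in software:                                     # URL-style RSS generator
        software = software.split("://", 1)[1].split("/", 1)[0]
    software = re.sub(r"\b(?:version|v)\.?\s*$", "", software, flags=re.I)
    return software.strip(" .®"), m.group(1)


class _BannerCollector(HTMLParser):
    """Collect <meta name="generator"> contents and every visible text chunk."""
    def __init__(self):
        super().__init__()
        self.generators, self.text = [], []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "meta":
            a = {k.lower(): (v or "") for k, v in attrs}
            if a.get("name", "").lower() == "generator":
                self.generators.append(a.get("content", ""))

    def handle_data(self, data):
        self.text.append(data)


def scan_html(source, html):
    """Return one finding dict per disclosure marker found in an HTML page."""
    p = _BannerCollector()
    p.feed(html)
    findings = []
    for content in p.generators:
        sw, ver = _split_banner(content)
        findings.append({"source": source, "where": "meta generator", "software": sw, "version": ver})
    for chunk in p.text:
        m = POWERED_RE.search(chunk)
        if m:
            sw, ver = _split_banner(m.group(1))
            findings.append({"source": source, "where": "powered-by text", "software": sw, "version": ver})
    return findings


def scan_rss(source, xml_text):
    """Return findings for every <generator> element in an RSS 2.0 feed."""
    findings = []
    for gen in ET.fromstring(xml_text).iter("generator"):
        sw, ver = _split_banner(gen.text or "")
        findings.append({"source": source, "where": "rss generator", "software": sw, "version": ver})
    return findings


def versions_disclosed(findings):
    """Sorted 'software version' strings: exactly what a scanner would key on."""
    return sorted({f"{f['software']} {f['version']}" for f in findings if f["version"]})


# --- constructed samples (not real pages) ---------------------------------
SAMPLE_WORDPRESS_HTML = """<html><head>
<meta name="generator" content="WordPress 2.8.4" />
<title>We Love WP</title>
</head><body><p>Hello</p>
<div id="footer">Powered by WordPress</div>
</body></html>"""

SAMPLE_WORDPRESS_RSS = """<rss version="2.0"><channel>
<title>We Love WP</title>
<generator>http://wordpress.org/?v=2.8.4</generator>
</channel></rss>"""

SAMPLE_VBULLETIN_HTML = """<html><head>
<meta name="generator" content="vBulletin 3.6.1" />
<title>Graphic Forums</title></head>
<body><div class="copyright">Powered by vBulletin&reg; Version 3.6.1</div></body></html>"""

# The same blog after the banners were stripped ...
SAMPLE_STRIPPED_HTML = """<html><head><title>We Love WP</title></head>
<body><p>Hello</p><div id="footer">Thanks for reading.</div></body></html>"""

# ... and after the banner was replaced with the post's made-up decoy.
SAMPLE_DECOY_HTML = """<html><head><title>We Love WP</title></head>
<body><div id="footer">Powered by BlogProKit 9.8.1</div></body></html>"""

if __name__ == "__main__":
    for name, fn, doc in [("wp html", scan_html, SAMPLE_WORDPRESS_HTML),
                          ("wp rss", scan_rss, SAMPLE_WORDPRESS_RSS),
                          ("vb html", scan_html, SAMPLE_VBULLETIN_HTML),
                          ("stripped", scan_html, SAMPLE_STRIPPED_HTML),
                          ("decoy", scan_html, SAMPLE_DECOY_HTML)]:
        print(name, "->", versions_disclosed(fn(name, doc)) or "nothing disclosed")
```

Run it against a saved copy of your own front page and feed (`curl` them to disk first) after editing the templates; the stripped sample should come back empty, while the decoy sample shows what a scanner would record if you follow the misinformation advice: a package and version that do not exist. Note that a generator tag and a footer are only the two most common leaks; the same check should be repeated on any other feed or page template your software emits.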

Posted at 11:27 pm