
Deerfield Hosting, Inc.

High Performance Web Hosting


Web Site Security

Anti Virus Software

February 7, 2017 by dennis

A dirty little secret – Antivirus software is nearly useless.

You haven’t heard this before because there is no money to be made telling people not to buy stuff.   Also, the big powerful companies who sell AV software may come down on companies who say this.  Speaking up could cause public relations problems.

There is essentially no evidence that antivirus software makes you safer and growing evidence that it makes you less safe.  Yes, scans sometimes find viruses old enough to be in a database.  The problem is, they never find new ones.   It’s trivial for a criminal to modify virus code slightly, recompile it and release it again into the wild.  It will have a new signature and anti-virus scans won’t see it.  The better scanners are capable of considering signatures based on fragments, but this is not reliable.

It is becoming more clear that antivirus software makes you less secure. If you want technical details, take a look at some of Google's Project Zero findings, or at reports of how it can make your browser less secure. Basically, this is because anti-virus software runs with escalated privileges and injects itself into running software. If you are skeptical, run a search for “antivirus software vulnerabilities”, or check the vulnerabilities database directly. You will find hundreds of entries.

Marketing material for AV software sometimes implies that it will work in ways which are impossible.  The statements made to sell it are not flat out lies, but close.  Windows has antivirus built in for free, Windows Defender.  Since it’s free, the little bit of good it might do is worth the price.   The virus signature database it uses has been shown to lag slightly behind the others, but the difference is so small that it’s irrelevant.  None of them manage the impossible task of staying totally up to date.

Having AV software running on your computer may make you feel safe, like it’s watching out for you.  That is a false sense of security and that’s dangerous.   No software is capable of stepping in as needed to keep you out of trouble.  It won’t stop you from doing something unsafe and it’s unlikely that it will notice when you have.

There is no way around it.  You need to have a basic understanding of security to keep yourself safe online.   It’s about the same as driving a car safely.   It’s easy, but you will run off the road if you don’t pay attention.  Keep the software you are running up to date.  Keep the operating system on your computer up to date.   Never open attachments you are not expecting.  Never go to web sites you are warned away from.  Use decent passwords.  If you are unsure you know enough, here is a page which talks about how to stay safe at length.

If you uninstall your AV software you will not only be more secure, you will probably find that everything runs faster.

Filed Under: Web Site Security

The sky is falling!

February 7, 2017 by dennis

First two pages of the 1840 children’s illustrated book: The Remarkable Story of Chicken Little, who sounded the alarm for all to hear.

If you are running Windows 7 or worse yet Windows XP – You need to upgrade!

In the last few days we have had several incidents where customers have lost their web sites and identities by ignoring security warnings.  You wouldn’t leave your car running in a busy place.  You wouldn’t wander around with your eyes closed on a busy highway.  Why would you leave your wallet open on the desk by running outdated software?

The retort I have heard is, “I’ve been running that for years.  I don’t believe that it suddenly became insecure.” – This is true!  It didn’t suddenly become insecure.  It always was insecure.  What changed is that criminals learned how to take advantage of it.

And no.  I am not chicken little.  But the sky will fall on you if you pay no attention to security.  Sooner or later.  Usually sooner.  It’s a fact.

If you can’t afford the (yes, ridiculous) price of Windows software, run Linux. It’s FREE. Most people don’t need to run anything which requires Windows. The vast majority of the Internet runs on open source software like Linux not because it’s free, but because it’s better. It is virtually always more secure due to its development history.

Filed Under: Web Site Security

A Denial of Service Attack

October 22, 2016 by dennis

Online Security

On Friday, October 21 an exceptionally large attack was launched which affected a huge number of sites on the Internet.   Some prominent sites were affected including PayPal, Amazon, NetFlix and Twitter.  No sites we host were affected, although some sites using PayPal as a payment gateway did have some trouble.

To get some sense of the scope of the attack, you can take a look at downdetector.com and Threat Post.  This incident has yet again pointed out that security on the Internet is a mess.

You may have unwittingly participated!

As is usual with slightly technical information, the news media reports of the incident were roughly 75% factually inaccurate.  It is exactly the general ignorance of security which enables this kind of attack so this is unfortunate.  It’s not difficult to understand what happened and how you may have participated.   If you are among those people who often use the acronyms, DR, TL, get a clue.  Didn’t Read; Too Long isn’t a reasonable attitude in this case.  If the Internet is to continue to be useful, we all need to take some responsibility for it.  That’s just how it works.

How the Attack Works

When your computer (or phone or any Internet capable device) wants to connect to a web site or other service on the Internet, the first step is to get the numerical address of the service.  It’s basically a 3 step process.  It gets the address by using what is called DNS, Domain Name Service.  There is a centralized repository which exists for the purpose of translating domain names (paypal.com, netflix.com, amazon.com, etc.) into numerical addresses.  The first step is to query the repository for a list of servers which have the wanted address.  In step 2, your device uses the domain name to connect to one of those servers and get the numerical address (called the IP address).  The last step is using the address to connect to the service.

In many cases, the news media reported that web sites and services were hacked or were not functioning.   This is sloppy reporting and is not correct.  Sites and services were not even attacked.  What was attacked was DNS service.  This means for example that while NetFlix was up and running with no trouble, a lot of people couldn’t find out where to connect to it.  They couldn’t get the address using the DNS system.

As I write this, a very large DNS service provider dyn.com continues to be under attack.  For many sites a quick fix was put in place, adding DNS service based with other providers.  The DNS system is very resilient.  When your machine can’t get an answer from one DNS server, it will try the next and the next until it either gets an answer or the list of servers to try runs out.  By extending their DNS server lists, many sites and services were able to quickly restore availability.  But that isn’t the end of the problem.

The attack is a distributed denial of service attack.  Essentially, the service provider is flooded with so many requests for service that it can’t answer them all quickly enough.  The usual way to deal with attacks like this is to identify the source as an attacker and then ignore any further connection attempts from that address.  The problem is volume.  Each connection attempt has to be read at least to the point where the source address is found and that address compared to a list of addresses to ignore.  This takes resources.  As the list of blocked addresses gets longer, the time it takes to check it also gets longer.  For technical reasons, when you double the size of the list, the time it takes to do a lookup more than doubles.  The increase is at best logarithmic.


In a DDoS attack, resource availability at the service provider is usually the biggest problem, but it can get worse. As it was in this case, the volume can be so great that there is not enough space on the wire (bandwidth) for all the data coming in. There isn’t enough left to use for answers. The service is hosed.

This attack is being perpetrated by what is called a botnet. The participating devices are running malicious software called Mirai. A botnet is a collection of compromised computers being controlled remotely and acting in concert. By some estimates, more than a million devices are compromised in this way. This is the distributed part of the attack. By instructing potentially tens of thousands of devices to make DNS requests at the same time and keep making them, huge amounts of traffic can be generated.

Who is Behind the Attack

No one knows who is controlling the botnet(s) doing this attack.  Some news reports are quoting “authoritative” sources who are giving definitive answers.   It doesn’t take a great depth of technical understanding to see that there can’t be a general definitive answer.   Anyone who says otherwise is unequivocally wrong.  There are sometimes some clues and the dumbest botnet operators get caught.  The smarter ones use a chain of compromised computers to issue their orders.  You would have to solve every compromise in the chain to lead back to someone.  That’s nearly impossible.

Some people have been making the case that attacks like this are state sponsored.  That may well be part of a larger picture.  The article contains some misinformation, but Bloomberg has some theories and a bit more analysis.

Some security people such as Brian Krebs believe that this problem is just getting started.  If you can’t pull up that link, the likely reason is that it is currently under attack.

The outlook for stopping this activity in the short run is bleak.  There are simply too many vulnerable devices and the compromise is too easy to pull off.  Your local service provider is probably failing to do their part.   At Deerfield Hosting we have long had countermeasures in place.  We often speak with customers who have, unfortunately, been affected by them.

If you have a vulnerable device (such as a router or a security camera from Best Buy), complain to the vendor and manufacturer.   If you have a device which still has the factory password and you can change it, change it!   The Internet is a peer to peer network.  That means almost no matter where you think you are, you are everywhere.  So are the criminals.  They will find it.

It wouldn’t be out of line to complain about the sloppy reporting.  Service providers (like Time Warner and Comcast) generally make no effort to block outbound attack traffic, inform customers that they are compromised or help their customers avoid getting compromised in the first place.  They should be doing these things.  They can afford it.  It’s cheap.   It wouldn’t be out of line to complain to them that they are not.

The problems are endemic to the entire Internet and need to be addressed broadly.   That means all of us.

Expecting someone else to keep us safe is not realistic.   It’s no different than not leaving the keys in your car when you’re out shopping.  It’s common sense.

Filed Under: The Slightly Technical, Web Site Security

Privacy on the Internet

September 29, 2016 by dennis

Normally I try to avoid warnings which you might call Alarmist.  People tend to get numb to them so it’s best to save them for special occasions.   This is one of those occasions.  Actually it’s not so much an occasion as a sudden realization that it’s time to speak up.

The Problem

There has been a steady erosion of privacy on the Internet over the last 5 years.  Most people I’ve asked have shrugged it off as not important.  When pressed, I get responses like, “Oh wow!  I didn’t know that.  That’s creepy”.  Most people seem to have no idea what’s happening, how it works and how it affects them.

When I went looking for graphics for this post, I clicked on the little “i” next to the URL in the address bar. Cookies: 17 from this site, 45 from other sites. Try that a few times. You’ll be surprised.  That 45 from other sites? It is bits of marketable information, where you’ve been, what you’ve looked at, what you’ve clicked on.  It’s for sale.

Every tiny little bit of improvement in targeting translates into reduced cost per sale.  The reason is that conversion rates are almost always low.  For example, you might be selling widgets by paying 25 cents every time someone clicks on an ad and goes to your site.  If 1% of those people buy your widget, it costs $25 per sale.  But what if you could buy better targeted clicks for 35 cents and 4% buy your widget?  Now your cost per sale is $8.75.  The companies selling information about you are making serious money by doing so. Very serious money.   It’s not just Google either.

Should You Care?

Those 45 cookies told a bunch of other companies when and where I was and what I was doing.  I have no idea where it went and what it will be used for.  My ability to manage my identity was taken away.  This happens all the time.  Bit by bit, you get revealed and exposed.  So much information spills out that a fine grained portrait of you gets created and you have no control over what it looks like.

That’s just the marketing side, the growing ability to herd the sheep toward the most expensive pastures. Try doing a search for “mining big data”. The potential for abuse is gigantic. Information is power. What gets revealed about us and the conclusions drawn from it is going to shape the future. Do we really want to passively give the future away to the highest bidder?

Do you care?  This is avoidable.  Stopping the leaks takes some effort.  Is it worth it?  Does it matter?  I’d really like to hear what you think!

Filed Under: Web Site Security

Keeping Your Site Safe

November 28, 2015 by dennis

After a site has been compromised, we often get criticized for, “Not keeping my site safe”.  It’s not a reasonable criticism.  There isn’t a magic bullet to use against attackers.

We do scan every web server request for something like 10,000 known attacks using the web server plugin mod_security.   The rule set for scanning is updated daily to stay on top of the most recent kind of attacks, both generic and specific.

Every request also has to pass through 2 firewalls.  The first of these examines every packet, checking whether it came from a known bad actor IP address or is malformed in any way, which is a clue that it may have a bad intent.  The second firewall watches activity, looking for patterns typical of compromise attempts.  A simple example is repeated login attempts with different user names and passwords.  This is called a brute force login attack.

Yes, it would be possible to expand the screening to improve safety more.  The trouble is, the list grows exponentially as you expand it.  If we attempted to include anything like all possible attacks, web pages would never appear.  The servers would be too busy with screening to get around to sending them.
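As an added illustration of the pattern the second firewall watches for (this is my own example, not Deerfield Hosting's firewall code, and the log lines are constructed, not real), here is a small Python detector run over sshd-style authentication log lines. It counts failed logins per source address inside a sliding time window and flags a source once it crosses a threshold, which is also the "identify the source as an attacker, then ignore further attempts from that address" approach described in the denial-of-service post above. The window length, the threshold and the log format are assumptions; a real deployment would feed it the live log and hand the flagged addresses to the packet filter.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): one fast brute-force run from
# 203.0.113.7 and one legitimate user on 198.51.100.4 who mistypes slowly.
SAMPLE_LOG = """\
2016-11-28T10:00:01 sshd: Failed password for root from 203.0.113.7
2016-11-28T10:00:03 sshd: Failed password for admin from 203.0.113.7
2016-11-28T10:00:04 sshd: Failed password for test from 203.0.113.7
2016-11-28T10:00:05 sshd: Failed password for oracle from 203.0.113.7
2016-11-28T10:00:06 sshd: Failed password for guest from 203.0.113.7
2016-11-28T10:00:09 sshd: Accepted password for dennis from 198.51.100.4
2016-11-28T10:03:00 sshd: Failed password for dennis from 198.51.100.4
2016-11-28T10:09:00 sshd: Failed password for dennis from 198.51.100.4
2016-11-28T10:15:00 sshd: Failed password for dennis from 198.51.100.4
2016-11-28T10:21:00 sshd: Failed password for dennis from 198.51.100.4
2016-11-28T10:27:00 sshd: Failed password for dennis from 198.51.100.4
"""

# Assumed log format: ISO timestamp, then the sshd failure message.
FAILED_RE = re.compile(r"^(\S+) sshd: Failed password for (\S+) from (\S+)$")


def detect_brute_force(log_text, window=timedelta(minutes=10), threshold=5):
    """Return {ip: {"at": when_flagged, "users": [names tried]}} for every
    source address with `threshold` or more failed logins inside any
    `window`-long sliding window. Successful logins are ignored."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, user), oldest first
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        user, ip = m.group(2), m.group(3)
        if ip in flagged:
            continue              # already decided; further attempts are dropped
        attempts = recent[ip]
        attempts.append((ts, user))
        # Expire failures that fell out of the window, so a slow trickle of
        # mistakes from a real user never accumulates to the threshold.
        while attempts and ts - attempts[0][0] > window:
            attempts.popleft()
        if len(attempts) >= threshold:
            flagged[ip] = {"at": ts, "users": sorted({u for _, u in attempts})}
    return flagged


if __name__ == "__main__":
    for ip, info in detect_brute_force(SAMPLE_LOG).items():
        print(f"{ip} flagged at {info['at']} after trying {info['users']}")
```

The second source never trips the rule because its five failures are spread over 24 minutes and the window only ever holds two of them at once; the first is flagged on its fifth attempt, five seconds after it started, with five different user names, the signature of a brute-force login attack rather than a forgotten password.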

So why isn’t that enough?  The usual problem is the web scripting language PHP.  Sadly, it is vulnerable to attack by default.  Unless the programmer using it is aware of possible ways to compromise it and takes steps to prevent those compromises, a script will be vulnerable.  When you install a set of scripts on your site (such as WordPress) you have placed your security in the hands of the authors of the script.  There is no getting around this.

It is critically important to keep your site running the most up to date software available.   Even a short delay in updating can be fatal.  The more popular the software you are using, the more important this becomes.  We deal with WordPress compromises every day which should not have happened.

Filed Under: Web Site Security

Using HTTPS

February 6, 2015 by dennis

OR: How Do I Change My Site to Use HTTPS?

Now that you have an SSL certificate installed on your site, the natural question becomes how to make use of it.   Just because it’s available doesn’t mean somehow magically it will be used.  You need to take some steps to get it into use.

Search Engines

You don’t want to lose any of the page ranking gains you may have made.  Google regards different URLs as different sites.  The URL http://www.YourDomain.com is different than https://www.YourDomain.com, which is different than http://YourDomain.com.  Among the first steps whenever you change a basic URL like this is to make sure Google understands that these are actually the same site.  You can let them know by using the web master tools as described here:

https://support.google.com/webmasters/answer/83106?hl=en&ref_topic=6029673

Yahoo and Bing have similar tools which you most likely will want to use as well.

Apache .htaccess Files

RewriteEngine On
# Force www: redirect any host name that is not exactly www.domain.com
RewriteCond %{HTTP_HOST} !^www\.domain\.com$ [NC]
RewriteRule ^(.*)$ https://www.domain.com/$1 [R=301,L]
# Force HTTPS: redirect plain-HTTP requests to the same host and path
RewriteCond %{HTTPS} !=on
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

Replace domain.com with your domain name. The first condition matches any request whose host name is not www.domain.com (the dots are escaped because the condition is a regular expression), and its rule redirects the request to the https version of your site with the www prefix, keeping the requested path. The flags in brackets, R=301,L, apply when the rule matches: R=301 tells the web server to issue a 301 redirect, and L means “last rule”, so no further rewrite rules are examined for that request. The second pair fires if the site has been accessed using www, but not HTTPS.

Note: A 301 redirect is a permanent redirect.  A 302 redirect is a temporary redirect.  You may want to use 302 here during testing and change to 301 later.  Browsers remember a 301 and will make the substitution before trying to access anything.  This can cause a lot of confusion when minor mistakes are present.

Together, these rules will cause all accesses of your site to occur as https://www.YourDomain.com. Google recognizes a 301 redirect as a site URL change. This causes pages they have previously indexed which fall under the same URL to use the new one instead.

WordPress

Virtually all WordPress sites will want a third section in the .htaccess file above to allow for pretty URLs, using post names instead of numbered posts in the address. If those rules are present, make them the last rule set.

If you are setting up a new WordPress site, get your certificate in place before installing WordPress!  Doing so will save a lot of time later on.

Switching an existing WordPress site from http to https can be a challenge. The first step is to change the site URL, which you can do in the Settings section. But WordPress also embeds the URL in many places in posts, which sometimes leads to redirect loops getting set up. There are scripts available to go through the WordPress database, changing all occurrences of http to https.
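Here is an added Python example (my own, not one of the scripts the post refers to and not WordPress code) of the part of that job that a naive search-and-replace over the database gets wrong: WordPress stores some options and metadata as PHP-serialized values that carry each string's byte length, so replacing http with https inside them without recomputing the lengths leaves values PHP can no longer unserialize, which silently breaks widgets and theme settings. The sample wp_options row and the example.com URLs are constructed; point the functions at a real database dump to use them.

```python
import re

# Constructed sample values; substitute your own old and new site URLs.
OLD_URL = b"http://www.example.com"
NEW_URL = b"https://www.example.com"

# Header of a PHP-serialized string: s:<byte length>:"
_STR_HEADER = re.compile(rb's:(\d+):"')


def naive_replace(blob: bytes, old: bytes, new: bytes) -> bytes:
    """What a plain search-and-replace does. Any serialized string it touches
    keeps its old s:N: byte count, so PHP's unserialize() rejects the value."""
    return blob.replace(old, new)


def replace_in_serialized(blob: bytes, old: bytes, new: bytes) -> bytes:
    """Replace old with new everywhere in blob, recomputing the declared byte
    length of every PHP-serialized string the replacement changes. Text that
    is not serialized (post bodies, plain options) gets an ordinary replace."""
    out = []
    pos = 0
    while True:
        m = _STR_HEADER.search(blob, pos)
        if m is None:
            out.append(blob[pos:].replace(old, new))
            return b"".join(out)
        out.append(blob[pos:m.start()].replace(old, new))
        length = int(m.group(1))
        body_start = m.end()
        body_end = body_start + length
        if blob[body_end:body_end + 2] != b'";':
            # Not a well-formed serialized string (e.g. 's:1:"' inside prose):
            # keep the header text untouched and carry on after it.
            out.append(m.group(0))
            pos = m.end()
            continue
        new_body = blob[body_start:body_end].replace(old, new)
        out.append(b's:%d:"%s";' % (len(new_body), new_body))
        pos = body_end + 2


def serialized_lengths_ok(blob: bytes) -> bool:
    """Check that every s:N:"..." string in blob ends exactly where its
    declared length says it should, the same check unserialize() performs."""
    pos = 0
    while True:
        m = _STR_HEADER.search(blob, pos)
        if m is None:
            return True
        end = m.end() + int(m.group(1))
        if blob[end:end + 2] != b'";':
            return False
        pos = end + 2


# Constructed example of a serialized wp_options value (a PHP array).
SAMPLE_OPTION = (b'a:2:{s:4:"home";s:22:"http://www.example.com";'
                 b's:7:"siteurl";s:22:"http://www.example.com";}')

if __name__ == "__main__":
    broken = naive_replace(SAMPLE_OPTION, OLD_URL, NEW_URL)
    fixed = replace_in_serialized(SAMPLE_OPTION, OLD_URL, NEW_URL)
    print("naive  :", broken, serialized_lengths_ok(broken))
    print("correct:", fixed, serialized_lengths_ok(fixed))
```

Lengths are counted in bytes rather than characters because that is what PHP stores, so the code works on bytes throughout; a dump containing non-ASCII text keeps valid lengths either way.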

Internal Page References

When you hand write or edit HTML code to include links to other pages on the same site, or resources such as images, you don’t need to include a protocol specification such as http:// or https://. Browsers understand that the reference is to the same site.

The main reason the protocol is sometimes specified is to make clear that the reference starts at the root of the site. Then if pages are moved around, no editing needs to be done. But even in those cases, you still don’t need the protocol. A root-relative reference is written with a single leading slash, for example href="/page.html": the browser keeps the protocol and host it used to fetch the current page and starts at the topmost level of the site. A reference that begins with two slashes, such as href="//www.YourDomain.com/page.html", is scheme-relative: the browser keeps only the protocol, and whatever follows the two slashes is taken as the host name, so href="//page.html" would send visitors to a host called page.html rather than to a page on your site. Leaving the protocol out also makes the development process easier. Without a domain name and protocol, all the code is much more portable and reusable.
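To see how a browser resolves each kind of reference, and to catch the two mistakes that surface after a move to HTTPS (hard-coded http:// resources, which trigger mixed-content warnings, and a //page.html reference that points at the wrong host), here is an added Python audit script. It is my own example, not part of the post; the page fragment and the www.example.com addresses are constructed, and resolution uses the standard library's urljoin, which follows the same rules browsers do for these cases.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _RefCollector(HTMLParser):
    """Gathers every href and src attribute from a page."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.refs.append(value)


def audit_references(html, page_url):
    """Resolve each reference the way a browser would against page_url and
    classify it: 'ok', 'mixed-content' (plain http on an https page) or
    'off-site' (resolves to a different host). Returns {ref: (resolved, verdict)}."""
    collector = _RefCollector()
    collector.feed(html)
    site_host = urlsplit(page_url).netloc
    report = {}
    for ref in collector.refs:
        resolved = urljoin(page_url, ref)
        parts = urlsplit(resolved)
        if parts.scheme == "http":
            verdict = "mixed-content"
        elif parts.netloc != site_host:
            verdict = "off-site"
        else:
            verdict = "ok"
        report[ref] = (resolved, verdict)
    return report


# Constructed page fragment showing each reference style discussed above.
SAMPLE_HTML = """
<a href="page.html">relative to this directory</a>
<a href="/about.html">root-relative, single slash</a>
<a href="//page.html">two slashes: the browser treats page.html as a host</a>
<img src="http://www.example.com/logo.png">
<script src="//www.example.com/app.js"></script>
"""

if __name__ == "__main__":
    for ref, (resolved, verdict) in audit_references(
            SAMPLE_HTML, "https://www.example.com/blog/post.html").items():
        print(f"{verdict:14} {ref:32} -> {resolved}")
```

Run against a saved copy of a page, the output lists exactly the references that still need editing after the switch; everything marked ok already follows the scheme the visitor used.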

Take Credit Where Credit is Due!

At some appropriate place on your site, let your visitors know that you are enhancing their privacy by encrypting your site for them. Awareness of security on the Internet is rising, but is nowhere near where it should be. Any little boost you can give it is a good thing. You deserve credit for doing your part.

Filed Under: Web Site Security
