Most likely – today – some hacker tried to crack your WordPress site, its data and content – maybe once but, with automated tools, very likely dozens or hundreds of times. There's no silver bullet but if you want to cut the odds of a successful attack from practically inevitable to practically zero, read this book.
WordPress 3 Ultimate Security shows you how to hack your site before someone else does. You'll uncover its weaknesses before sealing them off, securing your content and your day-to-day local-to-remote editorial process. This is more than some "10 Tips ..." guide. It's ultimate protection – because that's what you need.
Survey your network, using the insight from this book to scan for and seal the holes before galvanizing the network with a rack of cool tools. Solid!
The WordPress platform is only as safe as the weakest network link, administrator discipline, and your security knowledge. We'll cover the bases, underpinning your working process from any location, containing content, locking down the platform, your web files, the database, and the server. With that done, your ongoing security is infinitely more manageable.
Covering deep-set security yet enjoyable to read, WordPress 3 Ultimate Security will multiply your understanding and fortify your site.
The e-book can be read in Legimi apps or in any app that supports the following format:
Number of pages: 541
Year of publication: 2011
Copyright © 2011 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
First published: June 2011
Production Reference: 1070611
Published by Packt Publishing Ltd.
32 Lincoln Road
Olton
Birmingham, B27 6PA, UK.
ISBN 978-1-849512-10-7
www.packtpub.com
Cover Image by Duraid Fatouhi (<[email protected]>)
Author
Olly Connelly
Reviewers
John Eckman
Kevin Kelly
Hari K T
Acquisition Editor
Usha Iyer
Development Editor
Susmita Panda
Technical Editor
Dayan Hyames
Project Coordinator
Vishal Bodwani
Proofreader
Joanna McMahon
Indexers
Tejal Daruwale
Monica Ajmera Mehta
Production Coordinator
Aparna Bhagat
Cover Work
Aparna Bhagat
Olly Connelly was conceived in the Summer of Love and likes to think that he's the reincarnation of some dude who copped it after a Woodstock head-banger.
Born in Windsor, England, he's no relation. Olly lives with Eugenia, just off a beach in Valencia, Spain.
His background is broadcasting and satirical journalism and his experience includes serially annoying the BBC, Bloomberg, and MTV.
Web-wise, Olly's a freelance content producer, web developer, and system administrator. His site vpsBible.com guides Linux newbies to set up and maintain their own unmanaged VPS boxes. At guvnr.com, meanwhile, he chats up the Web and tries equally to demystify the complex. You can also catch @the_guv on the mighty T where he tweets tech 'n tonics:
He likes kite-surfing, George Norey's CoasttoCoastam.com, ranting about (what's censored on) the news and, failing all that, a damn fine pint.
Other than thanking Eugenia, a.k.a. she who must be obeyed and without whom this book would still be a tree, there are a great many other people to whom I wish to express my gratitude.
The Automattic crew makes a fair start, as does the exceptional WordPress community and, beyond that, the wider open source fellowship, from the tech-headed coder to the pyjamaland blogger, those folks who, day by day, teach and inspire us to make much more than just money.
Then there are the unsung heroes of the Web, the white hats who police security, quell the fires, and build the fences that this book merely refers to. Without these guys and gals, we'd all be toast.
Ironically perhaps, I'd like to thank Microsoft too, but don't have a cardiac. Thing is, without all the blue screens, I'd never have had my defens-ucation. Like they say in Yorkshire, where there's muck, there's brass. So cheers Bill, and sorry if I knocked a couple of points off the share price.
Then there are the lads: Javier who's a bit of a git, but who tagged me with WordPress, Marc for prompting me to search-replace Windows for Tux, Piers for just being Piers. And my late dad and my mum, in case she's feigning interest and reading along, just because they're my parents.
Apparently there's been a rumor going around the vpsBible forums that I'd caught a killer virus, else had been run down by a system bus. I'd like to say that, hey, you're a top lot, IOU, and I promise to make it up to you. I've no plans to write another book for at least a couple of weeks.
I'd like to thank the decent, patient, and hard-working people at Packt Publishing for cueing me up on this project. In security spiel, you could say, they took a risk with an unknown threat tapping out his first book. I don't know everyone who's worked on this, but would like to thank the crew backstage as well as those folks I've personally dealt with—Sayama Waghu, Usha Iyer, Priya Mukherji, Vishal Bodwani, Susmita Panda, Dayan Hyames and, especially, Patricia Weir ('cos she's in charge of the cheques)—as well as the work's Technical Reviewers John Eckman, Kevin Kelly and Hari K T. Thank you, one and all. You cut me a break. You also nearly killed me. Thank you.
I had some great advice before signing up for grey hair; Leon Sterling and Steve White from the LinkedIn-based Certified Professional Writers Association and Rupert Heath from his namesake, London-based literary agency. You were right. Blood and guts! It had to be done. Thank you.
Finally, I'd like to thank whoever invented ground coffee, English tea, warm beer, and Scotch whiskey. Writing this last paragraph now, I kid ye not, it sure is time for a wee dram.
John Eckman has more than a decade of experience designing and building web applications for organizations ranging from small non-profit organizations to Fortune 500 enterprises. Currently a senior practice director at Optaros, John works with clients to develop and execute complex revenue-producing web applications. Prior to Optaros, he was director of development at PixelMEDIA, where he was responsible for managing application development, creative services, project management, web development and maintenance teams, as well as providing strategic leadership to teams on key client accounts. Previously, he was a principal consultant in software engineering with Molecular, Inc.
He received a Bachelor of Arts from Boston University, a Masters in Information Systems from Northeastern University, and a Ph.D. from the University of Washington, Seattle. John is an active contributor to a number of open source communities, a founding organizer of WordCamp Boston, and the lead developer of the WPBook plugin for WordPress. He blogs at www.openparenthesis.org and tweets as @jeckman.
I'd like to thank the broader WordPress community—users and developers—without whom none of this would be possible.
Kevin Kelly has been a Web Developer for 5 years. He has produced sites on both the client and server-side. He has worked on sites from national magazine companions to Fortune 500 company internal sites. Along with experience in PHP, ASP and JSP development, he has 2 years of WordPress experience to go with his other years of CMS usage. He has also worked with Sharepoint, Teamsite, and Prism CMS. In his 5 years of experience, he has assisted a variety of companies with their web solutions, such as design firms, financial advisory institutions, and small multimedia shops.
He is also a Program Advisory Committee member of the Web Design and Interactive Media program at Humber Institute of Technology and Advanced Learning and a member of the Digital Arts and Technology Association of Toronto (DATA). Nowadays, he is taking his craft towards the rules of Interface Development. When he is not coding, he is understanding the benefits and deficits of social media.
He has also worked on a few chapters for HTML Essentials.
I would like to thank Packt Publishing for the opportunity to work on this project. I would like to thank my immediate family for their encouragement. I would also like to thank LinkedIn's development team for giving professionals a chance to connect with like-minded people. Without them, this review wouldn't have been possible. Also, I wanted to give a shout-out to WordPress' core development team for their continuous effort in enhancements on their solid CMS platform. I want to thank my professional twitter followers. And also: Tom Green (the Adobe fellow), James Cullin, Greg Goralski, Jaemeel Robinson, Sheraz Khan, Charles E. Brown, Yoko Reynolds, Deepika Riyat, Sunil Boodram, Ola Fatogun, Paul De La Merced, Michelle Kelly, Joallore Allon (ICE), Chris Jones, Dwight Richards, Al Augustin, and Casey E. Palmer.
Hari K T completed his BTech course in Information Technology from Calicut University Institute of Engineering and Technology in the years 2003-07. He is an open source lover and GNU / Linux user working on PHP and web-related technologies for more than 3 years. He loves to share what he has learned with the community, so he used to blog at harikt.com and devzone.zend.com.
You can see him on the #li3 channel (http://lithify.me, a PHP 5.3 RAD framework) of irc.freenode.net. You can also reach him on Twitter or Identi.ca via @harikt. He has also worked as a technical reviewer of the book PHP5 CMS Framework Development.
I would like to thank Packt Publishing and the whole team for giving me an opportunity to review the book, family, friends, and all my well-wishers who supported me.
You might want to visit www.PacktPub.com for support files and downloads related to your book.
Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at <[email protected]> for more details.
At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.
http://PacktLib.PacktPub.com
Do you need instant solutions to your IT questions? PacktLib is Packt's online digital book library. Here, you can access, read and search across Packt's entire library of books.
If you have an account with Packt at www.PacktPub.com, you can use this to access PacktLib today and view nine entirely free books. Simply use your login credentials for immediate access.
For Eugenia
Most likely, today, some hacker tried to crack your WordPress site, its data and content. Maybe that was just a one-off from some bored kid. Just as likely, it was an automated hit, trying dozens of attacks to find a soft spot. Then again, quite likely it was both.
Whether you've been successfully hacked already, else want some insurance, Welcome.
Let's be frank, up front. Web security has no silver bullet. The threatscape is simply too vast, the vulnerabilities too numerous. Your risk stretches from the keyboard at your fingertips, through and out the back of your local machine, buzzing around its network, maybe through your phone, into the router, hopping across your web surfing, into the remote server, buzzing around that network and jumping all over WordPress.
Gee whiz!
In other words, changing the admin username, mashing a new password, and swapping the table prefix doesn't address much, important as these things are. They, and pretty much all the Top Tips guides, combine limited security with a false sense of security.
Place your bets. Your site, whatever its hosting type, is only as safe as the weakest local-to-remote link, and then some. You can shore up WordPress, and you must, but if some Joe Hacker comes along, physically or technically, and grabs a password from your local machine, else bothers to profile you online, then, a few tools later, I'd back the black hat.
I'm sorry if that scares you. The intention is to emote you, to induce you to read not just Chapter 6 plus maybe a bit of 7, but to read the lot. I'll try to keep you awake. That being done, I'm also sorry to break this but that's not it. Security is like dogs and Christmas, it's a life-long deal. Fortunately, even though the hacks get better, your security management gets easier and, maybe this author's just a bit sad but, really, hacking the security war is quite good fun.
Sold?
Whether you are or not, read Chapter 1. Then see what you think.
Chapter 1, So What's the Risk? sets the scene by outlining the vulnerabilities of WordPress, both directly and indirectly, coupled with the threats seeking to manipulate those frailties and ultimately helping us to weigh up the risk to our sites and blogs.
Chapter 2, Hack or Be Hacked practises our newly-gained theoretical awareness, giving us the hacker's mindset, the methodology, and the toolkit to flag vulnerabilities with WordPress, its server, its network, and contingent devices.
Chapter 3, Securing the Local Box does just that, taking a potentially flaky working environment and reinforcing it with a best of breed anti-malware solution to give us a solid foundation from where to administer the site.
Chapter 4, Surf Safe plugs us tentatively into the wall, and the web, throwing up the problems we face while pinning down the solutions we need to navigate securely this perilous minefield of malicious intent.
Chapter 5, Login Lock-Down maps out the web's mass transport system, its protocols, directing their correct use for securely delivering data while armour-plating precious destinations such as the Dashboard, the server, and phpMyAdmin.
Chapter 6, 10 Must-Do WordPress Tasks gives the platform teeth by addressing common shortcomings with a heap of tips along the way to secure administration and, also for example, setting up an automated off-server backup system.
Chapter 7, Galvanizing WordPress sets out numerous advanced techniques to defend against hackers, scrapers, and spammers while again advising on a range of admin issues such as a security-assistive local development strategy.
Chapter 8, Containing Content addresses ours, explaining the law and our copyright options, showing how to benefit from managed reuse and setting out tools and strategies to defend, track, and regain control of copy and media.
Chapter 9, Serving Up Security boots us into our site's security-interdependent hosting assessment, demystifying least privilege user and file protection while tracking malicious activity with the correct use of logs.
Chapter 10, Solidifying Unmanaged takes due care to harden server and control panel access, to isolate web and server files, to protect PHP and databases, and to firewall the lot with an extensively tweaked network configuration.
Chapter 11, Defense in Depth fortifies the site and server with kernel and memory patching, a web application firewall, simplified logs management and host-, network- and rootkit-based detection systems.
Appendix A, Plugins for Paranoia is my personal pick of the protective plugin pack, with each and every one thoroughly tested and listed on merit.
Appendix B, Don't Panic! Disaster Recovery sequentially orders a strategy to protect our site users, our reputation, and SEO before finding and rectifying problems to get the site back online in the quickest possible time.
Appendix C, Security Policy provides a working document template setting out a framework strategy to pre-empt and future-proof your ongoing security concerns.
Appendix D, Essential Reference pools security's big gun websites including blogs, forums, hacking tools, organizations and, oddly enough, WordPress resources.
It might be useful if you've got a WordPress site. Unless you're assessing the platform, that is, in which case, fair enough.
Otherwise, reflecting marketshare, desktop computers, which are referred to throughout the book as being local, tend to center on Windows machines while servers, which are referred to as being remote, center exclusively on Linux. Local Mac and Linux users, by the way, can apply many of the remote techniques we cover to their local machines.
Regarding the server, if VPS or dedicated plan holders have any problems using the guides, this will most likely be due to the differences in package management between the Linux distributions. These tutorials have been prepared using Debian-based systems which use the DEB package format. Those with other distributions will want to tweak the commands to reflect their distro which, for the Red Hat forks CentOS or Fedora, for example, would be the RPM package system equivalents. Similarly, this guide uses the Debian-happy aptitude package manager so either swap that for apt-get or, again for example with Red Hat systems, switch to the equivalent yum commands.
Pretty much everything else should be standard across the board. The notable exception is those who've shunned Apache in favor of, say, Nginx. You folks would need to translate the security rules stated here, for example the htaccess rules, for equivalent use.
Of course, there's a bucket of code here, so you'd do well to trundle off to this book's online home to grab a copy of that, saving bags of time and maybe a few syntax errors:
Probably lots of coffee will help too, plus a thick skin if you work for Microsoft.
WordPress 3 Ultimate Security is designed for security novices and web pros alike.
From site and server owners and administrators to members of their contributing team, the mission of this project has been to take a complex and, for most people, an utterly dull subject and make it accessible, encouraging, and sometimes remotely fun. Sort of.
Even a total security and WordPress newbie can cut the odds of a successful attack from practically inevitable to practically zero. Practically.
In other words:
In this book, you will find a number of styles of text that distinguish between different kinds of information. Here are some examples of these styles, and an explanation of their meaning.
Code words in text are shown as follows: "Short of devoting this entire tome to further authentication modules, which by and large, work the same way as mod_auth and mod_auth_digest, it would, nonetheless, be amiss not to mention a few of them."
A block of code is set as follows:
Any command-line input or output is written as follows:
New terms and important words are shown in bold. Words that you see on the screen, in menus or dialog boxes for example, appear in the text like this: "As shown in the image, you should choose WPA2, sometimes marked as WPA Personal, along with AES encryption".
Warnings or important notes appear in a box like this.
Tips and tricks appear like this.
Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or may have disliked. Reader feedback is important for us to develop titles that you really get the most out of.
To send us general feedback, simply send an e-mail to <[email protected]>, and mention the book title via the subject of your message.
If there is a book that you need and would like to see us publish, please send us a note in the SUGGEST A TITLE form on www.packtpub.com or e-mail <[email protected]>.
If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide on www.packtpub.com/authors.
Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.
You can download the example code files for all Packt books you have purchased from your account at http://www.PacktPub.com. If you purchased this book elsewhere, you can visit http://www.PacktPub.com/support and register to have the files e-mailed directly to you.
Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you would report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/support, selecting your book, clicking on the errata submission form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded on our website, or added to any list of existing errata, under the Errata section of that title. Any existing errata can be viewed by selecting your title from http://www.packtpub.com/support.
Piracy of copyright material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works, in any form, on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.
Please contact us at <[email protected]> with a link to the suspected pirated material.
We appreciate your help in protecting our authors, and our ability to bring you valuable content.
You can contact us at <[email protected]> if you are having a problem with any aspect of the book, and we will do our best to address it.
Let's take a WordPress site, highlight potential vulnerabilities, and chew over the threats.
WordPress is an interactive blogging application written in PHP and working in conjunction with a SQL database to store data and content. The size and complexity of this content manager is extended with third party code such as plugins and themes. The framework and WordPress sites are installed on a web server and that, the platform, and its file system are administered remotely.
WordPress. Powering multi-millions of standalone sites plus another 20 million blogs at wordpress.com, Automattic's platform is an attack target coveted by hackers. According to wordpress.org, 40% of self-hosted sites run the gauntlet with versions 2.3 to 2.9.
Interactive. Just being online, let alone offering interaction, sites are targets. A website, after all, is effectively an open drawer in an otherwise lockable filing cabinet, the server. Now, we're inviting people server-side not just to read but to manipulate files and data.
Application, size, and complexity. Not only do applications require security patching but, given the sheer size and complexity of WordPress, there are more holes to plug. Then again, being a mature beast, a non-custom, hardened WordPress site is in itself robust.
PHP, third party code, plugins, and themes. Here's a whole new dynamic. The use of poorly written or badly maintained PHP and other code adds a slew of attack vectors.
SQL database. Containing our most valuable assets, content and data, MySQL, and other database apps are directly available to users making them immediate targets for hackers.
Data. User data from e-mails to banking information is craved by cybercriminals and its compromise, else that of our content, costs sites anything from reputation to a drop or ban in search results as well as carrying the remedial cost of time and money.
Content and media. Content is regularly copied without permission. Likewise with media, which can also be linked to and displayed on other sites while you pay for its storage and bandwidth. Upload, FTP, and private areas provide further opportunities for mischief.
Sites. Sites-plural adds risk because a compromise to one can be a compromise to all.
Web server. Server technologies and wider networks may be hacked directly or via WordPress, jeopardizing sites and data, and being used as springboards for wider attacks.
File system. Inadequately secured files provide a means of site and server penetration.
Administered remotely. Casual or unsecured content, site, server, and network administration allows for multi-faceted attacks and, conversely, requires discipline, a secure local working environment, and impenetrable local-to-remote connectivity.
We'll spend the rest of Chapter 1 expanding on these overall concerns. First up, let's set the stage with the main players in the security scene, the hackers.
This may sound like anathema, but a hefty chunk of this book is devoted to cajoling your angelic innocence into something more akin to that of a hacker's savvy.
This isn't some cunning ploy by yours-truly to see for how many readers I can attain visitor's rights, you understand. The fact is, as we practise in Chapter 2 and as any crime agency would explain, to catch a thief one has to think like one.
Besides, not all hackers are such bad hats. Far from it. Overall there are three types—white hat, grey hat, and black hat—each with their sub-groups.
One important precedent sets white hats above and beyond other groups: permission.
Also known as ethical hackers, these decent upstanding folks are motivated:
So when we're testing our security to the limit, that should include us. Keep that in mind.
Out-and-out dodgy dealers. They have nefarious intent and are loosely sub-categorized:
A botnet is a network of automated robots, or scripts, often involved in malicious activity such as spamming or data-mining. The network tends to be comprised of zombie machines, such as your server, which are called upon at will to cause general mayhem.
Botnet operators, the actual black hats, have no interest in damaging most sites. Instead they want quiet control of the underlying server resources so their malbots can, by way of more examples, spread malware or Denial of Service (DoS) attacks, the latter using multiple zombies to shower queries to a server to saturate resources and drown out a site.
These are hackers and gangs whose activity ranges from writing and automating malware to data-mining, the extraction of sensitive information to extort or sell for profit. They tend not to make nice enemies, so I'll just add that they're awfully clever.
Politically-minded and often inclined towards freedom of information, hacktivists may fit into one of the previous groups, but would argue that they have a justifiable cause.
While not technically hackers, scrapers steal content—often on an automated basis from site feeds—for the benefit of their generally charmless blog or blog farms.
This broad group ranges anything from well-intentioned novices (white hat) to online graffiti artists who, when successfully evading community service, deface sites for kicks.
Armed with tutorials galore and a share full of malicious warez, the hell-bent are a great threat because, seeking bragging rights, they spew as much damage as they possibly can.
Again not technically hackers but this vast group leeches off blogs and mailing lists to promote their businesses which frequently seem to revolve around exotic pharmaceutical products. They may automate bomb marketing or embed hidden links but, however educational their comments may be, spammers are generally, but not always, just a nuisance and a benign threat.
Not jargon this time, this miscellaneous group includes disgruntled employees, the generally unloved, and that guy over the road who never really liked you.
Grey hatters may have good intentions, but seem to have a knack for misplacing their moral compass, so there's a qualification for going into politics. One might argue, for that matter, that government intelligence departments provide a prime example.
Strictly speaking, hackers are white hat folks who just like pulling things apart to see how they work. Most likely, as kids, they preferred Meccano to Lego.
Crackers are black or grey hat. They probably borrowed someone else's Meccano, then built something explosive.
Over the years, the lines between hacker and cracker have become blurred to the point that put-out hackers often classify themselves as ethical hackers.
This author would argue the point but, largely in the spirit of living language, won't, instead referring to all those trying to break in, for good or bad, as hackers. Let your conscience guide you as to which is which in any given instance and, failing that, find a good priest.
So far, we have tentatively flagged the importance of a safe working environment and of a secure network from fingertips to page query. We'll begin to tuck in now, first looking at the physical risks to consider along our merry way.
Risk falls into the broad categories of physical and technical, and this tome is mostly concerned with the latter. Then again, with physical weaknesses being so commonly exploited by hackers, often as an information-gathering preface to a technical attack, it would be lacking not to mention this security aspect and, moreover, not to sweet-talk the highly successful area of social engineering.
Physical risk boils down to the loss or unauthorized use of (materials containing) data:
Password-strewn sticky notes aside, here are some more specific red flags to consider when trying to curtail physical risk:
This list is not exhaustive. For mid-sized to larger enterprises, it barely scratches the surface and you, at least, do need to employ physical security consultants to advise on anything from office location to layout as well as to train staff to create a security culture.
Otherwise, if you work in a team, at least, you need a policy detailing each and every one of these elements, whether they impact your work directly or indirectly. You may consider designating and sub-designating who is responsible for what and policing, for example, kit that leaves the office. Don't forget cell and smart phones and even diaries.
Refer to Appendix C's Security Policy as a template to start working on yours.
This is the age-old practice of conning naturally trusting people into doing something under false pretences. The extraordinarily effective techniques can be played out in person or online. Here are some confident examples.
Individuals or company employees may be targeted with a call from someone pretending to be a fresh-faced co-worker, an irate boss, a record-keeping human resources manager, or a concerned IT administrator, for example. The engineer may plead for, else demand, sensitive information such as a name, contact, a username, or a password. They may be phoning from, say, your workplace reception area or could be using a spoof caller ID service to give them internal credibility while actually calling from an outside line.
The walk-in alternative of, or extension to, the phone call scam, sees a social engineer pose in one of many possible roles to gain entrance to a building, to gain people's confidence, and ultimately to steal something sensitive such as network credentials.
Here moving into a technical vein, an attractive link, perhaps added to a site without the owner's knowledge, grabs your attention so you click it. Bam! You've been subjected to a Cross Site Scripting (XSS) attack. The retrieved site is malicious but it's unlikely you'd suspect that. You could be lured to download malware if you'd not already done so when resolving the page, else to provide some sensitive data. This is a commonplace scenario.
These prolific e-mail scams, again, often try to tempt you to some site where you're liberally scalped. Alternatively you could receive a spoof e-mail that is apparently from a known contact who has kindly sent you a file. Duly executed, the Trojan rootkit now provides the hacker a controlling backdoor access to your PC and its network.
Here's the growth market. Splashing around your sensitive data, trusting any old social application, and friending strangers on traceable online profiles is begging for trouble.
Engineering social networks is like shooting fish in a barrel, but there's also low-hanging fruit to be had in forums, on personal or business sites, on blogs and wikis, and in newsgroups where, for instance, your new IT recruit may be asking what the problem is with that vulnerable old version of something like, well, WordPress for example.
Social engineering is invariably tough to tackle, but what we can do is to create general awareness and set down a policy of what team members can and cannot divulge to anyone without a proven identity. That policy should extend to the use of network kit, of any type, that leaves the office and, sadly, may have to extend to internet use as well.
Again, refer to Appendix C's Security Policy as a help in setting up security rules.
Bear in mind that the guy who's copying that joke to your thumbdrive could be uploading a worm as well, the girl who's borrowing your wireless may be infiltrating the network, or the colleague who's fawning over your new phone could be tapping your data. You have to be ultra-careful who you trust and, for those working for you, you should give them the excuse to blame their refusal on strictly enforced default-deny guidelines.
Technically risky
Let's advance to this book's core task: assessing and protecting against the technical risks to your site and, by relation, to the network assets that also affect its security.
We'll slice and dice the broad scope of the subject by starting locally with the PC and winding up in the guts of the site and server. First we'll assess the broad risk and, throughout the ensuing chapters, reflect that with our end-to-end solutions.
Let's be clear, no system is immune to virus threats, not least because we remain equally capable of being socially engineered, of being duped into running malware. Then again, if you're serious about security, use a system that's designed around security. In other words, one that's Linux-based or, to a lesser extent, a Mac. So why?
For the ultimate in security, we'd run a BSD system such as PC-BSD. The downside is reduced usability and a more limited community to help. This book therefore looks at systems requiring less of a brain tease. Then again, decide for yourself:
Windows has long been a hacker's target of choice due to its popularity. There's another reason too. Up until Vista, Windows systems have been far easier to hack due to the allow-by-default permission model where a standard user—including an interloping hacker using your rights—needs no administrative privileges to execute a script. The script could be a friendly program executable. It could also be a virus.
Compare that to the deny-by-default policies of Macs and Linux: neither we nor anyone else can execute files without first escalating user rights to those of an administrator. When you hear these systems' users saying they don't run anti-malware suites—which is not recommended, by the way—yet have never been hit, this is the main reason why.
There's another reason. Hackers haven't been hitting Linux or Macs. With Windows 7 proving a tougher target, they're now beginning to, particularly against OS X, and the myth that these two systems are "secure" may finally be broken.
Meanwhile, hacked to a pulp, Microsoft eventually wised up with the security U-turn that was Vista, which adopts deny-by-default. They dub it User Account Control. Vista, otherwise, was a pig's ear of a pear shape. Windows 7, on the other hand, is a very decent system offering security as well as prettiness. After 20-odd years of Microsoft, well done!
So what about Windows XP? After all, it has almost as many users as all the other operating systems combined. Well, in terms of their scope for exploitation, the malware magnets that are XP and earlier may be reliably compared to Swiss cheese. Chapter 3's solutions will help ... as will trundles of maintenance time.
Like WordPress or server-side apps such as Apache, MySQL, or PHP, Linux is open as opposed to closed source, so what the bejeebers is that?
Take Windows. This is closed, proprietary software, meaning that only a relatively tiny team of talents can develop it, for instance smoking out bugs before pushing out patches.
Compare that to most Linux systems. Being open, they can be tweaked and tested by anyone working in a strict hierarchy of users and geeks-on-high to ensure quality control.
OS X, meanwhile, has a proprietary user interface and applications, but sits on an open source kernel, the system core which, in this case, is a fork from BSD.
So this is a numbers game. Do the math. Aside from being free, open source software is more thoroughly tested and, when a bug is found, the patch rollout is often dramatically faster.
At the risk of further fanning the flame wars, of the more user-friendly systems, the open model of Linux gives it the security edge. That said, Macs aren't far behind and Windows 7 is worthy of praise. This is very much IMHO.
