cookandkaye

scientific and technical website design projects news

Articles on Web security

Service outages


At several times last week one of our hosting providers was hit by massive Distributed Denial of Service (DDoS) attacks, launched with the express aim of extorting money from the provider.

We are very grateful to our host, A2, for the professional way they handled this problem: information about the attack was available as soon as our monitoring software told us there was a problem. A2 have contracted for additional capacity to help protect their service in future, and have reported the issue to the relevant legal authorities.

We in turn would like to reassure any customers who were affected that, given the nature and extent of the attack, A2’s actions kept the disruption to a minimum.

We have nearly a decade’s experience using A2 as a hosting provider, and have been very pleased with the service we have received over this time. We look forward to continuing to work with them in future.

You can help! DDoS attacks, although they are controlled by a single group or individual, originate from many thousands of personal computers (a botnet) that have been compromised, typically by downloading malicious software. Take care when downloading any software off the internet, keep your operating system and browser up to date, and NEVER open suspicious email attachments!

WordPress 4


WordPress 4 is now available. It offers better integration with social media, and improved embedding of video and other content into your posts and pages. There are no known issues with the update from version 3 to version 4 for CookandKaye customers, so as long as you back up (files and database) before you start, you can use the auto-update feature to enjoy the improvements. (Contact us if you need any assistance.)

IMPORTANT NOTICE: If your WordPress version is earlier than 3, you may need a couple of tweaks to your database settings to keep plugins running; please contact us before updating!

The cookie crumbles (UK and EU websites)

New EU legislation is to regulate the use of cookies online. Cookies are ubiquitous, but on most sites their use is quite innocuous. Commonly they are used:

  1. To track logged-on members: the cookie identifies your visitor and confirms that they have logged in and are entitled to view a given page.
  2. To remember what visitors have looked at, allowing the site to maintain a history (this might be ‘previously you viewed the following items’, keeping track of a shopping basket, or smart behaviour such as only showing the introduction to a movie or animated display once).
  3. To track what users did on your site, possibly passing this information on to a third party. Whilst the information is ‘anonymous’ (the visitor is usually only identified by their IP address*), with enough linked sites a commercially useful profile of your visitors can be built up.

At CookandKaye we don’t use option 3 above, which is the one causing legal concern; unfortunately options 1 and 2 will also be caught by the proposed legislation. As a consequence, you may need to look at your existing web provision. Whilst prosecution is not imminent for any site, we recommend the following policies to cover this possibility:

With login forms: we recommend adding a comment below the login form, to the effect:

To access this section of the site you must permit us to save a digital key on your computer called a cookie. This cookie will not be used to track your browsing history.

With shopping baskets: the ICO says that if a cookie is essential to permit an activity, no consent need be obtained. In spite of this we recommend adding a comment below the button, to the effect:

To save an item to your shopping basket you must permit us to save a digital key on your computer called a cookie. This cookie will not be used to track your browsing history.

Clearly if you do use cookies to track browsing history (not everybody has the refinement to be a CookandKaye client!), the second sentence of that text should be replaced with a statement to that effect! If you are able to add this text, however, it gives you an opportunity to reassure your visitor.

With smart sites: here the problem is a lot more difficult to solve satisfactorily, as the objective is to help the site run smoothly, not to pop up warnings that it is about to save cookies in your browser. Unfortunately such warnings just look as if you are trying to do something dodgy, and are likely to damage your relationship with the visitor rather than match your intent of offering them a tailored service. The ICO has not yet published its guidelines, so for the moment we suggest placing a note in your footers to the effect:

Cookies are used on this site to help personalise the browsing experience for you. No information about your browsing history is taken from them.

If you do acquire browsing history, you need to seek legal advice here!

If this proves inadequate in the light of the ICO’s final recommendations, then you will need more extensive work on your site. Our work-around at present is to track visitors’ IP addresses rather than use cookies, where your host permits this. When a visitor requests a web page, the page is sent to their IP address, so a record of this is essential, and it is difficult to imagine a reasonable legal challenge to holding that record. It also has the advantage of working whether or not visitors enable cookies! Unfortunately it is more difficult to implement, and there is a small possibility of mis-matching IP addresses and visitors, because IP addresses are re-used (and several visitors behind the same office or ISP gateway can share one address). As a consequence the time window for tracking must be kept quite narrow, of the order of a few minutes. This is good enough to follow a visitor from one page click to the next, but not safe enough to hold shopping-basket information!
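As an added illustration (not code from the original post), here is the kind of short-window, IP-keyed trail the paragraph above describes, written in Python. The in-memory store, the three-minute window and the addresses are assumptions; the point it shows is that a visitor’s recent clicks can be followed without a cookie, and that the same address seen again after the window has passed starts with an empty trail, which is exactly why it cannot safely hold a basket.

```python
"""IP-keyed page trail with a short time window (added example).

Assumptions, not from the original post: an in-memory dict store, a
three-minute window, and a caller that passes the client address and a
timestamp (seconds) for each page fetch. Addresses are documentation ones.
"""
from collections import defaultdict, deque
import time

WINDOW_SECONDS = 180  # "of the order of a few minutes"


class IpTrail:
    """Remember which pages each client address fetched recently.

    Hits older than the window are discarded, so a visitor who later
    inherits the same (re-used) address starts with an empty trail.
    Caveat: everyone behind one NAT gateway shares a single trail.
    """

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self._hits = defaultdict(deque)  # ip -> deque of (timestamp, path)

    def _expire(self, ip, now):
        q = self._hits[ip]
        while q and now - q[0][0] > self.window:
            q.popleft()
        if not q:
            del self._hits[ip]

    def record(self, ip, path, now=None):
        """Log one page fetch; return the pages this address saw in the window before it."""
        now = time.time() if now is None else now
        self._expire(ip, now)
        previous = [p for _, p in self._hits[ip]]
        self._hits[ip].append((now, path))
        return previous

    def trail(self, ip, now=None):
        """Pages this address fetched inside the window, oldest first."""
        now = time.time() if now is None else now
        self._expire(ip, now)
        return [p for _, p in self._hits.get(ip, ())]


def demo():
    """One visitor clicks through three pages; the address reappears ten minutes later."""
    t = IpTrail()
    t.record("203.0.113.7", "/", now=0)
    t.record("203.0.113.7", "/products", now=60)
    before_basket = t.record("203.0.113.7", "/basket", now=120)  # ["/", "/products"]
    # Ten minutes on, the same address may well be a different person: nothing is remembered.
    later = t.trail("203.0.113.7", now=720)                      # []
    return before_basket, later


if __name__ == "__main__":
    print(demo())
```

The expiry runs on every access rather than on a timer, so the store never grows beyond one window of traffic, and a genuine shopping basket would still need a server-side session keyed by something the visitor chose to send.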

We don’t think there is anyone in the web-design industry who supports the new legislation, which, paradoxically, may oblige us to capture more detailed traces of IP addresses, if not actually to save cookies on visitors’ computers. In the UK there is some reluctance to introduce the legislation, and a sizeable breathing space is being allowed for us to get ourselves organised to meet its requirements. Unfortunately we have to live with it, and we need to start living with it now. If you need help implementing any of these guidelines on your site, please contact us.

More information is available from the BBC; see the article linked below:

Websites told to ensure cookies comply with UK law (includes a link to ICO’s current guidelines).

* More clearly private data, linking the IP address/browsing history to a person’s name or physical address (which you might be able to do after your visitor has logged in), is already restricted under the Data Protection Act; there is a good review of this on the BCS website:

Data Protection Act 1998 overview

Cookie crumbs: Update August 2011

WordPress comments are closed!

We’re closing the comments section on CookandKaye.com because of the volume of spam and phishing attempts we’re getting through it. As Google descends into the morass of social-network link-counting, any halfway decent blog is getting inundated with linked comments advertising this and that, usually without even a glance at the article to see if the comment is relevant…

Much of this stuff is filtered automatically by Akismet, but we realised at the last update that we were carrying over 2MB of trash comments in the database, rather outweighing the rest of the blog contents, images and all. It was simply taking too long to work through the comments to pick out the good stuff…

So, sorry to any genuine commenters, but if you really like what we’re doing, please let others know through the new Twitter link being rolled out on all of the project articles, or through a ping-back from your own blog. We’ll try to reciprocate any pingback that we can sensibly work into our output!

If you want to contact us for more information about anything we’re doing, you’ll find a new email link under each post as well.

WordPress RSS feed hack

It wasn’t how I’d intended to spend my afternoon: trying to fix my WordPress installation after quite an annoying hack. This is one that only appears in the RSS feed as Google reads it, which completely threw me for quite a while. It seems to rely on sticking its advertising cack into areas that only Google uses; you have been warned!

In the past hacks have been pretty easy to spot: simply look for a new file or a recently updated file, or failing that, search for the word(s) that are appearing in your feed that you didn’t write in your blog! Unfortunately the hackers are getting sneakier by the day. I still haven’t found the files that were inserted into my installation, so I had to replace everything instead (still a little worried that there might be something I’ve missed; I guess I’ll see when this post goes up!). The text search didn’t work either; apparently they’ve started base-64 encoding the names of their pharmaceuticals. You could base-64 encode the name and search, but it is too easy to do something else to hide it (reverse the letters, whatever); there are a lot more places for them to hide than I’ve got time to look.

In fact it looks like this is a hack that focussed on my WordPress database. This is a nightmare, because your posts and site look clean (indeed, ARE clean), and I couldn’t even see the problem in Feedreader, just in Google’s Reader!

Anyway, my sequence was:
1) to change the FTP password;
2) to replace sections of the WordPress installation in sequence (I didn’t find any bogus files doing this, so there’s likely to be a follow-up post when I get to repeat this joyous activity sifting for the sh#t);
3) to change the database user and password (maybe I should have done this as #2? Learn from my mistakes, guys!);
4) to panic to the wife (Archaeogeek), who, being a l33t systems admin, checked out the following helpful links:

wordpress-pharma-hack from Pearsonified and
8-steps-to-clean-a-hacked-wordpress-blog from Knowit

I found the first helpful in looking for duff database entries (here I struck gold at least, and the blog hasn’t crumbled since removing the entries). There are lots of possible places where sh#t can get into your database though, so I guess we’re going to have to look through more tables for it next time (or even this time)…

Being online is like looking after a creche, I’d rather not have to clean these nappies again, but expect it to happen…

Email phishing – Gmail not the only target!

Recently I got the following email from alertsATmy_domain.

Dear user of the cookandkaye.co.uk mailing service!

We are informing you that because of the security upgrade of the mailing service your mailbox (my_email_address) settings were changed. In order to apply the new set of settings click on the following link:

http://cookandkaye.co.uk/owa/service_directory/settings.php?email=info@cookandkaye.co.uk&from=cookandkaye.co.uk&fromname=info

Best regards, cookandkaye.co.uk Technical Support.

I knew that this email could not be genuine, but it was very believable.

This phishing attack works on a number of assumptions that people make about email messages and URLs, assumptions that you must challenge to stop other people assuming your online identity. These are:

  • That the From email address is genuine. In fact it is very easy to set the ‘From’ address of a message to anything at all, so email messages are in practice anonymous: you cannot be sure where any message comes from.
  • That a link goes where it says it does. The only way you can check this is by looking at the raw code of the message (or web page). On doing this it was apparent that the link was not quite what it appeared: the correct domain was there, but as a sub-domain of a site somewhere in the .co.kr TLD, where ‘technical support’ would presumably have harvested my email access details.

Configuring the link in this way makes it quite difficult to check by eye even in the raw form, and I guess most people don’t do that! We’re not a big (or particularly prestigious) company, so I don’t think we are high on anyone’s hit list; if we are getting these phishing attacks, the implication is that they are rife…
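Added example (not from the original post): a Python check that pairs each link in an HTML message with the text the reader sees for it, and tests whether the real host belongs to the trusted domain, treating ‘our domain as a prefix of someone else’s host’ as the lookalike it is. The message fragment below is constructed to match the description above; the .co.kr host name in it is invented.

```python
"""Where does the link in a phishing e-mail really go? (added example)

Not code from the original post. PHISH_HTML is constructed to match the
description above; the .co.kr host name in it is invented.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = "cookandkaye.co.uk"


def host_belongs_to(hostname, domain):
    """True only if hostname is `domain` itself or a real sub-domain of it.

    'cookandkaye.co.uk.example.co.kr' fails: our name is merely a prefix there.
    """
    h = (hostname or "").lower().rstrip(".")
    d = domain.lower()
    return h == d or h.endswith("." + d)


class LinkCollector(HTMLParser):
    """Pair each <a href="..."> with the text the reader actually sees."""

    def __init__(self):
        super().__init__()
        self.links = []      # [href, visible text]
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]
            self.links.append(self._current)

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a":
            self._current = None


def audit_links(html, trusted_domain=TRUSTED):
    """Return (href, shown_text, verdict) for every link in the message."""
    parser = LinkCollector()
    parser.feed(html)
    results = []
    for href, shown in parser.links:
        shown = shown.strip()
        real_host = urlsplit(href).hostname or ""
        shown_host = urlsplit(shown).hostname if "://" in shown else None
        if host_belongs_to(real_host, trusted_domain):
            verdict = "ok"
        else:
            flags = []
            if shown_host and host_belongs_to(shown_host, trusted_domain):
                flags.append("text shows %s but the link goes to %s" % (shown_host, real_host))
            if real_host.startswith(trusted_domain + "."):
                flags.append("%s is only a sub-domain label of %s" % (trusted_domain, real_host))
            verdict = ("suspicious: " + "; ".join(flags)) if flags else ("external: " + real_host)
        results.append((href, shown, verdict))
    return results


# Constructed message body in the shape of the one quoted above.
PHISH_HTML = (
    "In order to apply the new set of settings click on the following link: "
    '<a href="http://cookandkaye.co.uk.mail-settings-example.co.kr/owa/settings.php">'
    "http://cookandkaye.co.uk/owa/service_directory/settings.php</a>"
    ' Best regards. <a href="https://www.cookandkaye.co.uk/contact">contact us</a>'
)

if __name__ == "__main__":
    for href, shown, verdict in audit_links(PHISH_HTML):
        print(verdict, "|", shown, "->", href)
```

The comparison is on the host name only, so a link whose path merely contains your domain name, or whose visible text is plain words rather than a URL, is still reported as external rather than trusted.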

We hope you don’t get caught out; if you do, speak to your technical support as soon as you can, perhaps in person…

An anatomy of spam

Spam is one of the really irritating things about modern life, but like its namesake there is not usually a definable anatomy, never mind an easily identified origin! In this study, however, we get a sneak peek at what drives a spam…

For a number of years we have employed email forms on our websites to combat the worst excesses of spam. This simple system hides our email addresses from harvesting, and allows us both to follow up new enquiries and to re-direct email easily depending on who is available to answer it. What it prevents is our addresses being parcelled up and flogged mercilessly by spam robots!

Recently, however, we started getting very similar emails arriving in our in-box, all with random subject lines and containing 20-30 links to pages within a domain, with a small random component added to each address*. A quick look round the web showed that the web addresses often appeared in blog comment posts. Comments on blogs are intended to let interested readers feed back into a story, but have long been used by the unscrupulous to advertise a load of web addresses. These addresses will usually be providing services that cannot be advertised more conventionally because they are illegal, immoral, or offer downloads that might damage or enslave your computer. This is spam; it exists because there are some things you simply cannot mount an ad campaign for. After all, it really isn’t that difficult or expensive to get a site noticed, so anyone using this technique for a legitimate product would be just too dumb to breathe!

A quick modification to our email form allowed us to record the IP address of the robot(s) sending the junk, which was identified as 83.233.30.159. This appears to be a Swedish IP, advertising a site in the Netherlands (I don’t see any reason to advertise them here! Thanks to ip-lookup for tracing the IP information). Clearly one of the more stupid spam machines had picked up on our contact form, and every two hours was posting us a new set of 20-30 links, without realising that there was no blog behind the form for its advertising to have any effect on…

Hey-ho, at present this is only a minor annoyance, and it has even provided some interest in that the activity is regular, and possesses a degree of anatomy that is subject to some analysis. As ever, however, we have to be alert to how efficiently we might block this kind of activity if it were to get more significant.

An obvious contender would be to block the IP address, which has remained constant for the last few days; this can be coupled with an apology and the opportunity to contact us by snail mail or phone if the IP address later passes to a genuine person. Alternatively, the industry-standard approach has been to deploy a CAPTCHA, which asks anyone submitting the form to type in a set of letters and numbers from an image that is doctored to make it difficult for a machine to read.

Both systems have their advantages and disadvantages: unfortunately a lot of early CAPTCHA systems have now been broken; on the other hand, IP addresses are easy to change (a spammer need only send from another compromised machine or through a proxy; a form post cannot have a faked source address, because the web server must complete the connection with it), so a block on one address rarely lasts…

As a final comment on the mutability of IP addresses, it is quite interesting to probe an access log and watch a more sophisticated attacker ‘at work’. This is characterised by a number of related probes coming in, but with the IP address jumping over a broad range of values. This kind of thing can force you to get quite brutal with IP blocking, but more on that some other time!

*The random components in subject lines and addresses make it more difficult for spam-filtering programs (such as SpamAssassin) to pick out these bad emails.
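Added example, not the post’s own code: a Python pass over access-log lines that picks out the two patterns discussed above, a lone robot posting the contact form on a schedule with no Referer from one of our own pages, and a set of related probes that share a User-Agent but hop across addresses. The log lines are constructed in Apache’s combined format; apart from the address named in the post, the addresses come from documentation ranges, and the thresholds are assumptions.

```python
"""Form-spam and address-hopping probes in an access log (added example).

Not the post's own code. SAMPLE_LOG is constructed in Apache's combined
format: apart from the address named above, the addresses are from
documentation ranges, and the thresholds below are assumptions.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

SAMPLE_LOG = """\
83.233.30.159 - - [12/Mar/2011:08:00:01 +0000] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.5 - - [12/Mar/2011:08:03:10 +0000] "GET /index.php HTTP/1.1" 200 8812 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
83.233.30.159 - - [12/Mar/2011:10:00:02 +0000] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.11 - - [12/Mar/2011:10:12:00 +0000] "GET /wp-login.php HTTP/1.1" 404 310 "-" "scanbot/1.0"
198.51.100.54 - - [12/Mar/2011:10:12:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 310 "-" "scanbot/1.0"
198.51.100.200 - - [12/Mar/2011:10:12:01 +0000] "GET /admin/ HTTP/1.1" 404 310 "-" "scanbot/1.0"
192.0.2.77 - - [12/Mar/2011:10:12:02 +0000] "GET /xmlrpc.php HTTP/1.1" 404 310 "-" "scanbot/1.0"
203.0.113.5 - - [12/Mar/2011:10:20:33 +0000] "POST /contact.php HTTP/1.1" 200 512 "http://cookandkaye.com/contact.php" "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
83.233.30.159 - - [12/Mar/2011:12:00:00 +0000] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
"""


def parse(log_text):
    """One dict per line that matches the combined format; other lines are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, log_text.splitlines()) if m]


def form_spam_sources(rows, form_path="/contact.php", min_posts=3):
    """Addresses that POST the form repeatedly and never arrive from one of our pages.

    A browser submitting the form sends a Referer for the page it came from;
    a robot posting straight at the script usually sends none ("-").
    """
    refs = defaultdict(list)
    for r in rows:
        if r["method"] == "POST" and r["path"] == form_path:
            refs[r["ip"]].append(r["ref"])
    return sorted(ip for ip, seen in refs.items()
                  if len(seen) >= min_posts and all(ref == "-" for ref in seen))


def distributed_probes(rows, min_ips=3):
    """Requests that draw errors, share a User-Agent, and hop across many addresses."""
    by_ua = defaultdict(set)
    for r in rows:
        if r["status"] in ("403", "404"):
            by_ua[r["ua"]].add(r["ip"])
    return {ua: sorted(ips, key=ip_address) for ua, ips in by_ua.items() if len(ips) >= min_ips}


def block_list(rows):
    """Single addresses for lone robots; /24 networks for the address-hopping scanner."""
    nets = {ip_network(ip + "/24", strict=False)
            for ips in distributed_probes(rows).values() for ip in ips}
    return form_spam_sources(rows), sorted(str(n) for n in nets)


if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print("form spam from:", form_spam_sources(rows))
    print("probe clusters:", distributed_probes(rows))
    print("block:", block_list(rows))
```

Blocking whole /24s is the ‘brutal’ option the post alludes to: it catches the scanner’s next address in the same range, at the price of locking out any genuine visitor who shares that range, so it is worth pairing with the phone-or-post apology suggested above and expiring the block after a while.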