Jan12

LOST in Password Management, Why Should You Care?

Between Christmas and the New Year, hackers were getting (once again) more active. Or at least some of them hit two of the sites we built and manage. No big deal: just rewriting a forgotten chmod 666 file on a four-year-old (never upgraded) server, and then, half a planet away, doing pretty much the same thing on a server host that forbids the account owner from setting folder/file permissions to anything other than 770 for folders and 660 for files. Now wait a minute, what's all this chmodding blah?

Here’s what chmod is:

chmod (abbreviated from change mode) is a shell command in Unix-like environments. en.wikipedia.org/wiki/Chmod

It's how file access permissions are managed: who (owner, group, others) has the right to do what (read, write, execute) with a given file. Trolls use malicious kits to exploit write permissions (when available) according to those chmod settings. One of these penetration kits is a brute-force password cracker. Sometimes it's legitimate to have such a tool, if the owner asks you to help recover the lost passwords protecting his documents. But other times the person looking to 'recover' passwords was NOT called/hired by the owner of the respective documents (or account). That is when we are dealing with an illegal attack by hackers, trolls, whatever their name.
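As an added example (not part of the original post), here is the audit-and-fix step described above as a small POSIX shell script: it lists every file or folder under a web root that is writable by 'group' or 'others' and resets them to owner-only write access. Assumed: the document root is passed as the first argument; 644/755 are the target modes, and on a host that insists on 660/770 you pass those instead.

```shell
#!/bin/sh
# Added example (not the post's own code): find and tighten loose chmod
# settings under a web root. Assumes POSIX sh and find; $1 is the site root.

# List every file or directory under $1 that group or others can write to.
# "-perm -g=w" matches when the group write bit is set, "-perm -o=w" likewise.
list_loose_perms() {
    find "$1" \( -type f -o -type d \) \( -perm -g=w -o -perm -o=w \) -print
}

# Reset loose entries: $2 is the file mode (default 644), $3 the directory
# mode (default 755). On the host from the post you would call it with 660 770.
fix_perms() {
    root=$1
    fmode=${2:-644}
    dmode=${3:-755}
    find "$root" -type f \( -perm -g=w -o -perm -o=w \) -exec chmod "$fmode" {} +
    find "$root" -type d \( -perm -g=w -o -perm -o=w \) -exec chmod "$dmode" {} +
}

# Number of files still writable by "others" (the wild web); 0 is the goal.
count_other_writable() {
    find "$1" -type f -perm -o=w | wc -l | tr -d ' '
}
```

Run `list_loose_perms /path/to/site` first to see what would change; `fix_perms` only touches entries that the listing reports.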

Simple dictionary passwords are no match for such 'recovery' applications. A dictionary password is any word one can read in a dictionary. The cracking (recovery) software tries to log in automatically with every word, one after another, at incredible speed, until the right match grants access. At that point the security of the account is compromised.

Strong passwords mix digits with letters (alphanumeric), arranged as gibberish rather than a real word, and best of all include some special characters in the mix, such as @^%#){+! and so on. The longer the password, the better. This gives the cracking/recovery tool a hard time; more precisely, it takes a LONGER time to match the password by repeated brute-force logins. If that delay is longer than the retry window the server allows, the attack fails: it runs out of time, being rejected by the server after a zillion failed logins and/or after xx seconds since the first login attempt. That is a pretty decent level of security (password-related only; there are other ways of attacking, which are not the theme of this blog).
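The server-side half of that defence is noticing the "zillion failed logins" in the first place. As an added example (not from the original post), this POSIX shell function counts failed logins per source address from an OpenSSH-style auth log and reports the sources that reached a threshold; the log lines are constructed and use documentation address ranges, and the threshold is an arbitrary demo value.

```shell
#!/bin/sh
# Added example (not the post's own code): spot brute-force login sources in an
# auth log. Assumes OpenSSH "Failed password ... from <ip>" lines and POSIX awk.

# Constructed sample log (not real traffic); addresses are documentation ranges.
SAMPLE_LOG=$(cat <<'EOF'
Dec 27 03:14:01 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Dec 27 03:14:02 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Dec 27 03:14:02 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51024 ssh2
Dec 27 03:14:03 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51025 ssh2
Dec 27 03:15:10 web1 sshd[2240]: Failed password for georg from 198.51.100.4 port 40210 ssh2
Dec 27 03:15:40 web1 sshd[2241]: Accepted password for georg from 198.51.100.4 port 40211 ssh2
EOF
)

# Print "<failures> <address>" for every source with at least $2 failed logins
# (default 3). $1 is the log file, or "-" to read from standard input.
brute_force_sources() {
    threshold=${2:-3}
    awk -v t="$threshold" '
        /Failed password/ {
            # the address is the field right after the word "from"
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= t) print fails[ip], ip }
    ' "$1"
}

# Demo run against the constructed log: only 203.0.113.7 crosses the threshold.
printf '%s\n' "$SAMPLE_LOG" | brute_force_sources - 3
```

A single typo from a legitimate user (198.51.100.4 above) stays below the threshold, which is why the count, not any one failure, is what should trigger a lockout or alert.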

Once an account has fallen victim to such an attack, the first thing to do is replace the old password with a new and stronger one. One client did this and sent it to me by gmail's chat. Wow! Another old handy (cozy?) way of sharing passwords... And a highly risky one, because instant messaging channels do not encrypt data, and a sniffer (if planted) can read them and deliver your secret new strong (long) passwords to the bad guys. The good news is that so many people use IM channels for everything from secret to trivial. This builds chatter noise akin to Jupiter's magnetic field, involuntarily hiding secrets under stellar piles of chaff. Sleep well only if you're positive that no foe is monitoring you in particular. The same goes for sharing plain-text passwords and login data via email: there are rules forbidding the emailing of unencrypted credit card data, and they apply to passwords as well.
A couple of ways to share passwords over the web more securely:

  • use encrypted mail;
  • use WebDAV;
  • FTP a txt file up to a deep, non-intuitive sub-sub-folder, then email the recipient a secured (encrypted) URL, one beginning with https:// (notice the 's' in https://), and tell the recipient to fetch it right away because you're going to erase the file in 15 minutes.

And once the recipient gets her secret password by encrypted mail, WebDAV or https://, happily and frantically she writes it down on a note and sticks that piece of paper to the monitor, for everyone staring at that monitor to read at leisure. Doh...

Conclusion: whatever security technique wraps your passwords, the human brain is the KEY FACTOR in keeping you safe, so don't rely on the machine to be more aware than you are!

Hideous conclusion: remember the hackers attacking some of our sites? Well, they rewrote ONLY the files whose chmod settings granted write permission to 'group' and 'others', without touching any file that allowed writes only by the 'owner'. Why? Because they never logged in; if they had, they would have had 'owner' rights, giving them the power to devastate everything in there. This leads one to assume that the two files were rewritten from outside the account, either from a shared 'group' on the server or from the wild web, which chmod calls 'others'. Somehow like in the mystery series LOST.
Heck, what a mystery paranoid world we’re living in…



One Response to “LOST in Password Management, Why Should You Care?”


  1. Feb10

    Huntsville Small Business Web Sites Optimization Blog e.Biz.earnings.com SEO.SMB » Blog Archive » Software Lifecycle Management, Web Applications: Users Wonder but don’t Trust

    Said this at 4:44am:

    […] about internet security hazards went plainly unnoticed. Until two pages failed victims to the Christmas-New Year’s holiday wave of oriental hacking. It was the first security breach since 2003. The customer asked us to fix it. We said the entire […]


About

Georg first started with programming in 1981. Did some machine engineering between 1985 and 1990. Then wasted an entire decade on DTP (Desktop Publishing), pre-press and printing. Since 2000, Georg escaped the Gutenberg territory to focus on web sites development and on-demand software applications programming. Don’t tell Georg that software comes in a box…