November 14, 2018

Online Security Attacks

We are interrupting our series on Office 365 this week to talk about 2 news articles this past week that require attention by Onsite Logic clients.

The first relates to an impending “botnet” attack involving WordPress accounts.  WordPress is an amazing system that enables the creation of websites that are easy to develop, that are easy to update and change and that look great.  All of our websites are created in WordPress.  If your site was created in the past couple of years, odds are it is, too.

That popularity has led to the attention of hackers who are currently attacking WordPress installations worldwide.  This is not anything negative about WordPress; it is simply a reflection of its popularity.  According to a report by Dan Goodin in Ars Technica, unidentified hackers “are using more than 90,000 IP addresses to brute-force crack administrative credentials on vulnerable WordPress systems.”  For Star Trek fans, this is the equivalent of the Borg.  The apparent goal is to create an even larger “botnet”.  A botnet is basically an assimilation of code running on thousands of systems, capable of being combined and controlled for a single purpose.  The result is an Uber-Computer that can be used for cyber-crime, to shut down systems (or countries) through denial-of-service attacks, or to crack even larger and more complex (top security) systems.

According to a Forbes article, here are the key things you should do immediately to avoid being part of this problem:

  1. Avoid Obvious Passwords: A simple check of the security requirements recommended by WordPress will make brute force attacks much more difficult. As Mike Isaac points out in All Things D, “Hackers go after the low-hanging fruit, which is most often found in the novice Web users who don’t take the time to switch from their default login information.” A secure password is a mix of at least eight upper and lowercase letters, numbers and the kinds of ‘special’ characters used to depict curse-words (^%$#@*)!
  2. Ditch The Admin Username: The attackers are in possession of 90,000 IP addresses from which they are trying to crack the default “admin” accounts on WordPress installations. So if you are still using “admin,” create a new user with admin privileges (you will need to use a different email address than the one attached to the current admin) and give it a strong password as defined above. Then log back in as the new user and delete the old admin account and assign all of the posts in that account to the new user. Five minutes, tops.
  3. Use Two Factor Authentication on WP.com: If you have a WP.com account, take advantage of their two-step authentication which assures that you are a human logging in, not a bot.
  4. Update WordPress: Many hackers exploit holes that have been identified in older versions of WordPress, so keeping your install up to date is another easy way to avoid trouble, though this is not as immediately relevant as the above two action items. WordPress founder Matt Mullenweg advises that if you do these first three “you’ll be ahead of 99% of sites out there and probably never have a problem.”
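Because the attack comes from tens of thousands of addresses, a per-address lockout alone will not notice it; the site-wide count of failed logins does. The following is an added example, not code from this article or the reports it cites. It assumes a web server access log in the common/combined format and that a rejected WordPress login answers 200 while a successful one redirects with 302; the thresholds and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Common/combined access-log prefix: ip, timestamp, method, path, status.
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def failed_logins(lines):
    """Yield (ip, time) for each POST to wp-login.php answered with 200.

    Assumption: a rejected login re-renders the form (200) while a
    successful one redirects (302).
    """
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        if (method == "POST" and status == "200"
                and path.split("?")[0].endswith("/wp-login.php")):
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")

def detect(lines, window_s=300, per_ip_limit=5, site_limit=20, min_ips=10):
    """Return one alert dict per fixed time window that looks like brute force."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ip, when in failed_logins(lines):
        buckets[int(when.timestamp()) // window_s][ip] += 1
    alerts = []
    for bucket, per_ip in sorted(buckets.items()):
        total = sum(per_ip.values())
        # Classic check: one address hammering the login form.
        noisy = sorted(ip for ip, n in per_ip.items() if n > per_ip_limit)
        # Botnet check: many addresses, each staying under the per-IP limit.
        distributed = total >= site_limit and len(per_ip) >= min_ips
        if noisy or distributed:
            alerts.append({"window_start": bucket * window_s, "failures": total,
                           "distinct_ips": len(per_ip), "noisy_ips": noisy,
                           "distributed": distributed})
    return alerts

def sample_log():
    """Constructed sample: 30 documentation-range IPs, one failure each."""
    lines = [f'203.0.113.{i} - - [14/Nov/2018:10:00:{i:02d} +0000] '
             f'"POST /wp-login.php HTTP/1.1" 200 3120' for i in range(1, 31)]
    lines.append('198.51.100.7 - - [14/Nov/2018:10:00:40 +0000] '
                 '"POST /wp-login.php HTTP/1.1" 302 0')  # a successful login
    return lines

if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

In the sample, no single address exceeds the per-address limit, yet the window is flagged because 30 different addresses failed to log in within five minutes.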

 

The second article is a wake-up call to those who have the view that they can avoid being a part of identity theft and online threats by not putting their information online (e.g., those who don’t provide their credit card online, etc.).  Global Payments announced that through a security breach over 10 million credit card numbers had been compromised.  Global Payments specialized in serving small merchants, like mom-and-pop businesses and local retailers.  This followed an article in the fall of 2012 reporting that 3.6 million Social Security numbers had been stolen from the state of South Carolina, including 387,000 credit card numbers, affecting over 75% of the residents of the state.  There was no indication that South Carolina was more vulnerable than other states, only that it was targeted and that it found the breach.

We don’t write this article to incite fear, but to promote awareness and attention.  It is virtually impossible for an individual to protect their private information.  Early detection and advanced planning are the only viable approaches.  As business owners we also have the responsibility to take steps (such as WordPress security) so that our systems and accounts do not become part of the problem.