May 2014
Arising from the recent notification of the Wallington Gospel Hall website being hacked, our thanks go to those brothers, nearly all of whom work in IT security, who contributed the helpful advice below, some of which you will already know. Also may the website hacker find God’s salvation.
WEBSITE DAMAGE AND RESTORATION
After the website hacking neither I nor our competent webmaster could gain access to the website. He therefore recommended that we register with the reputable Sucuri.net, which we did for a fee of $90; this covers website security for a year and was worth the cost. From the hacking:
- We saw that the front page had been defaced.
- The website theme and structure had been broken, which resulted in a lot of titles appearing on a black background on the home page. All the Tag Word Titles and Descriptions had been removed from the pages’ “Theme SEO Settings” but not from the “Custom Fields”. As the webmaster knew the website we paid him to do the restoration.
- A lot of tag titles and descriptions had been lost.
- Sucuri further discovered that the hacker had replaced some modern software with old software, which would have made the website easier to infect with viruses.
- Sucuri were also able to reset the username and password that the hacker had changed and locked down, and replace them with ones of our choice.
PASSWORDS
The problem was a weak password and the advice is:
- Passwords MUST be more than 15 characters to be considered “strong”, but length alone does not guarantee strength. A radio programme recommended that “safer” passwords need to be more than 25 characters.
- “Modern computers can try millions of combinations in a second (literally). The hackers’ ‘rainbow tables’ (lists of possible passwords that are beyond huge), algorithms and computer power make it such that any password can be cracked.” What might make that last claim untrue is using the Bible etc. as follows:
(a) You can use a password generating program and use characters as the system allows.
(b) Whichever of the following suggestions you use, ALWAYS IN ADDITION: randomly mix upper and lower case (e.g. WehaVepeAcewithGoD) and randomly add one, two or three of: colons, semi-colons, commas, the special characters/signs (e.g. £%^@}~_!) and numbers.
(c) You can use the initials of the words of a well memorized Bible verse, hymn or poem with the part reference or author of varying lengths, at the end. {“Out of almost 5,000 hymns, … from the late 1800s to the present.” www.christianitytoday.com}
(d) Or use two or three part verses, from different parts of the Bible and perhaps use different Bible translations. The King James Version has 31,175 verses.
(e) Or mix any of the following: a Bible part verse, with a Bible person, place, animal or plant name, or with part of a hymn/poem line (with perhaps part of the author’s name), or with part of a Bible Commentary comment (with perhaps part of the author’s name), or with part of an assembly/church name. Perhaps use a hymn/poem, Bible Commentary and assembly/church name all from different centuries.
(f) Or interleave the words of two part verses, e.g. 1 Samuel 15:2 “saith the LORD” with Hebrews 13:5 “I will never leave” becomes “IsaithwilltheneverLordleave1Sa15:2He13:5”.
(g) Also use two or three languages from different parts of the world by using Google Translate. {“Over 2,817 languages have Scripture. … a complete Bible, … the New Testament … at least one book.” http://wycliffe.org.uk/wycliffe/about/vision-whatwedo.html}
(h) Change your site’s password every 6 months.
(i) Pray for God’s protection on the website.
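The advice above distinguishes length from strength. The following is an added example, not part of the original newsletter: it generates a password with a cryptographically secure random source (suggestion (a)) and puts numbers on the comparison by estimating entropy in bits. The 94-character alphabet, the one-billion-guesses-per-second rate and the function names are my own assumptions; the figure of 31,175 KJV verses is taken from the page. The verse estimate assumes the attacker knows that whole verses were used, which is the worst case the advice about mixing and translating is meant to avoid.

```python
import math
import secrets
import string

# Printable ASCII characters without the space: 52 letters, 10 digits and
# 32 punctuation marks, 94 in total. (The page's "£" is outside ASCII and is
# left out so the password can be typed on any keyboard.)
PRINTABLE = string.ascii_letters + string.digits + string.punctuation
KJV_VERSES = 31175  # number of verses in the King James Version (from the page)


def random_password(length=25, alphabet=PRINTABLE):
    """Return `length` characters chosen uniformly with a CSPRNG (secrets)."""
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def verse_scheme_bits(verses_used, choices_per_verse=KJV_VERSES):
    """Upper bound on the entropy of a password built from `verses_used` whole
    verses, assuming the attacker knows the scheme and owns the same book.
    Each verse then contributes only log2(choices) bits, however long it is."""
    return verses_used * math.log2(choices_per_verse)


def years_to_exhaust(bits, guesses_per_second=1e9):
    """Time to try every password of the given entropy at a constructed
    (assumed) rate of one billion guesses per second."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    pw = random_password(25)
    print(pw, f"-> {entropy_bits(len(pw), len(PRINTABLE)):.0f} bits")
    for n in (15, 25):
        b = entropy_bits(n, len(PRINTABLE))
        print(f"{n} random chars: {b:.0f} bits, {years_to_exhaust(b):.3g} years")
    v = verse_scheme_bits(2)
    print(f"two whole KJV verses (50+ chars): {v:.0f} bits, "
          f"{years_to_exhaust(v):.3g} years")
```

Two whole verses run to well over 25 characters yet come to under 30 bits, which is exhausted in about a second at the assumed rate; 25 random printable characters come to about 164 bits. That is the gap the mixing, case-changing and translation suggestions are there to close.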
OTHER ADVICE
- Create an incremental time delay on successive failed login attempts. Most servers allow for this. A basic Windows machine can be set to increase the delay after every failed attempt: for example, after the first failed attempt you wait 5 seconds, then 60 seconds, then 5 minutes, and so on. Apparently on one website, after two failed attempts the wait is well over 30 minutes before the next attempt is allowed. This helps to deter hacking. After a certain number of failed login attempts (you can adjust the number) the system will ban the IP address and stop access from that IP.
- It is advised that you do not store your username and password on your PC but keep them only in written form. This is because, while PCs should have decent anti-spyware protection, there may be one piece of spyware that gets through and obtains your username and password. However it sometimes helps to leave a fake username and password file in a default location and have the real ones buried somewhere else. Then you can add 3/4/5 fake extra letters, signs or numbers to the real username and password for extra security.
- If you have buried your username and password in some document then add at least two or perhaps three letters, signs or numbers that you know are not part of the username and/or password. You will only copy the correct part, but the extra characters will make it more difficult for the would-be hacker.
- Always use file level security on password files and any other files that have sensitive information and make sure they are locked down so only the users that need access to them can get to them.
- What could be more secure is to use the KeePass Password Safe instead, which is a free, open source, cross-platform and light-weight password management utility for Microsoft Windows, with unofficial ports for Linux, Mac OS X, iOS, Android and Windows Phone. KeePass stores all usernames, passwords, other fields, including free-form notes, in a securely encrypted database, protected by a single master password or key file. Unlike many other password management tools, by default the KeePass encrypted database is not stored in the cloud, but strictly locally, for added security.
- It is advised that websites do not expose their contact e-mail addresses on the website. This will help to stop phishing etc.
- ALWAYS use a different password when logging onto any new website and DO NOT reuse your personal e-mail password. Using a mobile device in public might mean that security is compromised. Be aware that people also make look-alike hotspots, called mutant twins, e.g. in cafes, so as to trick you into leaving your login details on their website.
- Use SSL (Secure Sockets Layer, a cryptographic protocol) for EVERYTHING. No security measures will matter if everything is being sent from clients to the server in plain text. Hackers can simply read the traffic being sent back and forth and will basically be handed the passwords.
- Use firewalls. If the admins of a site always connect from the same IP addresses, or even a range of IP addresses, then firewall rules can be set up to allow only those machines access to the server and to drop any other machine trying to connect to the secure area.
- Consider using www.spambotsecurity.com/zbblock.php on your website as it can stop spambots and recognises IP addresses used by hackers.
- Implement CAPTCHA on any screens that require a user name and password. That’s the funny looking, sometimes hard to read, characters most sites require you to type in before giving you access to secure areas. A good CAPTCHA program makes characters that Optical Character Recognition (OCR) programs cannot decipher. It helps to prove that an actual person is looking at the screen and not some bot program.
- If you have a link to a spiritual website which you hear has been hacked then immediately check your link to that website. Experience has shown that the hacker may have fixed it so that, while you get through to that website, a second later you may be forcibly redirected to an ungodly website. This may still happen after the spiritual website has been restored. Obviously delete that link and replace it when the site is properly running again.
- ALWAYS ensure that someone has a complete backup of the website.
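The incremental-delay and IP-ban advice in the list above, as an added example that is not code from the original newsletter or from any product it mentions. It keeps a per-client record of failures, applies the page’s schedule of 5 seconds, then 60 seconds, then 5 minutes, and bans the address after an adjustable number of failures (six here is my assumption). The class and function names and the sample attempts, which use documentation addresses, are constructed for this example; a real site would keep the state in shared storage rather than in memory.

```python
from dataclasses import dataclass

# Wait imposed after the 1st, 2nd and 3rd+ failure (seconds), from the page's
# example: 5 seconds, then 60 seconds, then 5 minutes.
DELAY_SCHEDULE = (5, 60, 300)
BAN_AFTER = 6  # assumed threshold; the page notes this number is adjustable


@dataclass
class ClientState:
    failures: int = 0
    not_before: float = 0.0  # earliest time the next attempt is accepted
    banned: bool = False


class LoginThrottle:
    """Escalating delay per client address, then a ban after BAN_AFTER failures."""

    def __init__(self, schedule=DELAY_SCHEDULE, ban_after=BAN_AFTER):
        self.schedule = schedule
        self.ban_after = ban_after
        self._clients = {}

    def _state(self, ip):
        return self._clients.setdefault(ip, ClientState())

    def check(self, ip, now):
        """Return (allowed, seconds_to_wait); wait is None for a banned client.
        Call this BEFORE verifying the password so early retries cost nothing."""
        st = self._state(ip)
        if st.banned:
            return False, None
        if now < st.not_before:
            return False, st.not_before - now
        return True, 0.0

    def record_failure(self, ip, now):
        """Register a wrong password; return the new delay, or None if banned."""
        st = self._state(ip)
        st.failures += 1
        if st.failures >= self.ban_after:
            st.banned = True
            return None
        delay = self.schedule[min(st.failures, len(self.schedule)) - 1]
        st.not_before = now + delay
        return delay

    def record_success(self, ip):
        """A correct login clears the client's failure history."""
        self._clients.pop(ip, None)


def simulate(attempts, throttle=None):
    """Feed (ip, time, password_ok) events through the throttle; return outcomes."""
    throttle = throttle or LoginThrottle()
    out = []
    for ip, now, ok in attempts:
        allowed, wait = throttle.check(ip, now)
        if not allowed:
            out.append("banned" if wait is None else f"wait {wait:g}s")
            continue
        if ok:
            throttle.record_success(ip)
            out.append("login ok")
        else:
            delay = throttle.record_failure(ip, now)
            out.append("banned" if delay is None else f"failed, next allowed in {delay}s")
    return out


# Constructed sample: one client hammering the login form, one normal client.
SAMPLE_ATTEMPTS = [
    ("203.0.113.7", 0, False),
    ("203.0.113.7", 2, False),     # too early: rejected before any password check
    ("203.0.113.7", 5, False),
    ("203.0.113.7", 65, False),
    ("203.0.113.7", 365, False),
    ("203.0.113.7", 665, False),
    ("203.0.113.7", 965, False),   # sixth failure: address is banned
    ("203.0.113.7", 1265, True),   # even the right password is refused now
    ("198.51.100.9", 10, True),    # unrelated client is unaffected
]

if __name__ == "__main__":
    for event, result in zip(SAMPLE_ATTEMPTS, simulate(SAMPLE_ATTEMPTS)):
        print(event, "->", result)
```

The check happens before the password is verified, so a rejected early retry does not even reach the password comparison; that is what makes the scheme cheap for the server and slow for the guesser.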
For three years running the following website says that it has been independently rated as Europe’s easiest church website building system and the only system to gain the coveted 5 star award! The following link gives their security advice: www.church123.com/security_online.htm
WEBSITE SECURITY ADVICE given a bit later by Peter Allan (whose job this is).
The initial break-in may have happened in one of these ways:
– guessed the password trying online (limited by the rate the site accepts passwords)
– copied the hashed password data and guessed offline (limited only by the computing power the hacker has)
– observed the password in use (sniffing)
– tricked a user into revealing the password (phishing)
– broken into buggy web software on your site
– forged or accessed your mail and got the web password changed
– accessed the website from your computer
– broken into the server at your provider’s site
On choice of password:
A good password is one nobody can remember. 25 printable characters of randomly mashing the keyboard is excellent. Write down and store on paper safely and not on a computer.
Using unmixed phrases from books is not so good as the hackers can get the same books.
On changing passwords:
I’m not a fan of changing passwords merely because they are old but all passwords must be changed after a compromise. Not just the ones you think have become known.
Passwords for different things must be unrelated.
Systems that come with default passwords need to have them changed. Look up the details on the web for your product to make sure you don’t miss any. This applies to home routers as well as web frameworks.
On email:
This is probably your most important password of all as email can be used to reset all your other passwords.
Have different email addresses for different purposes. Then when you get mail on your social account claiming to be about the hall website or your tax etc you know immediately without having to examine it that it is bogus. Strictly enforce the separation and don’t even tell people about the accounts that don’t involve them.
Legitimate mails include your name and do not start “Dear Customer”.
In an attempt to get past spam filters some mail pretends to be *from* you – that is grounds for deleting it unread and mail software should have tools that allow you to do so.
On SSH keys:
It’s good to allow access only by SSH and to allow access only by keys and not passwords.
PuTTY and WinSCP are the main Windows SSH clients.
On browsing:
Don’t read email in a browser. If you do at least don’t click links in them – but hover the mouse pointer over the link and read what the browser says it really points to (which may differ from what the underlined text says).
Don’t work on the website at the same time as doing anything else in a browser.
* Clear history and quit browser.
* Start browser on this website.
* Clear history and quit browser.
* Start browser again and resume normal browsing.
That applies to your Gospel Hall website and your bank and anywhere else you’d care about getting hacked.
Get familiar with your browser’s security indicators so you know when a site is not what it is meant to be. If it’s not right don’t give it your password.
On backups: it’s right to have them and you should also test them.
On software:
Keep it up to date. If a security improvement is released then everybody in the world who can be bothered to read knows about it but all sites that have not upgraded promptly have the old vulnerable version. Modern systems usually make it easy to update online. (Windows XP is old and no longer gets proper fixes.)
I don’t know how much your site is under your control and how much is left to your provider to take care of.
Keep it minimal – the only software that definitely has no bugs is software that’s not installed.
That applies to all software, including your workstation as well as the site you manage.
On web configuration:
Run web services with the minimum access necessary – they should be able to read but not write your web content. Ideally they should be able to write only to logs and only then to append to them not change anything written before. To write more specifically would require knowledge of your system.
http://ico.org.uk/for_organisations/privacy_and_electronic_communications/the_guide/cookies
https://www.owasp.org/index.php/Main_Page
https://www.owasp.org/index.php/HttpOnly
http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
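The web-configuration advice above, that the web service should be able to read but not write the site content and write only to its logs, can be checked rather than assumed. The following is an added example and not Peter Allan’s code or any project’s: it walks a web root and reports every path the web-server account could modify, either because the group or world write bit is set or because the account owns the file. The log directory is exempted because appending there is allowed. The function names, the constructed sample tree and the choice of an arbitrary foreign uid are my assumptions; append-only enforcement on the logs themselves is a filesystem setting outside what this check inspects.

```python
import os
import stat
import tempfile

# Mode bits that let the group or everyone else write to a path.
GROUP_OR_WORLD_WRITE = stat.S_IWGRP | stat.S_IWOTH


def audit_web_root(root, web_uid, log_dir=None):
    """Return sorted (relative_path, reasons) for paths the web-server account
    could modify. A path is reported when its group/other write bit is set or
    when it is owned by `web_uid` (the owner can always write). Paths under
    `log_dir` are exempt, since the service is allowed to append to its logs."""
    findings = []
    log_dir = os.path.abspath(log_dir) if log_dir else None
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if log_dir and os.path.abspath(path).startswith(log_dir):
                continue
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # link targets are audited where they actually live
            reasons = []
            if st.st_mode & GROUP_OR_WORLD_WRITE:
                reasons.append("group/world writable (%o)" % stat.S_IMODE(st.st_mode))
            if st.st_uid == web_uid:
                reasons.append("owned by web-server uid %d" % web_uid)
            if reasons:
                findings.append((os.path.relpath(path, root), reasons))
    return sorted(findings)


def demo():
    """Build a constructed web root in a temporary directory and audit it twice:
    once with a uid that owns nothing here (only mode bits can fire) and once
    with our own uid standing in for the web-server account (ownership fires)."""
    with tempfile.TemporaryDirectory() as root:
        htdocs, logs = os.path.join(root, "htdocs"), os.path.join(root, "logs")
        os.makedirs(htdocs)
        os.makedirs(logs)
        good = os.path.join(htdocs, "index.html")
        bad = os.path.join(htdocs, "upload.php")
        log = os.path.join(logs, "access.log")
        for p in (good, bad, log):
            with open(p, "w") as fh:
                fh.write("constructed sample\n")
        os.chmod(htdocs, 0o755)
        os.chmod(logs, 0o770)
        os.chmod(good, 0o644)
        os.chmod(bad, 0o666)  # world-writable content: the defect to catch
        os.chmod(log, 0o660)
        foreign_uid = os.getuid() + 1  # assumption: any uid other than ours
        return {
            "mode_only": audit_web_root(root, foreign_uid, log_dir=logs),
            "owned_by_web": audit_web_root(root, os.getuid(), log_dir=logs),
        }


if __name__ == "__main__":
    for label, findings in demo().items():
        print(label)
        for path, reasons in findings:
            print("  ", path, "-", "; ".join(reasons))
```

In a real deployment the content would be owned by a deploy or admin account with mode 0644/0755, the web-server account would own nothing under the document root, and only the log directory would be writable by it; running the audit from a cron job turns the advice into a recurring check.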
On simplicity:
Know what you want and keep it simple. If you only have a static site then complicated web software introduces dangers without getting you any benefits.
Comments/boards/forums etc:
All kinds of trouble can come from allowing others to write stuff on your site.
I much prefer Unix-based systems over Windows. That may be a lot to learn for a newcomer though.
Beginner security books include these (I have read only the first):
https://www.schneier.com/book-sandl.html
https://www.schneier.com/book-sos.html
https://www.schneier.com/book-co.html
Thanks.