Time to man up and swallow my pride

Well, this is embarrassing. I left a gaping security hole right here in my own author website. I buried my head in the sand and planted a “kick me” sign on my butt. I dodged a bullet because, as you’ll see below, nobody visits my website yet. But, since I tell people to adopt the motto, care and share to be prepared, I need to swallow my pride and share how I messed up and what I did to fix it. Learn from my mistake. And it’s okay to call me a dork on this one. I deserve it.

A few days ago, my buddy from Ukraine, Ihor (pronounced Ee-gore) messaged me. Ihor is a web developer and he taught me how to use JavaScript to make a selection list many years ago. We hadn’t talked in a while and I was eager to show him my new author website.

He asked if he could try to hack it.  I laughed and told him to go right ahead, just tell me what he uncovered so I can fix it. I was confident he wouldn’t find anything. I am a security professional, after all. Too cocky for my own good sometimes.

Take a look at the page views for August 2, 2017.  That was all Ihor. He was thorough. And it didn’t take him long to find problems.

First, he tried to log in and change my admin password. I saw the audit trail, and WordPress even emailed me a notice that somebody was trying to mess with my password.

I look forward to the day when thousands of people visit this site every day and I need commercial hosting. But for now, it lives inside a virtual machine in my basement, and since I’m the only one who edits it, I was thinking about restricting access to my local network anyway.  But even with access to the login screen granted to the entire Internet – as are most WordPress websites – Ihor was unable to get in. I was feeling smug.

And then he nailed me.  Take a look at the screenshots of shame Ihor sent me:


He was able to look at directory listings of my website, which is about as bad as it gets. And he let me have it. Here are a few of his comments:

Greg )
Man
Why? )))
come on ))))))))))
I think that’s only the beginning )))))))))
no no ))))))))))))))))
Greg ))

Ihor’s native language is Ukrainian, not English. This was his way to tell me I was sloppy and should have known better. He was right. I hung my head in shame and wallowed in self-pity for a few minutes.  I’m a busy guy. I don’t have time for this. Why is the world picking on me?

And then I forced myself to swallow my pride and find and fix the problem.  This gets technical.

First, I compared this website with other WordPress websites I’ve built.  None of them allowed directory listings.  What was different about this one?  With this one, I put the website underneath the standard httpd directory tree, at /var/www/html.  I might build a network of future websites, and it’s convenient to put them all in this directory tree. I never considered a network of websites with my earlier ones. I put them all into the WordPress standard location, /usr/share/wordpress. That was the only difference I could find.

How did putting this website into a different directory tree enable directory listings? It was this section in the standard configuration file, /etc/httpd/conf/httpd.conf:

<Directory "/var/www/html">
    Options Indexes FollowSymLinks
.
.
.
</Directory>

“Options Indexes” above means allow directory listings anywhere in the directory tree under /var/www/html. It was an ugly default setting from the Linux distribution I’m using. But it’s my fault for trusting factory default settings and not testing. The cure was to insert this into the configuration file specific to this website. Because the Options line below has no + or - prefix, it replaces the inherited list outright rather than adding to it, so Indexes is gone for the WordPress tree:

<Directory /var/www/html/wordpress>
    Options FollowSymLinks
.
.
.
</Directory>
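To show why that override works, and to catch the easy mistake of writing Options +FollowSymLinks (which keeps the inherited Indexes), here is an added Python script that imitates how httpd merges Options across nested Directory sections. It is not code from the original post; the config strings are constructed from the excerpts above, and it assumes plain path sections only (no regex or wildcard Directory blocks).

```python
import re

# Constructed config fragments modelled on the post's excerpts (not a real server's files).
DEFAULT_CONF = '''
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>
'''
SITE_FIX = '''
<Directory /var/www/html/wordpress>
    Options FollowSymLinks
</Directory>
'''

_SECTION = re.compile(r'<Directory\s+"?([^">\s]+)"?\s*>(.*?)</Directory>', re.S | re.I)
_OPTIONS = re.compile(r'^\s*Options\s+(.+?)\s*$', re.M | re.I)

def directory_sections(conf):
    """Yield (path, [tokens per Options line]) per literal <Directory> block (no ~ or wildcards)."""
    for m in _SECTION.finditer(conf):
        path = m.group(1).rstrip('/')          # '' means the filesystem root
        yield path, [o.group(1).split() for o in _OPTIONS.finditer(m.group(2))]

def merge_options(current, tokens):
    """Apply one Options line the way httpd does: bare names replace the inherited
    set outright, +name/-name adjust it, and mixing both forms is a config error."""
    relative = [t for t in tokens if t[0] in '+-']
    if relative and len(relative) != len(tokens):
        raise ValueError('cannot mix +/- and absolute Options: %r' % tokens)
    if not relative:
        return set(tokens)
    result = set(current)
    for t in tokens:
        (result.add if t[0] == '+' else result.discard)(t[1:])
    return result

def effective_options(conf, target):
    """Options in force for `target`: matching sections are merged shortest path
    first (httpd orders by specificity, not by position in the file)."""
    matching = [(p, lines) for p, lines in directory_sections(conf)
                if target == p or target.startswith(p + '/')]
    matching.sort(key=lambda item: item[0].count('/'))
    opts = set()                               # start empty; httpd's own built-in default is ignored here
    for _, lines in matching:
        for tokens in lines:
            opts = merge_options(opts, tokens)
    return opts

def indexing_enabled(conf, target):
    """True when httpd would serve a directory listing for `target`."""
    return 'Indexes' in effective_options(conf, target)
```

Run indexing_enabled(DEFAULT_CONF, '/var/www/html/wordpress') to see the exposed state, and the same call with DEFAULT_CONF + SITE_FIX to confirm the override closes it.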

I want to thank my friend Ihor for doing a great penetration test for me. Care and share to be prepared. I would rather be embarrassed than penetrated. I hope my mistake helps others.

Your own worst enemy

When you wanna cry to your worst cyber-security enemy, hold up a mirror

In a July 20, 2017 interview with New York Times columnist Bret Stephens in a room full of very important people at the Aspen Institute, new CIA Director Mike Pompeo said, “WikiLeaks will take down America any way they can, and find any partner they can to help achieve that end.”

When I saw the quote, I wanted to barbecue him. Yet another Trump appointee who doesn’t know what he’s talking about with a knee-jerk reaction to cyber-security enemies.

Well, no, not this time.

This time, I had the knee-jerk reaction.  Pompeo is wrong about Wikileaks, but he’s right about lots of other things and I’m glad I listened to the whole conversation. I need to work on my own biases before I start barbecuing other people for theirs.

It’s an hour-long conversation. Go to the 26:01 mark to hear the quote out of context. But invest the hour and listen to the whole conversation – you’ll be glad you did.

I did more homework on Pompeo. Here is what he said about cyber-security in this article, and he’s right.

“It is the next frontier of warfare. It’s not new in the sense that threat to America’s intellectual property has been out there for quite some time,” he told the Wichita Eagle. “We now see hacking taking place by foreign governments and by private individuals all around the world. America has to invest more and be more prepared. And we all have an obligation to be more secure in the way that we handle our own private information. There is a role there for the government to play, but a lot of this is going to be done by private individuals and private entities in America taking upon themselves of keeping their information more secure.”

But he is wrong about Wikileaks. Unlike many people, I have first-hand experience with Wikileaks. It goes back to 2009 and the aftermath from the Norm Coleman for Senate campaign in Minnesota, when Coleman treated my personal information recklessly and got caught. Wikileaks emailed me with details and that was the only reason I found out about it. Although the Coleman camp didn’t like it, Wikileaks performed a service for me and the country that day. I wrote all about that episode, right here.

I will not defend what Wikileaks subsequently did with Bradley Manning (now Chelsea Manning), Edward Snowden, Reality Winner, or any of the other incidents where Wikileaks published classified information.  Those were mostly wrong.  But Wikileaks is a shade of grey, not black and white.

Wikileaks does not want to take down America.  Julian Assange might be a snake, but he’s not stupid.  If the United States falls, Julian will find himself in a world of hurt from other countries that don’t have the same view of justice as the United States.  No, Wikileaks does not want to destroy the United States, Wikileaks wants to enrich Wikileaks. Wikileaks is no friend of the United States, but it’s not a cyber-security enemy either.

Who are the United States’ real cyber-security enemies? For a hint, take a look at just a few headlines between July 19 and July 24, 2017:

5,300 University of Iowa Health Care records exposed for two years

Millions of SSN across 10 states leaked in Kansas Commerce Dept. breach

Chipotle data breach leads to illegal ATM withdrawal

Thieves find a new way to hack and steal Teslas

Inappropriate Access to Patient Records Spanned 14 Years

Sweden Grapples with Sensitive Data Leak Scandal

IoT Security Cameras Have a Major Security Flaw

Every one of these stories involves Americans exposing private information or losing it to potential attackers. Even the story from Sweden belongs on the list, because it shows that Americans have plenty of sloppy company. I could have found many more. And those five days are typical.

Beyond those headlines, the sorry list of recent cyber-attack victims reads like a who’s who in American industry. And, rubbing salt in the wound, too many of our leaders become unwitting partners with cyber-crooks because they’re embarrassed to be caught with their pants down.

Read about sloppy management and the sorry response at the United States Office of Personnel Management when it allowed the Chinese to steal details on everyone who applied for a security clearance, right here.   How many people died because of that fiasco? Read about hundreds of thousands of American identity theft victims because they filed their taxes electronically right here.  And here.  And here.  Read about Minnesota law enforcement officials abusing driver’s license records right here.

Closer to where Mike Pompeo works these days, how does the US Government justify at least a ten year history of questionable cyber-activity?  Read about Stuxnet, the cyber-attack against Iran to stop its nuclear program, right here, and think about what might happen when the Iranians turn that weapon against us.

To find our real cyber-threats, look in a mirror.  We are our own worst cyber-security enemies.  Not Russia. Not China. Not North Korea. Not the criminal underground. Not Wikileaks. Us. We, the people. The good guys.

But wait – maybe the examples I cited above are just sensational headlines and don’t reflect everyday reality.  Well, not so fast. Here is a taste of my everyday reality.

Consider the bank vice-president who refused to understand the difference between his bank’s website and the bank internal network. Or the dentist who told me he didn’t need computers to practice dentistry – but had no answer when I asked him what would happen when his antiquated Windows XP computer “server” finally died.  Or the business owner who didn’t want to listen to the Internet threats she was up against because the port-scan report I showed her was a bunch of numbers on a computer screen.  Or the medical clinic spewing data to who-knows-where that didn’t want to call law enforcement because the top managers didn’t want the publicity.  Or the nonprofit CFO who didn’t want to listen when I told him he needed an antivirus solution. Or the car dealer who insisted his antivirus solution was just fine, even though it crashed both computers where we tried it.

Just a few anecdotal stories I’ve been part of, first hand.

For busy people with no time to absorb details, here are six words that everyone who uses the Internet should take to heart.  This is everything you need to know about Internet security. It took me three years to come up with this. Here it is:

Care and share to be prepared.

Care enough about security to educate yourself.  Share what you learn and expect everyone to share with you.  I have plenty of mini-seminars that go deeper.  Here is one.

I wish Mike Pompeo the best in his tenure as United States CIA Director. I hope he helps all of us open our eyes.