Yesterday, half the Internet was broken. I knew something was wrong when I couldn’t get into Salesforce to check on a support ticket for my biggest customer. Another member of my team sent us a warning that a big DDoS attack was happening, and not to count on being able to issue very many quotes today. So what, exactly, is a DDoS attack and how do DDoS attacks work?
I suppose there’s another question to ask too: What can you do to avoid being part of the problem? We’ll save that for the end.
“Daniel” from “Microsoft” called me the other day. The number looked halfway legit so I picked up. He out and out claimed to be from Microsoft and said he was getting alerts from my computer. His voice sounded familiar–I think I’d talked to him before.
Someone I know got a tech support scam popup that said their computer was being hacked. I said to bring the computer over. I wanted to see it.
I found the malicious site in the browser history–I’ll tell you how to do that after I finish my story–and pulled the page back up. The computer played an MP3 file with a scary-sounding message and urged me to call an 888 number. So I called. I got voicemail. I left a message.
One of the best things you can do to improve your security in a corporate environment is to limit the use of Java, or whitelist Java. Undoubtedly there will be one or more legacy web applications your company uses that require Java, and it’s almost inevitable that at least two of them will be certified for one and only one version of the JRE, and it won’t be the same one.
Believe it or not there’s a solution to the problem of conflicting JREs, but it took me years to find it, because I had no idea that Oracle called it “Deployment Rule Set.” The secret’s out now. If you run Java, and you want security, you needDeployment Rule Set.
A file change was detected on your system for site URL https://dfarq.homeip.net. Scan was generated on Tuesday, November 3rd, 2015 at 5:25 am
A summary of the scan results is shown below:
The following files were removed from your host:
/var/www/wordpress/wp-content/cache/supercache/dfarq.homeip.net/wordpress/index.html (modified on: 2015-11-03 03:23:52)
The following files were changed on your host:
/var/www/wp-content/themes/twentyfourteen/functions.php (modified on: 2015-08-19 22:24:04)
/var/www/wp-content/themes/twentyfourteen/header.php (modified on: 2015-08-19 22:24:04)
Login to your site to view the scan details.
I didn’t make those changes. Fortunately fixing it when changes appear in functions.php and header.php that you didn’t make is pretty easy.
Aug 2016 update: Back in 2015, some kind of spam bot wormed its way into my site. I quickly cleaned it up, then decoded the attack and posted details here. Not long after, the spambot started directing traffic to this post, because it contains enough of the magic words, I guess. Only instead of serving up spam, it’s serving up my analysis. I’d rather you read this than spam, so I’ve left this page up.
On to the original post…
A few minutes ago I received an alert that some files had changed on my site (thanks to All-In-One WP Security). But I hadn’t changed anything and WordPress hadn’t updated itself.
I’m all torn up this morning. I’m torn up because Microsoft has sued a couple of tech support scam outfits for misrepresenting themselves and violating Microsoft trademarks.
I’m torn up because it’s taken this long. I’m also torn up because this may mean I’ll never get to see what kind of hilarity would ensue by telling a scammer with a fake western name that my name is “Suchita.” In the deepest voice I can muster, of course. Keep in mind that if I sing in falsetto, I’m a tenor. Also keep in mind that nobody wants to hear that.
I can’t imagine needing to take a screen capture of a web site terribly often, but I have had to do it a few times in the past year. I used Snagit to do it, and it didn’t always do the best job–sometimes the program would crash, or the CPU would race and I would have to resort to ctrl-alt-del to get things back to normal–and not get my screen capture.
IE Capt is a small, standalone utility to do just that. Feed it the URL you want to capture, and it uses Internet Explorer’s Trident engine to render the page and outputs it to an image file for you. If you’re comfortable with the command line, it’s a faster, easier way to get your screen capture. And it’s free, which doesn’t hurt either.
If you own a Linksys WRT54GL or EA2700 router, both devices have serious security vulnerabilities. Serious enough that the only way to continue using them safely is to load an alternative firmware such as DD-WRT on them. That’s not entirely a bad thing; DD-WRT is more capable, and unlike most consumer-oriented firmware, allows you to disable WPS.
The EA2700, in particular, is so trivially easy to hack it’s laughable–all it takes is entering a predictable URL into a web browser. That’s it.