Has security moved from prevention to detection and response?

Recently, Symantec’s senior vice president of information security, Brian Dye, told the Wall Street Journal that anti-virus is dead.

Is it?

Has the security industry moved away from prevention to early detection and quick response?

I know when I started WeWatchYourWebsite back in 2007, I started preaching prevention. However, it became evident that nobody was interested. It appeared that people, even then, were more interested in early detection and quick remediation.

If you look at many of the startups and the large security companies, it becomes very clear that most of the industry is focused on early detection and quick remediation. Is this like closing the barn door after the horses are out?

Is this giving up on prevention and focusing instead on early detection? That, to me, is like admitting defeat to the cyber criminals of the world.

Or, is it a different strategy?

In combat, whether your battlefield is on soil or a chess board, one key strategy is to lure your opponent into an area and then close in and destroy them.

Could this work in cyber security?

Of course, we’ll never catch the cyber criminals, unless they’re really lazy, but can we capture their methods? That would be considered a victory.

In the book “The Art of War” it states:

All warfare is based on deception. Hence, when able to attack, we must seem unable; when using our forces, we must seem inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.

If our deception is to lure the cyber criminal into our website (a decoy site set up for exactly that purpose) and record and report everything they do, then we can consider that a victory for the masses. That information can be used to protect other websites and prevent other sites from being successfully breached.

What do you think?

Should focus be placed on detection and response? Is that a sound strategy?

Share your thoughts…

Thank you.

Real live password hacking

Bad passwords

We recently worked on an infected website that was a bit unusual.

Often we see websites hacked due to stolen passwords. Sometimes we remove malware from websites that were infected due to easily guessable passwords. Passwords like:

  • p@ssw0rD
  • pa$$woRd
  • pA55W0Rd
  • etc…

These are all passwords that the hackers try in their “brute force” attacks. In the event you’re not familiar with a brute force attack, it’s essentially the hackers trying thousands or millions of usernames with thousands or millions of passwords. The character swaps above (@ for a, 0 for o, $ for s) are standard rules in the attackers’ password lists, so they add no real strength.

When the hackers already know the username, the attack is reduced to guessing the password alone, but a long, random password still holds up.

In this unusual case, we found the infected code on a cPanel account. That’s not unusual. Not that cPanel is easy to hack – it’s not, but often the username for a cPanel account is easy to ascertain.

For instance, if your main domain for your cPanel account is rumplestiltskin.com and there is no other similar domain on the server, you might have a cPanel username of rumplest – or some variation of that.

Knowing that, you can start putting together a list of potential passwords:

  • rump1e$t
  • rumpl3st
  • rump1e5t
  • rumpl3$t
  • rumpl35t
  • rump1es+
  • rump1es7
  • rumpl3s7
  • etc…

The basic premise is to replace each l (“L”) with the number 1, an upper-case I, or the vertical bar (|). The number 3 can stand in for an e; an s can be replaced with either the $ or the number 5; the letter t can be replaced with either the plus sign (+) or the number 7; the letter a can be replaced with the @ sign, and so on. Every substitution is tried at every position, so the list multiplies with each letter that has a rule.

We’ve seen programs the hackers use that take a word or phrase, apply some basic password rules to it, and generate a long list of potential passwords. In this specific case, their program generated 72 different potential passwords.
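As an added illustration (this is not the attackers’ tool from the case above, nor WeWatchYourWebsite’s code), the following Python generator applies the substitution rules listed above to a cPanel-style username, and turns the same logic around into a check that a proposed password is not just an obfuscation of the username. The rule table is an assumption for the example: it contains the rules the post lists plus o to 0, which appears in the p@ssw0rD example earlier. The eight-character username guess, `guess_cpanel_username`, and `is_username_derived` are likewise assumptions introduced here. With the rules as listed, “rumplest” expands to exactly 72 candidates.

```python
import itertools

# Substitution rules as the post lists them, plus o -> 0 (seen in p@ssw0rD).
# Each letter keeps itself as an option so the unmodified word is included.
# This table is an assumption for the example, not the attackers' real rule set.
SUBSTITUTIONS = {
    "a": ["a", "@"],
    "e": ["e", "3"],
    "l": ["l", "1", "I", "|"],
    "o": ["o", "0"],
    "s": ["s", "$", "5"],
    "t": ["t", "+", "7"],
}


def guess_cpanel_username(domain):
    """Assumed convention: first label of the domain (ignoring a leading www),
    cut to 8 characters, so rumplestiltskin.com -> rumplest as in the post."""
    labels = domain.lower().split(".")
    if labels[0] == "www" and len(labels) > 1:
        labels = labels[1:]
    return labels[0][:8]


def mutate(word):
    """Yield every string produced by independently substituting each
    character of `word` according to SUBSTITUTIONS."""
    choices = [SUBSTITUTIONS.get(ch, [ch]) for ch in word.lower()]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def candidates(word):
    """The full, de-duplicated candidate list a rule-based generator
    produces for `word` (what an attacker would feed to a brute-force tool)."""
    return sorted(set(mutate(word)))


def is_username_derived(username, password):
    """True if `password` is nothing more than a leetspeak obfuscation of
    `username`. Compared case-insensitively, so pa$$woRd-style random
    capitals do not rescue a weak choice."""
    wanted = password.lower()
    return any(c.lower() == wanted for c in mutate(username))


if __name__ == "__main__":
    user = guess_cpanel_username("rumplestiltskin.com")
    cands = candidates(user)
    print(f"{user}: {len(cands)} candidates")  # rumplest: 72 candidates
    for pw in ("rump1e$t", "rumpl3s7", "Rumpl35T", "correct horse battery staple"):
        verdict = "REJECT" if is_username_derived(user, pw) else "ok"
        print(f"{pw!r}: {verdict}")
```

Dropping `is_username_derived` into a password-change hook rejects every one of the 72 variants before it reaches the server, which is the cheap end of prevention; the attacker’s generator and the defender’s check are the same code run in opposite directions.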

The infected files we found were in a folder above public_html, so we almost rule out an application-type infection. It did not appear to come from an outdated version of WordPress. We also scanned the log files, which, luckily for us, were already enabled, and they turned up nothing.

We have files above public_html, no forensic trace in the log files – how could this be?

It seems the customer was using a password that was just an obfuscated version of the cPanel username.

Our conclusion on this one was that since this site hosted the tools the hackers were using to try to infect other cPanel accounts, we presumed, for lack of any other evidence, that this one, with its password falling within the parameters of those tools, was infected the same way. Combined with where the files were, and with the log files looking as though they had been tampered with, that led us to believe our conclusion was correct.

The moral of this story: never use easily guessable passwords. Never. Don’t think you can get away with just obfuscating the username into a password; obviously that doesn’t work either. Use a long, random password that has nothing to do with the domain or the username, and let a password manager remember it for you.

If you have an infected website and would like to see if we can figure out how it happened, send me an email: traef@wewatchyourwebsite.com. We’ll have questions for you, but we should be able to give you an idea of how it happened.

Go ahead, give it a try…

Thank you.

Why we don’t have an affiliate program

Quite often after we’ve removed malware from someone’s website, we’re asked, “Do you guys have an affiliate program?”

Many, many internet marketing people have strongly suggested that in order to “get into the big leagues” we need to help other people make money.

We’re asked so often, I thought it needed to be addressed.

I started this business to help people. Not to be the next Internet billionaire. It’s my nature to want to help others.

When you look at affiliate programs, you have to think about where the commission is coming from.

Does the producer, WeWatchYourWebsite in this case, make a lower margin? We try to offer our customers (you!) the lowest price possible. Many of you are either not making any money with your websites or making very little. Even if your site is making money, everyone is watching their expenses closely.

Charging larger fees might mean you go without website security, or that you try to remove the malware yourself – either way, it’s probably not what you’re looking for.

Does the consumer, you, pay more so that others can make money? After all, you’re the one with the infected website. Why shouldn’t you pay more?

Somewhere the affiliate commission must be added to the cost.

Are you willing to pay someone else a fee for bringing our service to you?

I’m not against affiliate programs, but I’m just having a difficult time with charging you more money in order for us to bring you in.

Most of the people we talk with on the phone do not want to be charged a higher fee. The majority of our customers thank us for doing what we do at the prices we ask.

New Product Development

This is why we focused so much time and effort on our VPS and Dedicated server software. We saw that the market for VPS and dedicated servers was growing. The prices were coming down on those. Many of these servers have between 5 and 200 websites on them.

To ask the webmaster to pay for each site is old-school. We looked at the currently available software like ClamAV, Maldet and other commercial packages. We tested them with our database of over 400,000 infected files. Some are backdoors, some have malicious code injected into them. Others are phishing files.

Our software obviously detects 100%. ClamAV only detected 17%; Maldet, which can use ClamAV, was also 17%; and the other commercially available packages were all under 35%.

You might think that at our price of $199.95 for our software we would have room for an affiliate commission. However, with all the extra work we do for VPS and dedicated servers, we really don’t.

We could raise the price, but then you’re the one paying for the affiliate commission.

Very soon we will have a few very big announcements. Stay tuned. Until then, if you know how we can spread the word about our service, we’re all ears. We just need to let the public know we’re here, we’re inexpensive and we’re highly effective – and we use tools that we developed!

What do you think? What would you do if you were in our situation? Please share your thoughts.

Thank you in advance.

Scams, scams everywhere!

Over the past few days I’ve seen a few scams on the Internet.

But wait!

According to the TV commercial, everything on the Internet is true. How do scams exist?

The first one was a Facebook post featuring Bill Gates:

[Screenshot: Facebook scam post]

While Bill Gates is known for his philanthropy, he does not randomly give away money to increase his Facebook followers.

The second one was also a Facebook scam. I will not post the fake pictures of this one, but it involves Porsha Williams and a supposedly released sex tape. I won’t even go into the details behind this, but needless to say, some people are falling for it.

The original Facebook messages are something like:

OMG Kenya Moore Leaked Porsha Williams SexTape Because of their brawl

porsha is so much angry after watching this

or another one:

OMG Porsha Williams Sextape Leaked by Ex-Boyfriend

People who click these links are taken to a fake Facebook page that tells you that you can only view the “restricted” video if you share the link with your Facebook friends.

If you follow their instructions and share it with your Facebook friends before seeing the video (part of the tip-off that this is a scam), you’re then directed to a YouTube page where you’re asked to fill out an online survey before watching the video.

Okay, really?

You can’t be so desperate to see her in a scandalous video that you’d share this with your Facebook friends and fill out a survey all before seeing the video? Come on people.

Why do the scammers do this?

MONEY!!!

How?

It’s all about affiliate commission. They earn money for every completed survey.

When you want to get something to spread across the Internet, make it something scandalous, sexy and secret and it will spread like wild fire. This is something that is spread first and then you still don’t get to see what you thought you might, but you’ve already passed it on.

Sometimes these scams are also used to spread malware. What if, at the end of filling out the survey, you were directed to a page that said you needed to install a special video viewer? That “viewer” is the malware.

Your mind quickly thinks, “I’ve gone this far, why not?”

Similar scams will include the lure of winning iPads, Samsung phones, $500 gift cards or other such highly desirable items.

In the case of the fake Bill Gates Facebook post, the scammers might be getting paid to increase Facebook likes.

One of the merits of social media is that you should be able to “safely” share information with friends and customers. However, in that context, when you unknowingly invite scammers and hackers into your circle of trust by spreading their messages, you open all your friends and customers to their scams as well.

Don’t trust everything. With the work we do, I always think, “what’s their motive for publishing this?”

Yes, being doubtful of everyone and everything might mean I miss something. But I know I’ll also miss many opportunities for falling victim to a scam.

My sister-in-law sent me a short video clip of my nephew walking around saying “Battery” with his best James Hetfield (Metallica) voice. I couldn’t watch it because I didn’t have the video player required installed on the computer I was on at the moment. I eventually did see it and was quite proud that my habits have been inherited by my nephew.

That’s how I am though. I doubt everyone and everything. This work has made me that way.

Please be careful out there.

Have you come across any scams you want to share? Please post a comment or send an email to me at: traef@wewatchyourwebsite.com