This is an interesting article that Irish Web Design found on the BBC News Features and Analysis Section.
The subject of securing your systems from outside access applies to virtually every computer.
Those businesses with security systems that can be accessed on the web or by mobile phone should pay particular attention to how their system is secured.
How to hack a nation’s infrastructure
By Mark Ward Technology correspondent, BBC News
I’m watching a live video feed of people visiting a café in London.
It’s a small, busy place and is doing a good trade in tea, coffee and cakes. That woman has dropped some money. A child is running around. Later, another customer thinks they have got the wrong change.
Nothing too gripping, you might think, except that the feed should be private, seen only by the cafe’s managers. Somebody forgot to click a box so now anyone who knows where to look can watch.
That CCTV feed is just one of many inadvertently put online. Finding them has got much easier thanks to search engines such as Shodan that scour the web for them. It catalogues hundreds every day.
“Shodan makes it easier to perform attacks that were historically difficult due to the rarity of the systems involved,” Alastair O’Neill from the Insecurety computer security research collective told the BBC. “Shodan lowers the cost of enumerating a network and looking for specific targets.”
It is not just CCTV that has been inadvertently exposed to public scrutiny. Search engines are revealing public interfaces to huge numbers of domestic, business and industrial systems.
Mr O’Neill and other researchers have found public control interfaces for heating systems, geo-thermal energy plants, building control systems and manufacturing plants.
The most worrying examples are web-facing controls for “critical infrastructure” – water treatment systems, power plants and traffic control systems.
(Image: industrial plant) Many industrial systems are networked because they are in remote locations.
“There’s a tremendous amount of stuff out there right now,” said Kyle Wilhoit, a threat researcher from Trend Micro who specialises in seeking out those exposed systems and helping them improve their defences.
Mr Wilhoit said such control systems, which often go by the name of Scada (supervisory control and data acquisition), get put online for many different reasons. Often, he said, the elements of such critical systems were in far-flung places and it was much cheaper to keep an eye on them via the internet than to send an engineer out.
It’s not just finding these systems that is a danger. Security experts are finding lots of holes in the software they run that, in the hands of a skilled attacker, can be exploited to grant unauthorised access.
“For attackers, the potential pay-off for compromising these systems is very high,” said Mr Wilhoit.
Governments are turning their attention to increasingly public vulnerabilities in such critical systems. The US Department of Homeland Security has established a computer emergency response team that deals solely with threats to industrial control systems. In the UK, government cash has been made available to help intelligence agencies and law enforcement deal with cyberthreats.
A Cabinet Office spokesman said cyber-attacks were one of the “top four” threats to the UK’s national security.
“Billions of pounds are being lost to the UK economy from cybercrime each year, including from intellectual property theft and cyber-espionage,” he said. “Industry is by far the biggest victim.”
The spokesman added that government was working with industry to harden critical infrastructure against attack, and had set up a series of initiatives to share information about threats and the best way to tackle them.
The number of web-facing industrial and critical systems that these search engines find is only going to grow. That could introduce a whole new problem if the work of Greg Jones from security firm Digital Assurance is any guide.
Mr Jones bought several smart electricity meters from eBay and took them apart to see how well they protected the information within them. The models he bought are the same as those likely to be used as the UK converts its relatively dumb electricity grid to a smarter alternative.
A few days of work saw Mr Jones and his colleagues extract the passwords from the small chunk of memory inside the meter.
(Image: warning text) Many of the systems found by Shodan should have a restricted audience.
“They had the same credentials in them – factory default passwords.” In addition, he said, basic steps to stop people fiddling with the hardware, or at least reveal tampering, had not been taken.
The traffic the devices swapped with utilities looked like it would be easy to spoof. If smart meters are rolled out in large numbers this could mean problems as it would give any attacker a way to trick that smart grid into making some catastrophically bad decisions.
“There are some really good standards out there governing smart meters,” said Mr Jones. “Our evidence suggests that those suggestions are not being followed.”
This is despite the government body that advises on security, based at GCHQ in Cheltenham, drawing up standards for validating the security, or otherwise, of the meters. The UK was already supposed to be well on the way to making the grid smarter but the project has been delayed because of worries about the central control system.
What is clear is that critical infrastructure and industrial plant control systems are coming under more scrutiny from both attackers and defenders.
That has its upside, said Jeff Parker, one of the directors at the ICSPA, which advises governments and businesses on cyber-protection.
“Is that a benefit? If it raises awareness of vulnerabilities, then, yes, it can help,” he said. However, it might take a lot of work to harden systems and ensure they were adequately protected.
“The threat is there,” he said, “It might not be biting you yet but you had better be ready for the day it does.”
Read the original article here: http://www.bbc.co.uk/news/technology-22524274
Secure your CCTV – Irish Web Design
As we are currently working on a music website we were especially interested to hear that Google Chrome is about to add an ‘audio icon’ to any tabs that are making noise.
How often does it happen that there are a number of browsers open with multiple tabs on each and you find yourself wondering where the noise is coming from?
Once they release this feature you will be able to tell immediately which tabs have audio running.
The feature also tells the Chrome browser itself which tabs have audio running.
As you may know Chrome closes tabs if it is running out of memory.
With this new feature Chrome will discard the tabs with the audio indicator active last.
So if you’re listening to something in a tab near the back of all your tabs Chrome won’t assume that it is inactive.
This function is already in the latest build of Chrome meant for developers and ‘early adopters’ but at present it’s not always stable.
Expect to see it in an update to Google Chrome in the very near future.
Google Chrome Audio Tabs – Irish Web Design
IIA STATEMENT IN RESPONSE TO TOURISM IRELAND AWARDING CONTRACT TO LONDON BASED COMPANY
In response to the Tourism Ireland decision to spend €2.5million on the development of the new Tourism Ireland website www.Ireland.com the Irish Internet Association on behalf of its members would like to express its serious disappointment that an agency of the state has preferred to employ the services of a London web development company over an Irish one.
There are a number of points that need to be addressed. Firstly, as a country in a job crisis we should be doing everything in our powers to support jobs locally. On principle as well as in practice, this ethos should be of highest importance for government agencies leading by example. In this specific instance, IIA members were shortlisted for this tender and we know that domestic rates are far more competitive than those reportedly paid. In accepting that price is not the only factor and that technical merit was the other criteria used, it is worth noting that on the subjective yet technical issue of design and user experience, the general view is that there are already some basic user experience shortcomings with this site.
Secondly, we must look at the broader ramifications of this decision. The majority of global technology companies have elected Ireland as their European base given the high quality of talent here. Beyond the specifics of this particular case, the political message that this decision is sending out to the world is counter-productive and anti-jobs. On the one hand, we have the IDA and Government Ministers working to increase foreign direct investment with a strong focus on the technology industry. On the other hand, in this single decision, we have a state agency saying that it is not possible to secure high quality and good value web design and development services here.
Tourism Ireland is responsible for attracting visitors to Ireland. Holiday tourism is important but so too is business and education tourism. They are asking people to visit a vibrant and welcoming country but is it also one that is so insecure about itself, so lacking in faith in its own people that when given the choice they will partner with a foreign company rather than an Irish one? The argument that this spend represents less than 10% of its total budget for the year is reminiscent of boom years when pockets were deep. The measure of value in these straitened times should surely not be that they got it for a small % of a large amount but rather that they got it for the very best possible price and in doing so factored in the multiplier effect of keeping those jobs in Ireland and promoting the world class standards that exist within our country.
Tourism Ireland’s new website was designed by Hugo and Cat — a creative agency for a digital world.
To quote their own website:
“Creativity from Insight
Consumer engagement. Conversion. Advocacy. A full house in buzzword bingo – but they’re what our clients come to us for.
We’re a digital creative agency specialising in content marketing, experience design and technology, underpinned by strategic planning. We’re all about big ideas without a big attitude, so you’ll get to know the people creating the work that gets your audience talking.
Why not stop by and say hello?”
Originally published on the IIA website
Bock The Robber had an amusing take on the whole farce:
At first glance it appears that the cat did most of the work, and a very well paid cat he is indeed, while Hugo did most of the talking. But what a talker Hugo is, persuading the Tourism Ireland management that a website should cost €2.5 million to design and build.
How appropriate for this pantomime.
Hugo and Cat
Let’s say the cat is on a hundred grand a year, which is good money by any standards in a time of austerity, especially when all you need to survive is the odd fish-bone. This means that the moggy needed to spend 25 years working on the project, which, you’ll agree, uses up several of his lives.
Two and a half million buckaroonies for a website isn’t chickenfeed. But hold on. A man like Hugo would have no ordinary cat. Any feline in his world would be the very cream of cat programmers, so let’s say he’s on a grand a day, because he’s worth it. That means he spent 2,500 days developing this website. Giving him weekends off to prowl the rooftops flashing the dosh at the lady cats — Loadsamoney!! — he still spent a full ten years on the job. That must be a hell of a website, wouldn’t you think?
Well, yes, you would think so, but you’d be wrong. This is the most confused, ill-functioning website you might ever have seen. It starts nowhere and it goes nowhere. It looks like somebody stole it and crashed it into a wall. If there’s a wrong way to do it, a right way to screw it up, nobody does it like us, and so, in their wisdom, the authorities awarded the contract to a London-based firm, rather than a local developer, even though their tender was not the lowest. Not that there’s anything wrong with a firm simply because it’s based in London, but since there’s no shortage of developers in Ireland, it seems surprising that Tourism Ireland couldn’t find a single one that came within a whisker of Hugo and his feline friend. Nobody was up to scratch.
Of course, the formidable managerial intellects at Tourism Ireland weren’t satisfied with spending the two and a half million on Hugo’s cat. They also decided that they should buy the domain name ireland.com from the Irish Times for half a million euros.
For some reason, they felt it was better to have an American domain representing Ireland than our own .ie extension.
I don’t know. This doesn’t seem like a decision based on professional advice, but of course, as usual, I might be wrong. I’d be very interested to hear what professional advice they had when they drew up the request for proposals. Were any web professionals involved in preparing the tender documents? What factors persuaded Tourism Ireland to award the contract to a company whose tender was not the lowest? What personnel prepared the detailed specification? Did any external consultants assist in completion of the specification? Did any external consultants assist in evaluation of the completed design to ensure compliance with the brief? If so, who did these consultants work for?
So many questions.
One question has finally been answered, of course.
We now know that a cat can most certainly laugh.
Originally published on Bock
Irish Web Design notes that the website does not perform very well on mobile devices and smart phones.
Irish Web Design are pleased to announce that they have created a series of packages to provide a high level of security to small to medium business websites.
The packages are designed especially for WordPress based information, blog, news and e-commerce on-line shop websites.
Irish Web Design described the packages as consisting of the three S’s: Scan, Secure, Survey.
The website security measures involve scanning the websites for issues, securing the site and finally setting up a surveillance system to monitor the website in the longer term.
It is estimated that hundreds of thousands of websites around the globe that are running the WordPress software have been infected by malicious software.
Some of the software infects the computers of visitors, who may find a realistic looking ‘Anti Virus Scanner’ pop up on their computer.
The owner is informed that his machine is infected and this software will remove the threats and provide on-going security.
This ‘peace of mind’ only costs a very modest amount, typically $10 to $20.
This is a scam: the programme is not real.
What the criminals who are behind the scam want are your credit or debit card details.
They may wait a long time before they use the information gained to empty your account of funds.
There are many variations on these scams, including straightforward blackmail: if you want your site back, you will pay.
Irish Web Design have researched the issue and designed a solution to ensure that website owners can sleep at night.
While there can never be an absolute guarantee, as situations can change very rapidly, the system is designed to provide alerts on any suspicious activity.
Contact Irish Web Design if you want your website audited and secured.
Solutions for Website Security
Little and Large Websites Attacked
The coordinated attacks used to knock a large number of websites offline became more powerful in the past months. According to the American company Prolexic, who run the world’s largest and most trusted distributed denial of service (DDoS) protection and mitigation service, there has been an eight-fold increase in the average amount of junk traffic used to take sites down.
Attackers have moved on from just using compromised PCs in homes and small offices to flood websites with vast volumes of traffic, and are now using web servers, which have vastly more bandwidth available.
The recent ongoing attack on servers running the WordPress blogging application is constantly seeking new computing power that can be harnessed to form vastly bigger botnets.
Prolexic reported that well-financed attackers are increasingly able to coordinate with fellow crime organizations in the large-scale assaults.
These types of attacks appear to be here to stay and can only be achieved by having access to significant resources including manpower, technical skills and an organised chain of command.
The most prominent targets of the attacks have been America’s largest banks, including Bank of America, Wells Fargo Bank and Chase Bank, which at times have become completely unreachable following the flood of traffic.
Prolexic believes these attacks are not individual youngsters flexing their muscles, because the efforts involved in the harvesting of hosts, coordination, schedules, specifics and the sheer military precision of the attacks suggests the presence of experienced criminals that recruit ‘digital mercenary groups’ to do their work for them.
San Francisco-based CloudFlare’s network was recently bombarded by data sent by more than 80,000 servers across the Internet that all appeared to be running WordPress.
Attackers enter a legitimate user name along with passwords that are known to be invalid. Repeated millions of times, this overwhelms the servers: each attempt forces a database lookup, and the resulting authentication failure then has to be written to the internal logs, which the system struggles to keep up with.
The vast increase in applications such as WordPress and Joomla could become to this decade what the early versions of Microsoft’s Windows XP were to the previous decade. In the 2000s it was easy to compromise desktop PCs and turn them into spam-sending engines or botnets to perform various nefarious acts.
Nowadays a server that is at least ten times as powerful as a desktop computer can do a great deal more damage.
Recent Irish websites that have been attacked include the websites for the Department of Justice and the website of the Department of Finance.
Little and Large Websites Attacked
Irish Web Design continue to monitor developments in the ongoing saga of the many web servers under attack.
The www.arstechnica.com website carried the following story on the subject in its Risk Assessment / Security & Hacktivism section.
The piece is entitled “Admin beware: Attack hitting Apache websites is invisible to the naked eye”
With the sub-heading: “Newly discovered Linux/Cdorked evades detection by running in shared memory.”
“Ongoing exploits infecting tens of thousands of reputable sites running the Apache Web server have only grown more powerful and stealthy since Ars first reported on them four weeks ago. Researchers have now documented highly sophisticated features that make these exploits invisible without the use of special forensic detection methods.
Linux/Cdorked.A, as the backdoor has been dubbed, turns Apache-run websites into platforms that surreptitiously expose visitors to powerful malware attacks. According to a blog post published Friday by researchers from antivirus provider Eset, virtually all traces of the backdoor are stored in the shared memory of an infected server, making it extremely hard for administrators to know their machine has been hacked. This gives attackers a new and stealthy launchpad for client-side attacks included in Blackhole, a popular toolkit in the underground that exploits security bugs in Oracle’s Java, Adobe’s Flash and Reader, and dozens of other programs used by end users. There may be no way for typical server admins to know they’re infected.
“Unless a person really has some deep-dive knowledge on the incident response team, the first thing they’re going to do is kill the evidence,” Cameron Camp, a security researcher at Eset North America, told Ars. “If you run a large hosting company you’re not going to send a guy in who’s going to do memory dumps, you’re going to go on there with your standard tool sets and destroy the evidence.”
Linux/Cdorked.A leaves no traces of compromised hosts on the hard drive other than its modified HTTP daemon binary. Its configuration is delivered by the attacker through obfuscated HTTP commands that aren’t logged by normal Apache systems. All attacker-controlled data is encrypted. Those measures make it all but impossible for administrators to know anything is amiss unless they employ special methods to peer deep inside an infected machine. The backdoor analysed by Eset was programmed to receive 70 different encrypted commands, a number that could give attackers fairly granular control. Attackers can invoke the commands by manipulating the URLs sent to an infected website.
“The thing is receiving commands,” Camp said. “That means that suddenly you have a new vector that is difficult to detect but is receiving commands. Blackhole is a tricky piece of malware anyway. Now suddenly you have a slick delivery method.”
In addition to hiding evidence in memory, the backdoor is programmed to mask its malicious behaviour in other ways. End users who request addresses that contain “adm,” “webmaster,” “support,” and similar words often used to denote special administrator webpages aren’t exposed to the client exploits. Also, to make detection harder, users who have previously been attacked are not exposed in the future.
It remains unclear what the precise relationship is between Linux/Cdorked.A and Darkleech, the Apache plug-in module conservatively estimated to have hijacked at least 20,000 sites. It’s possible they’re the same module, different versions of the same module, or different modules that both expose end users to Blackhole exploits. It also remains unclear exactly how legitimate websites are coming under the spell of the malicious plugins. While researchers from Sucuri speculate it takes hold after attackers brute-force the secure-shell access used by administrators, a researcher from Cisco Systems said he found evidence that vulnerable configurations of the Plesk control panel are being exploited to spread Darkleech. Other researchers who have investigated the ongoing attack in the past six months include AV provider Sophos and those from the Malware Must Die blog.
The malicious Apache modules are proving difficult to disinfect. Many of the modules take control of the secure shell mechanism that legitimate administrators use to make technical changes and update content to a site. That means attackers often regain control of machines that are only partially disinfected. The larger problem, of course, is that the highly sophisticated behavior of the infections makes them extremely hard to detect.
Eset researchers have released a tool that can be used by administrators who suspect their machine is infected with Linux/Cdorked.A. The free python script examines the shared memory of a server running Apache and looks for commands issued by the stealthy backdoor. Eset’s cloud-based Livegrid system has already detected hundreds of servers that are infected. Because Livegrid works only with a small percentage of machines on the Internet, the number of compromised Apache servers is presumed to be much higher.”
Further relevant articles can be found on the website: http://www.arstechnica.com
The Log Holder Company
Name Seamus Connolly
Equity sought 20%
Investment sought €20,000
Seamus Connolly from Athy, Co Kildare, of The Log Holder Company, is looking for €20,000 for 20% of his company, which designs a range of Victorian style log holders that allow your fuel to dry out.
The Dragons check out Seamus’ designs. Barry asks what the costs are to manufacture; Seamus tells him it costs €40 to make one and he sells it for €100. Gavin tells him the costs put him off and asks can he get them down; Seamus tells him he could if he was to produce in bulk. He has sold 70 units to date and hopes to sell 400 in year one with a net profit of €20,000. Barry tells Seamus he doesn’t think the company is scalable so opts out. Sean also tells him he thinks it doesn’t need an investor so opts out. Ramona is the last Dragon to opt out.
Irish Web Design created the Log Holder Company e-commerce website
YouTube Dragons Den Interview by Log Holder Company on RTE Television
Website Photography Training for e commerce web owners
Learn the essentials of creating photos for your own web site or blog with Website Photography Training
Workshops to teach you how to create professional quality images for your Irish shop website
Quality internet photography at a low cost
Learn the basics of photography and advanced techniques to ensure top quality images for your website
For further details of one day and half day workshops and courses for individuals and groups, contact Irish Web Design.
Courses include hands on seminars, workshops and all kinds of one to one training courses.
One of the most popular content management systems in use on modern websites is WordPress, found on more than 60 million websites around the world.
WordPress has been in the news recently as the subject of a large-scale attack from a huge number of computers from across the internet. This automated botnet attack was attempting to take over servers that run WordPress websites.
Many experts believe that this current attack is a relatively small scale version of a botnet that will infect computers in the future. The next attack may be vastly stronger and more destructive than what we have seen recently, running on servers whose bandwidth connections are hundreds or even thousands of times faster than those of machines in homes and small businesses.
The enormous popularity of WordPress makes it a tempting target in a situation like this, and the flip side of its ease of use is weak security practice by its users.
This typically means that users continue to use the word ‘admin’ as a user name, as this is the default administration account that’s created when you first install WordPress.
Weak passwords may be guessed by the ‘brute force’ attack of a botnet, able to try vast numbers of password combinations in a short space of time.
For the moment every WordPress user should disable the default ‘admin’ account in their installation and replace it with something else. This may take you out of the immediate danger from the current attackers.
To create a strong password you need to use at least ten characters with a combination of upper and lower case letters along with some numbers and even some extended characters.
The recent attack serves as a reminder to everyone that security for your WordPress blog or website is something you do need to continue to work on.
What follows is Irish Web Design’s advice on what can you do to make your site more secure. These actions will help to deter such attacks in the future.
Update to the latest WordPress (currently version 3.5.1)
If there is an administrative user called ‘admin’:
Create a new account with a different name, unconnected with the name of your website. Give it administrative privileges.
Give it a strong password you have never used before.
Write these details down in at least two different places.
Sign out of the account.
Sign in as the new user.
Delete the old ‘admin’ user account.
During this procedure, you’ll be asked which account the posts created by ‘admin’ should be assigned to.
Choose the new account name you just created.
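Before creating the replacement account in the procedure above, it is worth checking the new login and password against the rules this article sets out (not ‘admin’, unconnected with the site name, at least ten characters with mixed case, digits and extended characters, never used before). The following added checker is Irish Web Design’s illustration, not part of WordPress; the `fingerprint` helper is a hypothetical way of comparing against old passwords without keeping them in the clear.

```python
import hashlib
import re

MIN_LENGTH = 10  # the rule above: at least ten characters


def fingerprint(password):
    """SHA-256 of a password, so previously used passwords can be compared
    without storing them in the clear (hypothetical helper for this example)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def password_findings(password, previously_used=()):
    """Check a candidate password against the article's rules; return a list of problems."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no extended (non-alphanumeric) character")
    if fingerprint(password) in previously_used:
        problems.append("already used before")
    return problems


def username_findings(login, site_name):
    """The replacement login must not be 'admin' and should be unconnected with the site name."""
    problems = []
    if login.lower() == "admin":
        problems.append("default 'admin' account name")
    # Any word of three or more letters from the site name appearing in the login counts as connected.
    site_words = {w for w in re.split(r"\W+", site_name.lower()) if len(w) >= 3}
    if any(w in login.lower() for w in site_words):
        problems.append("login derived from the site name")
    return problems


def admin_account_present(existing_logins):
    """True when the default 'admin' account still exists, i.e. the procedure above applies."""
    return any(login.lower() == "admin" for login in existing_logins)


def vet_new_admin(login, password, site_name, existing_logins=(), previously_used=()):
    """Run before step 'Create a new account': returns whether the credentials pass and why not."""
    problems = username_findings(login, site_name) + password_findings(password, previously_used)
    if login in existing_logins:
        problems.append("login already exists")
    return {"ok": not problems, "problems": problems}


if __name__ == "__main__":
    # Constructed values for illustration only.
    site = "Irish Web Design"
    current_users = ["admin", "editor"]
    if admin_account_present(current_users):
        print(vet_new_admin("irishweb_editor", "password", site, current_users))
        print(vet_new_admin("glasnevin_k", "Kd7#pLq2xV", site, current_users))
```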
You should also enable ‘two-step verification’ for each user in your WordPress account. As this is a more complex process with additional implications we will carry an article on the subject in the near future.
Irish Web Design would also recommend changing all passwords connected with access to the site, server and database on a regular basis.
As a matter of course Irish Web Design also recommend that all users should install a number of security programmes on all WordPress websites to prevent them being hacked.
In our view, if you adhere to minimum standards of security for your WordPress site it will give you a good level of security and will make it more difficult to hack into your site.
Don’t let the spammers, hackers or botnets destroy your presence on the web. Your site or blog can be secure with a little thought and effort.
Title of article: Protect Your WordPress Website published by Irish Web Design