cookandkaye

scientific and technical website design projects news

Articles on Web security

Society for Natural Sciences

Above: A wide-screen view of the home page of the Society for Natural Sciences (taken February 2022).

Having built a small number of custom sites for learned societies, we found the Society for Natural Sciences to be our first ‘off the peg’ society website. It was requested following our work for the UKSB, a society with which it shares a number of active officers, and so shares a common design, though the WordPress block editing system has allowed the two sites to develop some individuality.

Again the site is based on the popular WordPress content management system, which allows the society to add and change content both for public consumption and within its private ‘members only’ area. A custom suite of plugins allows the society to manage its membership, who can pay their subscriptions online through the site and are sent automated reminders to do so each year. The membership database integrates with the ALO Newsletter plugin, allowing the society to send newsletters to its membership, keeping them informed about events within the Society.

WordPress Security for members data

Generally WordPress sites are subject to a lot of unwanted attention from hackers, so we include a number of features to protect members’ data. These include hiding the login page, and blocking an attacker’s IP address after a couple of failed login attempts. More recently we have added two-factor authentication as an option for all administrator logins. The expectation is that this will provide some security even if an administrator’s password is compromised, though we strongly recommend that societies continue to enforce strong passwords for all administrators!

Security bulletin: Fraud against learned societies

Online fraud has hit pandemic proportions over the last two years. The increased volume of attacks is annoying, but profiling techniques are making these attacks a lot harder to spot, and societies are being targeted…

Learned societies face some unique challenges in combating fraud:

  • The executive officers for the society typically carry out their duties in their spare time, and consequently communications between them rely on email …
  • Background details for the executive officers are easily obtained through the society website, their academic website pages and from any social media presence they might have.
  • The details of any conferences or meetings being run by the society are a matter of public record (you are advertising them) – so a short list of likely financial transactions can be compiled.

A recent attack started with a personal email purporting to be from the chairman to the treasurer – apparently harmless, it asked how the treasurer’s family was in passing. This reference encouraged the treasurer to believe that the email address was genuine, while in fact the personal information mentioned in passing had been scraped from social media. Subsequent emails asked about how the society’s audit was proceeding, and finally asked the treasurer to pay the audit team using the bank details provided.

The sum involved was not astronomical, but a nice fee for an hour’s work profiling the executive committee, and a couple of email messages. In this instance the plan was foiled because the treasurer cc’d the chairman’s genuine email account into the last email confirming that he had made the payment. Thankfully the chairman was also working over the weekend, spotted the email, and got in contact in time to get the transaction reversed.

Why did the attack come so close to working?

The attacker used a plausible email address in the ‘From’ header. It looked like a genuine university address, but did not actually exist. That address was never used in any communication with the fraudster: the ‘Reply-To’ address (which you will often not bother to look at, but which is what your email client actually sends replies to) was something entirely different. Note that some email clients will pick up on this and flag a possible phishing attack.

The attacker inserted some personal details into the email from Social Media that encouraged acceptance of the email at face value. Typically executive officers only meet up a couple of times a year, so the attacker does not need to know the target’s personal life in depth (do you remember what you said to the chairman after the conference in September 2020 anyway;-).

The attacker worked on a weekend. Society executives will typically work weekends, as they are trying to fit Society work around their day job; but this is likely to delay any response from your bank, and increase the chance of the attacker getting away with the cash…

Is it only the treasurer that should be alert?

Generally a fraudster is after money, so the treasurer is the most attractive target within the Society. The Society’s membership details can also be relatively easily monetised, however. Loss of this information would open the Society to the possibility of blackmail, but the information can be leveraged with very little risk by sending your members bogus requests for membership or conference fees…

How would you stop this attack?

To prevent this sort of attack you need a means of confirming the identity of the person you are communicating with. You can go down the route of WW2 spies and issue pass-codes or one-time pads to your executive (there are modern equivalents, for example two-factor authentication, email authentication etc., but they are not as easy to deploy), or you can arrange a brief video call, which raises the bar for any impostor, even in these days of fake news…

It is a very rare occasion that a transaction is so time critical that it cannot wait a couple of days for you to schedule a video call. If it is the chairman will probably want to discuss it face to face anyway!

See also: The other virus pandemic

Barry Kaye, July 22nd 2021

Viruses and viruses

Amongst the unwelcome side effects of the COVID-19 pandemic is an increase in phishing and hacking activity. Perhaps as a result of the reduced opportunities during lock-down, smaller websites and companies are finding themselves on the receiving end of quite carefully targeted phishing and hacking attacks.

To add to the problem, attacks are becoming a lot more sophisticated; I was quite impressed by one effort asking me to login to my account at Gooql adwords, to re-activate my account.

Less dangerous, but no less annoying, is the upswing in unsolicited spam. Most of this is now also carefully profiled to match your potential personal interests or business requirements. It almost makes you nostalgic for an invitation to look after a few million dollars from a Liberian Prince…

(When is Elon going to get back to me with those bitcoins?)

Service outages

At several times last week one of our hosting providers was hit by massive Distributed Denial of Service (DDoS) attacks, which were launched with the express aim of extorting money from the provider.

We are very grateful to our host, A2, for the professional way they handled this problem; information was available about the attack as soon as we realised there was a problem through our monitoring software. A2 have contracted for additional capacity to help protect their service in future, and reported the issue to the relevant legal authorities.

We in turn would like to reassure any customers who were affected that, given the nature and extent of the attack, the disruption was kept to a minimum by A2’s actions.

We have nearly a decade’s experience using A2 as a hosting provider, and have been very pleased with the service we have received over this time. We look forward to continuing to work with them in future.

You can help! DDoS attacks, while they are managed by a single group or individual, originate from many thousands of personal computers that have been compromised by downloading malicious software. Take care when downloading any software off the internet, NEVER open suspicious attachments to emails!

WordPress 4

WordPress 4 is now available, this offers better integration with social media, and improved embedding of video and other content into your posts and pages. There are no known issues with the update from version 3 to version 4 for CookandKaye customers, so as long as you back-up before you start, you can use the auto-update feature to enjoy the improved performance! (Contact us if you need any assistance).

IMPORTANT NOTICE: If your WordPress version is before 3, you may require a couple of tweaks to your database settings to keep plugins running; please contact us before updating!

The cookie crumbles (UK and EU websites)

New EU legislation is to regulate the use of cookies online. Cookies are ubiquitous, but on most sites their use is quite innocuous; commonly they are used:

  1. To track logged-on members, the cookie identifies your visitor and confirms that they have logged in, and are entitled to view a given page.
  2. To remember what visitors have looked at – allowing the site to maintain a back history (this might be ‘previously you viewed the following items’, keeping track of a shopping basket, or smart behaviour, such as only showing the introduction to a movie or animated display once).
  3. To track what users did on your site, possibly passing this information on to a third party. Whilst the information is ‘anonymous’ – the visitor is usually only identified by their IP address* – with enough linked sites a commercially useful profile of your visitors can be built up.

At CookandKaye we don’t use option 3 above, which is the one that is causing legal concern, unfortunately options 1 and 2 will also be caught by the proposed legislation. As a consequence, you may need to look at your existing web provision. Whilst prosecution is not imminent for any site, we recommend the following policies to cover this possibility:

With login forms: We recommend a comment to be added below the login form, to the effect:

To access this section of the site you must permit us to save a digital key on your computer called a cookie. This cookie will not be used to track your browsing history.

With shopping baskets: ICO says that if a cookie is essential to permit an activity, no consent need be obtained. In spite of this we recommend a comment to be added below the button to the effect:

To save an item to your shopping basket you must permit us to save a digital key on your computer called a cookie. This cookie will not be used to track your browsing history.

Clearly if you do use cookies to track browsing history (not everybody has the refinement to be a CookandKaye client!), the second sentence of the suggested text (‘This cookie will not be used to track your browsing history’) should be replaced with a statement to that effect! If you are able to add this text, however, then it provides you with an opportunity to reassure your visitor.

With smart sites: Here the problem is a lot more difficult to solve satisfactorily, as the objective is to help the site run smoothly, not pop up warnings that it is about to save cookies on your browser. Unfortunately these just look like you are trying to do something dodgy, and are likely to damage your relationship with the visitor, rather than match your intent of offering them a tailored service. ICO has not yet published its guidelines, so for the moment we suggest placing a note in your footers to the effect:

Cookies are used on this site to help personalise the browsing experience for you. No information about your browsing history is taken from them.

If you do acquire browsing history, you need to seek legal advice here!

If this proves inadequate in the light of ICO’s final recommendations, then you will need more extensive work on your site. Our work-around at present is to track visitors’ IP addresses rather than use cookies, where this is permitted by your host. When a visitor requests a web page, the page is sent to their IP address, so a record of this is essential. In consequence it is difficult to imagine a reasonable legal challenge to holding this record. It also has the advantage of working whether or not visitors enable cookies! Unfortunately it is more difficult to implement, and there is a small possibility of mis-matching IP addresses and visitors because IP addresses are re-used. As a consequence the time window for tracking is quite narrow, of the order of a few minutes. This is good enough to follow a visitor from one page click to the next, but not safe enough to hold shopping cart information!
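The IP-based work-around described above, written out as an added example (this is not CookandKaye’s own tracking code). The three-minute inactivity window is an assumed value standing in for the article’s “a few minutes”; when it lapses, the old click history is discarded so that a later visitor who inherits the same re-used address is not merged into it.

```python
from itertools import count

# Assumed window: the article only says "a few minutes", so three minutes
# is the value chosen for this example.
WINDOW_SECONDS = 180


class IpSessionTracker:
    """Follow a visitor from one page click to the next by IP address alone.

    A session is keyed on the client IP and expires after WINDOW_SECONDS of
    inactivity. Anything longer-lived (a shopping basket, say) must not be
    keyed this way, because the address may by then belong to someone else.
    """

    def __init__(self, window=WINDOW_SECONDS):
        self.window = window
        self._sessions = {}   # ip -> (session_id, last_seen, [paths])
        self._ids = count(1)

    def record(self, ip, path, now):
        """Register a page request; returns (session_id, started_new_session)."""
        self._expire(now)
        entry = self._sessions.get(ip)
        started_new = entry is None
        if started_new:
            entry = (next(self._ids), now, [])
        session_id, _, paths = entry
        paths.append(path)
        self._sessions[ip] = (session_id, now, paths)
        return session_id, started_new

    def history(self, ip):
        """Paths seen from this IP in its current (unexpired) session."""
        return list(self._sessions.get(ip, (None, None, []))[2])

    def _expire(self, now):
        """Drop every session idle for longer than the window."""
        stale = [ip for ip, (_, seen, _) in self._sessions.items()
                 if now - seen > self.window]
        for ip in stale:
            del self._sessions[ip]
```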

We don’t think there is anyone in the web-design industry who supports the new legislation, which, paradoxically, may oblige us to capture more detailed traces of IP addresses, if not actually save cookies on visitors’ computers. In the UK there is some reluctance to introduce the legislation, and a sizeable breathing space is being allowed for us to get ourselves organised to meet its requirements. Unfortunately we have to live with it, and we need to start living with it now. If you need help implementing any of these guidelines on your site please contact us.

More information is available through the BBC – see article linked below:

Websites told to ensure cookies comply with UK law (includes a link to ICO’s current guidelines).

* More clearly private data – linking the IP address/browsing history to a person’s name or physical address, which you might be able to do after your visitor has logged in, is already restricted under the data protection act – there is a good review of this on the BCS website:

Data Protection Act 1998 overview

Cookie crumbs: Update August 2011

WordPress comments are closed!

We’re closing the comments section on CookandKaye.com, because of the volume of spam and phishing attempts we’re getting through it. As Google descends into the morass of social network link-counting, any half way decent blog is getting inundated with linked comments advertising this and that, without usually even a glance at the article to see if the comment is relevant…

Much of this stuff is filtered automatically by Akismet, but we realised last update that we were carrying over 2MB of trash comments in the database, rather outweighing the rest of the blog contents, images and all. It was simply taking too long to work through the comments to pick out the good stuff…

So, sorry to any genuine commenters, but if you really like what we’re doing, please let others know through the new Twitter link being rolled out on all of the project articles, or through a ping-back from your own blog. We’ll try to reciprocate any pingback that we can sensibly work into our output!

If you want to contact us for more information about anything we’re doing, you’ll find a new email link under each post as well.

WordPress RSS feed hack

It wasn’t how I’d intended to spend my afternoon, trying to fix my WordPress installation from quite an annoying hack. This is one that only appears in the Google RSS feed, which completely threw me for quite a while. It seems to rely on sticking its advertising cack into areas that only Google uses, you have been warned!

In the past hacks have been pretty easy to spot, simply look for a new file or a recently updated file, or failing that, search for the word(s) that are appearing in your feed that you didn’t write in your blog! Unfortunately the hackers are getting sneakier by the day, I still haven’t found the files that were inserted into my installation, so had to replace everything instead (still a little worried that there might be something I’ve missed – I guess I’ll see when this post goes up!). The text search didn’t work either, apparently they’ve started base-64 encoding the names of their pharmaceuticals. You could base-64 encode the name and search, but it is too easy to do something else to hide it – reverse the letters, whatever, there are a lot more places for them to hide than I’ve got time to look.

In fact it looks like this is a hack that focussed on my WordPress database. This is a nightmare, because your posts and site look clean (indeed, ARE clean), and I couldn’t even see the problem in Feedreader, just Google’s Reader!

Anyway, my sequence was:
1) to change the FTP password.
2) to replace sections of the WordPress installation in sequence (I didn’t find any bogus files doing this, so there’s likely to be a follow up post when I get to repeat this joyous activity sifting for the sh#t).
3) to change the database user and password (maybe should have done this as #2? – Learn from my mistakes guys!)
4) panic to the wife (Archaeogeek), who, being a l33t systems admin, checks out with the following helpful links:

wordpress-pharma-hack from Pearsonified and
8-steps-to-clean-a-hacked-wordpress-blog from Knowit

I found the first helpful in looking for duff database entries (here I struck gold at least, and the blog hasn’t crumbled since removing the entries). There are lots of possible places where sh#t can get into your database weave though, so I guess we’re going to have to look through more tables for it next time (or even this time)…

Being online is like looking after a creche, I’d rather not have to clean these nappies again, but expect it to happen…
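The database search the post describes, as an added example (not the author’s own clean-up script): scan a text dump of the options table for base64-looking tokens, decode each token both as written and reversed, and look for suspect terms in the result. The option names, the dump and the suspect terms are constructed placeholders; the real product names from the hack are not reproduced.

```python
import base64
import re

# Constructed stand-ins for the advertised product names.
SUSPECT_TERMS = ("pharma-example", "cheap-pills-example")

# A run of base64 alphabet characters long enough to be worth decoding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}")


def _decode(candidate):
    """Decode a base64 run, repairing padding that a regex match may have lost."""
    core = candidate.strip("=")
    core += "=" * (-len(core) % 4)
    return base64.b64decode(core, validate=True).decode("utf-8")


def decodings(token):
    """Yield plausible plaintexts hidden in a token: the straight decode, the
    decode of the reversed token, and each of those reversed again."""
    for candidate in (token, token[::-1]):
        try:
            text = _decode(candidate)
        except (ValueError, UnicodeDecodeError):
            continue
        yield text
        yield text[::-1]


def first_hit(token):
    """(decoded text, matched term) for the first decoding naming a term."""
    for text in decodings(token):
        for term in SUSPECT_TERMS:
            if term in text.lower():
                return text, term
    return None


def scan_dump(dump_text):
    """Return (option_name, decoded_text, term) for each tab-separated
    'name<TAB>value' row whose value hides a suspect term."""
    hits = []
    for line in dump_text.splitlines():
        name = line.split("\t", 1)[0]
        for token in B64_RE.findall(line):
            hit = first_hit(token)
            if hit:
                hits.append((name, hit[0], hit[1]))
    return hits


# Constructed dump: two clean rows, one straight-encoded advert, and one
# advert whose base64 text was reversed to defeat a naive search.
SAMPLE_DUMP = "\n".join([
    "siteurl\thttps://example.org",
    "blogname\tCookandKaye example blog",
    "rss_widget_cache\t" + base64.b64encode(b"Visit our pharma-example store today").decode(),
    "feed_footer\t" + base64.b64encode(b"cheap-pills-example").decode()[::-1],
    "blogdescription\tJust another WordPress site",
])
```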

Email phishing – Gmail not the only target!

Recently I got the following email from alertsATmy_domain.

Dear user of the cookandkaye.co.uk mailing service!

We are informing you that because of the security upgrade of the mailing service your mailbox (my_email_address) settings were changed. In order to apply the new set of settings click on the following link:

http://cookandkaye.co.uk/owa/service_directory/settings.php?email=info@cookandkaye.co.uk&from=cookandkaye.co.uk&fromname=info

Best regards, cookandkaye.co.uk Technical Support.

I knew that this email could not be genuine, but it was very believable.

This phishing attack works on a number of assumptions that people make about email messages and URLs, assumptions that you must challenge to stop other people assuming your online identity. These are:

  • That the From email address is genuine. In fact it is very easy to set the ‘from’ email address in a message, so email messages are in practice anonymous (you cannot be sure where any message comes from).
  • That a link goes where it says it does. The only way you can check this is by looking at the raw code of the message (or web page). On doing this it was apparent that the link was not quite what it appeared: the correct domain was there, but configured as a sub-domain of a site somewhere in the co.kr TLD, where ‘technical support’ would presumably have taken my email access details.

Configuring the link in this way makes it quite difficult to check by eye in the raw form, and I guess most people don’t do that! We’re not a big (or particularly prestigious) company, so I don’t think we are high on anyone’s hit list; if we are getting these phishing attacks, the implication is that it is rife…
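The two checks that would have caught both the fraud described in the security bulletin (a ‘Reply-To’ that differs from the ‘From’ address) and this phishing email (link text naming our domain while the href puts that domain in front of an unrelated site), as an added example that is not part of the original posts. The message, addresses and hosts are constructed; nothing here is the real phishing email.

```python
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed message (all addresses and hosts are made up): a From: that is
# not where replies go, and a link whose visible text shows the expected
# domain while the href uses that domain as a sub-domain label elsewhere.
RAW_MESSAGE = b"""\
From: Technical Support <alerts@cookandkaye.co.uk>
Reply-To: support-desk@mailbox-example.invalid
Content-Type: text/html; charset=utf-8

<p>Click <a href="http://cookandkaye.co.uk.evil-example.co.kr/owa/settings.php">
http://cookandkaye.co.uk/owa/settings.php</a> to apply the new settings.</p>
"""


def address_domain(header_value):
    """Lower-cased domain of the first address in a header ('' if none)."""
    _, addr = email.utils.parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def host_of(url_text):
    """Hostname of a URL, tolerating link text written without a scheme."""
    if "://" not in url_text:
        url_text = "http://" + url_text
    return (urlparse(url_text).hostname or "").lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def phishing_indicators(raw):
    """Findings: Reply-To/From domain mismatch, plus each HTML link whose
    visible text names a different host from the one its href points at."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    from_dom, reply_dom = address_domain(msg["From"]), address_domain(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            shown, target = host_of(text), host_of(href)
            if shown and target != shown:
                note = f"link text shows {shown} but points to {target}"
                if target.startswith(shown + "."):
                    note += " (expected domain used as a sub-domain label)"
                findings.append(note)
    return findings
```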

We hope you don’t get caught out – if you do you should speak to your technical support as soon as you can, perhaps in person…

An anatomy of spam

Spam is one of the really irritating things about modern life, but like its namesake, there is not usually a definable anatomy, never mind an easily identified origin! In this study, however, we get a sneak peek at what drives a spam…

For a number of years we have employed email forms on our websites to combat the worst excesses of spam. This simple system hides our email addresses from being harvested, and allows us both to follow up new enquiries, and to re-direct email easily dependent on who is available to answer it. What it prevents is our addresses being parcelled up and flogged mercilessly by spam robots!

Recently, however, we started getting very similar emails arriving in our in-box, all with random subject lines, and containing 20-30 links to pages within a domain, with a small added random component to each address*. A quick look round the web showed us that the web addresses often appeared in web-blog comments posts. Comments on blogs are intended to permit interested readers to feed back into a story, but have long been used as a means for the unscrupulous to advertise a load of web addresses. These addresses will usually be providing services that cannot be advertised more conventionally because they are illegal, immoral, or offer downloads that might damage or enslave your computer. This is spam; it exists because there are some things that you simply cannot mount an ad campaign for. After all, it really isn’t that difficult or expensive to get a site noticed, so anyone using this technique for a legitimate product would be just too dumb to breathe!

A quick bit of modification to our email form allowed us to pick up the IP address of the robot(s) sending the junk, and this was identified as 83.233.30.159, which appears to be a Swedish IP, advertising a site in the Netherlands (I don’t see any reason to advertise them here! Thanks to ip-lookup for tracing the IP information). Clearly one of the more stupid spam machines had picked up on our contact form, and every two hours was posting us a new set of 20-30 links, without realising that there was no blog behind the form for their advertising to have any effect on…

Hey-ho, at present this is only a minor annoyance, and has even provided some interest in that the activity is regular, and possesses a degree of anatomy that is subject to some analysis. As ever, however, we have to be alert to how efficiently we might block this kind of activity if it were to get more significant.

An obvious contender would be to block the IP address, which has remained constant for the last few days; this can be coupled to an apology and an opportunity to contact us through snail mail or phone if the IP address later passes on to a genuine person. Alternatively, the industry standard approach has been to deploy Captcha, which asks anyone submitting the form to type in a set of letters and numbers from an image that is doctored to make it difficult for a machine to read.

Both systems have their advantages and disadvantages: Unfortunately a lot of early Captcha systems have now been broken; on the other hand, IP addresses are pretty easy to spoof or change…

As a final comment, on the mutability of IP addresses, it is quite interesting to probe an access log and watch a more sophisticated hacker ‘at work’. This is characterised by a number of related probes coming in, but with the IP address jumping over a broad range of values. This kind of thing can force you to get quite brutal with IP blocking – but more on that some other time!

*The random components to subject lines and addresses make it more difficult for spam assassin programs to pick out these bad emails.
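A contact-form filter for the pattern described above, as an added example (this is not the form code the post mentions). It flags submissions by link count, by every link advertising one domain, by repeat posting from one IP within a window, and by an optional IP blocklist; the thresholds, the window, the domain and the sample bodies are all constructed assumptions, and the random component on each URL mirrors the footnote.

```python
import random
import re
from collections import defaultdict
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
MAX_LINKS = 3              # assumed: genuine enquiries rarely carry more links
REPEAT_WINDOW = 24 * 3600  # seconds; the robot above posted every two hours
MAX_POSTS_PER_WINDOW = 2   # assumed: a third post from one IP in a day is flagged


def make_robot_body(n_links, seed):
    """Constructed imitation of the junk described above: n_links URLs into one
    domain, each with a small random component so no two bodies are identical."""
    rnd = random.Random(seed)
    return "\n".join(
        f"http://spam-example.invalid/item{rnd.randrange(100)}?r={rnd.randrange(1 << 16):x}"
        for _ in range(n_links)
    )


def link_hosts(body):
    """Hostnames of every URL found in a submission body."""
    hosts = [urlparse(u).hostname for u in URL_RE.findall(body)]
    return [h.lower() for h in hosts if h]


class FormFilter:
    """Decide whether a contact-form submission looks like comment-style spam."""

    def __init__(self, blocklist=()):
        self.blocklist = set(blocklist)
        self._seen = defaultdict(list)   # ip -> timestamps of recent posts

    def classify(self, ip, timestamp, body):
        """Return the reasons a submission is suspect (empty list = looks fine)."""
        reasons = []
        if ip in self.blocklist:
            reasons.append("ip on blocklist")
        hosts = link_hosts(body)
        if len(hosts) > MAX_LINKS:
            reasons.append(f"too many links ({len(hosts)})")
        if len(hosts) > 1 and len(set(hosts)) == 1:
            reasons.append(f"every link advertises {hosts[0]}")
        # Keep only posts inside the window, then count this one as well.
        recent = [t for t in self._seen[ip] if timestamp - t <= REPEAT_WINDOW]
        recent.append(timestamp)
        self._seen[ip] = recent
        if len(recent) > MAX_POSTS_PER_WINDOW:
            reasons.append(f"repeat poster ({len(recent)} posts in window)")
        return reasons
```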