Re: [LUG] An observation on wordpress and scripted attacks


On 06/02/13 22:38, Simon Avery wrote:
> 
> coordinated; the ips used are geographically diverse so probably
> compromised machines.

Did you check? A lot of abuse we see now is from servers, and my
suspicion is that these are purchased machines. Purchased with doubtful
credit cards perhaps, but at least for some server vendors if they are
compromised at that sort of level it suggests negligence.

> As before, WP is not insecure, just popular - that they're trying to
> bruteforce the admin account just shows it's the easiest way in rather
> than another exploit

Not necessarily.

It shows enough people pick poor passwords to justify the effort. The
advantage of the approach is it will work till everyone picks good
passwords, whereas any specific vulnerability will work till Wordpress
is upgraded, and the insecure versions are probably already owned.

> Maybe more ways?

Use a good password?

A 22 character random password which is case sensitive and chosen in a
properly random fashion from alphanumerics has about 128 bits of entropy.

On average an attacker has to try half the password space to guess that,
so 2^127 attempts.

At 100 guesses a second we need 2^127 / (100 × 86400 × 365 × 13000000000)
current ages of the Universe to guess.

I make that of the order of 10^18 times the current age of the Universe.
The count presumes the attacker knows the length of the password, but that
is irrelevant because the time to guess a shorter password (say 21
characters, of order 10^11 times the age of the Universe) is so much
smaller than 10^18 times the age of the Universe that it can be ignored
for the purposes at hand ;).

Clearly if a password like this is compromised it is because I don't
have an SSL cert on my blog (wireless sniffing), or because my password
manager was compromised; it is unlikely it has been guessed.

The advice on password length is usually based on the assumption the
hash can be intercepted at some point, and the original password derived
from brute force attacks on the hash. On this basis it is usual to
suggest a minimum of 12 characters but that makes some assumptions about
the password protocols in use. Since by 12 characters of good random
passwords you are going to use a password manager, and it makes no
difference once you have a password manager whether it is 12 or 22, pick
a length that is long enough.

I like your other advice too: if you can restrict access, then it will
protect you even if the password is compromised by other means (such as
those I mention). But a good password is worth its salt.

My problem is system passwords, and other passwords not easily managed
by a password manager. Hefting around and managing SSH keys has its own
issues, so I mostly use system passwords that are in my head, and whilst
some of these are long they are not randomly chosen from all available
characters. Some are probably not long enough, although where possible I
also restrict access to services so they can't be guessed at.

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
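As an added illustration of the guessing-time arithmetic in the reply above (example code, not part of the original thread), the script below takes the reply's figures as its assumptions: 100 guesses a second against the login form, a 13 billion year old Universe, and a case-sensitive alphanumeric alphabet. It also works the "attacker does not know the length" case, summing the shorter lengths, to show why they can be ignored.

```python
import math

# Figures taken from the reply above; these are modelling assumptions, not measurements.
GUESSES_PER_SECOND = 100            # online guessing rate against the login form
UNIVERSE_AGE_YEARS = 13_000_000_000
SECONDS_PER_YEAR = 365 * 86400
ALPHANUMERIC = 26 + 26 + 10         # case-sensitive letters plus digits = 62 symbols


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password chosen uniformly at random: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def expected_guesses(alphabet_size: int, length: int, length_known: bool = True) -> float:
    """Expected number of guesses before a uniformly random password is hit.

    With the length known the attacker searches alphabet**length candidates and
    on average needs half of them.  If the length is unknown, every shorter
    length is exhausted first; that extra work is a geometric series adding
    less than 1/(alphabet-1) of the final term, which is why the reply says the
    shorter lengths can be ignored.
    """
    final = alphabet_size ** length
    shorter = 0 if length_known else sum(alphabet_size ** n for n in range(1, length))
    return shorter + final / 2


def universe_ages(guesses: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to make `guesses` attempts at `rate` per second, in ages of the Universe."""
    seconds = guesses / rate
    return seconds / (UNIVERSE_AGE_YEARS * SECONDS_PER_YEAR)


def order_of_magnitude(x: float) -> int:
    """Exponent n such that 10**n <= x < 10**(n+1)."""
    return math.floor(math.log10(x))


if __name__ == "__main__":
    for length in (12, 21, 22):
        bits = entropy_bits(ALPHANUMERIC, length)
        ages = universe_ages(expected_guesses(ALPHANUMERIC, length))
        print(f"{length} chars: {bits:5.1f} bits, ~10^{order_of_magnitude(ages)} Universe ages")
    # The reply's own round figure: 2^128 possibilities, so 2^127 expected guesses.
    print(f"2^127 guesses: ~10^{order_of_magnitude(universe_ages(2 ** 127))} Universe ages")
    # How much the unknown-length search adds on top of the known-length one.
    known = expected_guesses(ALPHANUMERIC, 22)
    unknown = expected_guesses(ALPHANUMERIC, 22, length_known=False)
    print(f"length unknown costs {unknown / known:.3f}x the known-length search")
```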