security Archives

  1. Rowhammer, “the first remote software-induced hardware-fault attack” →

    Frightening indeed:

    Rowhammer takes advantage of a design defect in dynamic random-access memory, or DRAM, chips, which provide the high-speed data storage for a computer’s CPU. The most common DRAM standard today is called DDR3, ubiquitous on laptops, workstations, servers, phones, and tablets.

    DDR3 memories are also littered across non-commercial embedded applications (industrial, medical, military).

    A single DRAM chip contains billions of electrical capacitors, each of which stores a single bit. The sheer density of capacitors on these memory chips, however, causes a problem. By “hammering” a row of bits repeatedly, constantly changing their values, an attacker can sometimes induce an electrical interference in which capacitors in a different, adjacent row are mistakenly flipped. If the attacker can sufficiently control what’s in that adjacent row, then the attacker can manipulate your computer without authorization.

    At the most basic level, memory robustness is verified by focusing on a single cell’s ability to affect neighboring cells. See this excerpt from the folks at ParkMass software, who develop the acclaimed Memtest86 memory test software:

    Memory chips consist of a large array of tightly packed memory cells, one for each bit of data. The vast majority of the intermittent failures are a result of interaction between these memory cells. Often writing a memory cell can cause one of the adjacent cells to be written with the same data. An effective memory test attempts to test for this condition. Therefore, an ideal strategy for testing memory would be the following:

    1. write a cell with a zero
    2. write all of the adjacent cells with a one, one or more times
    3. check that the first cell still has a zero

    How memory manufacturers will add robustness to prevent a row of cells from affecting a neighboring row may be a challenge, but this testing philosophy could be scaled to toggle groups of cells within a row to help determine if the memories are at risk for an attack similar to Rowhammer.

    I hope that I never see this thing.

    (via Alex King)

  2. Hardening WordPress →

    While WordPress account containment is one way to improve a website’s security, there are a number of different ways to prevent your WordPress account(s) from being compromised.

    Within the article is a link to another one titled “How Hosts Manage Your Website Security“, which reminds us “Hosts are concerned with the security of their infrastructure, not with your website.” It is up to you to make your website secure.

  3. WordPress Account Containment

    For nearly every one of my music projects, I have been the guy with enough experience in web development to take a stab at making a webpage for the band.

    The result is that, over the years, I’ve attached a handful of add-on domains to my web-hosting account. As my account has slowly grown, this has led to a combination of issues ranging from increased exposure to malware, privacy concerns, and sloppy .htaccess files.

    After a recent talk with my web-host, I’ve transitioned my web-hosting package to a reseller account, and have finally completed the process of migrating the add-on domains to independent, contained accounts. The result for each site will (hopefully) be reduced exposure to malware, improved privacy, cleaner .htaccess files, and — more generally — easier maintenance.

    While it would have been best for my hosting package to have been a reseller account from day one, this transition has taught me how to port web-mail accounts, email forwarders, and MySQL databases between servers. (Although my accounts are on the same server, the process is the same). More generally, the migration process has taught me about the challenges one can encounter while porting WordPress.

    From my early days of static websites, PHP and MySQL, and much later – WordPress, child themes, automated back-ups, and now a reseller account – it has been a long but illuminating road as a hobbyist web programmer. The lesson seems to always be “do it right the first time”, but often it takes making mistakes to learn that there is a right way of doing things.

    This post is part of the thread: Ralford.net – an ongoing story on this site. View the thread timeline for more context on this post.

  4. Security Trade-Offs →

    A great response from John Gruber on an article suggesting iPhone users shouldn’t trust Apple to store their data.

    He reminds us that, while iCloud is a great way to get iPhone users on-board with backing up their data, security is the trade-off to backing up data on iCloud (or any other service):

    iCloud backups have not eliminated this problem, but they have made it far less common. This is, like almost everything in tech, a trade-off:

    • Your data is far safer from irretrievable loss if it is synced/backed up, regularly, to a cloud-based service.
    • Your data is more at risk of being stolen if it is synced/backed up, regularly, to a cloud-based service.
  5. I Passed “The Test”: Surviving My First Hack

    Over the last day or so, I noticed that any posts added to Ralford.net as a “Link” were not appearing. Instead, they were displaying as an upload box next to a submit button. I ignored the issue for a day or two, and today noticed that the same was true of all old “Link” posts.

    Upon reviewing the files on my web host, I noticed that a number of malicious files and folders had been added over the last few days — I had been hacked!

    I have been backing up my site every Sunday using the XCloner plugin since May of 2013 and a cron job. In under 10 minutes, I was able to replace my entire WordPress folder with this past Sunday’s XCloner back-up, restoring my site to the last known good state. Though I did an export from WordPress prior to restoring, to my surprise, no posts added since the back-up were lost.  And all “Link” posts are all back to normal. (Though I failed to save a few uploaded photos before restoring — but I have back-ups of those elsewhere.)

    Phew!

    This post is part of the following threads: My Digital Backup Strategy, Ralford.net – ongoing stories on this site. View the thread timelines for more context on this post.