1.4: How to Secure Your WordPress Working Environment
The crown jewel any hacker goes after is a workstation or mobile device. Security professionals call these ‘endpoints’ in the network. The reason they are attractive targets is that you use the keyboard on these devices to enter your login credentials for every website you visit (Gmail, for example) and every service you use (Dropbox, for example).
If a hacker is able to compromise your workstation or mobile device, or one of its applications, they can gain access to every service you reach through that device. This includes your WordPress website, your web hosting account, the cPanel login credentials you use to manage all your websites, and your email. That is why it is critically important to protect these devices along with protecting your websites.
Below we’ve included a few tips on how to keep your workstations and mobile devices secure:
Always use a VPN (Virtual Private Network) to connect to the Internet
This ensures that if anyone is monitoring your home, office or public network, they will not be able to decrypt your network traffic. VPN providers are cheap – usually as little as $4 to $7 per month. However, it’s important to remember that even if you are using a VPN, your traffic is only encrypted from your workstation to the VPN gateway. Beyond that it will be unencrypted if you are using a plain-text protocol like plain-old HTTP. So it is still important to use websites that provide HTTPS when passing sensitive information across the network.
Avoid connecting to public WiFi using your mobile device. VPNs are available for Android and iPhone devices. If you plan to connect to public WiFi or an untrusted WiFi hotspot using your mobile device, we recommend you use a VPN for your mobile device. Alternatively, you can simply avoid using public WiFi and use your 4G connection.
Never install untrusted software on your workstation or mobile device
You may be in a rush to get something done and you just need that simple utility application that an unknown and untrusted website is offering. Think twice. If you are not careful about what you install on your devices, you may end up costing yourself way more time and misery than the application will save you.
To reduce the probability (note that I don’t say ‘prevent’) of installing malicious software:
- Get your software or apps from a trusted source, like the Apple App store or Google Play.
- Try to install software from a source that allows users to rate it (and verify that real users are rating the product). Check the ratings.
- Do a Google search for the name of the app or software and include keywords like ‘malware’ (without quotes) or ‘scam’. You’ll quickly find results on forums or in Better Business Bureau listings.
Use a reputable virus scanner
Virus scanners not only scan your local machines for existing infections but can catch an infection before it takes hold. If you do make the mistake of installing a malicious application, a good virus scanner will alert you before the application is run and save you from getting infected.
Should you use a Password Manager?
This is a controversial subject. LastPass, which provides password management services, was hacked in June of 2015. This does not bode well for password managers in general. 1Password is an alternative if you don’t want to use LastPass to manage your passwords.
On the plus side, using a password manager lets you create very long complex passwords that you don’t have to remember. This has the benefit of making your passwords much harder to hack via brute-force login attacks and via password cracking attacks. This is a very big benefit.
Password Managers also make it feasible to use a different complex password for each website without having to remember them. The benefit here is that if one website is hacked, your password on other websites is not compromised. You also don’t have to give a known password to a potentially untrusted website.
In addition, password managers like 1Password let you create a ‘vault’ and share that vault among friends or colleagues at work securely. That way you can avoid sending unencrypted passwords via email, Skype or mentioning them on the phone. Another plus for password managers.
Clearly, password managers have several important benefits. There is one very important downside: all your eggs are in one basket. If your password manager is hacked, a hacker has essentially just owned your entire life: your email, servers, websites, financial information including bank logins, and much more.
There is no easy answer to the question of whether you should use a password manager. If you can live with the eggs-in-one-basket approach, use a password manager and reap all the important benefits it provides. If you prefer to go old-school and find a kludge or workaround that lets you maintain multiple complex passwords across all the services you use, do that instead.
An alternative way to manage passwords
While this problem has no easy answer, one alternative method to manage your passwords is to use a formula to compose your passwords. An example might be:
- Use two misspelled words like ‘b4nana’ and ‘c4k3’. (Banana and Cake)
- Use a formula to create a unique password for each site.
- Concatenate the two words like so: b4nanac4k3
- Then use the first letter of the site name and advance it two letters. Put that letter at the beginning. So the ‘g’ from gmail becomes ‘i’ and your password becomes: ib4nanac4k3
- Now take the second letter of the site name and back it up two letters. So ‘m’ becomes ‘k’. Put that at the end and your password becomes: ib4nanac4k3k
Using this method you can create a password formula as complex as you’d like, and it will give you a unique password for every website you visit. You might include a symbol as the third character. You could use the third or fourth letter of the site name instead of the first and second. You should also mix upper and lower case in the base words you use.
Password crackers have a much harder time cracking passwords that contain symbols, numbers, more than one word and especially where the words are misspelled by using numbers and symbols in an unpredictable way.
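The formula above, carried through in code so the steps can be checked against the gmail example. This is an added example written for this page, not a Wordfence tool; the base words and offsets are the page’s own, while the function names, the configurable letter positions and the sample site names are assumptions. It goes slightly beyond the text by making the “which letters of the site name” and “symbol as third character” variations parameters.

```python
"""Site-keyed password formula from the page, as runnable Python.

Added example (not the page's or Wordfence's code). Base words 'b4nana' and
'c4k3' and the +2 / -2 letter shifts are the page's; everything else is an
assumption made for illustration.
"""
import string

LETTERS = string.ascii_lowercase


def shift_letter(ch: str, offset: int) -> str:
    """Advance (positive offset) or back up (negative offset) one letter,
    wrapping around the alphabet. Non-letters are returned unchanged."""
    ch = ch.lower()
    if ch not in LETTERS:
        return ch
    return LETTERS[(LETTERS.index(ch) + offset) % len(LETTERS)]


def site_password(site: str,
                  base_words=("b4nana", "c4k3"),
                  prefix_index: int = 0, prefix_offset: int = 2,
                  suffix_index: int = 1, suffix_offset: int = -2,
                  symbol: str = "") -> str:
    """Build the page's password for one site:

      <site letter at prefix_index, advanced prefix_offset>
      + base words concatenated
      + <site letter at suffix_index, moved suffix_offset>

    `symbol`, when given, is inserted as the third character (the page's
    suggested variation). Indexes other than 0/1 are the page's 'third or
    fourth letter' variation."""
    site = site.lower()
    needed = max(prefix_index, suffix_index) + 1
    if len(site) < needed:
        raise ValueError(f"site name needs at least {needed} characters")
    core = "".join(base_words)
    pwd = (shift_letter(site[prefix_index], prefix_offset)
           + core
           + shift_letter(site[suffix_index], suffix_offset))
    if symbol:
        pwd = pwd[:2] + symbol + pwd[2:]
    return pwd


def shared_core(pwd_a: str, pwd_b: str) -> bool:
    """True when two formula passwords differ only in their first and last
    characters, i.e. they were derived from the same base words."""
    return pwd_a[1:-1] == pwd_b[1:-1]


if __name__ == "__main__":
    for site in ("gmail", "dropbox", "chase"):
        print(site, "->", site_password(site))
    print("gmail with symbol:", site_password("gmail", symbol="!"))
    print("same base words:",
          shared_core(site_password("gmail"), site_password("dropbox")))
```

`site_password("gmail")` reproduces the page’s `ib4nanac4k3k`. The `shared_core` check makes the design trade-off visible: every password the formula produces shares the same middle section, so the scheme relies on no single password being exposed. That is the formula’s own version of the eggs-in-one-basket concern the page raises for password managers, and it is why the page’s advice to mix case and add symbols matters.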
Watch out for Phishing and Spear Phishing Attacks
A phishing scam is one where a hacker sends an email to many people containing a link to a website that looks like one you trust. They will try to trick you into signing into that website, which lets them grab your login credentials. This is an old and well-known scam and most people are aware of it. Phishing attacks are also relatively unsophisticated, and you can frequently recognize an attack by the domain name in the link you receive, e.g. instead of chase.com the domain will be chase.com.ru or something equally suspicious.
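The domain check described above, as an added example written for this page (not Wordfence code): it takes the host out of each link in an email and asks whether that host really belongs to one of the domains you log in to, so that `chase.com.ru` is flagged even though it contains the string `chase.com`. The allowlist of expected domains, the sample email and the verdict names are constructed for the illustration.

```python
"""Is this link's host really the site it claims to be?

Added example for this page, not Wordfence code. EXPECTED_DOMAINS and
SAMPLE_EMAIL are constructed; only the chase.com / chase.com.ru pattern
comes from the page.
"""
import re
from urllib.parse import urlsplit

# Constructed allowlist: the registrable domains you actually log in to.
EXPECTED_DOMAINS = {"chase.com", "gmail.com", "dropbox.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def host_belongs_to(host: str, domain: str) -> bool:
    """True only when host is `domain` itself or a subdomain of it.
    A plain substring match is not enough: 'chase.com.ru' contains
    'chase.com' but is a different registrable domain entirely."""
    host = host.lower().rstrip(".")
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def classify_link(url: str, expected_domains=EXPECTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for one link.

    'lookalike' means the host uses a trusted brand's name (e.g. 'chase')
    without belonging to that domain, which is the page's warning sign."""
    # urlsplit only recognises a host when a scheme is present
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower()
    if not host:
        return "unknown"
    for domain in expected_domains:
        if host_belongs_to(host, domain):
            return "trusted"
    for domain in expected_domains:
        brand = domain.split(".")[0]
        if brand in host:
            return "lookalike"
    return "unknown"


def scan_email(body: str, expected_domains=EXPECTED_DOMAINS) -> list:
    """Return (url, verdict) for every http(s) link found in an email body."""
    return [(u, classify_link(u, expected_domains)) for u in URL_RE.findall(body)]


# Constructed sample message in the style the page describes.
SAMPLE_EMAIL = """Dear customer, your account has been locked.
Verify your details at http://chase.com.ru/verify within 24 hours.
For help see https://www.chase.com/contact"""


if __name__ == "__main__":
    for url, verdict in scan_email(SAMPLE_EMAIL):
        print(f"{verdict:10} {url}")
```

The suffix test in `host_belongs_to` is deliberately anchored on a leading dot, so `notchase.com` and `chase.com.ru` both fail it. The check only knows the domains you put in the allowlist; a link to a site you never listed comes back `unknown`, which is the right answer for the page’s “do I really need to open it?” question rather than a false sense of safety.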
A far more serious threat is ‘spear phishing’. This targets an individual. A hacker will learn about you, figure out who your colleagues and friends are and what subjects you are interested in. They will find out what project you are working on and what your field of expertise is. They will then send you a targeted email that usually contains an attachment. The goal is to get you to simply execute whatever the attachment is.
The United States Department of Justice accused several Chinese military officers in 2014 of targeting United States corporations. By far the most common tactic they would use to gain access to corporate networks was spear phishing.
In the more serious spear phishing campaigns a hacker will use a Zero Day vulnerability in the attachment to install a ‘remote access trojan’ or RAT on your workstation. Ordinary anti-virus software may not detect this kind of attack because of its level of sophistication. The RAT gives the hacker full access to your entire workstation, including your webcam, your keyboard (with keystroke logging), your mouse and your network card, including the ability to monitor all network traffic.
Being targeted in a spear phishing campaign is rare, but if you are in a job with security clearance, are a journalist covering a politically sensitive area or are in a competitive research field you are a potential target for this kind of sophisticated attack.
Here are a few tips to avoid a spear phishing attack:
- Avoid posting unnecessary personal information online like your phone number, email address, home address or anything else a spear phisher can use to get in contact with you.
- Work with your company to understand what tools are at your disposal to avoid this kind of attack. They may provide email sandboxing (storing and analysis of emails before allowing them through), real-time attachment analysis that is more sophisticated than what you can run on your workstation, and other tools.
- Do a double-take before clicking any link or opening any attachment you have received. Ask yourself ‘who, what, why’: Who has sent this to me and do I know them? What are they sending me and do I really need to open it? Why are they sending this to me i.e. what do they get out of including an attachment rather than putting it in the email?
Social engineering is unfortunately a common and effective tactic to gather information. It involves gathering information from an individual or a company using non-technical methods. Usually a hacker (or several) will simply phone you and try to persuade you over the phone to disclose sensitive information. They may use this information to access your workstation or devices directly or in combination with a technical attack.
They may claim they’re from an internal IT department or from a company you trust. Before calling you up, a social engineer will gather as much open source intelligence (OSINT) as possible to try and convince you that they are someone you trust. “Yes, Mr. Jones, we’re aware you recently received a computer upgrade. In fact I helped install those new IBM computers on the fifth floor where you are based.” They may have learned about the upgrade and where you work from something you and a colleague wrote on Twitter recently.
To protect yourself from social engineering attacks:
- Limit the amount of information you disclose on social media and other public media. That limits a social engineer’s access to OSINT.
- Have standard procedures for who you disclose sensitive information to and how that information is disclosed.
- If someone calls you and you are in doubt, get their number and call them back. Ask them for their main switchboard (or front-desk) number and their extension. Don’t accept their direct line because that is harder to verify. Then verify the ownership of that number before you call them. You can use the WhitePages reverse lookup feature on their number before calling back. You can also try simply doing a Google search for the number.
Sometimes it is difficult to say “no” to a real live human on the other end of the line, especially if they appear to already know a lot about you and your organization. But consider the cost of disclosing data to the wrong individual, no matter how nice they sound. Trust, but verify.
To learn more about social engineering, see our full article on how even big corporations are vulnerable to social engineering.
Protecting your workstation and networked devices is critically important to securing your websites and other assets. If a hacker is able to gain access to one of your endpoints they have unlimited access to every service you use. Take the time to develop good security practices to keep your working environment secure.