Dec 07 2013

Here’s another spammer-scammer that came this morning from fahad at clickingz dot org:

Dear Caspar Green

How are you? I am Fahad Hassen, a PHP developer from Clearwater working with website security. I am writing to ask whether you are aware that your domain configuration has serious security issues which let anyone use your email address without your authorization?

Just to prove this to you, I can send an email to you from "your email address itself". Do you want me to send an email to you from your mailbox itself, so you can see the problem?

I found your website while researching the websites using the wp-e-commerce plugin, as part of security research to strengthen the plugin's security. I also found that your website's WordPress files are not protected, which means by right clicking and checking the source code of the website, almost anybody can figure out the framework you are using (WordPress), its version, the themes and plugins you are using etc. A competitor or anybody interested in your site can easily duplicate your site since the whole structure of your site is exposed. Further, since WordPress is very prone to hacking and hackers target the open URLs of the system such as wp-admin and wp-login and other common files, your site is always under the risk of attack. To overcome this, you will need to take away all the traces of a standard WordPress site, so no attacks/hacking will work on your site. For anybody viewing the "source", all they will see is nice and clean HTML and no traces of WordPress.

I am sure you understand the concerns I have raised, and I can fix these for you for a very modest fee if you wish. Please let me know.

Thank You and Regards,
Fahad Hassen
Senior PHP Developer
+1 727 474 1044
Clickingz Security Research Lab, Clearwater FL. 33760

So I go to clickingz.org to see what this Fahad’s site looks like. Here it is:

[Screenshot of clickingz dot org: the directory listing of the server root, fully exposed]

Nice!

I don’t guess I’ll actually send this back, but for anyone else who’s thinking of taking him up on his offer, I offer the following response:

Dear Mr Hassen:

Thanks for your offer to fix the security issues on my site. Your own site looks real good, by the way, and I particularly like the way you have all the directories on your server root exposed. Free tip for you – if you’re using an Apache server, you can just add a line to the .htaccess file in your root directory that says "Options -Indexes" and that’ll take care of your security issue. It’s a simple one-liner and for a security expert, like yourself, it really would be good to make sure you have this basic measure in place on your own site.

I’m also particularly interested in your offer to harden the security of my exposed wp-e-commerce plugin, since it isn’t installed on my site. And yes, I’m aware that my site exposes that I’m using WordPress. In fact, I wrote a blog post about it just a couple weeks ago that you may be interested in. WordPress is a fairly secure platform. Of course, like any software, it has its problems. If you’ve found a specific security issue, however, I’d love to know, and you really should submit a ticket to the folks at WordPress so we can all sleep better at night, knowing it’ll be taken care of in the next patch.

As for your ability to send email that appears to come from my own account, I am aware that it’s pretty easy to spoof an email’s “From:” header. In fact, I’ve spoofed this email’s header so it will appear to come from fahad at clickingz dot org. Can you please tell me more specifically, how you intend to prevent anyone from sending mail using “my email address itself?” Will you also spoof my IP, or will you be bouncing it off a few proxies? I’d just like to know before I commit any money, though I’m sure your fees are, as you say, very modest.

Thanks again for your kind offer. I’ll look forward to hearing from you again soon.

Sincerely,

Caspar
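The "Options -Indexes" one-liner in the reply above only does its job if nothing deeper in the tree turns Indexes back on, and only if the directory's AllowOverride allows Options to be set from .htaccess at all. As an added example, not code from the post, this Python models Apache's merge rule for the Options directive (absolute lines replace the inherited set, +/- lines adjust it, mixing the two is a startup error) so you can work out the effective setting for a path from the chain of directives that apply to it; the directive chains below are constructed.

```python
import re
from functools import reduce

# Apache 2.4's built-in default; Apache 2.2 defaulted to "All", which includes Indexes.
DEFAULT_OPTIONS = frozenset({"FollowSymLinks"})
# "All" in Apache means every option except MultiViews.
ALL_OPTIONS = frozenset({"ExecCGI", "FollowSymLinks", "Includes",
                         "IncludesNOEXEC", "Indexes", "SymLinksIfOwnerMatch"})
# Option keywords are case-insensitive; map them to their canonical spelling.
CANONICAL = {name.lower(): name for name in ALL_OPTIONS | {"MultiViews"}}
OPTIONS_RE = re.compile(r"^\s*Options\s+(\S.*?)\s*$", re.IGNORECASE)

def _expand(name):
    """Turn one option keyword into the set of options it stands for."""
    key = name.lower()
    if key == "all":
        return set(ALL_OPTIONS)
    if key == "none":
        return set()
    if key not in CANONICAL:
        raise ValueError(f"unknown option: {name!r}")
    return {CANONICAL[key]}

def apply_options(inherited, directive):
    """Apply one 'Options ...' line to the options inherited from the parent scope.
    Apache's rule: if every keyword has a + or - prefix the line adjusts the inherited
    set; if none has one it replaces the set outright; mixing the two forms is a
    syntax error that httpd rejects at startup."""
    match = OPTIONS_RE.match(directive)
    if not match:
        raise ValueError(f"not an Options directive: {directive!r}")
    tokens = match.group(1).split()
    relative = [tok[0] in "+-" for tok in tokens]
    if any(relative) and not all(relative):
        raise ValueError(f"cannot mix +/- and absolute options: {directive!r}")
    if not any(relative):
        return frozenset().union(*(_expand(tok) for tok in tokens))
    result = set(inherited)
    for tok in tokens:
        names = _expand(tok[1:])
        result = result | names if tok[0] == "+" else result - names
    return frozenset(result)

def effective_options(directives, start=DEFAULT_OPTIONS):
    """Fold a chain of directives: server config first, deepest .htaccess last."""
    return reduce(apply_options, directives, start)

def listing_enabled(directives, start=DEFAULT_OPTIONS):
    """True if mod_autoindex may list a directory that has no index file."""
    return "Indexes" in effective_options(directives, start)
```

A distro-style server config with "Options Indexes FollowSymLinks" followed by the reply's ".htaccess" line yields no listing, but a further "Options +Indexes" in a subdirectory's .htaccess silently re-enables it.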

Nov 26 2013

For the last week or so, I’ve been checking out WordPress starter themes. By starter, I mean starter. As in, down to bare bones. The starters I’ve been working with are Toolbox and Underscores. Both of these starter themes come from people at Automattic (the WordPress parent organization), so they both provide a solid foundation for [Read More...]