Security of DNI

As I have mentioned, we’re being routinely hacked. So far, the only evidence I can find is a large number of spurious links hidden in the footer (the dark brown area at the bottom of the page).  However, once hackers gain access, articles posted on the Inernet suggest that there is little limit to what they can do.

Many thanks to those of you who have sent suggestions.  It seems that some of our problems could stem from our residing on a “shared server,” in this case, Network Solutions, and I have reported the situation to them.

Most of the rest of the suggestions are far beyond my technical capabilities:

All files should be owned by your user account, and should be writable by you. Any file that needs write access from WordPress should be group-owned by the user account used by the webserver.

/ — the root WordPress directory: all files should be writable only by your user account.
EXCEPT .htaccess if you want WordPress to automatically generate rewrite rules for you
/wp-admin/ — the WordPress administration area: all files should be writable only by your user account.

etc.

And I actually know what some of these words mean.  A few, anyway.

POINT:  Until I can find someone who can assist in securing DNI, you must assume that the site may contain malicious code.  This is true of DNI and from what I can tell of many other blogs because the systems that make it simple to operate the blog also offer a network of ways into it.

VISIT THIS (AND ANY) BLOG AT YOUR OWN RISK. We cannot assume liability.

IF you would like to take the position of CIO here at DNI and have the requisite technical skills — operating WordPress in a shared environment, e.g. — I’d be delighted to hear from you (info at d-n-i dotnet).  We handle all the content, but we need some assistance with an occasional technical issue, and, of course, securing the blog. All we can offer in return is a little publicity, if you’d like, and the satisfaction of keeping DNI online.

In the meantime, please keep your own browser, operating system, and other software updated and follow the security procedures appropriate to your computer.

Be Sociable, Share!

Filed in Uncategorized | One response so far

One Response to “Security of DNI”

  1. zoagriaon 19 Jun 2009 at 9:56 pm 1

    Sir…

    I’d like to offer a suggestion regarding finding someone to help you and the other bloggers writing in this area on site security patches and general advice for site upkeep. Normally I’d have emailed you the suggestion, but my thought was that if I post, perhaps some of your (and the other DNI.net contributor/bloggers) readers who are actively working at DC3 or the NSA or with ANY of the young officer candidates at the service academies focusing on the “cyber-warfare” programs… OR whomever the various service academies have TEACHING and training those young men… could be convinced to donate some of their spare time to helping you old salts who really shouldn’t cough out the dough for a full or even part time civilian “CIO” whilst the entire Defense Department is in such a tizzy to find and/or train qualified officers in Cyber-warfare (and such).

    To the officers and officer candidates who might read this post: Guys… what is it you think “Cyber-warfare” qualified officers in the Military are supposed to be doing if not covering the old mens wrinkled behinds when they can’t be bothered to follow every little ‘best practice’ detail regarding either their sites or those web-sites they regularly post on or read related to their duty? Sure, protecting dot-mil and related servers from direct attack is your principle mission, but the fact is most senior officers will understand the value of an actual “Cyber-warfare” career track way more from you all spending some extra time hand-holding then they ever will from listening to someone from their staff giving everyone the cyber-wonk executive summary at a staff meeting. And as Cyber warfare ABSOLUTELY falls under the rubric of 4GW in PRACTICE, why don’t some of you take the initiative and keep the men who literally wrote the book on how you should be trained free of malware on their blogs…. Eh?

    Best,

    A. Scott Crawford

    [CR: Indeed.]