
This blog is not hosted by Skype but on WordPress VIP. This means that, most likely, the blog was not broken into using a software exploit of any sort since the security on VIP blogs is professional. Knowing that this is the Syrian Army, this attack was most likely done using phished credentials.

If they had any sort of system access they would have defaced the entire subdomain or the main site. So most likely, this is nothing to worry about. Your account data is most likely still in safe hands.




You're right. It was probably a brute force since they don't have maximum login attempts. http://blogs.skype.com/wp-admin


WordPress.com has pretty sophisticated brute force detection mechanisms and protections in place. I am not sure why you would say otherwise.


Limiting login attempts is not as effective as you might think. How should it work? If you want to ban IP addresses that get X attempts wrong in Y minutes, then you're failing to realize that hackers like this normally have access to hundreds or thousands of IP addresses. If you want to lock the whole account for a while, then you've just introduced a way for anyone to lock the account of someone else they don't like.

Also considering that their Twitter and Facebook accounts were also compromised, your assumption that it was the blog itself that was compromised is a big one. I don't have any first-hand knowledge on that though personally, I'm just saying.


No need to ban an IP address. After x attempts just add y seconds before allowing another login attempt. If you like, lock account with SMS or email to owner after z attempts. Do this per login, regardless of device type/location. The time taken to test out just 5 passwords should make a brute force impractical.


That sounds not fun for the account owner. I could prevent you from logging into your account.


This plugin does exactly that and is very effective. Everyone using WP should be using it. http://wordpress.org/plugins/limit-login-attempts/


I run this on my personal site to prevent drive-bys but it won't stop a determined hacker with many IPs.

Here's a proper solution to secure your account: http://wordpress.org/plugins/google-authenticator/


Such a simple feature to implement...


It does appear to be a brute force or phishing attack. These sorts of drive-bys can typically be permanently stopped with 2FA or a password-less MFA solution like LaunchKey (Disclaimer: co-founder). LaunchKey has a free WordPress Plugin available, among others: http://wordpress.org/plugins/launchkey/

It is 2014; you had better prepare a good PR response for when you get breached OR start implementing stronger authentication ASAP.


It is only a simple feature if you don't care about DoS against the user account and do not have an adversary with a large botnet.


Yeah getting access to their WordPress blog doesn't really prove anything.


Doesn't look like they are trying to prove insecurity of the service but protest the spying that Skype and now Microsoft are involved in.


Doesn't WordPress offer any two-step auth option? Feels like a rather large limitation.


WordPress.com offers two-step authentication for all of our users. You can use any application which supports Time-Based One-Time Passwords (TOTP) such as Google Authenticator, Authy, etc. and you can also receive a one time password via SMS.
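The TOTP option described in that reply is RFC 6238 on top of RFC 4226 HOTP, which is why any authenticator app works against it. Below is an added example of the server side, not WordPress.com's code or any plugin's: HOTP, TOTP, and a verifier that tolerates one step of clock skew and refuses to accept a time step it has already consumed, so a code captured by a phisher cannot be replayed during the rest of its 30-second window. The secret is the RFC test key, used here as constructed input; a real enrolment generates a random one.

```python
# Added example, not WordPress.com's code: RFC 4226 HOTP and RFC 6238 TOTP as a
# server verifies them. The verifier accepts one step of clock skew either way
# and remembers the last accepted step so that a code observed by a phisher
# cannot be replayed within its validity window. The shared secret is the RFC
# test key, used as constructed input; a real enrolment generates a random one.
import base64
import hashlib
import hmac
import struct
import time

RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algo="sha1"):
    """RFC 4226: HMAC over the big-endian 64-bit counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6, algo="sha1"):
    """RFC 6238: HOTP with the counter derived from the clock."""
    return hotp(secret, int(unix_time) // step, digits, algo)


def secret_from_base32(text):
    """Authenticator apps are provisioned with the secret in base32; re-pad it."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


class TotpVerifier:
    def __init__(self, secret, step=30, digits=6, window=1, algo="sha1"):
        self.secret, self.step, self.digits = secret, step, digits
        self.window, self.algo = window, algo
        self._last_step = -1     # highest time step already consumed

    def verify(self, code, unix_time=None):
        if unix_time is None:
            unix_time = time.time()
        # Reject anything that is not exactly `digits` ASCII digits before
        # comparing, so malformed input cannot reach the comparison.
        if not (isinstance(code, str) and code.isascii()
                and code.isdigit() and len(code) == self.digits):
            return False
        current = int(unix_time) // self.step
        for t in range(current - self.window, current + self.window + 1):
            if t <= self._last_step:
                continue         # step already used (or older): replay rejected
            expected = hotp(self.secret, t, self.digits, self.algo)
            if hmac.compare_digest(expected, code):
                self._last_step = t
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B vector: SHA-1, 8 digits, T = 59 -> 94287082
    print(totp(RFC_TEST_SECRET, 59, digits=8))
```

The replay guard is the part that matters for the phishing scenario discussed in this thread: a proxy that relays the victim's code still gets one login, but the same code cannot then be used a second time, and a window of one step keeps the accept set to three codes out of a million per attempt, so brute-forcing the code itself still needs the login throttle in front of it.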



