kuwamoto.org

I’ve been keeping more and more information in Google Docs, and it turns out that there is a neat trick to using the service more securely.

As it turns out, Google docs honors https urls, even though it doesn’t force you to use them. I use Firefox for most of my day-to-day browsing, and by doing the following, it was easy for me to always use the https version of the urls.

1) View your browser history and remove all occurances of google docs.
2) Remove any bookmarks you may have that point to google docs.
3) Type “https://docs.google.com” into your URL bar to visit Google Docs securely.
4) Recreate any bookmarks you may have had to point to the https version of the URL.

Everyone uses browsers differently, but the way I get to Google Docs is to type cmd-L to get to the URL bar, and then type “doc” or something like that, at which point I use Firefox’s autocompletion to pick Google Docs. Now that the history has been purged of the non-https versions of the URLs, I always end up visiting the site through a secure protocol.

Why this matters

By going over https, all the data that moves back and forth between the browser and the Google server is encrypted. That means that the content of my documents, spreadsheets, etc., can’t be viewed by someone snooping on the wifi transmission, or anywhere else on the network.

Is this paranoid? Sure. Does this make Google Docs secure enough to store highly sensitive information? Probably not. But this trick only took five minutes to do, and now there is one less way for people to snoop on my sensitive information, so I consider that a win.

A few weeks ago, I got an email from Google saying that my site was full of spam, and that my site was being removed from the indexes. The email contains a sample of the spam words (in my case, it was viagra, cialis, etc) Sure enough, it turned out that my blog had been hacked to include lots of words/links that were made invisible via CSS. Pretty distressing stuff.

For those of you in the same boat, here’s what I did to remedy the situation:

1) Most of the damage was in the form of obfuscated code that made use of base64_decode(xxxx). To find this code, go to the root of your site and do a grep base64_decode -Rl ./* It should be pretty easy to use your judgment about what code to remove. This code was inserted into my theme files (found in wp-content/themes/ThemeName).

2) To be extra sure, do a Google search for the offending words on your site. (e.g., viagra site:kuwamoto.org). For me, this turned up another problem with the site, which was that URLs of the form http://kuwamoto.org/?aff=1234 were being redirected to a different site (selling pharmaceuticals, natch). This code wasn’t obfuscated with base64, so I didn’t catch it in step 1. In my case, it was an extra file, so I just blew it away.

3) Look through your posts, pages, comments, etc. In my case, one of the links on my blogroll had been compromised.

4) Upgrade your WordPress installation. As recommended in the WordPress documentation, I used the automated upgrade plugin which worked like a charm.

5) Follow the recommendations at http://www.noupe.com/how-tos/wordpress-security-tips-and-hacks.html and http://sitening.com/blog/2008/04/08/wordpress-security-vulnerabilities/.

6) If you are using a hand-rolled theme (as I was), make a copy of it somewhere so it is easier to restore if it ever gets hacked again.

7) Change your passwords, and make a promise to yourself to be good from now on (keep WP and other software updated to the latest version, use SFTP instead of FTP, etc).