Secure Computing: Sec-C

In my previous blog posting, I mentioned how some people really do "get it" when it comes to digital manipulation and photo fakery. However, others like "photographer" Nicholas Routzen and BP's Marc Morrison still don't understand why representing modified photos as if they were "real" is nothing other than fraud.

BP was heavily criticized in the media for releasing edited photos. In fact on 22-July-2010, White House Press Secretary Robert Gibbs even commented that it was sheer stupidity:

"I think it's genuinely on the stupidity part of the transparency scale," Gibbs said this afternoon at the White House daily briefing. "I mean, if you want to show a picture of what the room looks like, just take a picture."

Upon the discovery of BP's digital manipulation, BP decided to come clean. Sort of. It was actually more of a "throw the photographer under the bus" than an actual correction:

BP cast the blame entirely on a hired photographer and claimed to have no part in the decision to alter the photos. "One of BP's contract photographers used Photoshop to edit images posted on the bp.com Gulf of Mexico Response web site," the company said, adding, "[W]e've instructed the photographer who created the images to refrain from cutting-and-pasting in the future and to adhere to standard photo journalistic best practices."

Too bad this isn't an isolated incident... and it still has not stopped.

As part of their corrections, BP created a special Flickr set where they show the before and after photos of the three pictures that America Blog and Gizmodo identified as modified. However, BP is only showing the three outed photos.

Standard is Better than Better

I really like that phrase, "Standard Photo Journalistic Best Practices". There is no such standard. As I detailed last year, different organizations have different rules about acceptable manipulation. However, there are some generalizations that can be made.

For Photographers

In general, if the photo is supposed to represent something real then the person providing the photo to the media should abide by these guidelines (a combination of rules from Reuters, Associated Press, Getty Images, and other photo providers including China's Xinhua news agency):

• No splicing, no drawing. Whether it is for removal or enhancement does not matter. You never splice images and you never alter content. If Billy blinked during the photo, then the photo must have Billy's eyes closed -- don't draw in eyes or splice them from a different photo.
  
• Minor cropping. A little cropping from an edge ("little" as in "up to 5% from an edge") is acceptable if it does not remove a subject from the image. Major cropping, such as Morrison's removal of the entire upper half of the photo, chairs, and two people (before and after) is not permitted.
  
• Minor dust and speck removal. Minor dust and speck removal from a non-critical section of the photo is generally permitted. However, this really depends on the photo provider. Some providers (like the AP) are more critical than others. In general, if there is a tiny speck of dust on the lens that ends up looking like a distant UFO in the sky, then you can remove it. But if there are lots of specks, then you must suffer with a dirty picture (next time, clean your lens!). And if the speck is located on the subject matter (like Hillary Clinton's shoulder), then don't touch it!
  
• Minor color enhancements. Color corrections that do not alter the subject are permitted. As the AP described:
  

  Minor adjustments in PhotoShop are acceptable. These include cropping, dodging and burning, conversion into grayscale, and normal toning and color adjustments that should be limited to those minimally necessary for clear and accurate reproduction (analogous to the burning and dodging often used in darkroom processing of images) and that restore the authentic nature of the photograph. Changes in density, contrast, color and saturation levels that substantially alter the original scene are not acceptable. Backgrounds should not be digitally blurred or eliminated by burning down or by aggressive toning.

  
  In general, any acceptable, minor color enhancements should be equally applied over the entire image and not isolated to a specific region. Highly focused or region-specific color alterations are no different than drawing. ("Select all" or "select none", but if you touch the selection tool or magic wand then you are drawing.)
  
• After effects. Blur, sharpen, smudge, liquify, rotate, blend, and other enhancements are not permitted. Basically, if it is not found in the real picture then this is considered "drawing".
  
• Acceptable drawing. There are only two situations where drawing, such as blurring or using a black censor box, are permitted: (1) to protect anonymity, and (2) to prevent advertising. A blurred face, blurred logo on a hat or shirt, or black box over a license plate is acceptable. However, the blurring/drawing must be blatant and obvious.

For Media Outlets

The photographers who provide the photos to the media must abide by much stricter rules than the media outlets. In contrast, outlets are permitted to perform manipulations that match their medium and format. These include:

• Scaling and cropping. While the photographer must provide the whole picture, the media is permitted to crop it to show a specific subject matter. For example, the photo may show President Obama surrounded by thirty people, but USA Today may crop it to just show his head.
  
• Color adjustment. The media, particularly printed media, are permitted to color correct an image. The photographer's picture may be too dark or not print well for a magazine. The media outlet can, and usually does, color correct the image. In this case, the pictures may actually be color corrected in specific regions or specific color bands, and not applied uniformly across the image.
  
• Acceptable drawing. The media may also choose to blur faces, censor logos, or annotate features with arrows or circles that highlight specific items. However, these modifications must be blatant. The subtle removal of a logo, when discovered, can lead to sharp criticism (or worse).

BP used to take photos and use them in their advertising campaigns; anything goes in advertisements. However, that role has changed. Since the Gulf disaster, BP has been providing photos that document recovery and cleanup efforts to the mass media. As someone who provides photos to the media, BP is expected to adhere to the higher standard. BP should not be making modifications reserved for media outlets.

BP: Best Practices

Unfortunately, BP seems to be making up their "Standard Photo Journalistic Best Practices" as they go. While I have not seen any splicing in the last few days, some of their photographers are still taking liberties with the crop tool and recoloring. Here are a few examples from BP's Flickr feed. (Click on the photo to see the full picture.)

Creative Cropping


This photo by Marc Morrison is dated 26-July-2010 but was last modified on 27-July-2010. The full picture is 3981x1496. The problem is, the Canon EOS-1Ds Mark II does not take photos at these dimensions. The closest it gets is 4992x3328. This means that Marc cropped nearly 20% from the horizontal and over 55% from the vertical. So what did Marc not want us to see?

A few years ago I was told a story about a photo from China. It appeared to show a government vehicle with people standing around it cheering. But the uncropped photo showed the crowd throwing stones; the people were not cheering, they were yelling. Creative cropping can alter the meaning of a picture. For this reason, "Standard Photo Journalistic Best Practices" requires the photographer to submit the whole picture and not something with creative cropping. For all we know, there could be a dead whale on the right, and that gray structure in the top-left could actually be pollution filling the sky. If the picture has too much sky, then BP needs to let the media outlets decide what to crop.

BP's True Colors
Here's a very colorful photo by BP:



This photo by Harrison McClary is dated 26-July-2010 and last modified a day later. The image itself measures 3600x2400. That is close to a native resolution for the Canon EOS-1D Mark III, which can take pictures at 3888x2592 (cropped or scaled 7% horizontal and 7% vertical). However, McClary over-applied the color correction. We can see this in the color histogram (graphing HSV).



There are two things that really stand out as abnormal: (1) the clusters of blue and yellow at the top shows a blown-out color space, and (2) the wide color blobs are too wide, too tall, and too blended for a natural picture. This is not a typical color space for a Canon EOS-1D Mark III.

For a comparison, consider this sample photo from the same model camera (and not provided by BP):




Notice how the unmodified photo does not blow out colors at the extreme intensities, and has less-blended color bands. This is very typical for a digital camera, including cameras made by Canon, Olympus, Nikon, Ricoh, and other manufacturers.

So why would BP's Harrison McClary over-correct the color space? Perhaps he is inexperienced with cameras. Or maybe he really wanted that brown water to look blue. By blowing out the color spectrum, he has given the image a "clean" look -- the sand is white, the sky and water are blue, the tractor does not look dirty, and even the brown grasses look green.

Here's another example from Harrison McClary:




Again, the blue and green are blown out (blobs at the upper intensities). Also, notice how the orange spike actually curves with intensity (vertical). That's why they call it a "color curve adjustment".

Of course, McClary isn't the only one tweaking colors. BP's Robert Seale also did some color corrections.




Notice how Robert's dark red, blue, and green all lean toward the left at the top? While he didn't blow out the color range, he did adjust the sky, grass, and maroon stripe on the bookmobile (the RV in the background-right that says "Vermilion Parish Public Library").

Seeing Red

Dear British Petroleum,

If you want to us to believe that the pictures are real, then please release real pictures. Don't crop out stuff you don't want us to see. Don't make the sky and water look bluer. And most importantly, don't think that we won't notice.

Having been caught splicing images, BP promised to adhere to "Standard Photo Journalistic Best Practices". However, this is clearly not the case. While BP claimed that the modifications were limited to one photographer, the actual problem is more systemic. BP's photographers may no longer be splicing, but they are still striving to literally show that the grass is always greener. This isn't a problem with BP's photographers; this is a problem with BP.

This week really gave me a thrill. Readers, models, and even large companies have taken steps against digital photo manipulation in the media.

The first big congrats goes to Domino's Pizza. They recently announced a promise to use real photos of real pizzas in their advertisements. No more cardboard, glue, and partially-cooked food that looks "better" when photographed.

Our Photo Promise
Here at Domino's, we don't think our inspired Domino's pizza needs the "extra" things typically done to food at photo shoots to look mouth watering. Our pizza is good enough to stand on its own. That's why we're making the following promises about how we photograph our pizzas from this day forward. Did we just buck the food photography trend? Oh yes we did.

1. We will only photograph real, honest-to-goodness pizzas.
That means fresh from our own ovens, with exactly the same ingredients we deliver to your doorstep. Nothing else added.

2. Our employees will make the pizza we shoot.
Not an art director or model maker or food stylist. A Domino's employee trained to make pizzas the only way they know how: by hand.

3. We will not artificially manipulate the food we shoot.
No tweezers, no steam guns, no model knives cutting perfect perforations in the cheese. The only thing that will touch the pizzas we shoot is the pizza-maker's hands and a standard Domino's pizza cutter.

Russell Weiner, Chief Marketing Officer

Bravo! I've looked at some of the pizza photos on their web site and I must say: no detectable manipulation (beyond scaling and cropping, which does not modify the look of the food). Moreover, the food actually looks good! (Good enough for me to now have a pizza craving.)

Pizza Photo by Makena B. from Houston, TX

Worth the Wait

Not to be outdone, plus-size model (and super hottie) Crystal Renn just went on the record saying that she is offended by some photoshopping done to her picture. As she said in her Today Show interview this morning, "When I first saw the photos, I would have to say I was absolutely shocked." The photographer turned this well-known size-10 into much thinner version. (But at least he didn't give her noodle arms, right Ralphie?)

The photographer, Nicholas Routzen, has this reply:

I want to reiterate that I feel Crystal looks amazing in both images and the minimal retouching that I did do - it's nothing you wouldn't see in any magazine today. There is nothing hidden about this.

This tells me three things: (1) he sways to peer pressure (everyone else is doing it...), (2) he does not listen to the models that he shoots (Renn has been a strong voice against the unhealthy, unrealistic anorexic female shape that most of the fashion companies strive for), and (3) he photoshops his pictures. It makes me want to take a much closer look and see if he also does splicing, smoothing, and other common forms of deceptive manipulation.

However, I would not recommend browsing Routzen's blog. Some of his photos could easily pass for child pornography. (Full frontal nudity of a minor.)

Feeling Pumped

But I am saving my largest applause for America Blog and Gizmodo. These people have been looking at the media photos released by British Petroleum (BP).

It isn't enough that BP's runaway deep-sea oil well poisoned the Gulf of Mexico, after they lied to the United States by claiming that they knew how to handle any deep-sea accidents. Or when they repeatedly underestimated the amount of oil and would not assist scientists in creating an accurate estimate (we still don't know how much oil was leaked). Or that they only provided low resolution video feeds to the public while they had high resolution footage available. Or that they tried to stop the media from documenting the disaster. No... they also have to doctor pictures. (Is anyone really surprised?)

One photo has the title "Aerials over Gulf of Mexico". With a name like "aerials", one would think it would be taken from the air...

The problem is, the view out the window has been photoshopped. I noticed many things in this picture, but the people on Reddit just shredded the photo. Some of the findings:

• The display clearly says that the door is open, ramp is open, rotor brake is on, and parking break is on. There is no way this helicopter is in the air.
  
  
• The radar shows something to the far left, but nothing in front of him. Thus, no boats.
  
• There is a light that says APU GEN ON. This is the alternate power unit. It provider power until the engines are started.
  
• The pilot is holding a pre-flight checklist. (Ironic that his fingers are crossed.)
  
• Neither pilot is holding the flight stick!
  
• There is a waterbottle resting in the handhold above the guy on the right. The water in the bottle is smooth and flat -- no vibrations at all.
  
• The pilot on the left is wearing glasses. The glasses are reflecting some type of straight-line object. This is likely a runway or edge for the helipad.
  
• The outside water goes from clear blue to smokey. You can clearly see the waves in the blue and smokey areas, but the waves are fuzzy/blended where the two meet.
  
• The water is also blurry around the pilot on the left and near the top of the right window.
  
• The edge of the boats on the left are precisely in the fuzzy section.
  
• The first boat in the right window has a very visible shadow. So all boats should have shadows. However, none of the boats in the left window have shadows.
  
• The boat with shadow indicates that the sun in in front of the helicopter. However, the entire copter is in shadow and so is the tower structure (top left).

This isn't even the entire list. It is suffice to say that this is not an "aerial" photo and it has been grossly modified.

Another photo shows people in front of some monitors. The problem is, the image shown in some of the monitors was changed. Technically, content from three screens was replicated into the three off-line screens. Oh, and the picture has an internal timestamp indicating that it was created in 2001 (2001-03-06 15:16:50.25) and not 2010 (EXIF data modified time 2010-07-19 18:54:04.25). In either case, the timestamps do not match the "HIVE at Houston Command Center 16 July 2010" as BP captioned the picture.

Modified

Allegedly Unmodified

The final picture (so far) shows people in a meeting room. However, the splicing of the content on the screen was done very poorly.

Here's a closeup of some of the splicing:

Frankly, I'm not sure what is more offensive -- the fact that the picture was modified, or the quality of the modification. In either case, this should be a firing offense.

Of course, I began to do what everyone else is probably doing -- poring over bp.com and looking for more doctored photos. That's when I noticed something. All of the modified photos appear to have something in common. The meta data and associated credits identify the photographer as "Marc Morrison".

Hello, Marc

According to his bio, Marc has been a photographer for 26 years and works for BP. A significant number of photos released by BP were taken by Marc.

Marc prefers Canon cameras like the EOS-1Ds Mark II or EOS 5D. While these cameras usually take very good photos, Marc's pictures always have a large mount of sensor noise and discoloration. (I can actually pick out Marc's photos on BP's site just by looking for the sensor noise and grainy coloring. Not every picture has had content modifications, but all look grainy and noisy.)

When it comes to manipulation, Marc seems to rely on overlaying and blending. He primarily targets flat surfaces like monitors or windows. His non-grainy photos appear to have color enhancements to make bright colors pop -- look for things that are red or yellow (his favorite bright colors). I have not seen him advance to people splicing, reflections, or lighting. He also appears to be fond of image cropping; I have yet to see any of his photos that are anywhere near close to a native camera resolution size. Oh, and Marc likes to use something called Photoshelter. (Since I have no experience with it, I can't tell if it is a program for editing or only web creations and annotations... In either case, many of his photos were modified by it.)

Two photos by Morrison. The left is "AP Photo/BP, Marc Morrison". The right is "EPA/Marc Morrison/BP Handout". Both show the same room and same people but at slightly different times. Some monitors are the same, some are different. Is either unmodified?

Now, for clarity, there appears to be many photographers named "Marc Morrison". One lives in Steamboat Springs, Colorado -- I really don't think it is him. Another lives in Houston, Texas. The Houston guy seems to take some celebrity photos as well as plenty of oil rig and related industrial photos. However, I haven't seen anything that says the guy in Houston works for BP. (This Marc could be a different Marc.)

In any case, many of the photos provided by BP's Marc Morrison were credited as "AP Photos/BP, Marc Morrison" and "Marc Morrison - AP". (Example: Washington Post, look at the slide show.) However, I cannot find any of Marc's photos at AP's web site. I wonder if they already booted him for altering images...

(Thanks to the 11 people who sent me links to this BP story. Keep 'em coming!)

The two largest computer security conferences are coming up! The Black Hat Briefings (frequently referred to simply as Blackhat) and Defcon are at the end of the month. If you've never gone and have an interest in computer security, then consider going this year or plan for next year. I learn more from three days of chatting with people in the hallways at Defcon than I do from a year of reading forums and news postings.

Blackhat has a more professional aura. The audience are generally well-behaved, professional, and very interested in the presentations. A few people even wear suits!

In contrast, Defcon is commonly called the after-party. It is billed as the world's largest underground security conference. But with nearly 10,000 people in attendance, is it really "underground"? T-shirts, shorts or jeans, and a very informal environment is the norm.

All Blackhat attendees get free admission to Defcon, and many of the Blackhat speakers also present the same material at Defcon.

Changing Reputations

In the early days, Defcon was a smaller conference and had a very different atmosphere. It was a neutral place where good guys (whitehats) and bad guys (blackhats) could mingle and meet-your-enemy. Due to the large number of anarchists that attended the conference, Defcon got a reputation for destruction. However, Defcon 9 was really the last of the destructive years. Last year (Defcon 17) was really pretty tame. Sure, a few idiots got arrested while they were trying to bungee jump off the roof, but the crowd is really pretty tame today.

And "crowd" is an understatement. With between 8,000 and 10,000 attendees, the hallways at Defcon are totally packed. In the good old days, you could get into any talk you wanted. (Even if it meant sitting in a steaming tent on a roof.) Today, the rooms are air-conditioned, but the rooms are so packed that you should plan on attending every-other talk.

Today, there are very few truly destructive people at Defcon. Where did the anarchists go? Defcon increase the entrance fee and the anarchists stopped coming. Today, it is $140 for all three days. You will likely spend more per day on a hotel room and food in Vegas than on Defcon's admission free.

At Defcon 9 (the first year I attended), the crowd was evenly divided among three types of people. There were whitehats that varied from law enforcement to corporate security professionals and academic researchers, true blackhat evil hackers, and feds who were trying to inventory the other two groups.

Each year, there are fewer and fewer blackhats who attend. (I suspect that it is the feds who scare them off.) Last year I recognized a total of two (2) true blackhat hackers. Everyone else was corporate, academic, or fed. As Omar the cabbie once told me, "feds rent cars and don't take taxis." So spotting a fed in the parking lot is pretty easy. The joke for the last couple of years has been around the "Spot the Fed" game. With so many government and law enforcement people in attendance, they should really change the name to "Spot the Hacker". (The Meet the Fed panel has a game they play: Spot the Lamer.)

Spotting Hackers by the Book

I've decided to do something new this year... I'm going to Defcon and will be giving away 10 copies of my new book, Ubuntu: Powerful Hacks and Customizations. To get the free book, you'll need to:

1. Find me. I'm short and look like a computer geek. (I blend in well...) But I always wear my "Hacker Factor" cap and will be carrying a bunch of books!
   
2. Mention that you read this on my blog.
   
3. After getting the book: if you like the book, mention it on Twitter or in your blog.
   
4. To show that hackers are everywhere, take at least 3 photos of people (or yourself) reading the book around Vegas. If you are in a cab, snap a picture of the cabbie reading the book. Riding a roller coaster at New York? How about a photo of you reading it upside down! Eating at a restaurant? Get a picture of yourself ordering from the book instead of a menu.

Each book will have a small instruction sheet with the two rules (blog/tweet it and take three photos) and an email address for sending your photos. I'll put the photos up on a web page.

I won't be giving away all of the books at once. However, 10 books are heavy, so they will be given away pretty quickly. Probably 3 books on Thursday and the rest on Friday. (I'm also not opposed to bribes.)

You know that feeling you get when someone gives you advice that you don't care about at the time but turns out to be prophetic? I just had that experience...

Boxes

Even though my background includes a significant amount of experience with artificial intelligence algorithms, I rarely use AI systems in my day-to-day work. The reason has to do with repeatability and provability. The various types of neural networks are relatively easy to construct and train, but act as black-box systems. You know the input, you see the output, but you don't know how the system generated the output from the input. Moreover, if you train a neural network with different initial weights or a different order through the training set, then it will result in a different learned configuration.

While black-box AI systems may generate accurate results, the training process is NP-complete -- you don't know ahead of time how much training it will take or whether it can actually learn. Moreover, these systems can be very good at memorizing training sets. Don't over-train your black box unless you want it to memorize the training set and completely screw up on the testing set.

In contrast to neural networks, fuzzy logic and genetic algorithms are gray box systems. You kinda know how they work. Given the input, it generates output and you can see how it came up with the output decision. However, barring very simple fuzzy logic systems, you cannot really tell what the output will be until you run the input though the system. You can see how it made the decision, but not before running it.

Finally, there are white-box AI systems like Bayesian networks. You know the input, the output, and how it will make the decision. The only real problem here is configuring the system. Since you need to know the probabilities, you really only have two choices. You could compute the probabilities before hand, but this requires you to have enough data to statistically compute the probabilities and be able to characterize the various statistical factors. The other choice is to use a gray-box or black-box system to learn the probabilities, in which case the probabilities may not be provable or optimal.

Dusting Off

I recently had a need for "a solution", where "provable" and "deterministic" are not requirements. This is a perfect situation for using AI. I wrote my own AI library many years ago. Basically, I didn't like any of the existing systems (not flexible enough for my own needs) and it was easier to build my own than adapt around existing systems. However, it has been years since I used it and I only vaguely remember the configuration options.

A couple of things really surprised me. First, my AI library was written in 1990 and last maintained in 1996. (Last bug fix was in 1994.) I didn't even know if it would compile with the latest GCC. My first surprise was that it compiled cleanly with "gcc -Wall". It even passed its benchmark and regression tests.

As I gawked at the output, I thought, "This is great! I wish I remembered how it worked!" Then I looked at the source code... There are huge paragraphs that describe how every function works and how to use it. Completely documented. Even the variables have reasonable names: no "int i,j" or "float q[12]" or "double phi,theta". Instead the variables have names like 'CutoffThreshold' and 'float *weights; /* network weight matrix */'. The comments even cite books and pages as references.

Way Back When...

I had a professor back in college who drilled "style" into all of us. He had three basic rules that, if broken, would result in a zero on your homework.

1. Always comment your code. If the code is more complex than a simple loop, then describe what it does.
   
2. C permits 64-character variable names (well, it did back then). Variable names should be descriptive and not generic. Single letter variables (i, j, x, y) are only permitted for very short loops. Greek letters should never be used for variable names unless you are programming in Greece.
   
3. Don't use features specific to a compiler or operating system. Stick with portable standards. If you must use something specific, encapsulate it so a replacement won't impact the rest of the code.

We obeyed because we wanted to pass the class. However, the lesson was never lost on me. I still "over-comment" my code.

I looked up my notes and found a great quote from the professor (from notes I took in 1988): "Always comment your code because you never know when you will refer to something you wrote 20 years earlier." Wow -- he even nailed the duration.

Over the last few months I have had friends and associates contact me about hacked web sites. In each case, someone (or something) planted hostile URLs on their web pages. These URLs would redirect visitors to porn sites or serve up viruses. Worse: these URLs would be embedded everywhere -- in HTML, in PHP, and in back-end databases.

The question they always ask me: What should I do?

It is easy to tell people that they should have a disaster recovery plan in place. However, few people have one. Other pre-attack advice, like hardening servers, changing defaults, and installing filters is great advice, but is usually ignored. In my experience, the sites that have taken simple steps and have plans in place are not the ones usually compromised. The common compromises are directed at non-technical users who installed default software and ignored even basic maintenance.

Post-Compromise

So let's say you have a default WordPress or Wiki or Blogger installation. It isn't a question on whether your site will be compromised or infected. The only question is when. And like most people, you haven't maintained your software (applying patches, upgrading as needed), don't have backups (your ISP does that, uh, right?), and haven't removed default files or hardened the system. What should you do after a compromise?

There are plenty of good checklists out there. Some examples include:

• http://www.freehostia.com/blog/webhosting/site-hacked-what-to-do.html
  
• http://www.malwaredomainlist.com/forums/index.php?topic=3122.0
  
• http://blog.sucuri.net/2010/05/simple-cleanup-solution-for-the-latest-wordpress-hack.html
  
• http://www.antiphishing.org/reports/APWG_WTD_HackedWebsite.pdf
  
• http://codex.wordpress.org/FAQ_My_site_was_hacked
  
• http://www.webdevelopersnotes.com/hosting/website_hacked_what_to_do.php3
  
• http://ocaoimh.ie/did-your-wordpress-site-get-hacked/
  
• http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

While each of these sites gives good advice, there is no single consensus regarding appropriate steps. My own checklist is a little more detailed and extreme.

Neal's Post-Compromise Checklist

Nobody wants to have their site compromised. However, like auto accidents, bad things happen. If you were not paying attention (like texting while driving or not applying system patches) then bad things are more likely to happen to you.

Here are the steps that I usually recommend to people with compromised web sites:

1. Stay calm. Only the WordPress checklist included this advice, but it is very valuable. Now is not the time to panic, place blame, or get angry. Compromises and exploits go hand in hand with technology. Don't panic, deal with it.
   
   
2. Check your own systems for malware. There is no point in fixing the server if your own workstation is infected. It is actually very common for a home computer to be infected and used to gain access to your public blog or web server.
   
   
3. Take the site offline. Most e-commerce companies really don't like this idea. However, which is more important? Making a sale, or compromising your customer's credit card and tarnishing your reputation because your site was hijacked? Shut it down. Put up a temporary "We're upgrading, back in 48 hours" message.
   

   
   After you take your site offline, check to make sure it really is offline. Some attacks actually hijack your domain name (DNS entry) and not the server itself. If your site still looks online, has the DNS server been compromised? Your DNS registrar and/or domain hosting provider can usually help you in this situation.
   
   

4. Make a full backup. This includes all files, scripts, and database records. Yes, it is infected. But if you don't have backups then this is your only option.
   
   
5. Grab your logs. You will need these to identify how the attack was done, when it happened, and who else might have been infected. This includes system logs, web logs, and any other kind of log file. Grab it first and see if you need it later.
   
   
6. Evaluate the compromise. What kind of attack was it? Were they after "a site" or "your site"? Was the attacker looking for low hanging fruit or was it personal? Most malware, like the kind that inserts links, are automated. They scan for known vulnerabilities and infect anyone they find. If you were compromised this way, then it is likely because you have a default configuration with a known vulnerability (known to the attacker).
   
   Defacements may be automated or semi-automated. They scan for sites with known vulnerabilities and then they either automatically or manually deface the site.
   
   E-Commerce theft is usually associated with an initial automated vulnerability scan. The scan is followed by a manual compromise that is customized for the site. However, if you use a very common e-commerce package, then the compromise may be semi or fully automated.
   
   Personal attacks are always manual compromises.
   
   It is important to recognize that automated attacks are almost never against custom code. They look for known vulnerabilities in default installations. If you change the defaults, move default files, or otherwise filter and harden the site, then automated attacks are very unlikely to succeed.
   
   
7. Look for similar attacks. Are other people running the same software getting attacked? Perhaps you need a patch. Is it everyone on the same server or in the same hosting environment? Maybe someone should maintain the system. Is it all of your accounts? Perhaps your computer has a virus.
   
   
8. Change passwords. Between taking the server offline and changing passwords, attackers will be kept out while you repair the system. (Hopefully.)
   
   
9. Wipe the system. There is only one thing people hate more than being told to turn off an e-commerce site, and that's being told to wipe the system and reinstall from scratch. But seriously, the inserted URLs and malware may only be the part that you notice -- much more may have been done to the system. There could be backdoor software, trojans, or embedded viruses that cannot be removed by a simple system restore. By wiping and reinstalling, you ensure that all malware is gone.
   
   
10. Patch. Bring the system up to the current state of the art. While you're at it, harden the system and change all system defaults.
    
    
11. Restore. You do have backups from before the compromise, right? If not, then install basic software (like blogs and wikis) and harden them first. Then place custom software on the system. Finally, restore content. Be sure to validate that the content is not infected. You can do this by reviewing the content before uploading it. (What? Review your 10,000 blog entries? Yes. There is no point in removing the malware from the server if you're just going to upload it again.)
    
    
12. Change passwords again. Passwords before the patch and restore could have been compromised.
    
    
13. Watch. Now you can turn the system back on. If the attackers come back, then you didn't patch or restore something. (And now you have experience to recover much faster!) Watch your logs and IDS and try to determine how they exploited your site. If the logs show nothing, then you know which parts of your site were not responsible for the attack.
    
    
14. Blame. This is everyone's favorite part. If you don't have logs, don't regularly patch or update, and don't maintain the system, then you cannot blame anyone except yourself. Security is a moving target -- software that was secure yesterday may not be secure today. Unless an administrator did something completely stupid, such as posting login credentials in a public forum or actively assisting the attacker, then there probably is nobody else to blame. Blame the management.
    
    Too many times I have seen management blame developers or software for compromises. For example, if your old version of WordPress was the source of the compromise, then they will blame WordPress even when newer versions are available. (Let's blame the software instead of ourselves for failing to maintain and harden the systems.)

Having your site compromised isn't fun, but it isn't the end of the world either. Stay calm and address the problem. Treat it as you would any other learning experience.