Security Threats in 2017

As the 2016 election cycle shows, computer security cannot be taken lightly. The Russian hack of the Democratic National Committee was exacerbated by the fact that it was initially handled only by an entry-level employee who made some poor decisions. The Russian social engineering hack of John Podesta’s email may have been made easier by a possible failure to turn on two-factor authentication on his Google account. It will only get worse.

Malwarebytes released a forecast of problems in the coming year that should be required reading for all computer users; computer security people already know this stuff; I’m talking about my wife, my siblings and my extended family members whose home network problems I fix when I visit. Read the article and then start doing the following if you have not already done so:

• Turn on two-factor authentication for Google.
• Turn on two-factor authentication for Facebook.
• Turn on two-factor authentication for Yahoo/Flickr.
• Turn on two-factor authentication for everything else
• Encrypt your iPhone or Android phone to protect it if is lost or stolen.
• Enable a remote reformat capability for your cell phone.
• Tell all businesses that you deal with to convert to HTTPS if they have not. Give them a reason to get secure–your continued business
• Do not re-use passwords, which will require getting a password manager. Use a hard password on your password manager. Password managers are a likely new target for attacks, so I have chosen one (Keepass) that is somewhat less convenient, but which would first require the attacker to gain access to my computer.
• Stop using Internet Explorer (and any service that requires it) and switch to Firefox, Chrome or Vivaldi as a browser. Firefox is best from a privacy standpoint, but Chrome and Vivaldi are faster and OK for privacy if you turn off some default settings. I am starting to use Vivaldi a lot and like it. Opera was purchased by a Chinese firm, and is no longer a browser that I use regularly, as I just do not trust Chinese companies for anything after the Startcom certificate mess.
• Decommission all Windows XP computers, if you have not already. Remove the hard drive and destroy it or wipe it before disposing of it.
• Change the default passwords on your router, Roku, Apple TV, smart TV, DVD player, baby cams, kitty cams, garage door opener (yes, some have WiFi) and other devices. Use something unique to each device and hard. For these it is OK to tape the password on the device; if someone breaks into your house and gets the password to your kitty cam, you have bigger problems. Hacked baby cams and other devices were used on a recent denial of service attack.
• Update the firmware on all of the above devices. Pay attention to the manufacturer’s firmware update practices when purchasing new devices, and do not buy from firms that never release security updates. You can continue to use some manufacturer-abandoned routers with DD-WRT.
• Consider encrypting USB flash drives. Veracrypt works on all platforms if you have to go from Windows to OS X, to Linux.
• Encrypt your laptop hard drive.
• Make sure that your phone has security patches. This is easy on iPhones, but not on Android devices (except those purchased directly from Google like the Nexus series). If your device cannot be made current on security patches, get a new one.
• Switch to Signal, What’s App, or perhaps the somewhat less secure Hangouts for all of your messaging. I really like Signal.
• Do disk-level backups to a USB drive and keep one off-site in a safe-deposit box. This is to protect family photos. I use Clonezilla. When I was a systems programmer and database administrator, we used to say “tape is cheap.” Today, USB disks are cheap. You only need a backup when you need a backup, and when you need one, you would pay a lot to have one.
• Use a cloud backup service like Backblaze or Carbonite. The cloud is cheap today. Macafee, Symantec and others offer cloud backup as well.
• Keep your antivirus updated. Windows 10 has a decent built-in anti-virus and firewall, but if you are on another platform, you should have something and there are solutions for Windows 10 that are arguably better than the free one.
• Give your extended family members a disk drive with family photos for Christmas or the gift-giving opportunity of your choice. This is part of my disaster revovery plan as well as family history communication.
• Stop taking fun quizzes on Facebook. Most, if not all, are just a way to collect your personal information for impersonation, identity theft or more benignly to fill you Facebook feed and mailbox with annoying targeted marketing.

Details

Written by: Bruce Moore

Published: 24 January 2017

Created: 24 January 2017

Last Updated: 07 March 2017

Hits: 4258

• Security
• iOS
• OS X
• Linux
• Windows
• Android

SSL for Small Business Owners

Google has begun penalizing unencrypted web sites in search results. Although a 1% penalty may not sound like a lot, it can mean the difference between being the last link on page 1, and the first link on page 2 of search results, and that difference can cost small business owners a lot of lost business. This started in 2014, and in the Chrome browser beginning on January 10, 2017, Google is adding visual penalties for data entry on unencrypted sites.

Most large website operators are somewhere on the road to implementing encryption using Secure Sockets Layer (SSL)–also known as HTTPS–on their web sites, but many small web site operators see no need to go through the effort of converting to SSL. There are fundementally four reasons to make the switch:

• HTTPS can help end users to identify a spoofing attack.
• HTTPS can help prevent man-in-the middle attacks.
• HTTPS web sites will be favored in Google page ranks. This started in 2014
• Unencrypted sites will start to get visual penalties in Chrome beginning on January 10, 2017, and eventually in search results.

While purchasing the SSL certificates needed to implement website encryption used to be quite expensive, a number of changes in the last year have made it possible to install free domain verification (DV) certificates that are sufficient for most small business. In most cases you can get most of this done with a call to your hosting firm and a call to your site designer.

What to Say to Your Hosting Firm

When you call techical support at your hosting firm, you should ask them to configure “AutoSSL” and a free domain verification certificate. If they do not have AutoSSL available, ask them when they plan to enable it. If they don’t have it and don’t have plans, find another hosting firm. In most cases, they will configure AutoSSL to use certificates from Comodo and sometimes from Let’s Encrypt. Either one is fine.

Your hosting firm may try to upsell you to get an organizational verification (OV) or enhanced verification (EV) certificate. From an encryption standpoing, DV, OV and EV certificates are essentially the same. OV and EV certificates display the name of the business in the URL bar of some browsers–compare the Bank of America web site to this website. That is what the cost of an EV certificate buys you at a significant price. An OV certificate is in between, and only shows the ownership information if someone clicks on the certficate information. Only geeky people like me do that. Software development firms frequently get OV certificates as part of a package with code signing certificates, which require the expense of an organizational verification; these firms have to go through the OV process, and essentially get the OV web certificates as a biproduct of getting code-signing certificates. Most businesses only need a free DV certificate.

You may need to pay for a private IP address, which usually costs about $50/year. This has the added advantage that if another web site on your server (same IP address) gets compromized and starts sending spam email, your email domain will not be blacklisted just because you have the same IP address. The requirement for a private IP address is a techical restriction that will go away later this year but which hosting firms may not change as it gives them more money.

What to Say to Your Site Designer

Tell your site designer to configure your site to force traffic to use SSL. If your site runs Joomla, this is literally just checking a box. If your site runs Wordpress, you will need to manually update your .htaccess file. This will take most site designers about 10 minutes, unless there is something unusual about your site, or it is on a hosting firm that runs something other than CPanel with Wordpress or Joomla. If your site designer cannot do this, you should negotiate lower hourly rates or find a new designer.

Do It Yourself

If you are fairly technical, you can do this yourself by following the instructions in Why and How to Set Up SSL/HTTPS on Your Web Site.

Details

Written by: Bruce Moore

Published: 19 January 2017

Created: 19 January 2017

Last Updated: 19 January 2017

Hits: 2711

• Security
• Web Hosting

Problems Upgrading from OS X Yosemite to Sierra

Our main machine for managing photos is a Late 2012 Mac Mini running OS X Yosemite. Some of the software we use on it had problems when Yosemite first came out, so we didn’t upgrade at the time, but those problems have been resolved, so it was time to upgrade to Sierra. I cloned the disk with Clonezilla, and tried the upgrade. It did not go well. OS X started the upgrade, but failed with a message to restart and try again. And again.

On the failure screen, you can load Disk Utilities; I tried that and it discovered unrepairable problems. Next, I opened a command window and ran fsck_HFS on the drive. This time, it reported problems with the index but failed on the rebuilding the B-Tree due to lack of continguous space.

The disk would no longer boot.

Copy and Fix

Prior to attempting the upgrade, I made a copy using Clonezilla; at this point, I replaced the existing drive with a new 1T SanDisk SSD, and restored the Clonezilla copy from before the upgrade attempt. The drive replacement instructions are daunting, but it was not as bad as the instructions made it look. The instructions call for an Apple Logic Board Removal Tool–which Apple does not sell–but I was able to replace the drive without it. The new drive booted (fast), so I deleted some directories to make space for the B-tree rebuild. Next, I booted into the OS X Recovery image and ran DiskUtil to see if it could repair the drive. It tried and failed, leaving a drive that would not boot.

DiskWarrior to the Rescue

I restored from the pre-upgrade clone again, and again deleted unnecessary files. This time, I purchased a copy of DiskWarrior. You cannot read the documentation without a working OS X machine–a real problem for disk recovery software. I ended up having to install DiskWarrior on the still-working but broken OS X image, and then was able to make a bootable repair USB flash drive.

After booting from the DiskWarrior flash drive, I selected the Directory Repair option. While running “Rebuild Directory”, it hung up during test 9–Compare Directories–so I skipped that step. I wouldn’t boot. I still didn’t boot after running file check and repair.

Next, I booted to the standard OS X Recovery image, and selected Disk Utilties, where I ran a permissions check which indicated numerous problems, so I ran a permissions repair. I ran the disk verify option which showed as completely clean. It still would not boot.

Reinstall OS X

Since I could always go back to the Clonezilla image, I next tried the “Reinstall OS X” option. This reinstalled the OS and managed to keep all of the programs and user settings. I next ran an update to pick up application updates to about a half-dozen applications, followed by the upgrade to Sierra, which ran for about an hour on the SSD. Once Sierra installed, there were about seven applications that asked for updates.

Conclusions

I have had few problems with OS upgrades, but when I have had problems, I have been thankful for Clonezilla backups. This would probably have been very, very ugly without it.

Details

Written by: Bruce Moore

Published: 19 December 2016

Created: 19 December 2016

Last Updated: 19 December 2016

Hits: 3012

• OS X

Matomo (formerly Matomo) and Apache Mod_security

I recently enabled the mod_security plugin for Apache, and encountered several problems with Matomo Analytics; every page load with Matomo enabled triggered a CRITICAL rule violation and blacklisted the user’s IP address. At first, it looked like I had problems with the HTML on particular pages (that may yet be true), but eventually I tracked the problem down to Matomo’s calls to retrieve scripts and images from another domain. I tried several different Matomo plugins, but all had the same problem and all triggered a mod_security violation. In the end, I had to disable two of the rules from the OWASP rule set.

If you are implementing either Matomo or mod_security for the first time, make sure to test all possible combinations of browsers, and privacy settings–the problems did not occur when the “Do Not Track” browser setting was enabled. To do this testing use the following steps:

• Before you start testing, make sure to white-list your IP address, as you will absolutely trigger a rule violation that will lock you out.
• Configure mod_security to process rules, but not act on them as you begin to implement the tool.
• Log in to Web Hosting Manager and open up a tab to the mod_security tools and look at the violations log
• When you retrieve a page and trigger a violation, report the rule as a false positive and disable it, or figure out another way to bypass the problem.

It would be great if Matomo and mod_security worked well together but at this point they do not.

Details

Written by: Bruce Moore

Published: 04 December 2016

Created: 01 December 2016

Last Updated: 26 March 2018

Hits: 6713

• Security
• Web Hosting
• Web Analytics