Tag Archives: security

WordPress Configuration for Security

WordPress security is important. Because of WordPress’ popularity (and it IS A GREAT PRODUCT), it is also targeted more than any other CMS on the web.

What to do? Let’s keep it simple and look at three easy things you can do in less than 5 minutes to increase your security.

  1. Install Jetpack from WordPress https://wordpress.org/plugins/jetpack/ and then remove all of the other individual plugins that overlap with the functionality of Jetpack.
  2. Make sure your WordPress site is set to automatically update to the latest version.
  3. DELETE any non-active plugin and any non-active theme from your site.
3 easy things to secure your WordPress site

To up your game a bit, I would add a few more items as “highly recommended”:

  1. Test your site now with Sucuri’s free scanner https://sitecheck.sucuri.net/ and maybe consider purchasing one of their security plans https://sucuri.net/website-antivirus/signup
  2. Install an SSL certificate on your web site. These can be purchased from a number of sources like GoDaddy; free but short-lived ones are available from Let’s Encrypt. Or you can get really serious about it and work with a security professional like my friend Jason Palmer http://www.jasonpalmer.com/ .

Data on why you need to secure your site is in the Sucuri blog at https://sucuri.net/website-security/website-hacked-report . Some graphical excerpts below:

[Figure: Sucuri website hack report, Q1 2016]

[Figure: not patching causes most infections]

Security starts with the basics – use good passwords, use multi-factor authentication, keep your software up to date and have a plan in place to restore backups.

The Internet has Fundamentally Changed – Here’s One Partial Solution

This post is based on the premise that 1) we have a serious security problem on the Internet and 2) money is the only (unnecessary) barrier to solving a large portion of it.

The Problem

The Internet has fundamentally changed. It is so virus and malware infected that a normal human being can’t keep their own PC, Mac or Linux computer from being infected. In other words, the Internet is broken. And our devices don’t work if they aren’t connected to the Internet.

It’s just not right. Why should you have to become a security expert? And it DOES NOT NEED TO BE THIS WAY. There is no need for this. The powers that be over the Internet are CHOOSING this and you are the victim.

The (Partial) Solution

We can’t fix it all, but what if we could stop the bleeding by even 50%? Or maybe 30%. Or even 10%. It’s a start. These are our neighbors, our family, our friends and they are being victimized by identity theft because, well, because they are human. Well, can we reduce the crime? WE CAN! We just have to encrypt everything. By doing so, a large portion of the problem goes away.

Will there still be break ins? Of course. Frequency however will be radically less and you are far less likely to be a victim.

Why? Because the weapons of cyber-warfare are now out in the open to be purchased for as little as $500 on the forums. People are desensitized to it all and now just accept it.

As a company that hosts web sites, here is what I know to be true.

  1. Clients will use weak passwords and we can’t audit that because WE encrypt the passwords in the database. So if a client uses “changeme” or “123456” or “washington” as their password we can’t see it, but when you log in from the local hotel, the wifi isn’t encrypted and bad guys can. We can’t detect or fix this because it’s encrypted on our side. But if you aren’t using SSL then it’s NOT encrypted when you send it over.
  2. For example, the top 100 passwords used on Adobe after they were hacked: http://stricture-group.com/files/adobe-top100.txt
  3. Clients and end users are faced with hundreds of passwords so they use the same passwords over and over. If someone gets one of your passwords, they effectively get everything.
  4. With the proliferation of Open Source, as Tendenci is, developers will deploy a site for you, give it to you, and leave it to you to maintain. So are you running your security updates? Because that is your responsibility now.

Why don’t people encrypt their web sites? Because there is a $50 to $500 a year fee. Plus a hidden cost of updating it every year and paying your hosting provider to install your SSL certificate so the real cost is more like $250 to $1,000 a year.

So why?

Generating a certificate takes one (1) line of code. ONE LINE! Hosting servers to verify the certificates does come at a cost, but so does DNS and it isn’t anywhere near as expensive. Generating a key is technically FREE. Here – go do it for yourself.

openssl genrsa -des3 -out server.key 1024

The certificate you just generated is called a self-signed certificate. So if you visit the site from IE you get a scary message that it can’t be verified. BUT if you visit a site with no encryption, oh, then IE is completely cool with that. Onward thus. Proceed into unencrypted, unsafe territory with abandon. Do you see the problem here?
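As an added example (not code from the original post), the shell script below walks through what the post calls a self-signed certificate: one openssl line produces the key and the certificate, the certificate is its own issuer, a verifier rejects it because no trusted root signed it (the browser warning), and explicitly trusting that exact certificate makes it verify. It assumes openssl is on PATH; the hostname and file paths are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes openssl is
# installed; the hostname and paths below are constructed for this demo.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOST="www.example.test"   # constructed name, not a real site
KEY="$WORKDIR/server.key"
CRT="$WORKDIR/server.crt"

# One command: a 2048-bit RSA key (-nodes: unencrypted, so a server can start
# unattended) plus a certificate signed by that same key, valid for 365 days.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$KEY" -out "$CRT" -subj "/CN=$HOST" >/dev/null 2>&1
}

# "Self-signed" means the issuer field names the certificate's own subject.
issuer_equals_subject() {
    iss=$(openssl x509 -in "$CRT" -noout -issuer)
    sub=$(openssl x509 -in "$CRT" -noout -subject)
    [ "${iss#issuer=}" = "${sub#subject=}" ]
}

# The private key stays on the server; the certificate carries only the
# public half. Confirm the two halves belong together.
key_matches_cert() {
    k=$(openssl pkey -in "$KEY" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$CRT" -noout -pubkey)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# What a browser does: try to chain the certificate to a trusted root. No
# root in the system store signed it, so verification fails (the warning).
verify_against_system_roots() {
    openssl verify "$CRT" >/dev/null 2>&1
}

# What "accept this certificate" does: the client trusts this exact
# certificate as an anchor, so the one-link chain now verifies.
verify_with_explicit_trust() {
    openssl verify -CAfile "$CRT" "$CRT" >/dev/null 2>&1
}

# Fingerprint a client compares out of band before deciding to trust it.
fingerprint() {
    openssl x509 -in "$CRT" -noout -fingerprint -sha256
}

make_self_signed
issuer_equals_subject && echo "issuer == subject (self-signed)"
key_matches_cert && echo "private key matches certificate"
if verify_against_system_roots; then
    echo "unexpected: system roots trust this certificate"
else
    echo "system roots reject it: this is the browser warning"
fi
verify_with_explicit_trust && echo "explicit trust: verify OK"
fingerprint
```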

So what’s the motive? Why? Because of the cash machine. The certificate authorities want to charge you for their certificate chain saying that you are legit. But GoDaddy charges $270 for a wildcard SSL? Or Network Solutions can offer the same wildcard SSL for $494 with a 5 year contract.

So I guess if you aren’t rich your voice isn’t as legit as someone else’s voice? The bottom line is the certificate authorities want your money. Now, DNS service providers usually charge $10 to $15 a year to resolve your domain name. Tell me again why an SSL certificate is $50 to $500, or else it gives a browser warning that terrifies people? It’s not a new debate, it’s a license to print money that deters security on the Internet globally.

It’s just greed. But the cost is astronomical to the citizens of the world. It’s like a city not repairing roads and ignoring the cost the citizens bear fixing their cars which is so much more than the cost of filling potholes and installing stop signs. It’s pennies for lives. Hence, cities fix the roads (for the most part.)

What if we flipped it? Why don’t you have to pay $100 a year to NOT have your site encrypted? What if security was the default? What if encrypted email was $10 a month but unencrypted email was $500 a month? Would that get people’s attention?

We can self sign web sites and email ourselves. We don’t need no stinkin’ web authority to do it. It’s one line of code.

Oh wait. Stop. Idealistic guy trying to save the world with open source disclaimer. Why not? Because of the “man”.

The browser will give you a terrifying warning about that certificate not being “approved” and IE will flat out block it if you don’t pay up. No, you must pay “the man”, which is in this case the Certificate Signing Authorities who are powerful enough to have their codes shipped with all of the web browsers. What would their cost be to include a public domain certificate authority, much like Wikipedia is for information? Um…. nothing. Zero. Nada. They just wouldn’t get a kickback.

It’s generating an “approved” key where the registrars make all of their money. It’s about the money. It’s greed. Even from foundations like Mozilla – they could easily solve this by endorsing a free and open certificate signing authority. They haven’t. I expect more from them. Some leadership in this would be nice. Where is Lessig on this? Why is there no outrage?

I’ll tell you why. Because it’s too geeky. Too technical. People zone out. zOMG, I like to create things. I bore myself talking about this crap. But it matters. Encrypt it all. Now. And do it for free. If my client buys a domain name why do I have to do ANYTHING to encrypt it? Don’t they deserve that? Should encryption be the default? I THINK SO. And I don’t think you should have to pay for it given it is as simple as DNS and could easily be included.

And yet the powers that be continue to be the “Certificate Authorities” and they continue to make money, causing only 4 to 5% of the web to be encrypted. So you and I continue to be the victim.

Please tell me someone out there is a little outraged by this? Not that I/we/you aren’t the problem as well…. read on …

To emphasize the point on weak passwords (again – this is YOUR responsibility, but irrelevant if on an unencrypted connection), these are the actual top 10 passwords used on Adobe logins (mind you this software costs thousands of dollars and this is the key to get it.) 1,911,938 of your fellow citizens chose “123456” as their password. Seriously. Another 345,834 people chose the password of …. wait for it …. “password.”

Rank	Count	Actual (no really) Passwords
---	-------	------------
1	1,911,938	123456
2	446,162	123456789
3	345,834	password
4	211,659	adobe123
5	201,580	12345678
6	130,832	qwerty
7	124,253	1234567
8	113,884	111111
9	83,411	photoshop
10	82,694	123123

One simple solution that would significantly reduce network attacks. Encrypt every site. At no cost beyond the price of the domain name. Make it easy. And free.

Dear non-technical people – please stay with me for a moment. I know I have to use a bit of geek speak but I want to try to explain the ruse that is being played on you. That it isn’t needed. That the cost of certificates is almost non-existent and you are the victims.

Encryption explained in one paragraph (simplified)

If I give you the number 21 and ask you what prime numbers divide into it besides 1, there is only one way to find out and that is to try every prime number. But if I give you 7 (my “public key”), you can verify very quickly that 21 divided by 7 gives a prime. That’s it.

Solution – every web site is encrypted with SSL by default and you have to pay extra to NOT encrypt your website. Done.

Obstacles – the companies that sell SSL certificates don’t want that. I pay $300/year for our wildcard certificate and what I am proposing is that they be given away for FREE TO EVERYONE WHO GETS A DOMAIN NAME.

Seriously, this isn’t a game people. YOU, as an individual need to not use dumb passwords. As programmers say, like it or not, “you can’t fix stupid.” Yet I do have sympathy given the average human has NO IDEA of the cyberwar that isn’t pending, it’s happening NOW!
Thus WE, all of us need to have everything encrypted end to end to avoid the obvious. Occam’s razor.

Fake Facebook Profiles – Keep Your Guard Up

From this quarter’s 2600 magazine, an article excerpt from “Create Mass Hysteria on a College Campus Using Facebook” by alleyrat.

The two most crucial aspects of a fake profile are that it must be a woman (women won’t friend unknown males, but males will friend unknown women) and that it must have an inviting innocent picture. Generic photos were obtained that were not direct face shots, but rather had some distance to them. It’s easy to find stuff that fits the overall campus climate and apply them. Each account was also given some fake interests, political orientations, etc. and the wall and chat featured on Facebook were disabled.

Once a bunch of profiles were made, I imported a randomized .csv list of .edu emails into each. Facebook matched profiles for roughly 300 of the emails imported, and friend requests were blasted out en masse for each profile. Within 24 hours each account had 150-200 friends. UCSD is a relatively prestigious school, and I am baffled by how successful this technique was and how little people know about the workings of the internet and, in particular, spam (Internet license anyone?). Many people would send me a private message with “Do I know you?” I just ignored all of them.

– alleyrat, 2600 Magazine, Volume Twenty-Seven, Number Two, Page 18

Emphasis added.

Uninstall Facebook Applications Internationally Day (UFAID) September 1 2009

I am a fan of Facebook. I enjoy using it and it has brought me closer to a lot of awesome people. We are even approaching 1000 people on our Facebook Fan Page!

But I can’t handle Facebook’s lack of respect for our privacy. The fact that it shows me “dating website” advertisements (I’m married and they KNOW this!?) even after I mark them “thumbs down” and “irrelevant” or sometimes even “offensive.” Yet they return.

In response to previous privacy concerns, Facebook launched a charm offensive for better Facebook Governance. As someone who studies PR, this was a smart thing to do. Start by listening and their blog in fact did request feedback. Great job! But wait! There’s more!

A few months go by and this poor chap finds a dating advertisement on his Facebook profile featuring a photo of HIS WIFE! Not cool. At all. Facebook’s response on the unauthorized use of the photos is:

In the past couple of days, a rumor has begun spreading that claims we have changed our policies for third-party advertisers and the use of your photos. These rumors are false, and we have made no such change in our advertising policies.

If you see a Wall post or receive a message with the following language or something similar, it is this false rumor:

FACEBOOK has agreed to let third party advertisers use your posted pictures WITHOUT your permission.

The advertisements that started these rumors were not from Facebook but placed within applications by third parties. Those ads violated our policies by misusing profile photos, and we already required the removal of those deceptive ads from third-party applications before this rumor began spreading.

I feel for them. But the answer seems weak – it wasn’t us. It was a third party. And we stopped the practice AFTER y’all complained about it. The weak link in the chain here is the Facebook application provider. I’d like to see two things change to improve security and privacy on Facebook.

  1. Facebook needs to be explicit about the “reputation” of a particular application provider or advertiser. Make this transparent. I LOVE the “report this” next to the advertisements, but as I mentioned above, for me they are ignoring my feedback. And why can’t I see EVERYONE’S feedback on an application or an advertisement? Would this type of transparency be a bad thing?
  2. We, the Facebook customers, need to uninstall as many applications as possible. We need to uninstall these unnecessary Facebook applications for our own safety until we can see more transparency. Just remove them. Only add back the necessary ones. So many people remove the box from their profile and THINK they have removed the application. They have not!

We propose September 1st 2009 as Uninstall Facebook Applications Internationally Day (UFAID).

Not all applications mind you, just the ones you don’t trust or recognize.

To uninstall your Facebook Applications follow these steps:

  1. Login to Facebook
  2. Click on your “Profile” link at the top of the page.
  3. Scroll down to the “Applications” link on the lower left. Click it.
  4. Click “Edit Apps” link which should take you to a page like this: http://www.facebook.com/editapps.php
  5. IMPORTANT Change “Show” from “Recently Used” to “Authorized”!
  6. Click the “X” next to the applications you want to remove.
  7. Confirm.
  8. Repeat until all cruft and untrustworthy applications are removed.

Find any applications you did not realize were installed? Yup, thought you would. Put them in the comments below so we can see the sneaky ones.

Excellent Use of Corporate Blogging – Over My Dead Body

A frequent question from public relations professionals when discussing "corporate blogging" is "who should blog?" Lutz is a good case study with good dialog like this, as are McDonald's and Channel 9 and Sun. Those blogs are relevant to the company yet they contain individual voices.

Slashdot picked up this great post by a Microsoft Developer that shuts down a possible future crisis with words like:

Back-door nonsense

Two weeks ago BBC News published an article speculating about a possible “back door” in BitLocker (http://news.bbc.co.uk/1/hi/uk_politics/4713018.stm). The suggestion is that we are working with governments to create a back door so that they can always access BitLocker-encrypted data.

Over my dead body.

Now that is a good crisis response. And PR would never have written "over my dead body" in a press release. I love it! And it helps Microsoft. It’s all good.

A tip of the hat to KT for the links!

Riya – Can I get an Opt Out Option to Protect My Identity Please?

I am a fan of Riya and in particular of the great PR being generated, in an ethical manner, by Tara Hunt.  She is articulate and isn’t afraid of calling someone an "ass clown" when warranted.

But I do have an urgent request for Riya to help protect privacy.  I think an individual, perhaps a non-user, should be able to opt out of the sharing and feature set of Riya.  I should not have to register with the site to do this.  Just an option to say "hey – if two people upload their address books and I am in both, please don’t share the training and identification features."

This seems reasonable, right?  Just an option to exclude an individual based on their wishes.  The image at right was on the coverage page for Riya here.  And here is an excerpt that does concern me.

"Now, there is an even faster way to train Riya.

If you click on the auto training tab and let Riya analyze your address book.  Riya will determine which of the people you know have been trained by other friends and family.  If so, those people will be automatically recognized without you having to do any training at all."

I should be able to opt out of that. 

Good PR includes crisis communications, and crisis communication is MOSTLY about crisis prevention

If I may be so bold as to make a suggestion, ideally I’d like to hear the CEO talking about ensuring privacy every time he does a demo.  And I’d like a privacy link on the home page that talks, in plain language, about the importance of privacy for the company.  Then be sure to walk the talk. 

Two reasons why the above is so important.  1) I am not the only privacy nut on the Internet and it WILL turn into a crisis if not addressed proactively.  Just ask Sony.  2) If I were a competitor of Riya, this is where I would attack.  Not addressing privacy and security proactively is your open flank.  You have worked too hard to leave the opportunity open to spamming competitors.  Close the gap! 

Talk about privacy and let people opt out of others sharing their identity please.

Brave New World of Security Vulnerabilities and Public Relations Responses to a Crisis

There is a new and significant security problem in the wild with Microsoft Internet Explorer.  I am not writing about the security of it, rather the timeline and the public relations and crisis communications response.

The first indication was NOT from someone in the Microsoft communications group, rather it was their well known blogger Scoble.  From his blog on December 28, 2005:

Microsoft customer warning: Bad exploit in Windows

It’s interesting, I was just talking with Hitachi’s blogger and CTO about what to do in a crisis. Here’s one thing. Warn your customers. That’s what I’m doing here. We’re seeing a bad exploit being reported on blogs and other places.

and

Update: the Security Response Center is working on this. They have a blog, but haven’t posted about this issue yet.

So late last night, December 28th, I get my SANS email security alert.  (SANS is a must in the security community – your government does some things that really do help)

-----Original Message-----
From: US-CERT Technical Alerts [mailto:technical-alerts@us-cert.gov]
Sent: Wednesday, December 28, 2005 7:38 PM
To: technical-alerts@us-cert.gov
Subject: US-CERT Technical Cyber Security Alert TA05-362A — Microsoft Windows Metafile Handling Buffer Overflow

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

Microsoft Windows Metafile Handling Buffer Overflow
http://www.us-cert.gov/cas/techalerts/TA05-362A.html

Just to check, I went to what I consider to be the logical place for a security update which is http://windowsupdate.microsoft.com/ and there is no update (OK, they are still working on it I guess) but most surprising is there is NO MENTION OF THE SECURITY PROBLEM.

The BAD news.  The main corporation is not reacting quickly or logically enough, the government was slower than a blogger issuing a relevant security alert.  Note the screen shot doesn’t just say "nothing found" it doesn’t even hint at impending doom if I don’t come back soon.

The GOOD news, the GREAT news is that Scoble works for Microsoft.  He didn’t have to ask permission, he just did the right thing and notified thousands of a potential security problem with his company’s products.  He acted with good crisis communication skills and he did it as part of the Internet conversation.  No big brother required.  This is a net positive for Microsoft in my book from a PR perspective, assuming they fix it in a timely manner.