
Website Hacking — Strong case for Shared Managed Hosting

WordPress self-hosted websites can be very sophisticated. So, therefore, is the range of vulnerabilities a hacker can exploit.

How do you secure your site? Have you been hacked, need help?

This is normal. Because under-managed websites are normal. It used to be that you put up a page and things were “static.” Not so nowadays. Any Web Presence needs persistent care and feeding. Most especially where Security is concerned. New exploits emerge almost daily. Keeping up with patches and upgrades? Critical.

There are no technical suggestions here. Just ones for managers who wear all the hats at once. (As does Yours Truly.)

We’re devoted to demystifying this stuff for the small, independent operator. We don’t actually think you should have to keep people with IT certifications on the payroll.

So, one best practice (and certainly a minimum for anyone who isn’t a developer, or doesn’t have vast quantities of spare time to invest in learning, and then keeping up with, the ever-changing security ecology of websites) is to contract for your coverage.

A great free tool to catch almost anything, as a safeguard against gaps in your perimeter defenses, is to add your site to Google Webmaster Tools.

At the end of the day, by moving to a shared hosting scenario, you’ll deliver better results not only in security but in performance. Shared hosting is inevitably a cloud of servers, and these automatically scale to accommodate loads.

Get faster, get shared. Get secure, get managed.

If you don’t require customizations that can’t be delivered with a site on WordPress.com, don’t let anyone talk you into Self-Hosted.

The driver is: What am I doing that I can’t accomplish except by going self-hosted. Can I dump that? (Critical decision making flowchart involving this issue and the one of choosing consultants at that Link. Enjoy.)

And if you can’t dump that unique widget, think (very seriously) about outsourcing that function to a third party.

Call or email me with questions.

Or, dump the new science and go back to smoke signals, sneaker net and snail mail.

By the way, we just recently used a resource (not listed above) to salvage a hacked site. He deserves mention.

Andrew at http://FixWordpressSite.com

His specialty is responsiveness … but be patient, he bounces from issue to issue helping others simultaneously. If your site was hacked you’re not alone and you’ll appreciate Andrew.


World War “IT” — Are Linux Duffers the “National Guard” of Tech?

One of the conversations I’m having more often (say in the past 20 months) is “continuity” planning: in the event that “World War IT” breaks out, how are businesses going to continue?

  • If communication utilities are hacked, how will we rebuild B-B and B-C networks when the internet is shaky? Fallbacks like a BBS might serve as an order-processing platform.
  • How do we operate in isolation for a while, if we’re not connected to a WAN? Inventory: where is that box?

These dialogues are more often “beer” fueled … and not really actionable but they have a strategic vein. Few I know are actually going to the time/expense to build systems, collecting old bones into unpowered piles that can be used as “bricks” — rebuilding networks that have been damaged. There are some, though…

The challenge we’re facing is sort of on the DHS front and there is a certain symmetry to it.

Think of it like this: Linux IT Duffers are the National Guard of IT.

There is a widening dialogue (Link) within Microsoft and Windows circles particularly – about alternatives that are quick, inexpensive and secure. An essential element is modest hardware requirements. Linux shines on all of those aspects.

If you’re hoarding and/or building systems and storing “IT Bricks” in your closet, let me know. I’d like to take this temperature. Fill in the Poll below?

Ad Injection Malware Removal — Mac

It's not often, but you sometimes see "Warnings" like this.  Once installed into your computer, these software agents can be very, very dangerous.  BEWARE!


This has come up several times recently, with complaints like: “I get so many ‘Popup Ads’ I can’t use my computer anymore.”

Visit this link: http://support.apple.com/en-us/HT6506

Ad-injection software is advertising-supported software that can come from third-party download sites. Software you download from such sites may have been customized to install both the software you want and the ad-injection software. If your Mac has ad-injection software installed, you might see pop-up windows, ads, and graphics while surfing the web, even if “Block pop-up windows” is selected in Safari preferences. Ad-injection software might also change your homepage and preferred search engine.

Have you downloaded software from third-party providers lately?

Be careful out there! If you have questions, it’s always best to phone or email us first. Our policy is to answer basic questions for free. “Snappy answers to silly questions” (remember the MAD Comic?) are our specialty, and there is no charge. Why not ask first instead of suffering the consequences later?

Best $5 monthly fee we pay – just got better!

GHS – a suite of apps: email, phone, calendar, file share, websites, and multimedia. Integrated. $5/mo.


Our solutions design process builds on free services. If needed we look at paying fees, we always aim for minimal expense.

So, we’ve had a policy: begin with Google Hosted Services.

If for some reason clients can identify a legitimate reason the enterprise tools can’t work, or be extended… we’ll start looking at self-hosted or other combinations of services.

Well, in June Google announced that premium features will be added to basic accounts. These new features go into effect in a few days.

This is the text of the “go live” announcement we received this morning:

Hello Administrators,

As we announced on June 16, the advanced capabilities and admin controls known as Google+ premium features will become standard for our existing business, government, and education customers. This change will take place the week of July 23.

After the change, these controls and capabilities will no longer be called premium features. The premium features setting will also be removed from the Admin console.

If you use Hangouts on Air (HOA), you might’ve noticed that enabling premium features disables HOA. To continue using HOA, just do one of the following:

  • Before July 23, proactively enable premium features for your domain, then re-enable HOA.
  • After premium features become the new default, enable HOA.

Visit the Google Apps Help Center to learn more about Google+ premium features.

The fees are minimal. $5/mo per account to start. Amazing, right?

Okay, but here’s something you should consider: Google is advancing end-to-end messaging security. Right now, if you communicate within Google’s servers, your email is secure. Our understanding is that it’s transparent, but message encryption/decryption is already in place. That’s a big thing.

So if your enterprise is hosted at GHS, you’re starting from secure. That’s step one.

Encryption — Email is next

Encryption

Fundamentals. Basic encryption entails injecting a random data string … to obfuscate the real contents of the message or packet.

Reading through my feeds, I see recent posts from various sources that Google, Facebook and others are beginning to realize that:

Server to Server encryption of Email messages is never going to be secure.

TLS (Transport Layer Security), a minimal implementation that allows servers to converse and exchange messages more securely, is not adopted by a high percentage of email servers across the internet. Something in excess of 40% of email servers don’t answer this protocol.
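What “answering this protocol” looks like in practice: a mail server lists the extensions it supports in its reply to the EHLO command, and a server willing to upgrade the connection to TLS advertises the STARTTLS keyword there. The script below is an added example (not code from the original post) that parses constructed EHLO replies and reports which servers offer STARTTLS; the server names and replies are made up for illustration.

```python
"""Does a mail server "answer" STARTTLS?

Added example; it is not code from the original post. An SMTP server lists
the extensions it supports in its reply to the EHLO command, one keyword per
line. A server that offers a TLS upgrade advertises the STARTTLS keyword.
The sample replies below are constructed for illustration.
"""
from typing import Dict, Iterable, List

# Constructed EHLO replies (CRLF-terminated, as on the wire).
REPLY_WITH_STARTTLS = (
    "250-mx.example.net Hello client.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
REPLY_WITHOUT_STARTTLS = (
    "250-mx.example.com Hello client.example.org\r\n"
    "250-SIZE 10240000\r\n"
    "250 HELP\r\n"
)
# An old server that does not speak ESMTP at all rejects EHLO outright.
REPLY_NO_ESMTP = "502 5.5.1 Command not recognized\r\n"


def parse_ehlo_reply(reply: str) -> Dict[str, object]:
    """Split an EHLO reply into its code, greeting line and extension keywords.

    Every line starts with the same three-digit code; "-" after the code
    means more lines follow, a space marks the final line.
    """
    lines = [ln for ln in reply.replace("\r\n", "\n").split("\n") if ln]
    if not lines:
        raise ValueError("empty reply")
    code = lines[0][:3]
    if not code.isdigit():
        raise ValueError("reply does not start with a 3-digit code")
    keywords: List[str] = []
    for index, line in enumerate(lines):
        if line[:3] != code:
            raise ValueError("inconsistent reply code across lines")
        separator = line[3:4] or " "
        if separator not in ("-", " "):
            raise ValueError("bad separator after reply code")
        is_last = index == len(lines) - 1
        if (separator == " ") != is_last:
            raise ValueError("continuation marker does not match line position")
        text = line[4:].strip()
        # The first line is the server greeting; the rest are extension keywords.
        if index > 0 and text:
            keywords.append(text.split()[0].upper())
    return {"code": int(code), "greeting": lines[0][4:], "keywords": keywords}


def offers_starttls(reply: str) -> bool:
    """True only for a successful (250) EHLO reply that lists STARTTLS."""
    try:
        parsed = parse_ehlo_reply(reply)
    except ValueError:
        return False
    return parsed["code"] == 250 and "STARTTLS" in parsed["keywords"]


def share_without_starttls(replies: Iterable[str]) -> float:
    """Fraction of servers (judged by their EHLO reply) that do not offer STARTTLS."""
    replies = list(replies)
    if not replies:
        return 0.0
    missing = sum(1 for r in replies if not offers_starttls(r))
    return missing / len(replies)


if __name__ == "__main__":
    sample = [REPLY_WITH_STARTTLS, REPLY_WITHOUT_STARTTLS, REPLY_NO_ESMTP]
    for r in sample:
        status = "STARTTLS" if offers_starttls(r) else "no STARTTLS"
        print(r.splitlines()[0], "->", status)
    print(f"share without STARTTLS: {share_without_starttls(sample):.0%}")
```

Two caveats a practitioner would add: advertising STARTTLS only means the upgrade is offered, not that it is required, so a sending server that cannot complete the upgrade may still deliver in plaintext; and even when every hop is encrypted, each server decrypts the message to relay it, which is exactly why the post treats server-to-server encryption as insufficient on its own.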

What can be done?

For starters: Personal Encryption.

See this Wikipedia Article for some remedial reading. We all need to understand this layer of engineering language. Relax, there’s lots of pictures.

I’m committed to bringing this topic to the blog on a regular basis. We’ll try to keep track of what’s being done, and how to easily adopt the best practices.

My forecast is that services, from Google to Facebook and many others, will adopt a paradigm that supports personal encryption in various layers, including service to service. At least you’d know, if you’re sharing credentials and info between a blog, Facebook and Google (as I do now), that those channels would be secure. This is big iron taking our privacy needs seriously.

Go man, Go!

eBay password change? Now’s a good time.

Sophisticated passwords are a must.  Use no personally identifiable info.


Change your password. If you have an account, that is.

Here is a link to a walk-through of the steps to get it done:

BEFORE you start any changes, be sure to review all of your settings, especially your mobile telephone number.

I prefer receiving the secondary authentication by text, so if the number was wrong? It’s difficult to say how much trouble that would cause.

A word on password security: Does yours look like this?

“H1gh.35t Est3me?”

Now write it down (no, not literally). I recommend http://PassPack.com as a storage tool for credentials. Yes! Keep records, but do so securely!

PassWord Security

Encryption aside, where are you storing your credentials?


It’s no longer okay to share security credentials by email.

There, you have it. A line in the sand.

Even if you go the extra distance: to send the UserID in one message and the Password in another, nope.

Here is a tool I recommend: www.PassPack.com

Some excellent ingredients here…

  • Very secure
  • Available to you where ever there is a web browser
  • Ability to share records with other users
  • Ability to securely message other users

And a couple of words about how to use credentials

  • Don’t use the same credentials across multiple sites
  • Do use Chrome and iCloud services to “remember” credentials (it’s pretty secure)
  • Do use non-personally identifiable strings — no pet names, no nicknames, no cities, schools or other stuff like that
  • Do use upper & lower case, numbers and punctuation
  • A minimum of 10 characters
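The rules in the two lists above (and the “no personally identifiable info” rule from the eBay post, whose sample password “H1gh.35t Est3me?” is used below) are concrete enough to check automatically. Here is an added example, not code from the original post or from PassPack, that scores a password against those rules and scans a vault for the same password used on more than one site. The personal terms and the vault contents are constructed sample data.

```python
"""Check a password against the post's rules and find reuse in a vault.

Added example, not code from the original post or from PassPack. The rules
encoded are the post's own: at least 10 characters; upper and lower case,
digits and punctuation; no personally identifiable strings; and no reuse
across sites. The vault and the personal terms are constructed samples.
"""
import string
from collections import defaultdict
from typing import Dict, Iterable, List

MIN_LENGTH = 10


def check_password(password: str, personal_terms: Iterable[str] = ()) -> List[str]:
    """Return the list of rules the password breaks; an empty list means it passes."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"too short (minimum {MIN_LENGTH} characters)")
    if not any(c.islower() for c in password):
        problems.append("missing lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("missing upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("missing digit")
    if not any(c in string.punctuation for c in password):
        problems.append("missing punctuation")
    # The personal-info check is case-insensitive; very short terms would
    # match almost anything, so they are ignored.
    lowered = password.lower()
    for term in personal_terms:
        if len(term) >= 3 and term.lower() in lowered:
            problems.append(f"contains personal term {term!r}")
    return problems


def find_reused(vault: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each password used on more than one site to the sorted list of those sites."""
    sites_by_password: Dict[str, List[str]] = defaultdict(list)
    for site, password in vault.items():
        sites_by_password[password].append(site)
    return {pw: sorted(sites) for pw, sites in sites_by_password.items() if len(sites) > 1}


# Constructed sample data: personal terms that must not appear in a password
# (a pet name, a city, a school), and a small site-to-password vault.
PERSONAL_TERMS = ("Fluffy", "Boston", "Lincoln High")
SAMPLE_VAULT = {
    "ebay.example": "H1gh.35t Est3me?",
    "bank.example": "Wint3r!Coat#2014",
    "forum.example": "H1gh.35t Est3me?",
    "blog.example": "fluffy2015",
}

if __name__ == "__main__":
    for site, pw in SAMPLE_VAULT.items():
        issues = check_password(pw, PERSONAL_TERMS) or ["ok"]
        print(f"{site}: {'; '.join(issues)}")
    for pw, sites in find_reused(SAMPLE_VAULT).items():
        print(f"same password reused on: {', '.join(sites)}")
```

Run it and the constructed vault shows both failure modes the post warns about: “fluffy2015” breaks three rules (no upper case, no punctuation, and it contains the pet name), and the eBay password, although it passes every character rule, is also in use on the forum, which is the reuse the first bullet forbids.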

And change your passwords. I would recommend every 6th time you visit a third-party site. It’s easy, and in a moment you can change the password, update your storage tool and relax.

I don’t change passwords that frequently on sites I own and manage. In these circumstances I alter the credential strings perhaps every 6 months.