Sam Harrelson





School Shootings in America Since 2013

Since 2013, there have been nearly 300 school shootings in America — an average of about one a week.

Source: School Shootings in America Since 2013


WordPress Plugin Supply Chain Attacks

These are pretty popular plugins in the SEO world… I imagine lots more of these “supply chain attacks” exist due to older but still popular plugins being sold or leased:

If you have any of these plugins running on your site, we recommend that you remove them immediately and that you make sure that SEO spam hasn’t been injected into your site. Even though one of them, WP No External Links, has been updated to remove the backdoor, it has been closed, so it will never be updated again in the future.

via Three Plugins Backdoored in Supply Chain Attack


Building a website is cheap, but not protecting it is costly.

massive-brute-force-attack-dec18

We use Wordfence as a default on all new WordPress client sites that we create for good reason. Here’s a scary reminder that while building a website has become quick, easy, and relatively cheap your company / nonprofit / church / community group should not take WordPress security for granted with cheap hosting and no one overseeing these sorts of things:

This is the highest volume brute force attack we have seen to date. It may also be using the fresh credentials that were provided in the database released on December 5th, so it may achieve a higher than normal success rate. Please spread the word among the WordPress community to create awareness of this new threat.

via Breaking: Aggressive WordPress Brute Force Attack Campaign Started Today, 3am UTC


Tech and Public Policy

Interesting article from NY’s Attorney General directed at the FCC:

In today’s digital age, the rules that govern the operation and delivery of internet service to hundreds of millions of Americans are critical to the economic and social well-being of the nation. Yet the process the FCC has employed to consider potentially sweeping alterations to current net neutrality rules has been corrupted by the fraudulent use of Americans’ identities — and the FCC has been unwilling to assist my office in our efforts to investigate this unlawful activity.

If law enforcement can’t investigate and (where appropriate) prosecute when it happens on this scale, the door is open for it to happen again and again

via An Open Letter to the FCC: – Eric Schneiderman – Medium


“a new combination of media company and public utility”

Great point… and it’s unimaginable to me that anyone in government or a high profile position would take their own security and (operational and informational) so lightly…

As we saw this week, when Twitter, Facebook, and Google testified on Capitol Hill about Russias election meddling, “social media companies have failed to come to grips with who they are, and what role they play in society. They imagine themselves as tech companies that just make products, but they’re actually a new combination of media company and public utility,” Singer added.

These companies use of contractors, often part-time workers in internet call centers, to handle abuse and moderation is something else to consider. Twitter, for example, has never provided a breakdown of how much of its workforce is contracted.

via A Former Twitter Employee Told Us How a Contractor Could Take Down Trumps Account – Motherboard


Is Apple’s New Face ID a Security Risk?

The majority of negative commentary I’m seeing about Face ID in particular amounts to “facial recognition is bad” and that’s it. Some of those responses seem to be based on the assumption that it introduces a privacy risk in the same way as facial tracking in, say, the local supermarket would. But that’s not the case here; the data is stored in the iPhone’s secure enclave and never leaves the device. More than anything though, we need to remember that Face ID introduces another security model with its own upsides and downsides on both security and usability. It’s not “less secure than a PIN”, it’s differently secure and the trick now is in individuals choosing the auth model that’s right for them.

via Troy Hunt: Face ID, Touch ID, No ID, PINs and Pragmatic Security

Good read here on the pragmatic nature of what Apple is doing by pushing technologies such as Touch ID and Face ID in its devices. No, they aren’t foolproof and there are downsides. But Face ID is a way to help ensure that the “mainstrem” of security-apathetic users of these devices have at least some protection if their device is stolen etc.

However, that most people simply ignore or don’t care enough about basic security options such as 2 Factor Authentication that is available on most of the web and financial etc services we all use is appalling.

I’m constantly urging clients to use services such as 1Password or LastPass for their password generation and storage as well as services such as Authy which make it easy to use 2 Factor Authentication (and safer than relying on SMS for codes).

“But I’m a nobody. Who would want to hack my GMail or Facebook or Twitter?” isn’t a viable rationale or excuse anymore, if ever!


Even Hackers Take Summer Vacations

Pretty staggering July stats from Wordfence regarding attempts to log in to WordPress installs with guessed user / passwords. People still don’t use secure passwords (or more preferably a password manager)…

The average number of daily brute force attacks increased 21% from last month, which was up substantially from May. Daily attack volumes were incredibly stable throughout the month, with no big peaks or valleys. It’s almost like the attackers went on vacation and left their malicious bots running on autopilot.

via The July 2017 WordPress Attack Report


Why Your Church or Nonprofit Website Needs Regular Security Updates

hacked

One of the items Harrelson Agency itemizes on invoices when building out a new client website (particularly when using WordPress or Drupal) are maintenance and security updates for the year.

It’s not a major cost, but I often receive questions about the charge and whether or not it’s really necessary. That’s particularly the case when dealing with churches, nonprofits, and small businesses who are on tight budgets and looking to save every penny possible (and understandable). However, it’s necessary and I always counsel our clients (of all sizes) to understand what that cost entails and why it’s beneficial in the long run.

Regardless of the amount of traffic your website receives, if your site is self hosted and using software such as WordPress or Drupal, you have to make sure you or your website manager are doing regular updates of plugins and versions, as well as making sure there is some sort of security software in place to manage firewalls, login attempts, IP attacks etc.

If you accept online donations or payments via your website, this is especially true. If you host any sort of “member directory” or registration information or personal details of your congregants or customers, this is especially true. That’s not depending on the size of your church, nonprofit, or business.

This week, press (and governments) around the world are reeling from the explosive release of the Panama Papers. This is the largest leak of private documents ever, and exposes a number of world leaders and companies and their potentially illegal financial transactions. It happened because of outdated software with known vulnerabilities:

“FORBES discovered the firm ran a three-month old version of WordPress for its main site, known to contain some vulnerabilities, but more worrisome was that, according to Internet records, its portal used by customers to access sensitive data was most likely run on a three-year-old version of Drupal, 7.23. That platform has at least 25 known vulnerabilities at the time of writing, two of which could have been used by a hacker to upload their own code to the server and start hoovering up data. Back in 2014, Drupal warned of a swathe of attacks on websites based on its code, telling users that anyone running anything below version 7.32 within seven hours of its release should have assumed they’d been hacked.

That critical vulnerability may have been open for more than two-and-a-half years on Mossack Fonseca’s site, if it hadn’t been patched at the time without updating website logs. It remains a valid route for hackers to try to get more data from the firm and its customers. On its site, the company claims: “Your information has never been safer than with Mossack Fonseca’s secure Client Portal.” That boast now looks somewhat misguided.”

Source: From Encrypted Drives To Amazon’s Cloud — The Amazing Flight Of The Panama Papers

So yes… in 2016 it certainly matters that you have good passwords and good security on your personal online accounts as well as those of your church or business.

Don’t wait until it’s too late and have to deal with the ramifications.


Your Email Privacy (Thanks, Government)

Scary, true, and worth your attention if you value your privacy…

Mozilla will let go of Thunderbird | Boing Boing: “There are many good reasons to use standalone email clients, but for Americans one of the most compelling is the absurdly outdated Electronic Communications Privacy Act of 1986, which treats any file left on a server for more than six months as ‘abandoned’ and accessible to law enforcement without a warrant (no, really!). That includes all your Gmail previous to June 2015. Really. All of the efforts to reform ECPA have died on the vine, because law enforcement loves this creaking piece of legislation.”

Vote out your representative if they don’t “understand technology.” That’s not an excuse anymore.


Don’t Hold Up Signs on the Internet…

NewImage

We’ve all seen them before and I’m seeing more and more of them now that the Holiday Season is upon us (and today is “Giving Tuesday”).

I know I’ve seen a number of well-intentioned pictures of people holding up signs to support a specific cause on social networks this winter. A large number of those, especially on Facebook, have been churches and religious groups.

I hate to be Donald Downer, but be careful with such postings, especially if they include your face. It’s very (very very) easy to take those and do less-than-well-intentioned things with the images after they’re found via Google Image Search or a Twitter Search or Instagram hashtag search etc.

You’re not Michelle Obama, but that doesn’t mean that your own perception of your network size (or good intention) protects you from the wilds of the internet in 2016 and beyond…

Michelle Obama gave the Internet a sign—here’s what it gave back: “But once Reddit got ahold of the photo, its users—well-known for hosting Photoshop battles such as this—went wild adding anything and everything to the blank page”

So be careful, or you could be espousing something you probably wouldn’t agree with.