Don’t Hold Up Signs on the Internet…


We’ve all seen them before and I’m seeing more and more of them now that the Holiday Season is upon us (and today is “Giving Tuesday”).

I know I’ve seen a number of well-intentioned pictures of people holding up signs to support a specific cause on social networks this winter. A large number of those, especially on Facebook, have been churches and religious groups.

I hate to be Donald Downer, but be careful with such postings, especially if they include your face. It’s very (very very) easy to take those and do less-than-well-intentioned things with the images after they’re found via Google Image Search or a Twitter Search or Instagram hashtag search etc.

You’re not Michelle Obama, but that doesn’t mean that your own perception of your network size (or good intention) protects you from the wilds of the internet in 2016 and beyond…

Michelle Obama gave the Internet a sign—here’s what it gave back: “But once Reddit got ahold of the photo, its users—well-known for hosting Photoshop battles such as this—went wild adding anything and everything to the blank page”

So be careful, or you could be espousing something you probably wouldn’t agree with.

Amazon Finally Gets 2 Factor Authentication (Please Go Turn This On For Your Account Now)


Here’s how to enable Amazon’s Two-Step Verification, a feature that adds an extra layer of security by asking you to enter a unique security code in addition to your password on computers and devices that you haven’t designated as trusted.

Source: Amazon.com Help: Turning On Two-Step Verification

Amazon finally has 2 Step Authentication. By all means, please go turn this on (and turn it on for all the services you actively use, from Gmail to Slack to Dropbox to Facebook to Twitter etc).

I’m a big fan of Authy as my preferred authenticator, but Google has one and you can always use your mobile device for receiving authentication texts.

But you need to do this asap for your personal and business accounts or count the days until you’re “hacked.”

“Censorship that doesn’t look like censorship”

Remember, “free speech” doesn’t always align with the user policies on Facebook, Twitter etc. Own your content and your books or learn to live with the trade-off of letting the algorithm decide how you vote…

“Censorship that doesn’t look like censorship. It deliberately reduces the spread of information that might otherwise go viral. Vicious. “You can say what you like but no one will hear you. And also, you’ll think no one cared, so you’ll give up trying.” Subtle, deniable, and quite ruthless.”

via Paul Dietric: Adventures in Twitter Censorship (PDF for obvious reasons)

Another Digital Divide Coming

Niels Ole Finnemann, a professor and director of Netlab, DigHumLab in Denmark, said: “The citizens will divide between those who prefer convenience and those who prefer privacy.”

via The Future of Privacy | Pew Research Center’s Internet and American Life Project.

I’ve long said that as the web continues to evolve, particularly as a social medium, we’ll see privacy and the idea of a federated web help shape a new digital divide.

On one side, there will be people who choose convenience and ease by utilizing networks akin to our current ones (i.e., Facebook). They’ll trade their privacy and data for social connections in a walled garden with pretty flowers.

On the other side will be the federated web, built by those who are able (either technologically or financially or both) to have and sustain their own web presence that they own and control.

This isn’t a geek vs non-geek distinction as it has been since the web started or something like we have in 2014-2015 where people who care about things like federation or privacy are outsiders.

Now we just need to kill apps.

Don’t Use Admin As Your WordPress Username

We create, host, and manage a number of sites for churches, non-profits, community groups, and businesses. As a part of that, we also spend a good deal of time “behind the scenes” keeping these websites safe and secure. Our clients often don’t realize (nor should they) how much work that entails in 2014 / 2015, given the growing sophistication and sheer number of bots and bad folks looking to exploit poorly constructed sites or social media accounts for other nefarious purposes.

Setting up a WordPress site on your own is not hard to do. You have to find a host, click a few selections for your server, then run through the install. It’s gotten tremendously easier over the years. However, if you’re setting up a self-hosted WordPress site, you have to take security seriously.

For example, the screenshot above is just a small sampling of the attempts to “brute force” access to this site from this morning. There are hundreds of these every day for this site and I see thousands daily for some of our larger clients. You’ll notice the attempts are all trying to gain access to the site with the username “admin.” Before WordPress 3.0, the default for new site installs was to use “admin” as the username. Combine that with the terrible passwords that most people online use, and it’s not hard to see that with enough permutations, the math is there. It’s also fairly easy to buy a list of the most commonly used passwords on the web if you know which dark parts of the web to look in.

Here are my surface level and generic recommendations if you do decide to set up a WordPress site for your church, group, or business after about a decade of working in this area…

1) Don’t use admin as your login username for WordPress or for any other account whether it will just be you logging in or a team of people.

2) Don’t use a short or “dictionary” phrase password. Use something unique to you and combine numbers, letters, etc as much as you can. That’s not foolproof and there’s research showing that doing so isn’t as effective as it was previously, but it’s still a good practice. Even if you’re “bad at passwords” as most humans claim to be, figure out a system for a stronger password. It’s worth your time and it’s important no matter how small or large your site or social media account will be.

3) Use a good plugin such as Sucuri to keep track of security audits, reviews, and monitoring. Again, it’s worth your time and easy to set up email alerts for certain events.

4) Keep track of installed plugins and make sure that no one has installed a plugin that is actually a piece of malware or is using your WordPress install for nefarious purposes. This is especially important if you are working with a number of people on a WordPress site and sharing a common user account rather than setting up various users (which you should do for a number of reasons).

5) Update, update, update. Keep your WordPress version, plugins, and themes as updated as possible. That usually means at least a couple of times a month.

Of course, there are many other things to consider but I get this question frequently and wanted to make my initial thoughts easy for others to find. Setting up a WordPress site is a great idea and it’s not terribly difficult. However, do it the right way and make sure you are keeping your brand, visitors, and users free from any potential threats that you can avoid with a little time investment.
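To see why recommendation 1 matters on your own site, you can tally which usernames the failed logins are guessing and check whether any of them match a real account. The following is an added example, not part of the original post or of any plugin’s code: the log format, the sample lines, and the function names are all constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in an assumed format (not a real plugin's log layout).
SAMPLE_LOG = """\
2014-12-02 06:14:03 login_failed user=admin ip=203.0.113.7
2014-12-02 06:14:05 login_failed user=admin ip=203.0.113.7
2014-12-02 06:14:09 login_failed user=Admin ip=198.51.100.23
2014-12-02 06:15:41 login_ok user=sam ip=192.0.2.10
2014-12-02 06:16:02 login_failed user=administrator ip=198.51.100.23
2014-12-02 06:16:30 login_failed user=admin ip=203.0.113.99
garbage line that should be ignored
"""

LINE_RE = re.compile(r"^\S+ \S+ login_failed user=(?P<user>\S+) ip=(?P<ip>\S+)$")


def parse_failed_logins(text):
    """Return (username, ip) pairs for failed logins; skip anything else."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            # Fold case so "Admin" and "admin" are tallied as one guess.
            events.append((m["user"].lower(), m["ip"]))
    return events


def summarize(events, existing_users, per_ip_threshold=2):
    """Tally guessed usernames and flag guesses that hit a real account."""
    by_user = Counter(user for user, _ in events)
    by_ip = Counter(ip for _, ip in events)
    existing = {u.lower() for u in existing_users}
    return {
        "by_user": by_user,
        "noisy_ips": sorted(ip for ip, n in by_ip.items() if n >= per_ip_threshold),
        # Guessed names that exist: only the password protects these accounts.
        "exposed_accounts": sorted(set(by_user) & existing),
    }


if __name__ == "__main__":
    events = parse_failed_logins(SAMPLE_LOG)
    for label, users in (("site with an 'admin' account", ["admin", "sam"]),
                         ("site without one", ["sam", "editor-jo"])):
        report = summarize(events, users)
        print(label, dict(report["by_user"]), report["exposed_accounts"])
```

On the site that has no “admin” account, every guess in the sample misses before a password is even checked.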

Home Screen on My iPhone 2014

I like to post these every so often (this one from 2010 is historic) for my own archive uses.


By the way, someone asked me yesterday why I had LastPass on the front page and what it did as an app. I don’t know any of my passwords as they are all generated by LastPass. Between that and using 2 factor authentication for everything I can (the Google Authenticator app beside LastPass on the top row), I feel pretty confident about my security online. Those are two of my most used apps as a result.

Additionally, I’m glad to see services like Mint (my personal accounting app) and Evernote integrate their apps with TouchID on the iPhone so that I have to supply my thumbprint to open them up (Bank of America is releasing their updated app with that integration as well).

Security is my app theme for the end of 2014, evidently.

Google Hall of Famer Wayne Porter

CostPerNews owes a great deal to one of its original backers Wayne Porter, even though he is evidently a spook…

Keeping Internet users safe is more than just making sure Google’s products are secure. Google engineers also contribute to improving the security of non-Google software that our products and users rely on.

Provided below is a list of software vulnerabilities discovered or fixed by Googlers, along with presentations we’ve given at industry security conferences. You can also find publications about security, cryptography, and privacy work in Google’s main research portal.

via Vulnerabilities – Application Security – Google.

Thanks for all you did and do, Wayne 🙂