Thanks to everyone who came out to the Asheville Area WordPress Group meetup last night, and thanks for the great discussion! I learned a lot from you all, and I hope you came away with something you could use to make your own website more secure.
As promised, here are the slides from the presentation:
Yesterday I got the email that millions of other people got, regarding Evernote resetting my password because someone had broken into their user data system.
The investigation has shown… that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts, and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted.)
After following the very geeky discussion about it in /r/netsec I was left wondering if I was placing too much faith in Evernote to protect all the brain dumps, notes, files, and private information I like to store in it.
Cloudy with a chance of security breach
After stumbling across this blog post entitled “Evernote doesn’t really care about security” I became convinced that it was time to leave Evernote. The security breach was actually the last straw in a number of things that have been bugging me more often than not — frequent crashes being the chief one.
Sometime around when Evernote added Skitch, the whole shebang started crashing on me frequently. I’m a premium Evernote user, and dealing with the app crashing multiple times a day quickly became aggravating. It has been almost unusable at times. That does not bode well for something you need to access frequently throughout a given day.
Then there were the issues where my notes were not synching between my laptop and my desktop, which I don’t really need to go into. You’ve probably had them too, if you are an Evernote user on more than one computer.
Lastly, I mentioned I was a paid Evernote user, but I never found myself using the paid features. The other big issue for me was with tagging – I would add tags to notes but then forget about them and never use them to find things. Being able to organize notes hierarchically is essential for me, since that is how I think after my years as a sysad and developer, and I couldn’t get used to everything having to be arranged with tags.
Faith In The Cloud?
So my question yesterday became: “Where do I put all this info I have in Evernote that is more secure and can be synced and accessed between my phone, laptop, and desktop?”
Security experts mostly agree that putting secure information in the cloud is not a very good idea. But I want to have faith that it can be, and there are companies making an effort in that regard. I turned to a solution that was right under my nose: Google Drive.
Why Google Drive over Dropbox or some other service? Because it integrates easily with everything I already use, and more and more features and interactions with it are becoming available. I, for one, welcome our new Google overlords.
I’m still working on moving everything over from Evernote to Google Drive, and it’s not a simple process, but I think I will be able to live with it. I’ll also be able to rest a little better knowing that, while my data is still in the cloud, Google seems to value it more than Evernote.
Other fed up users are coming up with their own solutions for replacing their faith in Evernote.
We here at Geekamongus are by no means partial to one operating system over another. We love Macs, we love Linux, we love Solaris, and we love those other guys. Seriously, in no way do we ever intend on taking sides, and articles such as this one are not to be mistaken as an attack upon a particular vendor, nor should they be misconstrued as a statement proclaiming that we prefer other platforms.
That said, some news items of late have raised a few eyebrows upon the foreheads of the security-minded regarding Apple and their operating system, OS X. For example, there seems to be a new variant of an OS X trojan out there, according to the folks at macnn.com.
Judging by the responses from the opinionated users at the bottom of that article, the Mac fan base may be smart enough to avoid such malicious software. Cynicism aside, it is clear there is an entirely untapped user base upon which phishing attacks may be starting to prey. One must consider the fact that people who have used Macs their whole lives may not be as familiar with such tricks, where web sites attempt to get you to download a plugin with ulterior motives in mind, and that they could be more easily fooled into taking the bait. Heck, it would seem the folks at Apple could use some tutelage about Microsoft viruses too.
Seeing as Apple still considers themselves to be rather impervious to viruses, trojans, worms, and their ilk, I don’t foresee this getting better any time soon, even though they did briefly post a note about using antivirus software on their website. One thing Microsoft users have going for them is that they are by-and-large more aware of common Internet threats because they run into them more often, and they must take steps to avoid them. Some may even have received training in the workplace or from a geeky niece or nephew.
Granted, OS X is based upon a relatively secure Unix kernel, and the Apple market share is much smaller than that of Microsoft. That can certainly help when talking about the prevention of spreading traditional viruses, trojans, and worms. However, when a user is unaware and clicks “OK” to download and install a seemingly legitimate plugin, all bets are off. And who knows what evil is brewing in the basements of evildoing jerkfaces to target OS X itself in ways which Windows users are unfamiliar with.
The other day I had an old client forward me an email from their credit card processing company, saying that the server upon which their website was hosted failed their PCI Compliance security check. I had never heard of this and was wary that it might be a service they were being tricked into adding on, but upon further investigation, I learned that many credit card processing companies are now instituting this new security policy, which is designed to tighten up security on web servers in order to decrease the chances of credit card theft.
This sounded all well and good, and I figured that with my background in securing servers to meet Department of Defense standards it ought to be a breeze. Little did I know that the server in question would put up quite a battle for the lone reason that it was running Plesk, the web host management tool. I had written off Plesk long ago, having ditched the server I had it running on after many issues with it, and I thought I would never have to work with it again, but alas…
I started Googling, of course, and found some great resources out there which cover the tightening up of Plesk in order to meet PCI compliance.
One of the best articles I found was at linux-advocay.org, which explains how to fix issues with Courier, Qmail, Apache, SSL, and iptables in case you don’t have Plesk’s Firewall add-on.
Also, a fellow by the name of DrJermy writes about his solutions for dealing with Plesk and PCI Compliance.
As I worked through the PCI issues with the client who contacted me, I started realizing that the standards by which the server was being scanned were presumptuous in that they didn’t take into account backporting, as implemented by Red Hat (a scanner that keys off version numbers alone will flag a patched package as vulnerable), and that they were making me fix issues which seemed rather trivial in regards to credit card processing security.
I’ve been following the story about the domain name hijacking of MakeUseOf.com the last few weeks with interest. All signs are pointing to the domain thief having cracked the MakeUseOf.com Gmail account in order to retrieve their GoDaddy.com password and transfer the ownership of the domain.
This is not good for any GMail user, let alone domain name owners who have registered their domains using a GMail address.
Apparently, this one hacker has stolen over 850 domains this way, and holds them for ransom at $2000 a piece.
The latest part of the saga details how the MakeUseOf.com folks think this happened, right down to the hacking of the GMail account. If there is indeed a security flaw in GMail, which there appears to be, MakeUseOf.com offers prudent steps to take in order to secure yourself (emphasis added by me):
(1) Well, my very first advice would be to check your email settings and make sure your email is not compromised. Check forwarding options and filters. Also make sure to disable IMAP if you don’t use it. This also applies to Google Apps accounts.
(2) Change contact email in your sensitive web accounts (paypal, domain registrar etc.) from your primary Gmail account to something else. If you own the website then change the contact email for your host and registrar accounts to some other email. Preferably to something that you aren’t logged in to when browsing the web.
(3) Make sure to upgrade your domain to private registration so that your contact details don’t show up on WHOIS searches. If you’re on GoDaddy I’d recommend going with Protected Registration.
(4) Don’t open links in your email if you don’t know the person they are coming from. And if you decide to open the link make sure to log out first.
I would add to that list:
(5) Always use secure, encrypted GMail. There is an option at the bottom of the main Settings page in GMail for “Always use https” under the “Browser Connection” heading. Select this and leave it selected! Otherwise, anything you do in GMail is sent unencrypted over the Internet. Not good!
Keep in mind that this security flaw not only matters to domain name owners, but to anyone who has any sensitive email in their GMail account, whether it be online banking info, love letters, or whatever.
This will be interesting to watch, and I hope Google takes notice of this.
UPDATE: This fellow here has posted a proof-of-concept on creating malicious filters in someone’s GMail account.
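Step (1) above, checking your forwarding options and filters, as an added example that is not part of the original post: a Python script that parses a Gmail filter export (the Atom feed produced by Settings > Filters > Export; the apps:property names are an assumption about that format) and flags any filter that forwards, trashes, or hides matching mail. The feed embedded below is constructed.

```python
# Added example (not from the original post): audit an exported Gmail filter
# feed for rules an intruder typically plants: forwarding to an outside
# address, auto-deleting, or archiving-and-marking-read mail from sensitive
# senders. Assumes the Atom format of Gmail's "Filters > Export"
# (apps:property elements); the sample feed below is constructed.
import xml.etree.ElementTree as ET

APPS_NS = "http://schemas.google.com/apps/2006"
ATOM_NS = "http://www.w3.org/2005/Atom"

SAMPLE_FEED = f"""<feed xmlns="{ATOM_NS}" xmlns:apps="{APPS_NS}">
  <entry><title>Mail Filter</title>
    <apps:property name="from" value="newsletter@example.com"/>
    <apps:property name="label" value="News"/>
  </entry>
  <entry><title>Mail Filter</title>
    <apps:property name="from" value="godaddy.com"/>
    <apps:property name="forwardTo" value="attacker@example.net"/>
    <apps:property name="shouldTrash" value="true"/>
  </entry>
</feed>"""

def parse_filters(xml_text):
    """Return one dict of property name -> value per filter entry."""
    root = ET.fromstring(xml_text)
    return [{p.get("name"): p.get("value")
             for p in entry.findall(f"{{{APPS_NS}}}property")}
            for entry in root.findall(f"{{{ATOM_NS}}}entry")]

def suspicious_filters(filters):
    """Return (index, reasons) for filters that hide or exfiltrate mail."""
    findings = []
    for i, f in enumerate(filters):
        reasons = []
        if f.get("forwardTo"):
            reasons.append("forwards matching mail to " + f["forwardTo"])
        if f.get("shouldTrash") == "true":
            reasons.append("deletes matching mail")
        if f.get("shouldArchive") == "true" and f.get("shouldMarkAsRead") == "true":
            reasons.append("archives and marks read, hiding it from the inbox")
        if reasons:
            findings.append((i, reasons))
    return findings

if __name__ == "__main__":
    for idx, why in suspicious_filters(parse_filters(SAMPLE_FEED)):
        print(f"filter #{idx}: " + "; ".join(why))
```

Run it against your own exported mailFilters.xml instead of SAMPLE_FEED; any filter it reports that you did not create yourself is a sign the account has been tampered with.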
The subject of securing your wireless (or wired) networks at home could be talked about for hours on end, and depending on what hardware (model/brand) you have, your set-up and configurations may vary. Please see the documentation that came with your device or the company’s website for more information on the specific model you have. Also, don’t hesitate to call or email the vendor for help if needed.
Basically it comes down to these few things:
Don’t broadcast your SSID if possible. (See your manual, and see this link)
Use Wireless MAC filtering if possible. (See your manual, and see this link)
Don’t use WEP for encryption.
Don’t use WPA w/TKIP (this is now breakable).
Change your WPA from TKIP to AES for encryption. (See your manual)
If your hardware (computer and wireless router) supports it, move to WPA2. (See your manual)
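As an added example (not from the original post), the checklist above applied to a hostapd-style access-point configuration in Python: the directive names follow hostapd.conf, which is an assumption about your hardware, and both sample configs are constructed. The audit flags WEP, WPA1/TKIP, a broadcast SSID and missing MAC filtering, and passes the corrected WPA2/CCMP config.

```python
# Added example (not from the original post): audit a hostapd-style
# key=value access-point config against the wireless checklist. Directive
# names follow hostapd.conf (an assumption); both configs are constructed.

WEAK_CONF = """
ssid=HomeNet
ignore_broadcast_ssid=0
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
"""

FIXED_CONF = """
ssid=HomeNet
ignore_broadcast_ssid=1
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=REPLACE-WITH-A-LONG-RANDOM-PASSPHRASE
"""

def parse_conf(text):
    """Parse key=value lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(conf):
    """Return findings from the checklist; an empty list means it passes."""
    findings = []
    if any(k.startswith("wep_key") for k in conf):
        findings.append("WEP keys present: WEP is broken, use WPA2")
    elif conf.get("wpa", "0") == "0":
        findings.append("no WPA/WPA2 configured: network is open")
    elif conf.get("wpa") != "2":
        findings.append("WPA1 still allowed (wpa=%s): use WPA2 only (wpa=2)" % conf["wpa"])
    # only explicitly listed ciphers are checked; hostapd defaults are not modelled
    ciphers = conf.get("wpa_pairwise", "") + " " + conf.get("rsn_pairwise", "")
    if "TKIP" in ciphers.split():
        findings.append("TKIP allowed: use CCMP (AES) only")
    if conf.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("SSID is broadcast: set ignore_broadcast_ssid=1")
    if conf.get("macaddr_acl", "0") != "1":
        findings.append("no MAC filtering: set macaddr_acl=1 with an accept list")
    return findings
```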
General Home Computer Security Info:
Make sure your Anti-virus application is updating/updated and enabled.
At a minimum, make sure the Windows Firewall is enabled (unless you are on a Mac, in which case you should turn yours on too).
Use strong passwords comprised of alpha/numeric/special characters on all your “Admin” level computer accounts.
If you have any files or folders shared over your home network, make sure they are password protected.
There are a million articles on computers and security online, but here are a few good ones if you are new or inexperienced with the subject (or just need a refresher).