Speaking at WordCamp Asheville – June 3 – 5, 2016

Tickets are on sale for WordCamp Asheville, and I hope many of you will come. This is my first opportunity to attend WordCamp, and I’ll actually be getting to speak at it. Come check it out if you are attending.

My presentation will be about WordPress security, how to make yourself less of a target, and how to harden your WordPress website against hackers using freely available tools.

Come say Hi if you attend!

Let’s Encrypt The World

I have been a big fan of the free SSL certificate authority LetsEncrypt.org since it was in Private Beta. Now that it is in Public Beta and is a Certificate Authority recognized by every major web browser, it’s time for you to start using it on your website!

The great thing about Let’s Encrypt is that it is free. Why? Because the sponsors behind it believe encryption is for the public good. And they are correct. No more do you need to pay $80/year or more for an SSL certificate through some company like GoDaddy. This all may sound too good to be true, but it isn’t.

Wait, what?

In case you are unfamiliar with what I’m talking about here, LetsEncrypt.org offers you free SSL (Secure Sockets Layer) certificates for your website. This makes your website secure and encrypted for your visitors, just like your bank does, by changing your site’s address from http:// to https://.

Being a user of the WHM/CPanel web hosting tools for the handful of websites I run, I found a great set of instructions and scripts you can use to get this set up and running in that environment. Just follow the instructions in the WHM forum here. Be sure to set up the cron job so that your cert(s) get renewed automatically. If you forget, it’s very easy to do it by hand from the command line, but the cron job makes it so that you don’t need to remember.

Encrypt WordPress

If you are a WordPress website owner, you can configure it to use the SSL certificate by editing your site’s URL in Settings > General. I especially recommend this for WordPress admin area logins, but there’s no reason you shouldn’t be using SSL on your whole site anymore. This is especially true considering that Google favors SSL-enabled sites over non-SSL sites.

Redirect Traffic to HTTPS

Using an .htaccess file, you can set it up so that any traffic going to your http:// website is automatically redirected to your https:// version. This is the snippet I use in my .htaccess file for that:

# Enable mod_rewrite, then send any plain-http request to the same host and path over https
RewriteEngine On
RewriteCond %{HTTPS} off
# R=301 makes the redirect permanent (without a flag Apache sends a temporary 302); L stops further rules
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
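
A quick way to confirm the redirect actually behaves as intended on every page, as an added example that is not part of the original post: it checks that a plain-http request gets a permanent redirect (mod_rewrite only sends 301 when the rule carries the R=301 flag; with no flag it defaults to a temporary 302) to the same host, path and query string, which catches the common mistakes of bouncing everything to the home page or dropping the query string. The `check_redirect` and `probe` names and the sample URL are my own.

```python
# Added example (not from the original post): verify that an http:// URL is
# redirected to the matching https:// URL, the behaviour the .htaccess rule
# is meant to give every page, not just the home page.
from urllib.parse import urlsplit
import urllib.request
import urllib.error


def check_redirect(original_url, status, headers):
    """Return (ok, reason) for the response to a plain-http request.

    Expects a permanent redirect (301 or 308) whose Location keeps the same
    host, path and query as the original, with only the scheme changed.
    """
    if status not in (301, 308):
        return False, "expected a permanent redirect (301/308), got %s" % status
    location = {k.lower(): v for k, v in headers.items()}.get("location")
    if not location:
        return False, "redirect without a Location header"
    src = urlsplit(original_url)
    dst = urlsplit(location)
    if dst.scheme != "https":
        return False, "redirects to %s, not https" % dst.scheme
    if dst.netloc != src.netloc:
        return False, "host changed: %s -> %s" % (src.netloc, dst.netloc)
    if dst.path != src.path or dst.query != src.query:
        return False, "path or query string not preserved: %s" % location
    return True, "ok"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following the redirect so the response can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url):
    """Fetch url without following redirects; returns (status, headers)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        resp = opener.open(url, timeout=10)
        return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:  # urllib raises on an unfollowed 3xx
        return err.code, dict(err.headers)


if __name__ == "__main__":
    target = "http://example.com/wp-login.php?redirect_to=1"  # placeholder; use your own site
    print(check_redirect(target, *probe(target)))
```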

Go forth and encrypt all the things!

The Slippery Slope of Encryption and Terrorism

This is really bugging me: Two nights in a row, on major news outlets reporting on the horrific attack on Paris, I have heard the reporters say things like, “the terrorists used encryption technology to ‘go dark’.”

I heard that on CBS evening news tonight (slightly paraphrased).

Last night on CNN, Poppy Sanchez (or whatever her name is) said that encryption was used to hide all of their communications, and that it was very concerning.

They are alluding to encryption as a bad thing because the terrorists used it to coordinate their attacks. They may have used automobiles too, but they didn’t seem concerned about that.

Why this attention to encryption irks me is because there has been a concerted effort by governments of the world (ours in the forefront) to get major tech companies (Google, Amazon, Facebook, more) to build so-called “backdoors” into encryption technology.

That means that if you send an encrypted message to someone, otherwise unreadable by anyone except the person you sent it to, it can still be read through this “backdoor” by the governments who are in cahoots with the tech companies, allegedly to be able to monitor communications amongst the bad guys.

You’d think that’s a good idea, right? Well, it’s been proven over and over again that backdoors get found and exploited by people who are not supposed to find them.

That is what hackers do, for better or for worse, and it’s usually for the better. You heard me correctly. Hackers find exploits and tell people about them so that they get fixed, and make everyone safer.

That is what my day job involves, actually. Sure, there are evil hackers who like to exploit these things for nefarious purposes, but that’s why we continue to find vulnerabilities and fix them.

The news outlets are pushing this idea that encryption is some dark arts majik that terrorists are using, while no one else would ever dare need such a thing. I worry that this will give the general public the wrong idea: that encryption = terrorism, so we need to do something about it.

What better time to push this idea than after a terrible tragedy?

I will link to my favorite article about encryption. It’s short, and it makes sense, and you should read it. For now, a quote:

Today, we are seeing government pushback against encryption. Many countries, from States like China and Russia to more democratic governments like the United States and the United Kingdom, are either talking about or implementing policies that limit strong encryption. This is dangerous, because it’s technically impossible, and the attempt will cause incredible damage to the security of the Internet.

–Bruce Schneier, in Why We Encrypt


Edit (9:4pm): I missed the story circulating about this exact topic, confirming everything above.

Photos by Encryptomatic.

NordVPN’s Bait and Switch

The old bait and switch: promise you one thing and sell you another. That’s what happened when I signed up for a year of VPN service through NordVPN. Their website said:

“Easiest VPN Ever. To get on NordVPN, just click and go. NordVPN’s secure VPN software takes care of all the hard stuff so you can focus on fun stuff. And work stuff, if you have to.”

Their imagery showed multiple devices running their software, including phones and laptops.

I had read about their service and took the plunge. After I had paid, I found out they do not have an app for Mac OS X or Android. Those apps are supposedly coming soon, but not yet. For now, you have to download a third-party app for each device, download a bunch of configuration files, install said configuration files, configure a bunch of things, remember your username and password for each configuration file, and then figure out what is going on and whether or not you are actually connected.

To be fair, they do have instructions on how to do all of this, but it is far from “Easiest VPN Ever.” Every other VPN app I have used is a simple app you download and click a button to get going with.

I chatted with NordVPN’s technical support guy, “Dave,” who informed me of their refund policy, which states that unless their product did not work through a fault of their own, I could not get a refund for my money. All he could do was extend my subscription by 3 months.

(01:30:40) David: if the service does not work we will issue a refund.
(01:31:17) Visitor 34392357: that is my point – it doesn’t work as you advertise it. it only works through a lengthy process of installing other software.

I would argue that their product does not work as advertised and I am entitled to a refund. In fact, it’s not even their product I am using — I am using something called “Tunnelblick” on my Mac, and an app called OpenVPN on my Android phone to connect to the NordVPN servers.

In summary, the bait was the promise of an easy-to-use VPN app. The switch was not even having an app for me to use. And whichever VPN you choose, be sure to run a speed test so you can see whether your VPN is slowing down your internet connection.

Spies Like Us

We have one network in the world today. Either we build our communications infrastructure for surveillance, or we build it for security. Either everyone gets to spy, or no one gets to spy. That’s our choice, with the Internet, with cell phone networks, with everything.

How true.

Are You Putting Your WordPress Site at Risk?

WordPress as a platform has been a solid, secure application over the years. The few times a vulnerability has been found, the WP team has been super-fast to patch it, publicize it, and take care of business.

That said, there are two major areas where WordPress lacks in security:

1. Plugins

2. Administrators

There are so many plugins for WordPress, which is part of what makes it so great. However, those plugins can also present attack vectors, and we see evidence of this almost every day.

It was just revealed that most WP users have very little understanding of the risk they are exposing their own websites to. Not updating plugins, not updating WP itself, and not doing backups are the most easily fixed things that people tend not to do.

This puts WP websites at risk, lets them get hacked, and gives WordPress as a whole a bad rap.

The survey of 503 WordPress users, which took place online during February this year, revealed that WordPress users are more exposed to security problems than expected. In total, 54 percent of respondents said they updated WordPress between once a week and every few weeks, and yet only 24 percent back their websites up — and only 23 percent have received training in the use of tools such as backup plugins.

ZDNet

On that note, I thought I’d mention that the most popular SEO plugin for WordPress, Yoast’s WP SEO, has a new, major vulnerability in it. GO UPDATE!

Why I Left Facebook For Good

I have quit Facebook for good, in case you came here trying to find out what’s up. Why have I done this?

Facebook made changes to their user agreement on January 30, and I don’t feel OK about them at all. This article, Get Your Loved Ones Off Facebook, factually sums up everything Facebook can do, and does do, with the information it collects about you, and it might give you the same uneasy feeling it gave me.

The information grabbing and sharing Facebook does reaches far and deep, and it’s not limited to what you do while on Facebook itself. Anything you do anywhere on the Internet where a Facebook Like button is present reports your activity back to Facebook. And that means just about everywhere.

“I have nothing to hide”, you say?

The issue here isn’t what we have to hide, it’s maintaining an important right to our freedom — which is the right to privacy, and the right to have a say in how information about us is used. We’re giving up those rights forever by using Facebook.

I want to quote the part of that article that gave me the biggest heebie-jeebies, because I know most of you won’t actually go read it yourselves. As of 3 days ago:

Facebook is demanding to track what you buy, and your financial information like bank account and credit card numbers. It’s already started sharing data with Mastercard. They’ll use the fact that you stayed on Facebook as “permission” to make deals with all kinds of banks and financial institutions to get your data from them. They’ll call it anonymous, but like they trick your friends to reveal your data to the third-parties with apps, they’ll create loopholes here too.

Facebook is also insisting to track your location via your phone’s GPS, everywhere and all the time. It’ll know exactly who you spend your time with. They’ll know your habits, they’ll know when you call in sick at work, but are really out bowling. “Sal likes 2pm Bowling at Secret Lanes.” They’ll know if you join an addict support group, or go to a psychiatrist, or a psychic, or a mistress. They’ll know how many times you’ve been to the doctor or hospital, and be able to share that with prospective insurers or employers. They’ll know when you’re secretly job hunting, and will sell your endorsement for job sites to your friends and colleagues — you’ll be revealed.

They’ll know everything that can be revealed by your location, and they’ll use it however they want to make a buck.

And — it’ll all be done retrospectively. If you stay on Facebook past January 30th, there’s nothing stopping all of your past location and financial data from getting used. They’ll get your past location data from when your friends checked in with you, and the GPS data stored in photos of you. They’ll pull your old financial records – that embarrassing medicine you bought with your credit card 5 years ago will be added to your profile to be used as Facebook chooses. It will be sold again and again, and likely used against you. It will be shared with governments and be freely available from loads of “third-party” companies who do nothing but sell personal data, and irreversibly eliminate your privacy.

There you have it. You can still find me here and on G+. For now.

Security Update – Links & Tips

Here are some infosec-related resources, tips, and interesting things I’ve come across in the last few days, all of which are related to cyber security and you. Hope you find this stuff useful.

Edit: Here’s a late-breaker to add to the list:

  • Surveillance Self-Defense is the Electronic Frontier Foundation’s guide to defending yourself and your friends from surveillance by using secure technology and developing careful practices.


Photo by Brad & Ying

Serious Vulnerability in WordPress Jetpack Plugin

Get your updates going as soon as possible, as this looks pretty serious!

This is a bad bug, and Jetpack is one of the most widely used plugins in the WordPress world. We have been working closely with the WordPress security team, which has pushed updates to every version of the plugin since 1.9 through core’s auto-update system. We have also coordinated with a number of hosts and network providers to install network-wide blocks to mitigate the impact of this vulnerability, but the only sure fix is updating the plugin.

So not only is that an issue, but if you haven’t done your part in protecting yourself from this week’s Heartbleed bug, which has scared the bejeezus out of the entire Internet, get yourself fixed up ASAP!

If you are lucky enough to have been using LastPass to manage your passwords, log in there and do a Security Check to find out which websites you frequent may be vulnerable to that bug. LastPass will also help you quickly change passwords as needed.

Good luck, citizens!
