Should have done this a while ago: turned on HTTPS by default

We all take for granted that if you are going to go to an ecommerce site you want an HTTPS connection. What I hadn't got around to was adding HTTPS to greenm3.com. Will did it yesterday. You should see a locked icon now in your browser URL bar.

The link on how to do it for Squarespace is here.

  • Secure (Preferred) - All visitors are redirected to HTTPS, even if they entered the HTTP version in their browser. Sitemaps contain HTTPS links and search engines index the HTTPS version. Unsupported browsers can’t load your site.

This was so easy I feel dumb not doing this sooner.

Security or Insecurity - what’s next? 7x24 2017 Fall Keynote Kevin Kealy

A 7x24 Keynote speaker favorite gave the Tuesday Keynote, discussing the current state of Security or Insecurity.


Kevin started out discussing the Equifax hack.

Kevin pulls no punches pointing out their stupidity and how they set a new benchmark for mismanagement. Equifax had a single server that needed to be patched, and the CIO chose not to apply the patch because the service would have gone down. A single server???

A simple, free thing to do is to apply the patches. Don't defer the patching. Even at home.


Kevin added a new topic that is not on his slides: https://www.krackattacks.com/. Kevin covered the reality of it, asked the great question of how many of you run Linux, and made the point that anyone who runs Android is running Linux.

[Image: slide]

Kevin uses a Fortinet firewall and AP.

And in the above slide Kevin repeats the need to patch.

Kevin mentioned many ideas that I live by. Part of a good process is regular review, and watching Kevin is one of the most enjoyable ways to self-evaluate.

As usual Kevin is a crowd pleaser. 

And last, here are some resources to help you out.

Sorry, this is an image file and not clickable HTML links. :-(

[Image: resource list]

Watch out for the do-it-yourself WordPress designer; it is tough to be both a security expert and a designer

WordPress comes up regularly when people think about hosting a website or blog. It's popular, so what is the problem? Netcraft has some data that will show you the problem: security.

WordPress is the most common blogging platform and content management system in the world: Netcraft's latest survey found nearly 27 million websites running WordPress, spread across 1.4 million different IP addresses and 12 million distinct domain names. Many of these blogs are vulnerable to brute-force password guessing attacks by virtue of the predictable location of the administrative interface and the still widespread use of the default "admin" username.

But remarkably, not a single phishing site was hosted on Automattic's own WordPress.com service in February. WordPress.com hosts millions of blogs powered by the open source WordPress software. Customers can purchase custom domain names to use for their blogs, or choose to register free blogs with hostnames like username.wordpress.com.

If you are going to use WordPress, try hard to use wordpress.com.

Vulnerable WordPress blogs can also be used for other nefarious purposes. A botnet of more than 162,000 WordPress blogs (less than 1% of all WordPress blogs) was recently involved in a distributed denial of service (DDoS) attack against a single website. Attackers exploited the Pingback feature in these WordPress blogs (which is enabled by default) to flood the target site with junk HTTP requests, causing it to be shut down by its hosting company.
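As an added example (not from this post or from Netcraft), here is a small Python script that runs over constructed Apache access-log lines to flag the two abuse patterns the Netcraft excerpt describes: repeated failed POSTs to the predictable wp-login.php path, and bursts of POSTs to xmlrpc.php, the endpoint that serves pingbacks. The log lines, IP addresses and thresholds are made up; the status-code heuristic relies on WordPress re-rendering the login form (200) on a failed login and redirecting (302) on success.

```python
import re
from collections import Counter

# Constructed Apache combined-format lines (not real traffic). A failed WordPress
# login re-renders wp-login.php (HTTP 200); a successful one redirects (HTTP 302).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2014:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2014:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2014:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2014:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2014:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2014:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2014:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2014:10:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "curl/7.30"
192.0.2.9 - - [10/Mar/2014:10:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "curl/7.30"
192.0.2.9 - - [10/Mar/2014:10:02:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "curl/7.30"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse(log_text):
    """Yield (ip, method, path, status) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m["ip"], m["method"], m["path"].split("?")[0], int(m["status"])

def failed_logins_by_ip(log_text):
    """Count POSTs to wp-login.php that did NOT redirect, i.e. failed password attempts."""
    c = Counter()
    for ip, method, path, status in parse(log_text):
        if method == "POST" and path == "/wp-login.php" and status != 302:
            c[ip] += 1
    return c

def xmlrpc_posts_by_ip(log_text):
    """Count POSTs to xmlrpc.php; a burst is consistent with the pingback abuse described above."""
    return Counter(ip for ip, method, path, _ in parse(log_text)
                   if method == "POST" and path == "/xmlrpc.php")

def suspicious_ips(log_text, login_threshold=5, xmlrpc_threshold=3):
    """Return {ip: reason} for sources at or over either threshold (thresholds are assumed)."""
    flagged = {}
    for ip, n in failed_logins_by_ip(log_text).items():
        if n >= login_threshold:
            flagged[ip] = f"{n} failed wp-login.php attempts"
    for ip, n in xmlrpc_posts_by_ip(log_text).items():
        if n >= xmlrpc_threshold:
            flagged[ip] = f"{n} xmlrpc.php POSTs"
    return flagged
```

Running `suspicious_ips(SAMPLE_LOG)` flags 203.0.113.5 for the five failed logins and 192.0.2.9 for the xmlrpc.php burst, while the one-shot successful login from 198.51.100.7 is left alone.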

Wonder if Snowden gets a job looking at Sochi Surveillance Data

Snowden is in Russia. Wouldn't it be ironic if he got access to the surveillance data from Sochi?

Here is a post on the spying at the Sochi Olympics.

But as is often the case, the bigger threat to visitors may be the one they can't see. As athletes, journalists, and spectators arrive in Sochi, their every electronic move is being watched. All information transmitted in the country via phone and Internet, including text messages and e-mails, is flowing through the Russian System for Operational-Investigative Activities, according to the U.S. State Department's Overseas Security Advisory Council. The council is warning American travelers that the system, known as SORM, has had an upgrade in Sochi just in time for the games, allowing the Federal Security Service (formerly known as the KGB) enhanced access to communications.

“The system in Sochi is capable of capturing telephone (including mobile phone) communications; intercepting Internet (including wireless/WiFi) traffic; and collecting and storing all user information and data (including actual recordings and locations),” the U.S. council, which operates as a joint venture with the private sector, wrote in an assessment for its members ahead of the Olympics. “Deep packet inspection will allow Russian authorities to track users by filtering data for the use of particular words or phrases mentioned in emails, web chats, and on social media.” Of course, the terrorist threat at the Olympics is a real one, and the Russian system is authorized under local law, the report says.

There are two data centers in Sochi.

Rostelecom Commission Sochi 2014 Secondary Data Center

23 March 2012 / Partners News

A Secondary Data Center (SDC) has been provided by Rostelecom for the Sochi 2014 Games. Its purpose is to guarantee the absolute reliability of the main information systems used by the Sochi 2014 Organizing Committee offices in Moscow and Sochi.

The SDC is one of the key elements of the Unified Information & Telecommunications Infrastructure for the Games and provides the complete backup of email systems, MSDynamix ERP systems, MSOCS systems (Office Communications Server), and DocsVision documentation systems, as well as Organizing Committee catalog services. The equipment included in the SDC is located on platforms at the Rostelecom data processing center in Moscow.


Seems like Snowden would have a lot to keep him busy if he got access.

What happens when your data mining is flooded with SPAM? NSA's data center problem

The Washington Post discusses the problem of the NSA data center being flooded with SPAM.

The NSA's data-collection activities are so resource-intensive, the agency can't complete its new server farms fast enough. But when it does, a significant share of what gets held on those servers could wind up being worthless spam.

We now know the NSA collects hundreds of thousands of address books and contact lists from e-mail services and instant messaging clients per day. Thanks to this information, the NSA is capable of building a map of a target's online relationships.

The abundance of SPAM is probably one of the top reasons so many users try not to use e-mail.

The writer closes by making the point that part of what is stored in the NSA data center is lots and lots of SPAM.

Industry reports show spam accounts for an overwhelming share of all e-mail. Other internal NSA documents obtained by The Post's Barton Gellman appear to agree. If what the NSA is downloading is at all reflective of the broader Internet, then it's fair to conclude the agency collects a significant amount of spam and has little choice but to store it — meaning that of the "alottabytes" of storage the NSA brags about in its Utah data center, a heap of them will be filled with junk.