On the twelfth day of Christmas

The Security for All “Twelve Days of Christmas” series concludes.

On the twelfth day of Christmas…

Twelve scams of Christmas

So thus ends the “Twelve Days of Christmas” series, with information from this article in Computing SA. While the article is clearly a McAfee promo piece, it still contains a lot of valuable information and good advice. Just remember they are hoping you will buy their stuff. One peculiar thing I noticed about the article is that the author must have a thesaurus that thinks “hacker”, “bad guy” and “attacker” are synonymous.

Bad Santas are making their lists and checking them twice, gearing up to rip off consumers online with common scams that take the happy out of the holidays.

  1. Charity phishing scams – The hackers send fictional e-mails that appear to be from well-known charitable organisations, such as the Red Cross, the Salvation Army, and Oxfam that direct consumers to fake Web sites designed to steal their money.
  2. E-mail Banking Scams – The bad guys send an official-looking e-mail that asks consumers to confirm account information, including their user name and password.
  3. Holiday e-cards – Scammers may send you an e-card that appears as if it’s coming from Hallmark asking you to download an attachment to pick up your e-card. However, the attachment isn’t really an e-card — it’s a Trojan.
  4. Fake invoices – The bad guys create a fake invoice or waybill and send it via e-mail as an attachment. Once the consumer opens the e-mail attachment there are a few variations: the recipient may be asked to confirm or cancel an order, they may be told that the parcel service was unable to deliver a package due to having an incorrect address, or the recipient may receive a customs notification about an international package.
  5. You’ve got a new friend! – Sadly, in some cases, after clicking on the notice, you NOT only do not have a new friend – you have downloaded malicious software that you can’t even detect. Of course, it’s designed to steal personal and financial information.
  6. Dangerous holiday-related search terms – When clicking on the results of a “free Santa download” search, in addition to the Christmas-themed screensavers, puzzles, and pictures you find, you also could be clicking on adware, potentially unwanted downloads, and spyware.
  7. Coffee shop cybercriminal – Attackers can jump on an unsecured wireless Internet connection with a packet sniffer to see what Web sites users are visiting, the passwords they are using, and what bank accounts they are accessing.
  8. Password stealers – Attackers go after passwords for banks and e-commerce sites, multi-player online role playing games, instant messaging and finally, social networking sites.
  9. Fraud via auction sites – Scammers use the increased activity of the holiday season to prey upon new victims.
  10. Holiday-themed mail attachments and spam – The bad guys know that e-mails with holiday-inspired subject lines are intriguing to most consumers.
  11. Online identity theft – Sites that store your personal information can be vulnerable to cybercriminals who hack in to steal your identity.
  12. Laptop Theft – The bad guys can take the merry out of your Christmas by outright stealing your laptop.

So there you have it. Twelve interesting, possibly useful, even entertaining lists. Okay eleven lists and some killer music. In any case, I hope you enjoyed it.

Happy Holidays from Security for All

On the eleventh day of Christmas: Eleven reasons to analyze your logs

On the tenth day of Christmas: Ten biggest platform development mistakes

On the ninth day of Christmas: Nine Inch Nails album for free

On the eighth day of Christmas: Eight security tips and guidelines for your WordPress blog

On the seventh day of Christmas: Seven dirtiest jobs in IT

On the sixth day of Christmas: Six new Internet hoaxes

On the fifth day of Christmas: Five scary technologies

On the fourth day of Christmas: Four worst E-Mail errors you can make

On the third day of Christmas: Three tools to search for images online by color

On the second day of Christmas: Two fake Bill Gates quotes

On the first day of Christmas: One Belsec birthday

On the eleventh day of Christmas

The Security for All “Twelve Days of Christmas” series continues.

On the eleventh day of Christmas…

Eleven reasons to analyze your logs

Seriously, how could we do a piece that has a list of eleven reasons and not include one of Anton Chuvakin’s “Top 11 reasons” articles. This article in O’Reilly Sys Admin is entitled Top 11 Reasons to Analyze Your Logs.

As promised, here is another “Top 11 Reasons” which is about log analysis. Don’t just read your logs (definitely don’t just collect them); analyze them. Why? Here are the reasons:

  1. Seen an obscure log message lately? Me too – in fact, everybody has. How do you know what it means (and logs usually do mean something) without analysis? At the very least, you might need to bring additional context to know what some logs mean (example: IP address -> hostname -> server owner)
  2. Logs often measure in gigabytes and soon will in terabytes; log volume grows all the time – it definitely passed the limit of what a human can read a long time ago, it then made simple filtering ‘what logs to read’ impossible as well: automated log analysis is the only choice.
  3. Do you peruse your logs in real time? This is simply absurd! However, automated real-time analysis is entirely possible (and some logs do crave for your attention ASAP – e.g. major system failures, confirmed intrusions, etc)
  4. Can you read multiple logs at the same time? Yes, kind of, if you print them out on multiple pages to correlate (yes, I’ve seen this done :-)). Is this efficient? God, no! Correlation across logs of different types is one of the most useful approaches to log analysis.
  5. A lot of insight hides in “sparse” logs, logs where a single record barely matters, but a large aggregate does (e.g. from one “connection allowed” firewall log to a scan pattern). Thus, the only way to extract that insight from a pool of data is through algorithms that “condense” that collection of logs into usable knowledge (some say, visualization is the way to go)
  6. Ever did a manual log baselining? This is where you read the logs for a while and learn which ones are normal for your environment. Wanna do it again? Thought so :-) Log baseline learning is a useful and simple log analysis technique, but humans can only do it for so much before burning out.
  7. OK, let’s pick the important logs to review. Which ones are those? The right answer is “we don’t know, until we see them.” Thus, to even figure out which logs to read, you need automated analysis.
  8. Log analysis for compliance? Why, yes! Compliance is NOT only about log storage (e.g. see PCI DSS). How to highlight compliance-relevant messages? How to see which messages will lead to a violation? How do you satisfy those “daily log review” requirements (again, see PCI DSS)? Through automated analysis, of course!
  9. Logs allow you to profile your users, your data and your resources/assets. Really? Yes, really: such profiling can then tell you if those users behave in an unusual manner (in fact, the oldest log analysis systems worked like that). Such techniques may help reach the holy grail of log analysis: have the system automatically tell you what matters for you!
  10. Ever tried to hire a log analysis expert? Those are few and far between. What if your junior analysts can suddenly analyze logs just as well? One log analysis system creator told me that his log data mining system enabled exactly that. Thus, saving a lot of money to his organization.
  11. Finally, can you predict the future with your logs? I hope so! Research on predictive analytics is ongoing, but you can only do it with automated analysis tools, not with just your head alone (no matter how big :-)) …

Note: This is not a paraphrase of Anton’s article, I stole it directly and completely since any editing I could do certainly wouldn’t enhance it. So if you were thinking finally some intelligent insight and pithy reasoning, sorry that’s Anton.
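Reasons 5 and 6 above are the two that are easiest to show in working code, so here is an added example (mine, not Anton’s or the blog’s) that does both with the text tools already on any Unix box. Every log line in it is constructed; the host names, addresses and the ≥3-ports threshold are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not from Anton Chuvakin's article: reasons 5 and 6 above done
# with awk, sort and comm. All log lines below are constructed.

# Reason 5, "sparse" logs: a single ALLOW/DENY line is noise; the number of
# distinct destination ports per source is what reveals a scan.
FW_LOG='Dec 20 10:00:01 fw1 kernel: ALLOW src=10.0.0.5 dst=192.168.1.10 dport=22
Dec 20 10:00:02 fw1 kernel: ALLOW src=10.0.0.5 dst=192.168.1.10 dport=80
Dec 20 10:00:02 fw1 kernel: DENY src=10.0.0.5 dst=192.168.1.10 dport=23
Dec 20 10:00:03 fw1 kernel: DENY src=10.0.0.5 dst=192.168.1.10 dport=3389
Dec 20 10:00:03 fw1 kernel: ALLOW src=10.0.0.5 dst=192.168.1.10 dport=443
Dec 20 10:00:04 fw1 kernel: ALLOW src=10.0.0.7 dst=192.168.1.10 dport=443
Dec 20 10:00:05 fw1 kernel: ALLOW src=10.0.0.7 dst=192.168.1.10 dport=443
Dec 20 10:00:06 fw1 kernel: ALLOW src=10.0.0.9 dst=192.168.1.10 dport=80'

# Print "source count" for every source that touched at least $1 distinct ports.
scan_sources() {
  printf '%s\n' "$FW_LOG" | awk -v limit="$1" '
    {
      src = ""; port = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^src=/)   src  = substr($i, 5)
        if ($i ~ /^dport=/) port = substr($i, 7)
      }
      if (src != "" && port != "" && !((src, port) in seen)) {
        seen[src, port] = 1      # count each (source, port) pair only once
        ports[src]++
      }
    }
    END { for (s in ports) if (ports[s] >= limit) print s, ports[s] }' | sort
}

# Reason 6, baselining: reduce each syslog line to a template (host, program
# without its pid, first word of the message) so "normal" is learned once and
# only what falls outside it needs a human.
templates() {
  awk '{ prog = $5; sub(/\[[0-9]+\]:$/, "", prog); sub(/:$/, "", prog)
         print $4, prog, $6 }' | sort -u
}

BASELINE_LOG='Dec 19 08:00:00 web1 sshd[101]: Accepted publickey for deploy from 10.0.0.2
Dec 19 08:00:05 web1 cron[102]: (root) CMD (run-parts /etc/cron.hourly)
Dec 19 09:00:00 web1 sshd[103]: Accepted publickey for deploy from 10.0.0.2'

NEW_LOG='Dec 20 08:00:00 web1 sshd[201]: Accepted publickey for deploy from 10.0.0.2
Dec 20 08:00:01 web1 sshd[202]: Failed password for root from 10.0.0.5
Dec 20 08:00:05 web1 cron[203]: (root) CMD (run-parts /etc/cron.hourly)
Dec 20 08:00:07 web1 kernel: Out of memory: kill process 4321 (httpd)'

# Print the templates in the new log that never appeared during the baseline.
unseen_messages() {
  base=$(mktemp) || return 1
  printf '%s\n' "$BASELINE_LOG" | templates > "$base"
  printf '%s\n' "$NEW_LOG" | templates | comm -13 "$base" -
  rm -f "$base"
}

echo "Sources hitting 3+ distinct ports:"; scan_sources 3
echo "Messages outside the learned baseline:"; unseen_messages
```

The first-word template is deliberately crude: it is enough to separate the daily sshd/cron chatter from the failed root login and the OOM kill, which is exactly the triage the list says humans burn out doing by hand.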

On the tenth day of Christmas

The Security for All “Twelve Days of Christmas” series continues.

On the tenth day of Christmas…

Ten biggest platform development mistakes

Marty Abbott and Michael Fisher in this article on GigaOm lay out ten of the biggest platform development mistakes.

Just like with golf, technology is as much about ensuring that your bad hits are recoverable as it is ensuring that you make great ones. We’re all going to have failures in our careers but avoiding the really big pitfalls will help you keep your company on the right growth path.

  1. Failing to design for rollback – If you’re developing a SaaS platform and you can only make one tweak to your current process, make it so that you can always roll back any code changes.
  2. Confusing product release with product success – Do you have “release” parties? Don’t — you are sending your team the wrong message.
  3. Assuming a new Product Development Lifecycle (PDLC) will fix issues with missing delivery dates – Too often CTOs see repeated problems in their development life cycles, such as missing release dates, and wrongly blame the development methodology.
  4. Allowing history to repeat itself – Organizations don’t spend enough time looking at past failures. The best and easiest way to improve your future performance is to track your past failures, group them by causation and treat the root cause rather than the symptoms.
  5. Scaling through third parties – If you’re a hyper-growth SaaS site, you don’t want to be locked into a vendor for your future business viability; rather you want to make sure that the scalability of your site is a core competency and that it’s built into your architecture.
  6. Relying on QA to find your mistakes – You cannot test quality into a system and it’s mathematically impossible to test all possibilities within complex systems to guarantee the correctness of a platform or feature.
  7. Relying on “revolutionary” or “big bang” fixes – The degree of success of complete rewrites or re-architecture efforts typically ranges somewhere between not returning the expected ROI and complete failure.
  8. Not taking into account the multiplicative effect of failure – Every time you have one service call another service in a synchronous fashion, you are lowering your theoretical availability.
  9. Failing to create and incent a culture of excellence – Bring in the right people and hold them to high standards. You will never know what your team can do unless you find out how far they can go.
  10. Not having a business continuity/disaster recovery plan – No one expects a disaster, but they happen, and if you can’t maintain normal business operations you will lose both revenue and customers.

As you can imagine there are many great “top ten” lists out there, and as a result I’ve managed to collect some great ones in the process of putting this series together. I’ll post those at another time.

On the ninth day of Christmas

The Security for All “Twelve Days of Christmas” series continues.

On the ninth day of Christmas…

Nine Inch Nails album for free

Sorry, couldn’t resist. But the release of The Slip is important for several reasons. Not only do Trent Reznor and NIN generate some killer music, but this album is released under a Creative Commons license. CNet news blog has this article about The Slip release.

Declaring digital sales a success, rock veterans Nine Inch Nails have released another online album, The Slip. Unlike their last album, this one is totally free, and, according to front man Trent Reznor, is a thank-you to the band’s fans.

The Slip is available from Nine Inch Nails’ Web site in a number of DRM-free formats: MP3, FLAC, M4A, and WAVE. The band is also streaming the album on music social network iLike.

So if you haven’t already downloaded The Slip, do it now. It will make a great Christmas present. And who can argue with a Creative Commons license for music? And to keep the format of this series consistent, here is the song list from The Slip.

  1. 999,999
  2. 1,000,000
  3. letting you
  4. discipline
  5. echoplex
  6. head down
  7. lights in the sky
  8. corona radiata
  9. the four of us are dying
  10. demon seed

length: 43:45
the slip is licensed under a creative commons attribution non-commercial share alike license.

On the eighth day of Christmas

The Security for All “Twelve Days of Christmas” series continues.

On the eighth day of Christmas…

Eight security tips and guidelines for your WordPress blog

Online Tech tips has these tips for keeping your WordPress blog safe – or at least functional.

Here are a few WordPress security tips I’ve learned over time. After reading a couple of horror stories about blogs being hacked, maimed and mutilated by crazy Russians or vindictive competitors, I’ve decided it would be a good idea to implement some security practices for my WordPress blog. After going through a bunch of sites and fixing things on my own blog, I thought it would be good to share these items with all of the other WordPress users out there.

Implementing these security measures is especially important for anyone who is currently making or trying to make money off their blogs. Once your blog is hacked or spammed without you knowing about it, you’ll be dropped from the search engines and it’s not easy getting back in. Remember, even with all the security measures, it’s essential to have a backup of your blog.

  1. Upgrade WordPress – This is probably the first thing you should do! If you’re not running the most up-to-date version, you’re asking for trouble.
  2. Change default passwords – Are you still logging into your wp-admin page with the same default password that was emailed to you? If so, CHANGE IT!
  3. Use SSH/Shell Access instead of FTP – This one is a big one! It’s not as easy to implement as the other two, but it’s probably the best tip out of all the others that are listed here.
  4. Install LoginLock plugin – This is a really cool plugin that will automatically block an IP address from trying to log into your WordPress admin area after a certain number of attempts.
  5. Create a blank index.html file in your /Plugins/ directory – By default, your WordPress plugins folder is completely visible to anyone by going to http://www.domainname.com/wp-content/plugins.
  6. Block access to wp-admin folder using .htaccess – There is an article written by Reuben that talks about how you can protect your WordPress admin folder by allowing access to it from a defined set of IP addresses.
  7. Remove the version string from your header.php file – Of course, if you’re running version 2.0 and the current release is 2.3 AND your blog explicitly states that it’s at 2.0 on every page, it’s not going to be very hard for someone to find your vulnerable blog and attack it.
  8. Block WP- folders from the search engines – There is no need to have all of your WordPress files indexed by Google, so it’s best to block them in your robots.txt file.

Better make sure I’m on top of this stuff.
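Tips 5 through 8 are the ones you can script, so here is an added example (mine, not Online Tech Tips’ or WordPress’ own code) that applies them to an install tree. It assumes Apache 2.2-era .htaccess directives, a theme header that prints the version via bloginfo('version'), and 203.0.113.10 as a stand-in admin address.

```shell
#!/bin/sh
# Added example, not from the Online Tech Tips article: tips 5 to 8 applied to
# a WordPress install rooted at $1, with the dashboard reachable only from the
# address in $2. Assumes Apache 2.2-style .htaccess directives.

harden_wp() {
  root="$1"; admin_ip="$2"

  # Tip 5: an empty index.html stops Apache from listing wp-content/plugins,
  # so the plugin inventory (and what is outdated in it) is not served.
  : > "$root/wp-content/plugins/index.html"

  # Tip 6: deny everyone, then let the single admin address back in.
  cat > "$root/wp-admin/.htaccess" <<EOF
# Dashboard reachable only from the administrator's own address
Order Deny,Allow
Deny from all
Allow from $admin_ip
EOF

  # Tip 8: keep crawlers out of the WordPress internals.
  cat >> "$root/robots.txt" <<'EOF'
User-agent: *
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /wp-content/plugins/
EOF
}

# Tip 7: succeed (exit 0) only if the theme header given as $1 no longer
# prints the WordPress version through bloginfo('version').
version_leak_fixed() {
  ! grep -q "bloginfo( *'version' *)" "$1"
}

# Demonstration on a throwaway tree; no real site is touched.
demo=$(mktemp -d)
mkdir -p "$demo/wp-admin" "$demo/wp-content/plugins" "$demo/theme"
cat > "$demo/theme/header.php" <<'EOF'
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
EOF
harden_wp "$demo" 203.0.113.10
cat "$demo/wp-admin/.htaccess"
version_leak_fixed "$demo/theme/header.php" || echo "header.php still leaks the version"
rm -rf "$demo"
```

On Apache 2.4 the same allowlist is written as `Require ip 203.0.113.10`. The lock-out applies to you as well from any other network, which is one more reason to have the shell access from tip 3 before you enable it.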

On the seventh day of Christmas

The Security for All “Twelve Days of Christmas” series continues.

On the seventh day of Christmas…

Seven dirtiest jobs in IT

Dan Tynan in this article for InfoWorld gives us this list of jobs that are critical but nasty.

Working in IT isn’t always pretty. After all, we can’t all work on the cutting-edge technologies all the time. Some of us have to get dirty — in some cases, literally.

Unfortunately, dirty jobs — whether you’re being chained to a help desk, hacking 30-year-old code, finding yourself wedged between warring factions in the conference room, or mucking about in human effluvia — are necessary to make nearly every organization tick. (Well, maybe not the human effluvia part.)

The good news? Master at least one of them, and you’re pretty much guaranteed a job with somebody. We don’t guarantee you’ll like it, though.

Dirty IT job No. 7: Legacy systems archaeologist – WANTED: INDIVIDUALS FAMILIAR WITH 3270, VAX/VMS, COBOL, AS/400, AND OTHER LEGACY SYSTEMS NO ONE ELSE REMEMBERS. MUST BE ABLE TO TYPE ENTIRELY IN CAPITAL LETTERS FOR EXTENDED PERIODS. APPLICANTS MUST MEET MINIMUM AGE REQUIREMENT OF 55.

Dirty IT job No. 6: Help desk zombie – Excellent entry-level opportunity for multitasking individual with low self-esteem. Ability to read from scripts a plus. Potential to move up to bug scraper, password reset technician, or tape rotation coordinator.

Dirty IT job No. 5: On-site reboot specialist – Seeking individuals for on-site support of end-users. Must be familiar with three-fingered Ctrl-Alt-Del salute and power cord reconfiguration. Ability to withstand a variety of environments and personality types; concealed-weapons permit a plus. Individuals with anger management issues need not apply.

Dirty IT job No. 4: Interdepartmental peace negotiator – Looking for self-starter skilled at moderating tech disputes between warring factions within the same company or between company and its client. Must possess experience in ego-stroking, manipulative massage, and hand-to-hand combat.

Dirty IT job No. 3: Enterprise espionage engineer (black ops) – Seeking slippery individuals comfortable with lying, cheating, stealing, breaking, and entering for penetration testing of enterprise networks. Requirements include familiarity with hacking, malware, and forgery; must be able to plausibly impersonate a pest control specialist or a fire marshal. Please submit rap sheet along with resume.

Dirty IT job No. 2: Datacenter migration specialist – Position involves relocating and reconfiguring datacenter over impossible distances within a ridiculously short time frame. Prior experience as cable jockey, rack-n-stack grunt, console monkey, and/or log zombie a plus.

Dirty IT job No. 1: Sludge systems architect – Seeking individuals with demonstrated ability to squeeze over, under, or between confined spaces to solve technical problems. Candidates should be prepared to work long hours for low pay under adverse conditions. Must not be allergic to sawdust, vermin, airborne pathogens, or sewage.

Actually #3 doesn’t sound so bad. I may just have to beef up my rap sheet, er… resume.

On the sixth day of Christmas

The Security for All “Twelve Days of Christmas” series continues.

On the sixth day of Christmas…

Six new Internet hoaxes

John Brandon in Computerworld writes this article about The best new Internet hoaxes.

Over the past year or so, several cons have appeared in one form or another — some in video form, and a few blog hoaxes. In some ways, it’s a disturbing trend because the Internet doesn’t need more inaccurate information to go along with the erroneous Wikipedia entries and opinionated blog postings. There are plenty of older hoaxes that have received more than their share of publicity, but here are my top six recent ones.

  1. Google TV – Like any good Internet hoax, the guys who made the Google TV spoof knew that a sucker is born every minute — or maybe that’s every second in Internet time. It had all the hallmarks of a good con: a product or service that is hard to obtain yet highly desirable, a brand name that people trust, a quirky geek who seemed oblivious to the fact that he looks like the long-lost nephew of Bill Gates, and a viral video format.
  2. UFO Haiti – Two spaceships fly overhead in an ominous shakycam video.
  3. Metalosis Maligna – Slightly old now (the video was released over a year ago), the “Metalosis Maligna” documentary works on many levels: It holds the interests of techies, preys on our fear of technology and just looks strikingly real. Metalosis was described as “a disease which affects patients with medical implants.”
  4. Fake Steve Lawsuit – Fake Steve Jobs pulled a fake-lawsuit ploy just before the holiday break last year. A hoax within a hoax — now that’s a particularly dastardly con.
  5. Czech Nuclear Bomb – The explosion itself does not look realistic, but the “lower third” (video titles) are convincing.
  6. Glowing Mountain Dew – Similar to the Google TV hoax, this is an instructional video, which supposedly allows you to use household chemicals to make a bottle of Mountain Dew glow like a neon torch.

Actually I like the hoax suggested by ax0n in a comment to my “If it’s on the web it must be true. Or not.” post:

In the late 1990s, some co-workers of mine tried to start a hoax about insanely violent albino ferrets (ice weasels) living in the Rockies or some such madness.

Ice weasels indeed.
