Security Tools And Technology Archives

Google Begins Campaign Warning Forms Not Using HTTPS Protocol

Published in Security on August 17, 2017

August 2014, Google released an article sharing their thoughts on how they planned to focus on their “HTTPS everywhere” campaign (originally initiated at their Google I/O event).

The premise of the idea was that every website, regardless of what it was doing, should be communicating securely between point A and point B. To help motivate users, it went right for the carotid artery by making it a ranking factor in search.

December 2015, Google adjusted their crawlers to start start prioritizing and indexing HTTPS pages by default. If you had HTTP / HTTPS, they would start giving more weight to your HTTPS pages.

Defense in Depth And Website Security

Published in Security on October 23, 2016

The concept of Defense in Depth is not new. It’s been leveraged in the InfoSec domain for a long time, and has it’s roots deeply embedded in military strategy and tactics. That however doesn’t mean that even those in the InfoSec domain explain or implement it correctly. To fully appreciate the idea of Defense in Depth you have to subscribe to a very simple idea:

There is no single solution capable of providing 100% protection against any environment.

I recently wrote an article on the Sucuri blog sharing some thoughts on how I feel we should think about the concept, and how we should go about deploying it within our technology stacks and organizations. I expanded my thoughts this past weekend at the BadCamp Hack The Planet summit in Berkeley where I shared some of the challenges we face in the website security domain pertaining to the subject.

The idea of Defense in Depth is simple: employ as many complementary defensive controls as makes sense for you and your organization. The optimal word being “complementary”. It’s based on the idea that every tool has a weakness, so find tools that help address them and that work in unison with one another. This does not mean you deploy every tool available, instead you must strategically map out the threats that you are most concerned with, that pose the biggest impact to your organization, and prioritize your defensive posture.

Today’s threats are evolving at a faster clip than any one solution or team can account for. It’s not a matter of finding the 100% solution, but about deploying the things we need to help reduce the growing risk. This has never been truer than in the website security domain. If employed correctly we should be better prepared to quickly identify issues, mitigate the threats and respond to incidents if so required. Attackers only need to win once. As defenders, we have to win every time.

How To Protect Your Business Data

Published in Security on September 17, 2016

It’s impossible to go a week without seeing some reference to a data breach, whether it’s a write up on what happened years ago, or updates on breaches that are still happening. The two breaches I found most interesting where a treasure trove of business data (not credit card data) was exfiltrated, and subsequently released would have to be the 2014 Sony Hack and more recently the Panama Papers hack. With this in mind, there has never been a better time for more discussion around how we think about data protection in our businesses than now.

I am partial to these hacks because as a business owner, especially one in the website security industry, the threat of a compromise is very real. We work under the guise that someone is always watching and the fact that a compromise is inevitable. As such, a lot of what we do is about minimizing the exposure and impact when it happens. There are many ways to do this as well as many areas to focus on, but one particular domain for us is the protection of the data that keeps our company going.

Impacts of a Website Compromise

Published in Security on April 15, 2016

The threats of a compromise are real, and are not specific to operating an online store. Attackers find value in a number of things, some of which include your audience and resources. In this webinar I spend some time exploring a number of the impacts we should all be aware of as website owners.

I recently gave a webinar at Sucuri in which I discuss the impacts hacks have on you as website owners. In this session I dive into three core areas:

Psychology of the Attackers.
Things they can do if successful.
Impacts to you as a website owner.

If you are currently infected, or know of someone that is, I encourage you to learn more about Sucuri and how they can help!

WordCamp US 2015: Navigating Today’s Website Threats!!

Published in Security on February 17, 2016

Recently I spoke at WordCamp US 2015 on the topic WordPress Security — Navigating Today’s Website Threats!!

WordPress is one of the most recognized website CMS platform available in the market. Dominating over 25% of the websites on the web, and over 50% of the CMS-based websites, it’s no surprise that it’s the preferred technology by marketers, sales professionals, small and large business alike, and those intent on nefarious actions.

Security In Open-Source CMS Applications

Published in Security on February 12, 2016

Open-source CMS applications are no stranger to the battle they face with security. The size of the organizations adopting the platform also has little to do with it – from bloggers to mom and pop shops to Fortune 500 companies; the concern is the same. Can open-source CMS applications be deployed securely within their respective stacks?

There are those that look at open-source and have a general distrust for it. The idea that people can see the code and submit patches makes them uneasy. There are also those who can’t get their head around the general ambiguity of open-source, in which the code belongs to no-one and everyone. What they don’t realize is that most open-source projects have a stringent commit process.

The security perception is still a very real problem for the open-source CMS industry, and many feel it’s unattainble.

How To Encrypt Gmail Emails Using Mailvelope

Published in Security on January 2, 2016

Over the past couple of years we’ve been reminded time and time again of how susceptible our communication mediums are to prying eyes. Classic examples of its susceptibility can be seen in the very public disclosure of General Petraeus affair in 2012, the release of over 170,000 emails after the Sony compromise in 2014, to the recent Ashley Madison compromise in which the CEO’s emails were shared publicly in 2015.

In either case, the information gleaned from these emails were damaging at best, and destructive at worst. In either case, what we should take away from it is that how and what we say, even if in what we perceive to be secure, is not necessarily the case.

Emails are a treasure trove of information, and as such we should all be spending a bit more time thinking of not only what we say, but how we keep what we say safe from prying eyes.

Website Security is Not an Absolute

Published in Security on October 31, 2015

I work in the field of Information Security (InfoSec), specifically website security. With that in mind, it’s but one very small piece of a very large pie. Security is complex, even at the 50,000 foot level; within each specific area of the industry, it can get even more complex. It’s no wonder it can feel overwhelming.

I have to remind myself that Security, regardless of which domain you’re focused on, always comes down to three basic elements working in conjunction with one another:

People
Process
Technology

Updating Permalinks in Ghost

Published in Security on December 8, 2014

When I think about blogging, there is perhaps no more important feature or concern than impacts to SEO. It’s perhaps one of the biggest concerns many will likely experience when performing a migration to the Ghost blogging platform.

I recently migrated my personal blogs to this platform and share some insights into the installation process in case you want to give it a go.

As you might expect, it’s had it’s up’s and down’s, much like when I first got started with WordPress. Needless to say, I’ve been making my way through it over the past few days. I’ve learned a number of things, and one such thing pertains to permalinks.

Install Ghost .5 on CentOS 7 w/NGINX

Published in Security on December 6, 2014

I recently wrote of the migration from WordPress to Ghost. In this post I want to share with you the installation workflow I used. I plan to go cradle to grave through the process.

I’ve tested it a number times, and it works every time, so even if you’re a novice you should be able to get it going. Just follow the steps:

Assumption: You have a clean install of Centos 7.0. For my scenario I’m using a droplet from Digital Ocean. What’s really awesome is that Digital Ocean actually provides a preconfigured Droplet for those that want to leverage Ghost. I believe it’s built on Ubuntu. I personally prefer Centos.

Ghost: Blogging For The Future

Published in Security on December 5, 2014

It’s only been recently that I have come to the realization that I fit into the blogger category. In doing so, I have started to place more emphasis on the technologies I’m employing to get my work done.

Ghost: Just a Blogging Platform

For the better part of 5 years I have been an adamant WordPress user. Not sure if you would say I was a power user, but I definitely employed it in my day to day activities, whether at work or at home. In that time frame I have witnessed the evolution of the platform.

How Hosts Manage Your Website Security

Published in Security on November 7, 2014

Hosts are concerned with the security of their infrastructure, not with your website.

This is a distinction that most website owners fail to make, and it’s made more evident to me every day. This same misunderstanding however puts hosts in a precarious situation where clients expect security, and to some extent get it, but on the other it’s not the type that matters nor will it address today’s challenges. This is all compounded by the economics that drives the hosting ecosystem.

I should probably clarify however that this is probably not a blanket statement for hosts. But for a majority of today’s Shared hosts that deal specifically with end-user websites, it’s very much the case.

Website Security is about Passwords?

Published in Security on October 30, 2014

Perhaps the thing that annoys me the most when I hear security being shared with end users is when they get the information wrong or overemphasis on things they don’t understand or can’t support. This is the problem in the way we communicate, especially in the WordPress community. This is applicable to all communities though, regardless of platform.

To be clear, in case the title was misleading, this sentiment is wrong and we should do a better job at communicating security.

It All Lies Within the World of Passwords

Most of the nonsense I hear around this comes from folks with a very small perspective into the world of security, and as of late seems to stem from the access control guys (those that are fighting the password game).

How We Think About Website Security

Published in Security on October 30, 2014

I recently attended WordCamp San Francisco (WCSF) where Matt Mullenweg, founder of the WordPress project and CEO of Automattic, gave his annual State of the Word.

WordCamps are informal, community-organized events that are put together by WordPress users like you. Everyone from casual users to core developers participate, share ideas, and get to know each other.

WordCamp Central

As I sat there and listened to the various accomplishments the platform had achieved, one common theme continued to pop in my head around security. It’s a theme that plagues all platforms, not just WordPress. It’s something that my business partner and I struggle with on a daily basis — it’s the biggest vulnerability every website and CMS faces, it’s users.

What’s wrong with your pa$$w0rd?

Published in Security on September 5, 2014

The discussion on access control seems to be common place these days with the latest revelations news. Found this video on some research Lorrie Faith Cranor is doing on the subject very interesting and insightful.

Importance of Updates in Website Security: WordPress, Joomla, Drupal and CMS’s

Published in Security on August 17, 2014

In my recent post talking to the dilemma that is WordPress Security, there seemed to be some confusion as to my position on updates. Allow me a moment to provide clarity on the subject, yes, updates are very important.

My previous statements are specific to the importance level of updates, it was designed to foster a very different type of conversation than one you would have with an everyday website owner. An everyday website owner doesn’t care about the nuisances or philosophical arguments that occur at higher echelons of a specific domain their concern is what affects them right now.

For the everyday website owner, along with a variety of other best-practices, you should be applying updates as they become available. This post is more specific to you and your needs and what you must understand about the world that is Updates.

Secure Your Traffic on Public WiFi

Published in Security on May 5, 2014

Often when I give talks on website security one of the various discussion points is, and rightfully so, around your individual posture when interacting on the web. This often means being aware of things like transferring your data insecurely over the web.

This insecure act is often achieved through the use public WifI access points (i.e., Starbucks, Airports, Hotels, etc.). The most obvious solution, or what feels like the most obvious is to work off a Virtual Private Network (VPN). When talking to a Network / Systems / Security individual this is the obvious choice, but to the everyday consumer it’s not.

Forensics: Analyzing a WordPress Attack / Hack

Published in Security on November 8, 2013

Recently one of our honeypots was it by an attacker and in the process we were able to gather a bunch of good intelligence on the actions taken by the attacker.

I write and detail the forensics of the attack in my latest post, for Sucuri: Case Study: Analyzing a WordPress Attack – Dissecting the webr00t cgi shell – Part I. My goal is to put out a part II next week in which we break down the shell used.

All in all, it was pretty interesting and amusing at the same time. Any questions or insight let me know.

Check Out The Article

Enable 2FA with SSH Connection

Published in Security on July 24, 2013

If you don’t know, I’m a big fan of two-factor authentication. I often talk about it integrated into your web applications access points, like wp-admin in WordPress and administrator in Joomla, but in this post I’m going to talk about leveraging it with your SSH connections.

When configuring your server access points it’s important you enable Public Key authentication in the place of passwords. Mainly because, unlike passwords, you can’t exactly brute force the access point with the keys enabled. There is also a functional aspect to it, not having to worry about passwords is great. Once you have it configured you can quickly access any of your boxes without having to remember or store the passwords. An example of where this would have been in your favor is the SSHD rootkit outbreak in February. With public keys enabled, those affected would have been spared compromises as passwords would not have been stolen.

Jump Between Servers using SSH and Shuttle

Published in Security on July 22, 2013

Jason Tucker shared this cool link over the weekend and I like it a lot and wanted to share.

It’s a tool that allows you to quickly access your various servers via SSH. If you authenticate using keys, then this is a serious win for you. It allows you to manage multiple SSH accounts via your MAC, but more importantly allows you to quickly log into them by opening your terminal and passing your syntax.

Why this is so convenient is because it helps you set your various ports, assuming they are all different, allows you to set any special options like binding to specific ports and / or defining specific keys that might not be your standard. Instead of trying to remember which one is which, you set it once and leave it alone.