Posted on 27 Mar 2020 by Ray Heffer
Without a doubt, Wordpress is the most popular and versatile blogging platform available today. It is used by individual bloggers and large organizations alike. According to WordCamp, over 75 million sites around the world are running on Wordpress. One of the fundamental problems with this popular blogging platform, or more precisely, content management system (CMS), is keeping it secure. With over 50,000 plugins and the ease of installation, it is no wonder it has become the platform of choice for millions of websites. Unfortunately, due to its popularity, it will continue to be pwned on a daily basis.
Wordpress can be a secure platform if deployed and managed properly. However, there will continue to be zero-day exploits in many of the plug-ins used by the millions of Wordpress sites around the world. Whether Wordpress itself is secure is only part of the story. If you run a Wordpress blog, how often is the underlying server OS patched? What about the plugins, and Wordpress itself? While an unpatched server or vulnerable plug-ins are one such attack vector, there are numerous others, including brute forcing XML-RPC and exposed wp-config.php files on GitHub.
Poor implementations of the underlying server architecture are also to blame. Wordpress requires a database, and there is no way around that. Often MySQL is installed on the webserver along with everything else. This is a LAMP stack after all! But one of the issues with this is how MySQL is managed, using add-ons like phpMyAdmin or cPanel. As I write this, cPanel has over 360 known vulnerabilities and phpMyAdmin has over 250. Don’t get me wrong, tools like this make it easy to deploy your own Linux server and build your website from scratch, but it is a wonderland for hackers.
Posted on 25 Mar 2020 by Ray Heffer
In recent weeks we have all had to adapt to the changes that the COVID-19 pandemic has inflicted on us, and with more people working from home, it is no surprise. With the influx of home workers, many organizations, schools, and communities are switching to video conferencing apps like Zoom to bring their teams and students closer together. Even IT certification providers are allowing people to take exams from home, using dedicated testing software linked to a webcam and microphone.
The immediate need for home working solutions is overshadowing good privacy practices. Most of my colleagues in the IT industry think I take a very aggressive stance on privacy at the best of times. I admit that I am inclined to wear the tinfoil hat most days!
In just the last few days, I have seen several posts on Twitter of virtual happy hours and team meetings taking place at organizations around the world. As someone that has worked from home for the past 10 years, it is only in these recent circumstances that webcams are being enabled on almost every conference call. While I understand (and fully endorse) the importance of virtual meetings with webcams, we all need to be very careful about posting these on social media. I am sure my concerns are reflected at various IT security departments right now.
Note: If you are used to me posting about End-User Computing, Cloud Computing, AWS, and VMware, then don’t abandon my blog just yet! While I feel very strongly about good security and privacy practices, I’ll be blogging about these other topics again very soon! - with Privacy & Security included :)
I get it. It’s exciting to share your virtual happy hour and team get-togethers, but before posting screenshots on social media, think of the consequences. I found the image above by searching Google. I also found dozens of others in my Twitter feed in just the past week alone. The problem is that every single one of these screenshots contains full names, faces, and often phone numbers for anyone that dialed into the conference. These all get scraped by various services, many of which you have probably never heard of.
What is even worse is that many of these screenshots include the Zoom Meeting ID at the top of the screen. Now anyone can listen in to future calls. The fact it has just been posted on Twitter also reveals which day and time the meeting takes place each week. Bad idea. Back in 2012, Anonymous hacked into an FBI WebEx conference call, then posted the entire call to YouTube. Next time you join a conference call, just be careful who else is listening in.
Posted on 23 Jun 2019 by Ray Heffer
Privacy and security are not one and the same. Without security, your privacy will be compromised. This is easy enough to understand if you think about your home, the place you sleep safely at night. The doors, windows, curtains, and shutters provide you with both privacy and security. Some people might even have locks on their doors and windows!
When it comes down to our digital privacy and security, people don’t always think of it in the same way. Unlike the physical world we live in, the digital world is abundant with malware, tracking cookies, identity theft, data collection, and an exploding number of data breaches. If you fail to take any measures to protect your personal data, then that next data breach could cost you dearly.
One way to illustrate my point is to try a little experiment. Head over to HaveIBeenPwned or DeHashed, and see if your email address is found in any of the data breaches. If not then congratulations. But give it time, and check back again someday.
Another example is at-home DNA testing kits, which are becoming very popular these days. They are cheap and easy to use. However, how would you feel if you were turned down for health insurance or you have to pay a hefty premium based on your DNA? The video below, by Verge Science, shows how you could be identified via your DNA even if you’ve never taken a DNA test yourself. You may be thinking “I’m not a serial killer, so I don’t care”, but what would happen if these private DNA databases get shared with your insurance company? Worse still, your DNA profile gets leaked in a data breach.
Posted on 22 Jan 2018 by Ray Heffer
I’ve been using Microsoft Visio for a very long time, and it’s still my tool of choice when creating architecture diagrams. Since PowerPoint on the Mac has been massively improved I do use that more often, but you can’t beat Visio for the more detailed diagrams. With that, it has been almost 3 years since I shared my last EUC Visio stencil set so I decided it’s time for an update for 2018. I do intend to add a lot more shapes to this set as I create them. Many of these are from existing Visio Stencils available online (see links below), whereas others are ones I’ve collected over the years or had to create myself. You can see all of the shapes and icons included in this Visio Stencil Set in the image above.
Tagged with: vmware vdi euc networking