Prepare Your Information Technology Will!

I know I still have some work to do on the travel tips entry in this blog, but events in my family and in the community have led me to put this blog LeetLink Tips entry to top priority.

Please get your information technology world in order!

What would happen to all the information you have on the internet when you die:  web site subscriptions, sites where you have stored your credit card information, your personal information, or set up automatic payments?  All this information should be deleted; but will it?

On the other hand, information on web sites that need to be kept, such as documents or emails:  do you have directives on where these are and what needs to be saved?

Other than the internet, you need to consider information on your computer(s), tablet(s), and phone(s). Which of these do you have? What information needs to be deleted, what should be kept?  What are the passwords?

You need to set up your Information Technology Will!  This has to contain directives on all of the above.

I know this is a pain to do, but for your family's sake, please do it.  I don't think I need to dwell on the justifications; they are self-evident.

What do I do?

• First, I use an application that uses the latest secure technology to manage my IT Will.  It contains all this information and is accessible on the internet.  You can use paper and pencil, an excel document, or whatever... just get all the information and instructions down.
• Second, identify your IT Trustees.  Give them instructions on where your IT Will is and any other pertinent instructions. I have given the password to the above repository- one that is so complex there is no chance of it being broken- to my children, along with instructions on what to do if something should happen.   My spouse has this information too, but she will need the support of my IT savvy kids to execute the directives.  Always make sure that at least one of your IT Trustees has the skills to execute your will.  
• Third, change your existing internet habits.  You've heard this before:  complex passwords, use secure communication methods (https: instead of http:), and clean and sweep your computer, especially your browser, regularly.  (I know this needs further instruction... perhaps I need to set up a class on this.)
• For those who read this, please get the word out to others to visit this blog and to get "write" your IT Will. 

Blessings

 

Travel Best Practices for Using Mobile Phones, Tablets, Computers + Keeping Travel Blogs, Photos...

I have a lot in my head about how to travel and use electronics, so I thought I would put some of my thoughts down and back those with links to more information.  The travel issues are:

• Safety
• Expense
• Convenience
• Efficiency; ie, how to keep your blogs and photo commentary current without becoming obsessive and running your vacation.

Safety:  

Wifi Safety

What I am seeing is that a significant percentage of people get "hacked" when they go overseas.   The "visible result" are messages like this:

Hello,

I am sorry for reaching you rather too late due to the situation of things right now.My family and I had a trip visiting Manila Philippines,everything was going on fine until last night when we got attacked by some unknown gunmen. All our money,phones and credit cards was stolen away including some valuable items, It was a terrible experience but the good thing is that they didn't hurt anyone or made away with our passports.  
         
        We have reported the incident to the local authorities and the consulate but their response was too casual, we were ask to come back in 2 weeks time for investigations to be made proper,But the truth is we can't wait till then as we have just got our return flight booked and is leaving in few hours from now but presently having problems sorting out our  bills here and also getting a cab down to the airport, Right now we're financially strapped due to the unexpected robbery attack, Wondering if you can help us with a quick loan to sort out our bills and get back home. All we need is (3,000 $ )  I promise to refund you in full as soon as I return home hopefully tomorrow or next. write back now to let me know what you can do.

Thank You.

The basic best practice is to to use https: to communicate or, better yet, VPN.  

Another fundamental aspect of safety that applies whether traveling or not is to be able to both find your phone and to disable it when you can't find it.  

References

• Google "wifi safety overseas"  Pick articles
• How to Use Wifi Safely While Traveling

Expense:

There are two most important things to remember:

1. Keep your phone in airport mode and turn data off. The most common expense problem is that you leave your phone on and you are near a ship or hotel that charges a very large fee per minute.  The phone jumps on their service and you have a huge bill, not only for phone calls but for data usage.
2. If you are traveling overseas, your phone may not work.  This is because there are different communication standards; you phone doesn't support those standards.  

Cell Phone Communication Standards

Sim Cards

References

• SIM card primer

I will continue this as time permits, but I thought I would put this out as is because this is will be useful even when incomplete.   Add comments at any time.  Thanks, 

Lousy DSL Service in our neighborhood?

I've been to several houses that have been experiencing "bad" internet response.  I have also experienced that.  In fact, I did some research on the signal and I tried some techniques to make it better.

First, the data:

time	Action	Ping	Jitter	Pkt Loss	IP	up	down
12:18	reset router	31	0	0
12:25	restart ooma	404	144	0
12:26	select new server	390	149	0
12:28	pull plug on Ooma	415	94	0
12:32	ran again	337	94	0
	ooma disconnected for next tests
12:35	reset router	44	25	0	74.248.232.157
12:37	retest	376	65	0
12:38	retest new server	37	1	0	picked same one
12:41	retest	37	1	0
12:42	retest	36	1	0		0.43	6.5
12:44	retest	40	8	0
12:48	retest	37	1	0
	ooma reconnected
12:49	retest	461	65	0
12:50	retest	37	1	0
12:51	retest

 
What does this mean?

The column headings mean:

• time- the time when I ran the test
• Action- what I did before running the test
• Ping- tests the time it takes for a round drip of the signal from my computer to some server on the internet
• Jitter- tests how much noise is on the network- a noisy network means you can't have good audio or video performance (eg Skype or internet based phone- VOIP)
• Pkt loss- tests the number of packets (the fundamental group of bytes of your message transmitted over the internet)
• IP- Address of the computer I am using to receive the test signals
• up- the upload speed in Mbps
• down- the download speed in Mbps

A good signal has numbers similar to the times from 12:38 through 12:48.  A bad signal is like the times from 12:25 to 12:37.

You can see that the signal is unreliable.  I tried disconnection our VOIP machine (OOMA) because our bad phone connection alerted me to the problem.  The tests show that the OOMA machine was not contributing to the noise.

It seems that what worked was to unplug the modem, and router, turn all the equipment off, and then plug in router, then modem, then VOIP machine, then other equipment.  However, as you can see, that did not guarantee a good signal. You can also see that any changes to the network, such as plugging or unplugging equipment, results in a bad network signal for some period of time.

My advice to you is to test your line whenever things seem slow.  You do this by going to two web sites:  http://www.pingtest.net to test the ping, jitter, and package loss, and http://www.speedtest.net to test the upload and download speeds.

Let me know when you get bad results and, if I am on line, I'll run the tests myself to determine if there is an ATT systemic problem.

An Example of How Your Personal Information Can Be Compromised

The following article on Web Servers came from this web page.  Apache is one configuration of a host web server.  Let me say it another way.  For most of you, your computer is either Microsoft or Mac OS based.  Servers have different bases; eg, Apache (on a Unix operating system) or IIS (on a Microsoft operating system).  Apache and other Unix-based web servers account for some 80% of all web servers.   (See this article for some current information on which operating environments are used for web servers.)

I am copying a portion of the web page here so you can see how malicious attacks make there way into servers, undetected by the host company, and from there they impact you.  The words are techie, but I can make the point:  You are at the mercy of companies that host web sites- the individuals that support the servers MUST know security, must correctly and intelligently configure the servers, and they must keep the software up-to-date.  I'm betting a large number of people in many hosting companies don't meet best practice criteria.  Be especially careful of offshore hosting sites and the websites residing on those hosts.

So read this as an example of best practices for hosting companies.

The latest high-profile attack aimed at Apache was uncovered by researchers at security firms ESET and Sucuri. Attackers managed to work a backdoor into Apache that redirected Web traffic to malicious websites, where visitors would be infected by the Blackhole exploit kit. This attack underlined the need for organizations to enact Apache security best practices and highlighted the serious fallout that can be caused by insecure Apache Web servers.

In this tip, we'll provide the best practices needed to secure Apache servers against modern attacks.

Apache security basics

In many cases, Apache server compromises are the result of outdated modules, configurations or even Web code hosted by the Web server. To combat these problems, the most recent versions of both Apache HTTP and its add-ons should be used; keeping the HTTP server up to date is absolutely critical. However, the current trend among attackers is to focus on external component frameworks, modules and add-ons that open up Apache HTTP to attacks to which it would not otherwise succumb. Keeping track of these new components is half the battle; the other half is ensuring that these packages are updated with patches and new versions as they become available. As always, remember to double check the source of a download when updating; clever attacks often try to disguise malware as a benign software update.

Beyond ensuring that updates are applied, organizations should also configure Apache HTTP Server to minimize the attack surface. While this may sound simple, there are dozens of considerations that only the system administrator can make (usually in collaboration with the Web developer). For example, a current trend with distributed denial-of-service attacks is to consume system resources while using the least amount of traffic possible. The effect of such an attack can be minimized by configuring parameters such asRequestReadTimeout, TimeOut, KeepAliveTimeout and MaxRequestWorkers to values that cut down on resource consumption. (More information about this can be found on Apache's website.) Other considerations for system administrators should include the following:

• Run HTTPd using an account with restricted privileges. Doing this will minimize the impact to the overall system, should an attacker manage to compromise the daemon itself.
• Deny the use of .htaccess files by configuring the AllowOverride parameter to None. This will ensure that htaccess files cannot be used.
• Configure mods such as mod_python and mod_php to use safe mode. Use this where it makes sense, but it may not be necessary in newer versions.
• Lock down the file system so that only root can overwrite the Apache binary. Doing this will prevent the httpd binary from being replaced with a malicious version.

Monitoring for Apache attacks

High-risk Web servers also have the most to gain from enabling mod_security, though all systems can gain some benefit. This module opens the door to a variety of tools that can be utilized to both detect and prevent attacks. You can choose to integrate this into your existing enterprise security model through IPS, IDS, NIDS and SIEM systems. mod_securityhas the ability to act like a Web application firewall, which is invaluable when serving Web applications that may not have the best input filtering.Even after putting protections in place to defend Apache servers, organizations must still be wary of attacks slipping through the cracks and wreaking havoc.To ensure that attacks don't go unnoticed, organizations should monitor their logs closely for signs of compromise. Enable a level of logging that makes sense both for HTTPd at a system level and with the Web daemon internally. A bash or python script can be easily constructed that will search the logs for certain terms, or the built-in syslogd command can be used to alert admins to potential errors or attacks. Effective monitoring and alerting requires a firm understanding of the content being served. Some content, such as use of LDAP for authentication, may behave in ways that would cause a less dynamic Web server to generate alerts. If your server is trying to use LDAP while the Web application is designed to use local authentication, there may be cause for alarm. Disabling mod_phpmay allow organizations to exclude attacks of that type from alerts, thus making real alerts that much more meaningful. For Web servers facing a high risk of attack, consider enablingmod_log_forensic to get an even more in-depth view of client requests.

Remain aware

By enacting these basic measures, it is possible to confidently secure Apache HTTP server and serve content with minimal risk of compromise. One of the most important parts of operating a secure system is keeping abreast of the latest security risks and software releases. Doing this, along with practicing diligent monitoring, will go a long way toward keeping your Apache instances secure.

About the author:Brad Causey is an active member of the security and forensics community world­wide and tends to focus his time on Web application security as it applies to global and enterprise arenas. He is a member of the OWASP Global Projects Committee and the President of the International Information Systems Forensics Association chapter in Alabama. Brad is an avid author and writer with hundreds of publications and several books. Brad also holds dozens of industry recognized certificates such as CISSP, MCSE, C|EH, CIFI and CGSP.