Melanie


Living in a parallel steampunk world of mechanical computers and a global communication system that looks awfully similar to Terry Pratchett's Clacks, this secret superheroine to non-profits and small to mid-size businesses provides affordable custom websites, demonstrating my super web powers on both the back end and the front end, along with email marketing, security, analytics, support and SEO. Well, not so secret anymore. Whups.

Strong Passwords: Keeping Your Site Secure


One of the single most effective things you can do to keep your web site or other online accounts safe at the user layer is to use a strong password.

This past week, in what has been one of the larger distributed brute force attacks against WordPress sites, over 90,000 IP addresses were involved in login break-in attempts that cycled through usernames and passwords. The attackers control about 100,000 bots, according to CloudFlare. The scope encompassed every WordPress installation on the network.

Typically, over the last few months, such attacks ranged from 30,000 to 40,000 per day. This past week that number jumped to 77,000 per day.

The word went out from Hostgator, a popular hosting service, late Thursday night:

“At this moment, we highly recommend you log into any WordPress installation you have and change the password to something that meets the security requirements specified on the WordPress website. These requirements are fairly typical of a secure password: upper and lowercase letters, at least eight characters long, and including “special” characters (^%$#&@*).” (Hostgator)

I highlight this attack, which was a brute force dictionary attack, to make you aware of how important a strong password is, not just for WordPress sites but for any web site, including social media accounts. Such attacks are gaining momentum. This attack was so exceptional in its scope that it also caught the notice of the Department of Homeland Security.

Here at Switched-On-Sites, we make it a practice to always use strong passwords on all client sites. We also worked through the night to make sure even those passwords were updated as a precaution. The hosting services we recommend have also taken precautions on their end to protect against this kind of attack. But it's best to think of security protection in layers, and you need to have every layer protected against this kind of attack and others.

What is a strong password? As in the quote above, it's a password that follows these requirements. It contains:

  1. upper and lowercase letters
  2. at least 15 characters (why do I say 15? Because current password-cracking software is known to be able to break 14-character passwords)
  3. “special” characters (^%$#&@*)

So what does a typical strong password look like? The following is an example. Please DO NOT USE IT. IT IS ONLY AN EXAMPLE.

9##@[iX’6s@C(8s
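To make the three rules above concrete, here is an added example (not part of the original post) that checks a password against exactly that policy and estimates how many guesses a brute-force attack would need, which is why the length requirement matters most. The guess rate and the sample passwords are constructed for illustration.

```python
"""Check a password against the policy stated above (mixed case, at least 15
characters, at least one of ^%$#&@*) and estimate its brute-force cost."""
import math
import string

# The special-character set quoted from the hosting provider's advice.
SPECIAL_CHARS = set("^%$#&@*")
MIN_LENGTH = 15


def check_policy(password):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("no special character from ^%$#&@*")
    return problems


def charset_size(password):
    """Size of the alphabet an attacker must search, based on the character
    classes present. This is the usual brute-force estimate: it assumes the
    attacker knows which classes were used but nothing else. A dictionary
    attack searches far less than this, so passwords built from dictionary
    words are weaker in practice than the estimate suggests."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    if any(c.isspace() for c in password):
        size += 1
    return size


def entropy_bits(password):
    """Brute-force entropy estimate in bits: log2(charset_size ** length)."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


def years_to_exhaust(password, guesses_per_second=1e10):
    """Years needed to try every candidate at the given guess rate. The default
    rate is a constructed figure in the range of an offline GPU attack on a
    fast hash; online login attempts such as the WordPress attack described
    above are many orders of magnitude slower."""
    guesses = charset_size(password) ** len(password)
    return guesses / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample passwords for illustration only; do not reuse them.
    for sample in ["Summer2013", "Tr0ub4dor&3", "Qp7#vLm2$xRt9@Wz"]:
        verdict = check_policy(sample) or ["passes policy"]
        print("%r: %s; ~%.0f bits; ~%.1f years to exhaust"
              % (sample, ", ".join(verdict), entropy_bits(sample),
                 years_to_exhaust(sample)))
```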

 

So if you are not yet using strong passwords, we strongly recommend that you start doing so immediately.
Want to know about other ways we can increase the security of your site against this and other kinds of malicious attacks? Please contact me and we can discuss a plan that will cover your needs. Stay safe out there!

Zero Inbox Tip: How To Add An RSS Feeder To Your Browser


An empty mailbox can mean one of two things: either everyone has forgotten you, or it can mean a beautiful thing: you've answered all your correspondence and paid your bills, and you can kick back and use your time for other things.

Today we usually get more email than we get snail mail. And with email, getting your inbox empty can become an overwhelming task. So today I'm going to offer a helpful tip to get some of that necessary but overwhelming email out of your inbox: convert what you can by signing up for RSS feeds instead of email subscriptions, and then install an RSS feed reader in your browser.

1) First off, take stock of the email you now get. How many of those are email subscriptions? Do they offer an RSS feed alternative? If so, convert by signing up for the RSS feed and cancel your email subscription.

2) After you have done that, it's time to get an RSS feed reader installed or opt for a service. For today's purposes, I'm going to take you through the first option, and we're going to install the reader right in your browser. For today's tutorial I'm going to use Chrome as my browser. It has a lot of advantages over Firefox and IE as regards speed, and its security is good for the most part. It's really a bit more than just a browser; it actually operates like an OS for the web.

So, make sure you have Chrome installed.  Next, we want to take a trip to the Chrome Web Store. Specifically, we’re going to get their RSS Feed Reader and install it.

[Image: AddChrome]

Click the green button and follow the install instructions (you may have to restart Chrome) and when you bring Chrome back up, you should see the following:

[Image: RSSReader]

Now you're set to start adding your RSS feeds. Click the orange feed reader icon (see the image above) and watch the pop-up dialog appear. Click on the ‘+’ sign in the upper right-hand corner to add your feed.

[Image: AddFeed]

[Image: EnterFeed]

The feed URL may vary in the way it is configured, but most will look like the one above. Where do you find this feed? Most websites have the RSS icon somewhere on their site. Right-click it and copy the URL, as shown below.

[Image: RssClick]

Now that you have added the feed, it's time to read! Click on the feed name and the new posts will expand underneath. Just click on the one you want to read and voilà! It takes you right to that page.

[Image: ClickRead]

Also, for those of you who use Google Reader and are worried now that it's going away, there's a nice little option for importing your Google Reader subscriptions and pushing them to Feeder.

[Image: GoogleRead]

There you have it: how to add an RSS feed reader and RSS feeds to your browser and empty some of the clutter from your inbox! Stay tuned for more tips on how you can get your inbox down to zero in no time.


Keeping Your Facebook Account Safe


UPDATE 8/10/2014:  What to do if you are infected with Facebook Malware (includes scanner download)

As of March 2013, there are 1.06 billion users and 689 million mobile users on Facebook. Those users visit 42 million pages and use 9 million apps.* That's a lot of opportunity for hackers to get your private information and hack into your stuff. My post today is about explaining how they are doing it. We're going to cover a lot of ground, so pay close attention. Here's what we'll cover: five ways that your Facebook account can be hacked, ‘silent listeners’, and a recent phishing attack on Facebook of which you need to be aware.

Five ways your Facebook account can be hacked

The following are just some of the most popular ways among hackers to get into your account.  We’ll briefly consider them and, later, what you can do to protect yourself and others.

  1. Keylogging – this is done through spyware programs that monitor your keystrokes, grabbing whatever information they can, including your password as you type. It affects local and remote PCs and is very easy for attackers to do. Until the spyware is removed, they can monitor everything that's being typed.
  2. Phishing – this is about obtaining sensitive user information (passwords, credit cards, etc.) through some kind of fraud, usually an email or a web page that directs you to click a link or give up some information that lands in the hands of a hacker. In this instance, a fake Facebook page is created and the user is tempted to trust it and enter information through a login prompt. Once the information is entered, it is stored in a text file. Now the hacker has your login credentials. There has been a recent attack of this kind, and Facebook has been warned. I'll write more about that in a little bit.
  3. Mobile phone hacking – this is similar to keylogging (discussed above) in that it uses a spyware program installed on your smartphone to capture your keystrokes.
  4. Session hijacking – the most dangerous thing you can do to invite this one is to use a non-secure connection (HTTP rather than HTTPS). Session hijacking lets the hacker steal your browser's session cookie, the information that confirms your login on a web site, in this instance Facebook. Session cookies are usually temporary and get deleted when you close the browser, but while they are in use, a hacker can intercept and steal the information associated with them.
  5. Side-jacking – this is similar in goal to session hijacking, but the means are different. Using a packet sniffer, the hacker seeks to intercept unencrypted cookies from a website, in this case Facebook, and exploit them over an unsecured Wi-Fi connection or LAN. In this instance, both you and the hacker have to be on the same connection.

‘Silent Listeners’

According to a recent seven-year Facebook study (yes, we've been on there that long!), there are ‘silent listeners’ getting your information on Facebook. Although users (on the whole, since 2009) have been sharing less information publicly (electing instead to share within circles of friends), they have had others listening in to the conversations, photos, and other shared posts. Who are these other ‘silent listeners’? They are the third-party apps so popular on Facebook. Yes, every time you agree to that invite from your friend to remember your birthday, read The Washington Times, play Farmville, share music from Spotify, check in with Foursquare or use any other third-party app, you are sharing your private information with them. As ThreatPost, Kaspersky Lab's news service, notes:

That, along with user information given up by Facebook to entities of its choosing (law enforcement, etc.) and the information from private fields that is ultimately given to advertisers comprise a significant uptick in shared personal information that oftentimes, users are completely unaware they’re sharing. It’s these apps and entities that are ultimately likened to as “silent listeners” in the trio’s paper.

So you might want to think twice about using third party apps in the future or at least limit the ones you use.

Recent phishing attack on Facebook

As of two days ago, a new phishing campaign has been targeting Facebook users and Facebook pages. It looks and feels like a Facebook page, but the information it asks you for is not going to Facebook; it is going to a hacker.

The following is an image of the so-called “Facebook Verification page”, a bogus page asking users and page admins for the page URL and name along with their login credentials. **

[Image: Hijacking Facebook pages]

Once you fill out the page, the hacker has your information to sell or to exploit for his or her own purposes.

Advice:

Facebook Phishing Protection:

  • Don't click on links in email messages unless you are absolutely sure of the source. And even then, it's not that hard to go to the web site outside the email to check it out.
  • Don't put personal information in an email.
  • Do not enter personal information in a pop-up page (one that opens in a new window).
  • Report suspect Facebook phishing pages and emails at: https://www.facebook.com/help/217910864998172

Facebook mobile phone protection: When connecting through a mobile phone, use a VPN (Virtual Private Network). If you can't afford a business or paid VPN service, there are free alternatives. These free services will NOT give you the same level of protection, so don't use them for sensitive data transmission like bank records and such. VPNs also tend to slow down your browsing speed. Bottom line: invest in a good VPN service.

Facebook keylogging protection: This is a difficult issue because many businesses use keyloggers to monitor their employees, so some anti-keylogger software does not filter all keyloggers. There is free anti-keylogger software and paid. Best advice: comparison shop and make yourself aware of the pros and cons of each, and of your own situation and needs.

UPDATE 3/26/2013

One of our leading cryptographers, Bruce Schneier, just came out with a post addressing social sharing changes to his blog. Again, it concerns how your data and mine are being tracked through social media buttons, often without our knowledge and most definitely without our consent. As he states the problem:

The problem is that these buttons use images, scripts, and/or iframes hosted on the social media site’s own servers. This is partly for webmasters’ convenience; it makes adoption as easy as copy-and-pasting a few lines of code. But it also gives Facebook, Twitter, Google, and so on a way to track you — even if you don’t click on the button. Remember that: if you see sharing buttons on a webpage, that page is almost certainly being tracked by social media sites or a service like AddThis. Or both. (Schneier)***

His solution to this is to use an alternative sharing system called Social Share Privacy. It's a plugin that developers can use on your site to help provide a layer of privacy between you and the trackers. It's a two-click system. It's not perfect, but if you don't click, you don't get tracked. Here's how it works:

The buttons are first disabled and a user needs to click them to enable them. So in order to e.g. like a site on Facebook with these social share buttons a user needs to click two times. But in return for this extra click a user can only be tracked by these third-party sites when he decides to enable the buttons. Using the settings menu a user can also permanently enable a social share button. (Social Share Privacy)

Our post deals mainly with security, but part of that includes how much information you want third-party apps to be taking and sharing with Big Data storehouses as well.  I’ll be writing a bit more about that in a future post.

But for now,  give Switched-On-Sites a call and allow me to help make your web site secure and your information private while you do business on the web.

*Figures provided by Digital Marketing Ramblings

** image src: The Hacker News

***Schneier on Security


SECURITY UPDATE: Adobe Updates for Flash Player – Multiple Vulnerabilities


Original release date: February 13, 2013

“Adobe has released a security update for Adobe Flash Player to address multiple vulnerabilities. Exploitation of these vulnerabilities may allow an attacker to cause a denial-of-service condition or take control of the affected systems.” (CERT)


As a review, a denial of service (DoS) attack is a brute force attack that can stop a machine or network service, making it unavailable to its users. It does this by overloading the machine or service with too many requests at once.

Advice:

Go to the Adobe Flash Download Center and make sure your system is updated. Chrome users should see the following message:

Your Google Chrome browser already includes Adobe® Flash® Player built-in. Google Chrome will automatically update when new versions of Flash Player are available.

If you wish to manually trigger Chrome to update, go to the three-bar icon in the upper right-hand corner of your Chrome browser. Click it to pull down the menu, then click on “About Google Chrome”. It should immediately begin checking for updates. If you wish to check that the update is installed, type the following in the location bar of your Chrome browser: chrome://plugins/ and check that the version number of the Flash Player plugin matches the update.

Relevant URL(s):
<https://www.adobe.com/support/security/bulletins/apsb13-05.html>


Android Users: Malware Issue and Security Update Notice for Wireless Carriers

Android Users: Malware Issue

There's a new type of malware that can infect your computer when you connect your smartphone or tablet to it, installing a backdoor on your computer.

The suspected malware apps are Clean and DroidCleaner, found in the Google Play Android market. These two are actually the same application, released under two different names.

These applications are disguised as a tool to clean memory on the Android operating system, but after you install and run one, it displays a list of all running processes and then restarts the device. Later, in the background, the app downloads three files onto your phone:

  • autorun.inf,
  • folder.ico,
  • and svchosts.exe.

Advice:

Currently, Google's malware detection only targets about 15% of attacks. Android 4.2 lets a user access malware protection under ‘Quick settings’, which you reach by swiping down from the top of the screen with two fingers, rather than the one-finger swipe used to access notifications. You can also use the settings button located at the top of the notification drop-down menu. From there you can access a malware scanner for the platform that screens “sideloaded” apps (meaning software not downloaded from Google Play) for any mischievous code. As noted above, though, both of the apps mentioned here are found on the Google Play market. So buyer beware!

Android Security Update Notice for Wireless Carriers

Android users may have noticed that they are not getting their regular security update notifications as they should, leaving them and those they connect with open to exploits and risk. The following explains why:

Activist Chris Soghoian, who has targeted zero-day brokers in the past with his work, has focused his attention on wireless carriers and their reluctance to provide regular device updates for Android mobile devices.

Read more

Advice:

Make sure you check this link frequently, about once every two days. Bottom line: Google Android does not have the protection against malware that it should. Keeping up to date with security warnings is your best defense.


How To Add A Photo or Image on Twitter

Some of you are wondering (now that Twitter doesn't want you to use a lot of third-party clients to upload your photos) how you upload a photo to Twitter. Well, here's how:

  1. Begin a new Tweet on twitter.com.
    [Image: NewTweet]
  2. Click on the camera icon.
    [Image: CameraAppears]
  3. Locate the image you want to upload on your computer when prompted.
  4. After you select an image, you’ll see the image thumbnail and the camera icon highlighted in blue at the bottom of the Tweet box.
    [Image: PicAppears]
  5. Type your message and click Tweet.
  6. If you uploaded the wrong image or changed your mind, just click the x in the thumbnail or next to the filename to delete the current image.
  7. That’s it! You did it!

Take Control of YOUR Information


Image Source: Sneakers, film, 1992

There’s a war out there, old friend. A world war. And it’s not about who’s got the most bullets. It’s about who controls the information. What we see and hear, how we work, what we think… it’s all about the information!

– Cosmo, film-Sneakers, 1992

Yes, it is all about the information these days.  From the Garden of Eden with its ‘Tree of the Knowledge of Good and Evil’ to our ‘Information Age’,  we crave ‘the information’.  And now we’ve learned how to mine more of it, do it faster, and manipulate it to our advantage.

This is especially true of social media information. Companies have the right to (and do) collect and sell your information, if we give it to them. Social media like Google+ and Facebook make their revenue off it, and you and I look at ads through their interfaces aimed specifically at our likes, which we've freely told them about when we ‘Like’ business pages or comment to our friends about where we went to eat or what we bought. We log on and we post….

And we post and we post. And Facebook and Google get all that information… FOR FREE, well, for free from us. We don't directly receive any payment for what we post. What we post doesn't lead back to our website (if we have one). It stays right there on Facebook or Google or any of the other popular social media. Facebook even allows you to download everything you've posted, and they state in their TOS (Terms of Service) that you and I “…own all of the content and information you post on Facebook, and you can control how it is shared through your privacy and application settings.” Except that you can't control the fact that Facebook reserves the right to use that information as a marketing asset to be sold to those willing to pay for it. That's the deal we're all pretty much aware of; we just tend to forget it when we're on Facebook and enjoying the fun of sharing with our friends. So what is my point?

My point is this: it's your information, and you should at least take control of it to the extent that you can, by choosing the privacy settings you want as a personal policy. But there's something you can do that gives you even more control: change the direction in which your information flows. Instead of posting directly to Facebook or Google+ all the time, why not start posting your thoughts through your own blog on your website and then post that to Facebook or Google+? Only then do you start controlling where the traffic flows: from your website >> to social media >> and back to your website again, instead of letting it sit on social media benefiting other businesses.

Why not ask us here at Switched-On-Sites how we can help you take control of YOUR information and redirect your social media traffic to benefit you and your site!


Different? Better? Completely Gone? We do know what’s going to happen to Google Sync

Source: The Googlighting Stranger, Google Images

If you have ever watched Microsoft's now infamous Internet commercial “Googlighting Stranger”, you know there are a couple of famous lines in it that describe Google's business model of killing features and tools after getting people to commit to them. “How else are we going to know what features to keep and what to kill?” asks Mr. Epperson, Google's fictitious representative in the video. “Different? Better? Completely Gone? Who knows what the future holds for Google Apps?”

Well, we do know what's going to happen to Google Sync, the feature that allowed iPhone users of Google Apps to access all the familiar tools. It will stick around for existing users and for users of the Business, Government and Education versions of Google Apps, but no longer for those who use the Standard (make that ‘free’) version.

According to Google's blog, they are doing a little ‘winter cleaning’:

“Google Sync was designed to allow access to Google Mail, Calendar and Contacts via the Microsoft Exchange ActiveSync® protocol. With the recent launch of CardDAV, Google now offers similar access via IMAP, CalDAV and CardDAV, making it possible to build a seamless sync experience using open protocols. Starting January 30, 2013, consumers won’t be able to set up new devices using Google Sync; however, existing Google Sync connections will continue to function. Google Sync will continue to be fully supported for Google Apps for Business, Government and Education,”

Jim Dandy, ain't it? Of course, Android users won't be affected. But hurry and get synced, you free Google Apps users, because after January 30, 2013 you won't be able to enable Google Sync on any new device.


Ransomware Locks Computers, Demands Payment

There's a nasty virus that's come to town, and the FBI wants you to be aware of it.

The Reveton virus, used by hackers in conjunction with Citadel malware—a software delivery platform that can disseminate various kinds of computer viruses—first came to the attention of the FBI in 2011.

What’s so bad about this new virus?

Reveton is described as drive-by malware because unlike many viruses—which activate when users open a file or attachment—this one can install itself when users simply click on a compromised website. Once infected, the victim’s computer immediately locks, and the monitor displays a screen stating there has been a violation of federal law.

I came across news of it today through one of my organizations, ChurchIT Roundtable (which seems to verify that it is indeed spreading, according to Donna Gregory of the FBI's partner site IC3), from a member posting that one of his clients now had a compromised laptop as a result. Nice, right? So I decided to do some investigation of my own.

If you search Google for “FBI virus”, you'll get the FBI site right up there at the top. In fact, the quotes above come from them. Later on the page, there are various tech forum posts and a YouTube video describing how you can remove this virus. McAfee is one of the leaders, which makes me wonder just how good a security system they produce. But it seems this one can get through MSSE, too. And if you are interested in the nuts and bolts of how this works, here's as good an explanation as any of how that can happen with malware. The bottom line: if you don't keep up with all your security updates, there's going to be an exploitable hole somewhere in some layer, no matter how good a system you have. Nothing is 100%! So to recap: this thing is bad because 1) it can get through even if you have a security system running, and 2) it's spreading – you can pick it up off

But Hey! What About Google Chrome’s Phishing and Malware Protection feature?

There are some things you can do to protect yourself.  First off, make sure the security features are turned on in your browser.

If you are running IE8 or IE9, follow these steps:

  1. Make sure you have your SmartScreen Filter turned on.
  2. IE8 users will find this under the Safety menu; IE9 users will find it under the Tools menu.

If you are surfing with Google Chrome follow these steps:

  1. Open Google Chrome
  2. Click on the wrench icon located in the top right corner of the browser.
  3. Select Settings from the drop-down list.
  4. Click on Under the Hood from the left panel.
  5. Mark the Enable phishing and malware protection under Privacy settings.

If you are running Firefox, follow these steps:

  1. Open Firefox
  2. Click on Tools >> Options >> Security
  3. Make sure the following are checked:
    • Warn me when sites try to install add-ons
    • Block reported attack sites
    • Block reported web forgeries

So what can you do if you are infected?

The IC3, or Internet Crime Complaint Center, recommends the following:

  • Do not pay any money or provide any personal information.
  • Contact a computer professional to remove Reveton and Citadel from your computer.
  • Be aware that even if you are able to unfreeze your computer on your own, the malware may still operate in the background. Certain types of malware have been known to capture personal information such as user names, passwords, and credit card numbers through embedded keystroke logging programs.
  • File a complaint and look for updates about the Reveton virus on the IC3 website.
  • If you want to attempt removal yourself, see the links above, but be aware that there may be a cost involved, or that you may not know for sure that you are completely clean.

Source: FBI – New Internet Scam


What Can A Blog Do For Your Web Site?

I sometimes hear from clients that they don't want to mess with a blog. Some think it's more effort than it's worth. So today I'd like to discuss why it is worth your effort to take some time and write a weekly blog… or hire someone, like me (hint), to manage your content for you.

Traffic: A Reason To Come Back For More

You're familiar with HubSpot, right? Well, if not, let me introduce you to the marketing software people on the web. They're not the only marketing people on the web, but they've been around long enough in this fast-paced online world to gather some impressive stats on blogging. According to their research, companies that have blogs generate 55 percent more traffic and 70 percent more leads. And if companies can do it, then your organization or personal site is bound to benefit, too.

Penguin, Rankings and Original Content

Announced in April of 2012, Penguin (although not officially named until two days later) became the successor to the Panda algorithm powering Google's search engine. Panda's job was to sanction sites with a poor user experience. Penguin's job is to enforce original content on sites. Simply put, not having original content will affect your site's SEO rankings. How does this work? If you have little content above the fold or are exclusively using content that originates from other sites, you might get nicked. If you are using SEO tactics that involve webspamming, or what Google calls “spamdexing” (inclusive of link bombing), to raise your rankings, you'll get nicked. Translation: Google downranks web sites that do either of these things. Google's intent is to improve the quality of the web you and I search and depend on every day. And that's a good thing to support.

An easy way to make sure you are contributing original content for the web (and to get noticed for it) is to have your own blog.  It’s a win-win situation for everyone.  Set up an appointment with me today to discuss how you can include a blog and increase your web site traffic!

 
