Heartbleed bug

The news has been out there for a few days now: OpenSSL, the software that most major email companies, some banks, etc. use to keep your information safe, has been found to have a critical bug (known as Heartbleed). At first I did not realize how big of an issue this was until I did some research late last night and this morning. While the companies are scrambling to update their software, your passwords may have been stolen, as this issue has been out there for over a year. The worst part of this is that you may have no idea whether your information has been stolen, as there is no way to tell until you start sending out spam or, much worse, your identity is stolen…

Change your password everywhere. This is no joke, and it’s something that is supremely important: change your password, and not to something that is easily guessed, so use a combination of upper case, lower case, numbers and, if allowed, special characters.

A good read (somewhat technical but not as much as others) is here: http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/.  And here is full disclosure about the bug: http://heartbleed.com/

Thanks, and stay safe!

Stephan Lantos | IT Manager
NA World Services
Stephan@na.org | www.na.org

GEEKLOG: Localization And Adaptability Part Two: Token-Based Text

ABSTRACT
In Part One of this series, I explained how you should establish a basic text rendering environment that will display non-Roman character sets.

In this entry, I’ll discuss one of the most common patterns used to get those characters onto the screen.

The objective of this exercise is to explain a basic way to allow a display (in this case, a Web page) to reuse the same framework, yet drastically change the content, depending upon the chosen language of the viewer.

I’ll use PHP as the example language. This pattern can be applied to almost any programming language, and actually tends to be supported by many development frameworks. PHP is well-understood, and also has native support for associative arrays, which makes this all much easier to explain. It is also the base language for a number of content-management systems that use this pattern for their own localization.

From a friend and fellow contributor about some safe measures

A friend sent me an email when he realized that this blog was not a public one where anyone could post. He offered me the post below to do with as I choose. Of course I am choosing to include it here, as it contains really valuable info.

_______

In the OEM Windows world it appears vendors (such as Dell, HP, etc.) deliver machines with the user having administrative privileges. It really isn’t necessary to have these rights for checking e-mail, browsing, word processing, (basic) web programming, etc.

I would advise against logging in with administrative permissions for everyday computing.
In Linux or an OS X terminal you can ‘sudo’. Recent versions of Windows try to implement this in the GUI with User Account Control. I noticed users who do not like UAC come from the Win 3, 95, 98, ME world. It’s not difficult to become acclimated to computing as a member of the Users group. Note: The Power Users group is still there for backward compatibility with NT 5.0 (Windows 2000) and is not necessary for 5.1 (XP), 6.0 (Vista) or 6.1 (Windows 7).

Some things that a member of the Users group cannot do are:

  • Cannot install software or hardware, but can access programs that have already been installed on the computer.
  • Cannot change his or her account name or account type. A user with a computer administrator account must make these kinds of changes.
  • Can change his or her account picture and can also create, change, or delete his or her password.

When I get a machine, a few things I do are:

  • Rename Administrator to something other than Administrator, Admin or root.
  • Enable the Guest account and set a passwd for people who want to use my computer. This way they do not have access to my files.
  • Set up an account and add it to the Users group. I do not use my name because website cookies will identify me by my username. This is the account I use for everyday computing.
  • Install applications under this user context using an administrative account (UAC).

If you are having difficulty running applications, check out this page:
http://www.sevenforums.com/tutorials/11841-run-administrator.html
There are additional links at the bottom of this page that are similar.

I do not log in to e-mail (POP3, IMAP4, SMTP) using ‘clear text’. I use SSL, TLS or HTTPS. For information on securing e-mail authentication, contact your provider.

I do not rely on third-party software to protect my computer, network and (especially) my data. I tie down my computer to protect myself from myself: read the dialogue boxes carefully, don’t click on things I do not know, do not open e-mail from people I do not know or attachments that look suspicious (judgment call). After a short time, practicing “safe computing” is easy to deal with.

These are a bit more technical:

If I am not familiar with an application, I do not install it; I’ll place it in a “Sandbox” (https://en.wikipedia.org/wiki/Sandbox_%28computer_security%29) or Virtual Machine (https://www.virtualbox.org/).

Go into Network adapter properties (UAC asks for administrative passwd) and disable bindings to services I do not use. In my case that includes:

  • Client for Microsoft Networks (I can still access my Network Attached Storage).
  • File and Printer Sharing for Microsoft Networks.
  • IPv6 (for now, since many ISPs do not support it anyway).

When Windows detects a new network connection, I set it to Public (not Home).

Disable (hidden) administrative shares C$, D$, ADMIN$ etc. This is a good article explaining how to do it: http://www.petri.co.il/disable_administrative_shares.htm
It will not work with Home editions of Windows.

Whitelist (this will paralyze most malware even if it gets through, like CryptoLocker, which Kaspersky, McAfee, etc. did not come up with a signature for after weeks). Here’s a bit about whitelisting: http://community.spiceworks.com/topic/389016-need-help-with-gpo-to-block-exe-s-in-appdata-folder?page=1#entry-2581035

I also create a sub-folder within my Downloads folder and create a policy that allows execution from it (NOT from the Downloads directory). I download a file, drag it into this sub-directory and then execute it.

If people use P2P (including Skype) or are opening ports in a firewall or router I recommend they have at least two (firewalls/routers) and place that machine/device in between the two routers (or behind a firewall but in front of a router) and disable UPnP on the (internal) router. This is called a DMZ.

I have a Slingbox, TV’s Ethernet connection, VoIP adapter, Verizon (managed FiOS) router and server in a DMZ. Anything that is not mine (I don’t care what it is), I do not place on my internal network. I have wireless access for my guests in the DMZ as well. Not that I do not trust my guests, but I do not know their computing habits.

For my family (and friends) in areas that do not practice Net Neutrality, I have them using the Tor Browser Bundle or VPN over SSH or SSL (NOT PPTP or L2TP). That’s not beyond the scope of “Security – personal computers” but this post is already too long.

_________

Thanks, K.

Keep ’em coming!

Not abandoned yet… just…

To all who have faithfully followed this experiment, I apologize for neglecting it.  There have been many events and things that have taken all of my time.  There will be some news in the near future focusing on:

  • V2 of the mobile meeting search apps
  • Some plans for the next year in NAWS’ IT world, including possibly a new and much improved shopping cart
  • Some changes expected for the website
  • etc.

Again, I am sorry, but things like the World Convention happen and this goes on the back burner.  If I promised any of you that I would be in touch with you and seemingly flaked, I apologize, but have not forgotten… just trying to clear some time to actually have a meaningful conversation.

Yours in fellowship,

Stephan Lantos | IT Manager
NA World Services
Tel: +1 818-773-9999 ext.181
Stephan@na.org | www.na.org

Meeting search apps up and running on iOS and Android

The meeting search apps were uploaded to both platforms within the past few weeks. iOS went up in April, while the Android version was launched in the middle of May. Thus far the responses for both versions have been overwhelmingly positive. In addition to the standard map-based meeting search, there is the option to search for local phonelines and websites as well. As an added feature, the daily posting of Just For Today is included.

You can download them either via the application distribution store on your mobile device or by clicking on the links below.

iOS Version:  http://tinyurl.com/otogobw

Android version: http://tinyurl.com/pd2sdwf

Support or comments about the apps can be sent to mobile@na.org.

Yours in fellowship,

Stephan Lantos | IT Manager
NA World Services
Tel: +1 818-773-9999 ext.181
Stephan@na.org | www.na.org

New update about security and WordPress and Joomla

Periodically I will post an especially interesting set of updates I receive from Qualys or SANS that may have an impact on fellowship websites. This week, I received the attached update from Qualys about the most recent vulnerabilities. The title, “RFI Botnet Compromising WordPress, Joomla Sites Worldwide”, caught my eye, as you can imagine. So rather than keep it to myself, I am attaching the entire update as a PDF (see link after sig).

Anyone can subscribe to the vulnerability updates. I have found over the past few years that Qualys, SANS, etc. reporting is a bit ahead of mainstream consumer-oriented publications and presents it in a concise fashion that makes it easy, for me at least, to skim through, reading what pertains to me and leaving the rest.

Yours in fellowship,

Stephan Lantos | IT Manager
NA World Services
Tel: +1 818-773-9999 ext.181
Stephan@na.org | www.na.org

qualys6-7-13


GEEKLOG: Keeping Up to Date

I have been frantically working for the last six months or so to create a new version of the BMLT, in anticipation of this date: May 19, 2013.

That’s because Google has been saying that they would be shutting down their Google Maps Version 2 API, and I needed to create a version that supports the current Google Maps Version 3 API, have it in place, tested, and ready to go before May 19.

It has been a HUGE job, and I have been desperately trying to make sure that I had a fully-working root server, and all of the satellite clients in place by May 19, as well as getting as many established BMLT implementations as possible to update their servers.

Well, May 19, came and went, and the world didn’t end.

Google blinked.

WordPress Brute Force Attacks and what that means here

Over the past few days many security sites and web hosts around the world reported that a WordPress brute force attack was under way. Brute force means the attackers try large numbers of username and password guesses, looking for accounts with weak passwords on outdated installations. Once the attacker has found a WordPress account with a weak password, it’s used to gain access to the administration panel. At that point, that site can be used in a variety of ways, but it is no longer controlled by the legitimate site owner. There are many articles on the subject out there, some of them detailed and very specific, but here is one that seems to give sufficient details without getting overly specific.

What that means is that here on this site, I have had to make some changes. Login attempts have been limited to two. After two failed login attempts, there must be a twenty minute wait before attempting to log in again. I changed the password to something far more difficult and encourage anyone else who uses a WP site to do the same.
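The lockout policy described above (two failed attempts, then a twenty-minute wait) as an added example, not the plugin or code this site actually uses: a small Python throttle replayed over constructed web-server log lines. For the sake of the example it assumes that a POST to /wp-login.php answered with 200 is a failed login (the form is shown again) and a 302 is a success (redirect to the dashboard); the addresses 203.0.113.7 and 198.51.100.2 and the timestamps are constructed. It also shows why the rule matters: a correct password presented during the lockout window is refused too, so a guesser gets at most two tries per window.

```python
"""Failed-login throttle of the kind the post describes: after two failed
attempts from one source address, further attempts are refused for twenty
minutes. Added example; not the site's own plugin. The log format, the
200 = failure / 302 = success reading, and the addresses are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

MAX_FAILURES = 2                  # two failed attempts...
LOCKOUT = timedelta(minutes=20)   # ...then a twenty-minute wait

# Common-log-style line: source, timestamp, "METHOD path proto", status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log, in time order. 203.0.113.7 fails three times,
# then tries again with a correct password at 10:15 and again at 10:21.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 -
203.0.113.7 - - [15/Apr/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 -
203.0.113.7 - - [15/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 -
198.51.100.2 - - [15/Apr/2013:10:00:08 +0000] "GET /about/ HTTP/1.1" 200 -
198.51.100.2 - - [15/Apr/2013:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 -
198.51.100.2 - - [15/Apr/2013:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 302 -
203.0.113.7 - - [15/Apr/2013:10:15:00 +0000] "POST /wp-login.php HTTP/1.1" 302 -
203.0.113.7 - - [15/Apr/2013:10:21:00 +0000] "POST /wp-login.php HTTP/1.1" 302 -
"""


class LoginThrottle:
    """Per-source failure counter with a fixed lockout window (assumed design)."""

    def __init__(self, max_failures=MAX_FAILURES, lockout=LOCKOUT):
        self.max_failures = max_failures
        self.lockout = lockout
        self.failures = defaultdict(int)   # ip -> consecutive failures
        self.locked_until = {}             # ip -> datetime the lockout ends

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        return until is not None and now < until

    def attempt(self, ip, success, now):
        """Return 'blocked' if the source is locked out, else 'allowed',
        updating the failure count or starting a lockout as the outcome dictates.
        A blocked attempt is refused outright, whatever the password, and
        does not extend the window."""
        if self.is_locked(ip, now):
            return "blocked"
        if success:
            self.failures.pop(ip, None)
            self.locked_until.pop(ip, None)
            return "allowed"
        self.failures[ip] += 1
        if self.failures[ip] >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            self.failures.pop(ip, None)
        return "allowed"


def parse_line(line):
    """Return (ip, timestamp, success) for a wp-login.php POST, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    if method != "POST" or path != "/wp-login.php":
        return None
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, status == "302"


def replay(log_text):
    """Replay the login POSTs through the throttle in log order and return
    a list of (ip, ISO timestamp, decision)."""
    throttle = LoginThrottle()
    decisions = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, when, success = parsed
        decisions.append((ip, when.isoformat(), throttle.attempt(ip, success, when)))
    return decisions


def blocked_sources(log_text):
    """Map each source address to the number of attempts the throttle refused."""
    counts = defaultdict(int)
    for ip, _, decision in replay(log_text):
        if decision == "blocked":
            counts[ip] += 1
    return dict(counts)


if __name__ == "__main__":
    for ip, when, decision in replay(SAMPLE_LOG):
        print(f"{when}  {ip:<14} {decision}")
    print("refused per source:", blocked_sources(SAMPLE_LOG))
```

In the sample, the third guess from 203.0.113.7 and its attempt at 10:15 (inside the window that started at 10:00:03) are refused; the attempt at 10:21, after the window has expired, goes through. 198.51.100.2 fails once and then succeeds, which clears its counter, so an ordinary user who mistypes once is not affected.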

Lastly, on the advice of the web host we use for this domain, all other users have been changed to contributors, meaning that they can no longer do their own publishing on the site. As an author, you can get access to the control panel in some form, which is to be avoided at this point. This last part is a temporary solution, one that needs to be revisited in the next week or so.

Steve

GEEKLOG: Localization And Adaptability Part One: Text Systems

ABSTRACT:

In my work on the BMLT, I write a system that is meant to be used by many different Service bodies, and adapted to fit their needs (as opposed to the other way around).

That means being able to store and display special characters, like Ü, ç, å and ø.

This is absolutely necessary to support sites like NA Sweden. They are currently helping me to localize (translate) the BMLT into Swedish, so that they can upgrade their system.

When we create Web sites that are designed to be used in contexts other than those with which we are already familiar (such as sites that can be translated to other languages or cultural areas), we should try to design in flexibility and “hooks” that allow the software (Web sites are software, just like word processors and Web browsers) to be adapted or coerced into forms suitable for their own use.

There are some important things to keep in mind, like making sure that you use a text system that will support extended character sets, for example Extended ASCII and the various flavors of Unicode.

Service committee website hosting basics

The PR Handbook has some good information about local committee websites. However, one of the topics that is hard to address without getting into potential issues with the traditions is where to host, what to look for in a web host, etc. So, this post is an attempt to start that discussion based on some hard-won experience.

Things to consider:

  • There is no such thing as “free” in terms of a website. There is always some catch, usually involving some advertising of products and/or services, any of which brings into question whether or not there is an implied endorsement or affiliation involved. This is different from links to products like Acrobat Reader or Java or Flash; those are tools provided to help view web content and provided to everyone free.
  • If you have followed the suggestions about your website content, target audience, etc., then it’s time to browse for some good web hosts. I am not going to favor one or more hosts over another, but there are some qualities that most good hosts will offer:
    • a good quality SLA (service level agreement), meaning they guarantee that your site will be live for at least 99% of the time and offer steps you can take if they do not meet this guaranteed level.
    • support (both technical and account management) that is responsive and highly available.
    • an accessible control panel that allows you to set up your web presence the way you want to, including databases, email, some traffic reporting tools, FTP access, ways to back up your website, etc.
    • clear, easy to understand tutorials about how to use the control panel and the programs it contains.
  • Find out if they offer a site restore option, meaning they do a daily backup of websites, in case your site gets hacked (it can happen to anyone) and you need to restore it to a previous state. Most hosts will offer some form of disaster recovery. If they don’t, make sure you back up your files frequently. Depending upon your available resources, you may also want to consider mirroring your site. If you need some info about what that means, email me at stephan@na.org (just remember that you may not get an instant response).
  • Lastly, try and find out how seriously the host takes security. One way to start finding out is to ask how complex their passwords have to be. Passwords for any website should be pretty complex, meaning they should include letters (upper and lower case), numbers and special characters. It may be a pain to remember the passwords, but the more complex they are, the harder they are to hack. No password is hack-proof, but we don’t have to give the keys away ourselves by using something that is too simple. Also ask what tools they offer to filter spam at the server level.

There are a lot of good hosts out there, so don’t be afraid to spend a little time and research to find the ones that will serve you and your committee the best.

As always, yours in fellowship,

Stephan Lantos | IT Manager
NA World Services