
InfoSec

Online Only Software is a Security Risk


I have seen a number of talks about this recently, and it is largely what we were saying back in the 00s. This article is about being offline and using software offline, where offline means not on the Internet or on a public network. In the 90s almost everything businesses did was offline, including all types of software and databases; companies used a lot of browser-based software, but it lived on an internal intranet. In recent years software systems have steadily been moved onto the Internet, and the real question is: why? Software houses get more control over licensing when a product can only be used online, because every use can be checked against the products your account owns, and files are easier to share. But moving systems and software online creates far more security risk for the end user.

If you follow infosec you will know that attacking is far easier than defending. The problem with online software and online storage is that it is exposed to everyone on the net, worldwide. Where office documents used to be stored on a local intranet or domain server, companies and general users increasingly store them in online accounts or 'in the cloud' (the cloud is just another name for somebody else's server). The risk is far greater for a business that keeps all of its data online than for one that keeps it on a local server.

We saw a push for companies to use VPNs between offices worldwide, and more companies should take this route rather than use other people's online software services. VPNs give a company far more control over its own security: you can set up a VPN that only the IP addresses of each office can reach, through firewall rules, so that the only way data leaks is through someone inside the company or a compromised machine inside one of those offices. Every login is logged and every user needs a username and password (ideally a certificate or key as well) to get onto the VPN. If instead you store all your documents in 'the cloud', everyone on the web could potentially reach them, or the accounts that hold them. VPNs are a vital tool for many uses now; I just wish more companies used them.

Another problem online-only software brings is network-wide targeting by things like ransomware. Office 365 is tied to an online account and Microsoft pushes people to store their files on OneDrive. We are also seeing a return of old styles of virus and malware writing, such as the Office macro viruses we saw throughout the 90s. What is to stop a ransomware gang from encrypting the files in a cloud account once it holds a user's credentials or controls a machine that syncs to it? Files stored locally, with offline backups, are exposed to far fewer opportunities for intrusion or manipulation.

Something else on the rise, by multinational tech companies and governments alike, is the collection of data for analytics, tracking and espionage. If you store or send your documents to an external 'cloud' or business unencrypted, assume the information in those files is being used, whether or not the provider says so. This is another trend that is dangerous for both security and privacy, and it has the potential to be catastrophic for businesses working on prototypes and new technologies. I have posted before about the increase in business, government and intelligence-agency espionage.

Spam Email Relays – How to Spot and Deal with them


I have been both a Linux and Windows server administrator for quite some time now and started using Linux back in the mid 90s. I have recently seen an increase in spam relays and spam mail reconnects. This article is written to help you minimise spam to your servers and clients.

Detecting Spam Relays and Spammers

Most spammers follow the same steps:

  1. Test for an SMTP connection by port scanning.
  2. Try to send mail to root@ the server's domain.
  3. Try to push mail to addresses found in TLS certificates, or to the general addresses companies use (info, sales, contact, support and so on).

As an administrator you should already have email blacklists (DNSBLs) set up, but spam may still get through in a number of ways, so check the server logs daily if you possibly can. Spammers are learning how anti-spam services work and are finding ways around them. Before I started daily log checks I was getting on average one spam mail every three months; now I receive none. I was also getting a considerable number of hits to the mail server that were turned away either by anti-spam services or by blacklists. You can spot a spammer easily in the reject logs: they keep reconnecting, trying to force the server to accept the mail. You may also spot brute-force attempts against authentication in your logs, and those need to be dealt with as well.

How to stop Spammers and Spam Relays

Over the past three months I have noticed an increase in spammers using multiple IPs in the same range; when one IP is banned they just switch to another. My rule of thumb is that if more than three IPs in the same range are spamming, I ban the entire range. What you need to do is keep a database or spreadsheet of banned IPs with the reason for each ban. I always do a lookup on the IP and record the country, the reason for the ban, the hosting provider and the reverse DNS of the IP (if it has one). If a customer contacts you saying their server is banned, you can refer back to this record to see why.

If your logs show repeated failing hits from the same servers, ban them with iptables or Windows Firewall. A lot of admins just set up blacklists and leave their servers without ever checking the logs; if you do this, those spam servers are still free to attack or brute-force your server. I will say more about iptables, as most mail servers run Linux now: if you do not have iptables rules set up on your servers, you should not be running servers, simple as that. If you use Fail2Ban, it will not automatically ban ordinary hits to the mail server, because mail servers work on whitelisting and a spam score and legitimate servers reconnect too (greylisting makes them). So you need to give Fail2Ban a jail for the mail service you run (Postfix, Dovecot and so on) in addition to its standard SSH jail. Fail2Ban works by inserting its own chains into iptables for the ports each jail protects, so when you add a manual ban make sure it is inserted ahead of any ACCEPT rule for that port (iptables -I INPUT ... -j DROP), or add it through fail2ban-client so it lands in the jail's own chain, rather than assuming a rule appended to the end of INPUT will be reached.
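The detection and the range-ban rule of thumb above, as an added example that is not code from the original post: it scans Postfix-style reject lines from mail.log, counts permanent rejects per client IP, applies the "more than three IPs in one /24, ban the whole range" rule, and renders iptables commands plus the reason to record in your ban log. The log lines, IP addresses and hostnames are constructed for illustration.

```python
"""Added example (not the original post's code): scan Postfix-style SMTP
reject lines, count permanent rejects per client IP, and apply the post's
rule of thumb (more than three offending IPs in one /24 => ban the range).
Log lines, IPs and hostnames below are constructed for illustration."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample of the kind of lines Postfix writes to mail.log when
# it refuses a client (RBL hits, relay attempts, unknown recipients).
SAMPLE_LOG = """\
Mar  3 02:11:07 mx postfix/smtpd[4121]: NOQUEUE: reject: RCPT from unknown[203.0.113.10]: 554 5.7.1 Service unavailable; Client host [203.0.113.10] blocked using zen.spamhaus.org; from=<a@example.net> to=<root@example.com> proto=ESMTP helo=<mail>
Mar  3 02:11:09 mx postfix/smtpd[4121]: NOQUEUE: reject: RCPT from unknown[203.0.113.10]: 554 5.7.1 Service unavailable; from=<a@example.net> to=<info@example.com>
Mar  3 02:12:44 mx postfix/smtpd[4130]: NOQUEUE: reject: RCPT from unknown[203.0.113.11]: 554 5.7.1 Relay access denied; from=<b@example.net> to=<sales@example.org>
Mar  3 02:13:01 mx postfix/smtpd[4133]: NOQUEUE: reject: RCPT from unknown[203.0.113.12]: 554 5.7.1 Service unavailable; from=<c@example.net> to=<support@example.com>
Mar  3 02:14:20 mx postfix/smtpd[4140]: NOQUEUE: reject: RCPT from unknown[203.0.113.13]: 550 5.1.1 <nobody@example.com>: Recipient address rejected: User unknown
Mar  3 02:20:05 mx postfix/smtpd[4151]: NOQUEUE: reject: RCPT from mail.legit.example[198.51.100.7]: 450 4.2.0 Greylisted, try again later
Mar  3 02:25:05 mx postfix/smtpd[4160]: connect from mail.legit.example[198.51.100.7]
"""

REJECT_RE = re.compile(r"reject: RCPT from \S+\[(?P<ip>[0-9.]+)\]: (?P<code>\d{3})")


def count_rejects(log_text):
    """Return {ip: number of permanent (5xx) rejects}.

    4xx responses are temporary (greylisting, deferrals) and legitimate
    servers retry them, so they are deliberately not counted."""
    counts = Counter()
    for line in log_text.splitlines():
        m = REJECT_RE.search(line)
        if m and m.group("code").startswith("5"):
            counts[m.group("ip")] += 1
    return counts


def group_by_range(counts, prefix=24):
    """Group offending IPs by their /prefix network."""
    ranges = defaultdict(set)
    for ip in counts:
        net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
        ranges[str(net)].add(ip)
    return ranges


def plan_bans(counts, range_threshold=3, prefix=24):
    """Rule of thumb: more than range_threshold IPs in one range -> ban the
    range, otherwise ban each offending IP on its own. Returns a sorted list
    of (target, reason) tuples that can go straight into the ban record."""
    plan = []
    for net, ips in group_by_range(counts, prefix).items():
        if len(ips) > range_threshold:
            plan.append((net, f"{len(ips)} spamming hosts in range"))
        else:
            for ip in sorted(ips):
                plan.append((ip, f"{counts[ip]} rejected SMTP attempts"))
    return sorted(plan)


def iptables_rules(plan):
    """Render the plan as iptables commands. -I puts each DROP at the top of
    INPUT so it is evaluated before any ACCEPT for port 25 or a Fail2Ban
    jail chain; -s takes both single IPs and CIDR ranges."""
    return [f"iptables -I INPUT -s {target} -p tcp --dport 25 -j DROP  # {reason}"
            for target, reason in plan]


if __name__ == "__main__":
    for rule in iptables_rules(plan_bans(count_rejects(SAMPLE_LOG))):
        print(rule)
```

On the constructed log this bans 203.0.113.0/24 as a whole (four distinct hosts) and leaves 198.51.100.7 alone, because its only entry is a 450 greylist response that any legitimate server will retry. Run it against the real log with the threshold you use, and keep the (target, reason) pairs next to the country and reverse-DNS lookups in your ban record.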

With heavy bans and routine log checking, spam servers are deterred from even attempting to connect. Before I started routine checks I was getting thousands of hits a day to the mail server that were being dropped; now hits from spammers are rare and the logs have shrunk considerably.

Ad-Blockers Protect You Online


This has been a big discussion recently among developers and the infosec community on Twitter. There have been a number of reports recently claiming ad-blockers are bad, based on a few actions by companies. First, Forbes has started blocking visitors whose browser is seen to be using an ad-blocking add-on (and Forbes has been shown to serve malware through its ads, explained below). The second, which I noticed last week, was the BBC's coverage of Three (the mobile network) planning to apply ad-blocking to all devices by default (which is a good thing). The BBC titled the article 'Three criticised over plans for network-wide ad-blockers', yet the only party criticising ad-blocking in the article was the Internet Advertising Bureau (IAB). That is yet more incorrect, biased journalism from the BBC. Why the BBC has started constantly framing something as bad in the headline itself, based on what 1) the Government, 2) the intelligence agencies or now 3) an advertising bureau say, is beyond me. It is almost as if they think they need to publish whatever these three say, which would imply dictatorship.

Why use ad-blockers?

Ad-blockers are good and, in my opinion, vital: they protect you from advertisement targeting, they protect your privacy, and they protect your device from malware. Advertising is one of the biggest sources of malware; anti-virus companies that track where infections originate and where they spread have shown this repeatedly. As soon as Forbes started to stop people with ad-blockers from reading its site, readers who disabled their ad-blockers were served malware through the ads. Malware from ads (malvertising) is on the rise; the report linked below puts the increase at 325% in a year. The problem is that a visitor does not have to click an ad to be infected: the ad's own code runs in the browser as soon as the page loads. Most websites that carry ads serve them through third-party ad networks, which means those networks can be, and have been, targeted by malware developers.

A number of big malware campaigns have been traced back to governments and intelligence agencies, used for spying, for gaining access to devices, and for corporate and economic espionage. This includes malware found a couple of years ago, reportedly written in China, that targeted AutoCAD drawings: every drawing it infected was sent to a server controlled by the attackers, and the normal movement of those documents (companies emailing them to each other) only increased the spread.

Other ways of ad-blocking:

There are many other ways of blocking ads. Developers can write their own scripts or block lists, but obviously you need to know what you are doing. Everything on a website runs inside your browser, so it can be blocked one way or another, whether in the browser itself, in a hosts file or at the DNS level. My hope is that developers of ad-blocking add-ons keep updating regularly so that sites cannot keep blocking ad-blockers.

The fact is: it is your device, and no company can dictate security failures to you. If they try, they are extremely stupid and their website is not worth visiting. Stay safe and keep on ad-blocking!

Related Sources:
 1 - Forbes forces readers to turn off ad blockers, promptly serves malware
 2 - The Rise of Malvertising

Shared Hosting is bad for Businesses


Shared hosting is bad for businesses. We have all seen the adverts on TV or heard them on the radio; they go along the lines of "You can get a domain, hosting and email for your business for just £1 a month". These hosts are fine for personal blogs and testing (up to a point), but they should never be used by serious businesses, and especially not by online traders or shops.

What is Shared Hosting?

Shared hosting is where a company hires, or owns, a single dedicated server or VPS and puts all of its customers (or a set number of them) on it. On sign-up the server automatically creates one Linux user for you with the allocated space and domains, based on the options you chose; there is no set-up time or input by an employee, most of it runs itself. Because the server is shared, your domain could be on a box with 3,000 other domains. The server's limited bandwidth is shared across all of those users and domains, so sites on it can be extremely slow, especially when many of those domains are busy at the same time. It also means your email accounts sit on the same server as thousands of other domains and users. I have seen shared-hosting start-ups running on VPSes at 99% load.

Why is shared Hosting Bad?

Shared hosting is not always bad per se, but for businesses it is not ideal, for a number of reasons. It may look like a good deal on TV or in an advert, but in reality this is what you are getting:

  1. A shared server with thousands of other domains on a single IP
  2. A shared email server with thousands of other domains and users
  3. Limited mailbox size and number of addresses
  4. Email blacklists: if one customer on the server spams, the blacklists list the server's IP, and mail from everyone on it (every domain on the server) gets dropped. This is extremely bad for any business.
  5. Limited site space
  6. A 'free' domain that is usually registered to the hosting company, which is a big problem if or when you want to move
  7. Slow bandwidth, albeit 'unlimited'
  8. No secure (TLS) connection between your site and your customers

Email Problems:

I have seen this so many times from small businesses and from people using shared hosting for a blog and private email: "My server got blacklisted". This is a massive problem for a business of any size. If you are blacklisted it usually means someone else bought hosting on your shared server and used it for spamming. You can check whether the server is blacklisted by looking up its IP on the DNS blacklist (DNSBL) sites, but most lists will not tell you why the IP was listed, and most will not delist it unless the owner of the server contacts them and assures them the spamming will not recur. You also have limited control over incoming spam: if a spammer is on the same server as your domain (the list of domains on a given server can be looked up), the server will deliver their spam to you locally, without it ever crossing the blacklists.
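The blacklist check described above, as an added example that is not code from the original post: a DNSBL is queried by reversing the IPv4 octets and looking that name up under the list's zone, and the A record that comes back tells you whether, and why, the IP is listed. The return-code table is Spamhaus's published ZEN mapping; the IP addresses and the offline stand-in resolver are constructed so the example runs without network access, and the real lookup goes through the system resolver when you pass no resolver.

```python
"""Added example, not the original post's code: check whether a server's IP
address is listed on a DNS-based blacklist (DNSBL). An A record in
127.0.0.0/8 means 'listed'; NXDOMAIN means 'not listed'. The ZEN return
codes are Spamhaus's published mapping; the IPs and the offline resolver
are constructed for illustration."""
import ipaddress
import socket

# Spamhaus ZEN return codes and their meaning.
ZEN_CODES = {
    "127.0.0.2": "SBL: known spam source",
    "127.0.0.3": "SBL CSS: snowshoe / low-reputation sender",
    "127.0.0.4": "XBL: exploited or malware-infected host",
    "127.0.0.9": "SBL DROP: hijacked or leased netblock",
    "127.0.0.10": "PBL: ISP policy, should not send mail directly",
    "127.0.0.11": "PBL: Spamhaus-maintained policy entry",
}


def dnsbl_query_name(ip, zone="zen.spamhaus.org"):
    """203.0.113.10 -> '10.113.0.203.zen.spamhaus.org'."""
    addr = ipaddress.IPv4Address(ip)          # rejects garbage and IPv6
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def interpret(answers):
    """Map the A records returned (or [] for NXDOMAIN) to a verdict."""
    reasons, error = [], None
    for a in answers:
        if a.startswith("127.255.255."):
            # Spamhaus signals query problems this way, e.g. 127.255.255.254
            # when you ask through a public resolver such as 8.8.8.8.
            error = f"query refused or malformed ({a}); use your own resolver"
        elif a.startswith("127."):
            reasons.append(ZEN_CODES.get(a, f"listed with code {a}"))
        else:
            error = f"unexpected answer {a}"
    return {"listed": bool(reasons), "reasons": reasons, "error": error}


def check(ip, zone="zen.spamhaus.org", resolver=None):
    """Query the list for ip. resolver(name) must return a list of A records
    or raise socket.gaierror for NXDOMAIN; the default is the system resolver."""
    if resolver is None:
        resolver = lambda name: socket.gethostbyname_ex(name)[2]
    try:
        answers = resolver(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        answers = []
    return interpret(answers)


# Constructed stand-in for DNS: one infected host listed on XBL and PBL,
# everything else NXDOMAIN, so the example runs offline.
OFFLINE_ANSWERS = {"10.113.0.203.zen.spamhaus.org": ["127.0.0.4", "127.0.0.10"]}


def offline_resolver(name):
    if name in OFFLINE_ANSWERS:
        return OFFLINE_ANSWERS[name]
    raise socket.gaierror("NXDOMAIN")


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.7"):
        print(ip, check(ip, resolver=offline_resolver))
```

Two caveats when you run this for real: query from your own resolver, not a public one, because Spamhaus answers 127.255.255.254 to public resolvers and that is an error, not a listing; and check more than one list, since a shared host that is clean on ZEN may still be listed elsewhere.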

Why Shared Hosting should never be used for Online Shops:

Online shops need TLS to function at all. Without a secure connection between your customers and your server you are handling card and personal data in a way that the payment providers' rules and data-protection law do not allow, and your company will be liable. Shop applications and payment services typically state in their terms that the site must be served entirely over TLS. I have seen online shops on shared servers that have had to pay a considerable amount of money to sort this out after a customer complained to the payment provider (PayPal etc.). Payment services like PayPal are getting considerably tougher with companies that do not comply with their rules, and this may even result in termination of your account.

The Importance of Password Strength


Over the years I have seen a lot of people and businesses ignore password strength. This post is written to explain why it matters so much. Going back to the 90s, when computers were not online, people used simple passwords and that was fine. People still seem to think it is OK because "Hey, I never had my password stolen in the 90s"; well, you did not have it stolen because the only people around you or in your office were trusted colleagues or family, and the password could only be used locally. Today your passwords protect accounts for many things online: email, general websites, blogs, social media, shops, forums, internet banking, the list goes on, and all of those sites and services are reachable by everyone on the web.

Points of Interest:

  1. If you can remember a password, it is probably not secure
  2. False advice, spread by those who want access to your information
  3. Using the same password for multiple sites is beyond bad (I explain why)
  4. Short passwords can be brute-forced in minutes or hours
  5. Someone could be in your accounts right now without you knowing
  6. Encryption is your biggest asset online
  7. Password storage advice

The age-old saying every security expert tells you, and you ignore, is "If you can remember a password it is not secure", and it is right on many levels. If you can remember your password, it is generally because you built it from 1) family or pet names, 2) a telephone number, 3) a date of birth, 4) a company name, or a mix of these. The first thing anyone attacking an account that allows brute forcing (repeatedly trying passwords; no site should allow this, but not every developer cares about security) does is run a tool with a database of 'knowns': names, dates of birth, dictionary words and previously leaked passwords. If your password is on that list, they are in your account within minutes.

This brings me to the false advice that seems to be on the rise from both governments and intelligence agencies. We have seen it on many occasions recently in mainstream news, and you might think "but surely they only want to help us"; well, not really. The UK Government has recently run adverts for password security stating "Multiple words make a great password". That only holds if the words are picked at random from a large list: a dictionary is just another list of 'knowns', and the words people choose for themselves are as predictable as pet names. In the UK over the past six years the Tories have been trying to push through the IP Bill, created so that the Government can access everything you do online through your ISP. The bill is illegal under EU and international privacy and human-rights law, and it has been thrown out of Parliament by MPs on three occasions now. They have also been running propaganda in mainstream media to drop ECHR (European Court of Human Rights) jurisdiction. Intelligence agencies employ general computing graduates (a basic level of computer understanding), so they want the data handed to them on a plate: everything placed in one massive, targetable database that is also accessible to the millions who work for intelligence agencies and that could be edited to create a false positive. They want any way they can get to access your accounts and private data, more so than any criminal or hacker.

How many of you use the same password everywhere? If you think that is not bad, consider this: what happens when one database is leaked online by a company that does not care about security? The person who took that data, a criminal or an intelligence agency (the latter more probable), now has a list of email addresses and passwords. Developers who care about security already know that passwords must never be stored in plain text; they should be salted and hashed, so that not even the server can recover them. A password is checked not by decrypting anything but by hashing what the user typed with the stored salt and comparing the result with the stored hash. Developers used to use MD5 for this; MD5 is fast and was usually used without a salt, so it is no longer a secure way of storing passwords (though still better than plain text), and a slow, salted scheme such as bcrypt, scrypt, PBKDF2 or Argon2 should be used instead. With a leaked list, attackers set up tooling to try each email and password pair against many other websites (credential stuffing). They are not brute forcing, so no rate limit trips, which is why the technique works on every site where the password was reused and is hard for administrators to detect.
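The storage point above, as an added example that is not code from the original post: the same three users stored first as bare MD5 and then as salted PBKDF2, showing why an unsalted dump gives away password reuse before a single guess is made, and how a login is verified by re-hashing rather than decrypting. It uses only the Python standard library; the user names and passwords are constructed.

```python
"""Added example, not code from the original post: the difference between
storing a password as a bare MD5 hash and as a salted, slow PBKDF2 hash,
using only the Python standard library. The user names and passwords are
constructed for illustration."""
import hashlib
import hmac
import os


# The old way: one fast, unsalted hash. Identical passwords give identical
# hashes, and a GPU can try billions of MD5 guesses per second.
def md5_store(password):
    return hashlib.md5(password.encode()).hexdigest()


# The better way: a random per-user salt and a deliberately slow derivation.
# 600,000 iterations is the OWASP (2023) figure for PBKDF2-HMAC-SHA256;
# bcrypt, scrypt or Argon2 are preferable where a library is available.
ITERATIONS = 600_000


def pbkdf2_store(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password, record):
    """Check a login: re-derive with the stored salt and iteration count and
    compare in constant time. Nothing is ever decrypted."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def shared_password_groups(table):
    """Given a leaked {user: stored value} table, return groups of users whose
    stored value is identical. With unsalted MD5 that exposes everyone who
    shares a password before any cracking; with salted hashes it is empty."""
    by_value = {}
    for user, value in table.items():
        by_value.setdefault(value, []).append(user)
    return [sorted(users) for users in by_value.values() if len(users) > 1]


if __name__ == "__main__":
    # Constructed users; alice and carol reuse the same weak password.
    creds = {"alice": "Fluffy1987", "bob": "correct horse battery", "carol": "Fluffy1987"}
    md5_table = {u: md5_store(p) for u, p in creds.items()}
    print("reuse visible in MD5 dump:", shared_password_groups(md5_table))      # [['alice', 'carol']]
    pbkdf2_table = {u: pbkdf2_store(p) for u, p in creds.items()}
    print("reuse visible in PBKDF2 dump:", shared_password_groups(pbkdf2_table))  # []
    print("login ok:", pbkdf2_verify("Fluffy1987", pbkdf2_table["alice"]))     # True
    print("wrong password:", pbkdf2_verify("fluffy1987", pbkdf2_table["alice"]))  # False
```

Two design points: the record stores its own algorithm, salt and iteration count, so the cost can be raised later and old records re-hashed at the user's next login; and `hmac.compare_digest` avoids the timing leak that a plain `==` on the digest would give an attacker who can measure response times.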

Short passwords can be brute-forced by intelligence agencies and hackers within minutes or hours wherever brute forcing is possible: online against a website without rate limiting, or offline against a leaked hash or an encrypted volume. This is why companies like Google and the banks not only allow longer passwords but also provide two-factor authentication: an app on your phone generates a one-time code from a secret that was enrolled on your specific device, so a stolen password alone is not enough. It is a step on from the small number generators that banks used to hand out for online banking.
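The two attacks described above (a 'knowns' list built from facts about the target, and exhaustive search of a short password), as an added example that is not code from the original post. It shows how few candidates personal facts produce and, using the document's own charset-by-length reasoning, how the worst-case search time changes with length and with the attacker's guess rate. The names, dates, number, example passwords and guess rates are constructed assumptions for illustration.

```python
"""Added example, not code from the original post: why memorable passwords
built from personal facts fall to a tiny candidate list, and why short
passwords fall to exhaustive search. Facts, passwords and guess rates are
constructed assumptions for illustration."""
import math
import string


def knowns_candidates(names, years, numbers):
    """Combine personal facts the way people actually do: a name, the name
    plus a year (or its last two digits), the name plus a phone number,
    in a few capitalisations, with the usual '!' or '1' tacked on the end."""
    base = set()
    for name in names:
        for form in {name, name.lower(), name.capitalize()}:
            base.add(form)
            for year in years:
                base.add(form + str(year))
                base.add(form + str(year)[-2:])
            for number in numbers:
                base.add(form + str(number))
    return {c + suffix for c in base for suffix in ("", "!", "1")}


def charset_size(password):
    """Size of the smallest standard character class mix the password uses;
    an attacker enumerating by length assumes exactly these classes."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32
    return size


def brute_force_seconds(password, guesses_per_second):
    """Worst case: every string of this length over this charset is tried."""
    return charset_size(password) ** len(password) / guesses_per_second


def entropy_bits(password):
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    # Facts an attacker can pull from social media; constructed.
    cands = knowns_candidates(["Fluffy", "Smith"], [1987], ["07700900123"])
    print(len(cands), "candidates;", "Fluffy1987!" in cands)

    OFFLINE_MD5 = 1e10   # assumed: a GPU rig against an unsalted MD5 dump
    ONLINE = 10          # assumed: a login form that does not rate-limit
    for pw, rate in (("123456", ONLINE), ("Fluffy1", OFFLINE_MD5),
                     ("T7#kQ9vL2@pX4!mR", OFFLINE_MD5)):
        secs = brute_force_seconds(pw, rate)
        print(f"{pw!r}: {entropy_bits(pw):.0f} bits, worst case {secs:.3g} s "
              f"({secs / 31_557_600:.3g} years)")
```

The point the numbers make is the one in the text: the 'knowns' list is a few dozen strings, a seven-character mixed-case password is minutes against a leaked unsalted hash, and only a long random password pushes the worst case beyond any useful timescale. The rates are assumptions; plug in whatever your own threat model says.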

The only way you will know whether someone has accessed your account on a given website is if the site properly logs login IP addresses and shows them to you, and next to no public email or shop sites do this. Most social-media sites do, and you can usually review your signed-in sessions and the IPs that have recently entered the account. If the site was built by a developer who does not care about security, you will never know who could be sitting in your account.

This brings me to encryption: encryption is every internet user's biggest asset, yet governments and intelligence agencies are trying to force back doors into it, which means forcing a vendor to write a deliberate weakness into its code, one that not only your own intelligence agency but hackers, criminals, terrorists and every other intelligence agency in the world will also find and use. How do you think your credit-card or banking information is protected online? It is encrypted. When you send payment details to a secure website (like this one) the data is encrypted between your computer and the server with SSL/TLS; if TLS has a back door it is worthless, and hackers and criminals could easily intercept the information in transit, not just intelligence agencies. Only people who do not understand how bad this is go along like sheep with governments. The Netherlands recently announced that it will support strong encryption because it is so vital.

So, what can you do to improve your password security? First, there are a number of ways to store passwords. Nearly all websites accept long passwords now, so wherever you can, use the longest random password possible and a different one for every site. Software like KeePass will generate a secure password and store it in an encrypted database. If you use it, I suggest you also create a key file to open the database and keep it on a USB stick (preferably an encrypted one); that way you have two factors, and only someone holding both the master password and the USB stick can open the database. KeePass copies a password to the clipboard on a double click and clears it again after a set time, so the password is not left behind if you forget, or have to go out quickly and close the database. Remove the USB stick and close the database when you are not using it, or when there are people around you that you do not trust.

Conclusion:
The thing to remember is that people like me and other security researchers are not out to spread misinformation; we understand the systems and how data is stored and passed between computers and servers. Yet a lot of people take their Government's or the press's word (and the press is largely steered by the Government) over that of experts. If you question the Government, MPs or the press promoting these ridiculous laws on their technical aspects, they do not have a clue, as has been shown many times recently in news interviews. This kind of thinking only destroys online rights and online security and is, quite frankly, ridiculous. There is also a lot of propaganda in mainstream media, promoted by governments and intelligence agencies.

If you have read this entire article I would like to thank you and hope that it helps to keep you safer online.

Links of Interest:
 1 - Bruce Schneier - The Conflict between Privacy and Security

I suggest you watch this video if you have an interest. Bruce Schneier is one of the world's top cryptographers, and in it he explains to a military audience his views on where they should be going.