CSOonline: Top tools and best practices for WordPress security (2022)

If you run a WordPress website, you need to get serious about keeping it as secure as possible. WordPress continues to be a widespread target for hackers. There have been numerous breaches over the years and WordPress has become more popular with both its customers and hackers. I have been using it as my main blogging platform for more than a decade, and secure it with free versions of Wordfence and MiniOrange MFA tools. In my updated post that I originally wrote for CSOonline several years ago, I examine what has changed and why you need to be deliberate and serious about securing your blog.

The Russians have an airplane problem

Have you ever heard of the following companies: Nordstar, S7, Angara, Amur or Barkol? Probably not. All of them are just some of the names of dozens of airlines operating in Russia. Right now, Russian airlines have a problem and they are about to make international insurance lawyers very busy for the next decade to solve it. The problem stems from the way that all modern airlines operate their fleets. Since the airspace restrictions and sanctions were imposed earlier this year, all Russian airlines can only fly domestically. Given that Russia has more than 500 daily domestic flights, you would think that would still be a viable market for them, but you would be wrong.

I am writing about the Russian plane problem because it is something that I can get my head around in this horrific war with Ukraine. My heart breaks as I try to follow the latest news and see the misery of millions fearing for their lives and fleeing to other parts of Europe that I never thought I would cast in a kind light. But I have to remember not to confuse the people of a country with its leaders, too.

There are several problems with the planes.

First, there are more than 900 aircraft that are registered in Bermuda. Think of this as a “flag of convenience” as many ships are registered in Panama, but there is a separate complication. Bermuda has a very robust registration entity and favorable tax and treaty laws, so the Russian airlines have taken advantage of this and have registered more than 500 planes there. Last week, Bermuda pulled these registrations, fearing quite rightly that the planes will be held hostage as the war continues. The second problem is that the major aircraft manufacturers (Boeing and Airbus) have pulled their people and stopped parts shipments (so no one can maintain the planes). A third plane maker, Antonov, is based in Kyiv and its factory was recently bombed by the Russians. Planes require regular maintenance, but more importantly, they require people to log these repairs so insurers can be satisfied that the planes are safe and properly cared for.

The third issue is that many of the Russian planes are financed by leasing companies, which happen to be based in Ireland. Again, favorable taxes and treaties. The leasing companies tried to repo a few of the planes that were sitting outside of Russia when the sanctions went into effect, and managed to take control over a few (and lose a couple too). Now that is a high-stress job, being a plane repo dude.

The total value of the planes stuck in Russia was somewhere around $10B, including some brand new planes that were just delivered before the start of the war. The reason I say “was” is because their value will plummet even if they sit on the Russian tarmac: think of having your car sit in your garage for many months. Stuff just starts to deteriorate. So Russia is trying to do an end run around the Bermuda registration by passing a law that says they can re-register their planes in Russia, no harm no foul. Except registering a plane is a lot like registering a car: there is only one country allowed, and to change the registration involves some paperwork and agreements that aren’t just signing the plane over. For example, a lease becomes void when the registration changes. The international aviation industry has these rules, otherwise there would be chaos. Which there now is.

And the planes are just the beginning of other issues for Russia. This piece in CSOonline describes how Russia is disconnecting itself from the rest of the global internet by requiring use of its own digital certificates and DNS resolvers. We are witnessing the unbanking and disconnecting of Russia from the rest of the global economy. There is certainly more turbulence and misery ahead.

Infoworld: How to evaluate software asset management tools

The vulnerabilities of the Apache Log4j logging package—and the attacks they’ve drawn—have made one thing very clear: If you haven’t yet implemented a software inventory across your enterprise, now is the time to start evaluating and implementing such tools. These aren’t new — I recall testing one of the earlier products, Landesk, which is now a part of Ivanti, back in the early 1990s. In this post for Infoworld, I go into detail about how you can evaluate Ivanti and four other leading tools from Atlassian, ServiceNow (shown above), ManageEngine and Spiceworks, why these tools are needed in modern software development organizations, how you should go about evaluating them, what their notable features are, and what these tools will cost.

Avast blog:

US President Joe Biden recently issued an executive order that will oversee various cryptocurrency efforts, including a study of whether there should be a virtual dollar-based cryptocoin, the efficacy of various future banking regulations for the Federal Reserve, and the roles for executive agencies including Treasury, Justice and Homeland Security on how to best manage crypto markets. Additionally, those of you who have already begun doing your US federal taxes might have noticed that the IRS now wants you to document your crypto holdings for the past year.

These moves show that crypto is moving quickly into the mainstream. And with mainstream acceptance also comes the criminal element. Cryptocurrency-based crime hit new levels last year, doubling the amount collected from 2020 to $14 billion. According to a new report by Chainalysis, 2021 criminal crypto transaction volumes skyrocketed by more than six times what was seen in 2020. In this post for Avast, I explore some of the other trends in crypto crime, its intersection with ransomware, and what law enforcement is doing to stop it.

Moving money around: questions to ask

If you are looking to transfer money to someone quickly, you have a lot of choices, including Zelle, Venmo, Wise (form. Transferwise), Paypal and Xe.com. But with choice comes learning what is involved in using each vendor, including getting answers to the following questions:

  • Can you move money internationally? Not with Zelle or Venmo, but the others offer this service. Zelle can only be used to move money between US bank accounts with US mobile numbers. Venmo also requires users to be physically in the US to complete their transactions. Paypal has the widest selection of currencies, claiming they are available in 200 countries (which is pretty much everywhere), and Xe claims 170 countries. Wise is available in 59 different countries.
  • What is the effective exchange rate for your funds? Exchange rates change constantly, and it is hard to anticipate when the best time to move your money will be. None of these services makes it easy to figure this out, and they tack on various fees for particular circumstances. I say “effective” because each service quotes rates differently. For example, Xe and Wise both use “midmarket rates,” which they are very clear about up front, and for both you can actually run a quote before you do the transaction and see the rate and the fees deducted. Paypal has a whole bunch of fees, terms and conditions that are explained here, and their rates are usually less favorable. Monito.com, another money transfer service, has a real-time rate comparison shopping tool that looks at several competitors (I am not sure how accurate it is, but it can be helpful).
  • How safe is it to use the service? A recent NYTimes article documents how Zelle has become the fraudster pipeline of choice, with banks making it difficult to resolve complaints or reimburse fraud victims.
  • Can you secure your account with MFA? Speaking of fraudsters, you should set up this additional authentication factor to protect your accounts and your transactions. Some services make this process easier than others.
  • How easy is it to use the service? Some of the services have really poor usability experiences, making the process a lot more difficult than it needs to be. Some only work with a mobile app, while others support both mobile and web platforms. Some of the services can move funds into your recipient’s bank account; others require your recipient to open an account on their platforms before they can access their funds.
  • How fast is the money moved? Everyone operates at different speeds, so if this is important, check the fine print on when the funds will actually be available.
  • What other services are offered? Some of the vendors (like Wise) have prepaid debit cards and multi-currency accounts that reduce fees. If you have to move money on a regular basis, you might want to check into these.

Here is one other alternative: using a brokerage account to move your money. I recently had to get funds to my daughter in Israel. She wanted dollars, not Shekels, but we both use Morgan Stanley to manage our investments. It was a simple matter to take money from my checking account and deposit it in her brokerage account; no fees were involved and the whole operation took a few minutes.

FIR B2B podcast episode #153: How to Build Your “Voice Brand”

Paul Gillin and I talk with David Ciccarelli, the CEO of Voices.com, about how to build a stable of voice and sonic branding for your business. David C. has created an online marketplace for voice actors and believes audio is the most underused asset B2B marketers have.

We discuss how to build a brand with the voice actors. This means deciding on what your organization “sounds like” and how you want to connect with your customers. The choice of a voice actor matters. Should you go with a commanding narrator or an approachable expert guide? “Your sonic brand is the unique soundscape that drives home the tone and personality of your brand voice,” he says. The company has created a guide to becoming a voice actor and also produces an annual “State of the Voice Over” report.

David says visual media has become crowded and notes that nearly one-third of people are primarily audio learners. “Marketers have saturated the eyes and we have to move on to the ears,” he says. “They have found that audio presents an opportunity to tell their story in a deeper, more meaningful way.”

He shares several podcast tips for B2B marketers. Commit to a small number of initial episodes or set a threshold and evaluate, but once you commit, stick with it. Decide if you want to primarily be a guest on other podcasts or host one of your own; those are very different strategies. Prepare show notes in advance, and make sure to tell a story with a beginning, middle and end. He has found that 20 minutes is the ideal podcast length as it’s the average duration of a commute, walking the dog or a daily exercise routine.

David has appeared in numerous media outlets, including Business News Network and The Globe and Mail TV, and is a frequent guest speaker at industry conferences. He is also a great resource for all things audio, such as this online recording studio and this streaming production service.

You can listen to the 24 min. podcast here.

Avast blog: Tips for securing your WordPress website

Last November, more than 1 million GoDaddy-managed WordPress customers were part of a breach that could have exposed their email addresses, private SSL keys, and admin passwords. The attacker was apparently able to operate undetected inside their networks for two whole months. This is just one data point in a long history of past exploits because WordPress has been a very rich and desirable target. There are numerous things you can do to protect your site, including using two tools that I have been using (Wordfence and MiniOrange, shown here).

You can read more about how to secure your WordPress site on Avast’s blog. If this is a new topic for you, you shouldn’t operate WordPress without making use of these steps — even if you gradually add in individual security measures one by one.

Book review: Suddenly Hybrid Provides Good Advice On How To Manage Our New Way Of Meeting

Karin Reed and Joseph Allen have written a great sequel to their book, Suddenly Virtual, titled, naturally enough, Suddenly Hybrid: Managing the Modern Meeting. It should be required reading for all of us as we try to keep up with the changing nature of work as we move into the third year of the COVID pandemic.

The authors have a few suggestions on how to improve hybrid meetings and other practical tips and tools to both run them and participate in them. This book will help you build upon the habits from our fully remote world over the past few years and use the collaboration tools found in videoconferencing platforms, even when we are conducting meetings in person or with hybrid audiences. It will help you figure out where an organization wants to land on the “hybrid meeting spectrum,” and remove any obstacles from fully realizing their benefits.

You can read my full review on Biznology here.

Avast blog: A 2022 update on data privacy legislation

Last year, Mississippi didn’t pass its privacy bill and more than a dozen states had bills that are still under consideration. Iowa, Indiana, and Oklahoma are all in the process of moving various privacy bills through their legislatures, and several other states have begun to consider new laws. Also, seven states are considering biometric information privacy legislation.

The most comprehensive source remains the above annotated map from Husch Blackwell, which will link you to each state’s legislation. If you are looking for more analysis, this page from the National Conference of State Legislatures has more contextual explanations.

In my latest post for Avast, I review some of the recent developments and further refinements on the three states that have enacted privacy legislation — California, Colorado and Virginia.

An open letter to Gov. Mike Parson

Several months ago, our governor began an attack on Josh Renaud, a reporter for our local newspaper, the St. Louis Post-Dispatch, about an article that he wrote about a vulnerability he found in a state website. Since then there has been plenty of coverage by the paper, including the latest events this week showing the governor’s efforts were wrong, misplaced, and counter-productive. (And Brian Krebs also covered it this week as well.) I exchanged some email with Renaud, and he suggested I use my platform to explain my POV and shed some light on what happened. So here goes a letter that I will also send to Parson.

Dear Governor Parson:

The hardest thing about being a great leader is to admit you made a mistake. I am writing to try to convince you that your course of action in trying to prosecute Josh Renaud and the St. Louis Post-Dispatch is not just wrong-headed but taking our state down a dangerous path.

As a computer security technologist and reporter, here is my perspective. First, the state education website that was identified by Renaud had major security weaknesses as it was originally constructed, because it could easily reveal Social Security numbers. The recent police report documents that these were in place for a decade, from when the site was constructed. Renaud was actually doing the state a favor by identifying this weakness, and the agency was given time to fix this vulnerability before the Post was going to publish his story. Think of it as building a house without a proper foundation.

Second, the county prosecutor was doing the right thing by declining prosecution. There was no crime committed by anyone here, which was further corroborated by the police investigation.

Third, by continuing to refer to the vulnerability as a hack you don’t really understand the nature of either the vulnerability or what hackers or journalists do. The best way for the state to “continue to work to ensure [data] safeguards and prevent unauthorized hacks,” as your office stated, is for journalists and other third parties to uncover these vulnerabilities so that bad actors can’t take advantage of them. As the state agency recently stated, Renaud accessed “open public data” that would be available to anyone.

Your statements about “hacking” are where you do more harm to the state – both perceptually in the greater computer security community and also in terms of journalists who are trying to report on these vulnerabilities in the future. By using the power of your office to promote these sham investigations, you also make it more difficult for journalists and security researchers to do their jobs in the future when they find other computer security vulnerabilities. As others have already mentioned, numerous tech companies have “bug bounty” programs in place to encourage researchers to find exactly these vulnerabilities that Renaud found and gladly pay them too!

Renaud could have published his story prior to the state’s fixing the vulnerability. But he tried to work with the state agency to fix the problem he found. He acted responsibly and honorably. It is time to admit your mistakes in both your language and intent and thank him for protecting the data of our citizens.