Strengthening 2-Step Verification with Security Key – Part II

A couple of days ago I wrote the post, Strengthening 2-Step Verification with Security Key, and yesterday I got the security key. I guess parcel post from France is pretty quick! I had to reboot the computer before I could get the hardware drivers to install. It took about two minutes to register the key with both of my gmail accounts after it finished booting. Pretty cool!

Today I tested it at work. The first step was to insert the security key and let Windows 7 install the drivers. Once again my luck installing the drivers was better after I rebooted. Then I cranked up Chrome and went to gmail. Google asked me to login. After I entered the password, it asked me to install the security key. In a couple of seconds it had validated and I was redirected to my inbox. I took the key out and put it back in my storage bag. Although I have entered my password several times as I browsed my security settings, it did not require access to the security key.

The last task was to create an app specific password for gmail for those applications that will not use the security key.

Strengthening 2-Step Verification with Security Key

I was reading the Google article, Strengthening 2-Step Verification with Security Key, and decided to see how much strengthening my security would cost. Everyone says they want better security until they see the price tag. Surprisingly a security key does not cost much. The cheapest key on Amazon comes from Plug-up International, costs $5.99 with $2.00 postage, and my estimated delivery date is November 10. I can do that!

An Interesting Wrinkle On Credit Card Fraud

Yesterday we ran into an interesting new wrinkle on credit card fraud. A customer called us because they did not recognize a credit card charge on their bill. We had an order in our system with the correct billing address, but they did not know the person the order was being shipped to. This is the typical way we find out about credit card fraud, but this time when we called the person it was being shipped to, she answered the phone. This was a first! She said that her husband probably ordered it and told us to call him. So we called him and he said he had ordered not one but two pumps from an auction site. Sure enough, our order system said we had shipped a second pump to his wife using a completely different credit card and billing address. This is the first incident we have seen in which an auction site was used to launder money from stolen credit cards! Fortunately FedEx had not delivered either pump, so we asked FedEx to return the pumps to us. Today we called the second customer and confirmed that they were unaware that their credit card had been stolen. We told them that a credit card refund had been processed and recommended that they notify their credit card company of the fraud. In this case the people whose credit card data was stolen did not lose any money. Typically we lose both the product and the shipping costs, so we are pretty happy to get the products back. The biggest loser is the guy who thought he had won a legitimate auction for two pumps. I do not know how he paid for it, but if he is fast enough he may be able to process a chargeback.

In case you did not already know, Home Depot had a data breach that is pretty similar to the Target breach. Since I am one of those Home Depot customers who are at risk, I took them up on their offer and signed up for their free identity protection from AllClearID. Like the first customer, I plan to check my card activity several times a week.

Fixing WordPress SEO Sitemap Problems

I decided to switch over to WordPress SEO (Yoast) yesterday and ran into a slew of problems with their sitemap generator: a 404 error, a blank screen, and sitemap.xml not being properly redirected to the new sitemap_index.xml. The first problem led me to this Yoast knowledge base article, My sitemap is giving a 404 error, what should I do? I fixed the first problem by adding the code to my .htaccess file. To fix the last two problems I added the RewriteRules for the xsl statement (Line 8) and sitemap.xml (Line 5). Now both sitemap.xml and sitemap_index.xml are being properly redirected and formatted. My Google Webmaster Tools is happy!

Note: The code below is for a WordPress blog in a sub-directory called wordpress.

# WordPress SEO - XML Sitemap Rewrite Fix (Apache .htaccess; the blog lives in /wordpress/)
RewriteEngine On
RewriteBase /wordpress/
RewriteRule ^sitemap_index\.xml$ /wordpress/index.php?sitemap=1 [L]
RewriteRule ^sitemap\.xml$ /wordpress/index.php?sitemap=1 [L]
RewriteRule ^([^/]+?)-sitemap([0-9]+)?\.xml$ /wordpress/index.php?sitemap=$1&sitemap_n=$2 [L]
# This rewrite ensures that the styles are available for styling the generated sitemap (no leading slash in .htaccess, and [L] not the nginx "last;").
RewriteRule ^([a-z]+)?-?sitemap\.xsl$ /wordpress/index.php?xsl=$1 [L]
# END WordPress SEO - XML Sitemap Rewrite Fix

R Portable Version 3.1.1 and RStudioPortable Version 0.98.977 Are Released!

R Portable Version 3.1.1 and RStudioPortable Version 0.98.977 have been released and are available at the R Portable project page, http://sf.net/projects/rportable/.

  • R Portable Version 3.1.1 incorporates the 3.1.1 version of R in a portableapps format.
  • RStudioPortable Version 0.98.977 incorporates the 0.98.977 version of R Studio in a portableapps format.

Did P. F. Changs replace a high tech security breach with a low tech security breach?

Last Wednesday my wife and I celebrated our 31st anniversary at P. F. Changs. We had a nice dinner and they ran our card through a manual imprint system. Today I noticed that they wrote my CVV on the receipt. That is not necessary if they were actually going to process my bill as a manual credit card transaction in which the card is present. Writing the CVV on the receipt means that they plan to process the charge later as a card-not-present transaction. For those of you who have jumped through the PCI hoops, you have to wonder what measures they are using to protect these receipts since they now include the CVV. In the PCI world there are some pretty serious restrictions on keeping the CVV information secure. This is a dumpster diver’s gold mine.

Okay, I am really annoyed. What is the best way for a company to continue their business after a data breach without annoying their customers? There are some interesting comments over at Krebs on Security, but I have my own recommendation. As a long time developer I look for good manual procedures to automate. In this case we are going in the opposite direction. We are breaking up a good automated procedure into standalone parts. In this case I would recommend creating a corporate web app to process the credit card transaction that would be very similar to the model used by internet retailers. In fact I would not be surprised if a corporate developer already has one they used to get through credit card processing certification. In this case either the waitperson or some other designated person enters the sixteen digit credit card number and CVV to run the transaction. If the transaction goes through, then you update the bill in the restaurant’s order system with the confirmation code or reference ID. Is this a little more work? Yes, but we literally have millions of people who enter their sixteen digit credit card number and CVV every day without exposing themselves to credit card fraud. There are a whole lot fewer PCI compliance issues with this procedure than with a manual imprint with the customer’s CVV on the receipt.

Curiouser and Curiouser… The Strange Story of TrueCrypt

I have been using TrueCrypt for several years. It is not the key cog in my security plan but it is helpful. The TrueCrypt development process looked trustworthy and professional. So I was shocked by the developer’s announcement last week. It was just so weird, I thought the site had been hacked. The developer’s explanation of why he was stopping development bordered on incoherent. What does the end of Windows XP maintenance have to do with anything? As an old IT guy I decided to wait this mess out. There was an ongoing security review of TrueCrypt which should sort some of the issues out. For those conspiracy buffs out there, Snowden was a big fan of TrueCrypt. This weekend I decided to see if I could still download the source. It was not available at the normal location, but I did locate it at Gibson Research Corporation, who I recognize from Shields Up fame. Considering their reputation in the security game, they had some interesting things to say.

Yes . . . TrueCrypt is still safe to use.

Although the disappearance of the TrueCrypt site, whose ever-presence the Internet community long ago grew to take for granted, shocked and surprised many, it clearly came as no surprise to the developers who maintained the site and its namesake code for the past ten years. An analysis of the extensive changes made to TrueCrypt’s swan song v7.2 release, and to the code’s updated v3.1 license, shows that this departure, which was unveiled without preamble, was in fact quite well planned.

For reasons that remain a titillating source of hypothesis, intrigue and paranoia, TrueCrypt’s developers chose not to graciously turn their beloved creation over to a wider Internet development community, but rather, as has always been their right granted by TrueCrypt’s longstanding license, to attempt to kill it off by creating a dramatically neutered 7.2 version that can only be used to view, but no longer to create new, TrueCrypt volumes.

Then, leveraging the perverse and wrongheaded belief that software whose support was just cancelled renders it immediately untrustworthy, they attempted to foreclose on TrueCrypt’s current and continued use by warning the industry that future problems would remain unrepaired. This being said of the latest 7.1a version of the code that has been used by millions, without change, since its release in February of 2012, more than 27 months before. Suddenly, for no disclosed reason, we should no longer trust it?

I will continue to use it until a better option becomes available. Although I doubt I will look at the code for security problems, I am curious what the security professionals find.

How To Migrate WordPress from Shared Hosting to a Cloud Server with Zero Downtime

Background

I have been a Bluehost customer for several years and generally speaking I have been pleased with the service I got from them. Recently I noticed some annoying variability in response time which appeared to be directly related to the shared host arrangement. I did a little shopping and found that for almost the same monthly price I could get a virtual server at DigitalOcean.

Objective

My primary objective was to migrate two shared host WordPress blogs and an open source web-based news feed (RSS/Atom) reader called Tiny Tiny RSS from Bluehost to a virtual server at DigitalOcean. A secondary objective was to replace my web analytics with Piwik.

My Plan

My plan was to follow the DigitalOcean tutorial, How To Migrate WordPress from Shared Hosting to a Cloud Server with Zero Downtime, with a couple of changes. The tutorial was written for Ubuntu 12.04 LTS and I would be installing 14.04 LTS. Since I am a Windows guy I would be using PuTTY for SSH sessions and WinSCP to transfer files.

Step 1. Create a Backup

The biggest change I made in this step was to back up the entire WordPress folder. Several services asked me to put little files in the root directory as part of their approval process. I also have a customized .htaccess file. Since my copies of WordPress are up to date, it was easier and faster to copy over the entire folder.

Step 2. Set Up the Cloud Server with LAMP Stack

Here:

  1. I followed the first four steps of the tutorial, Initial server setup for Ubuntu 14.04, but if I had to do it over again I would go ahead and configure ssh to restrict root login and explicitly permit certain users. Considering how many folks will be trying to break into your server, you might as well start locking down the server right away.
  2. Next I followed the tutorial, How To Install Linux, Apache, MySQL, PHP (LAMP) stack on Ubuntu 14.04.
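
An added example, not part of this post or of the DigitalOcean tutorials, of the check I would run after editing sshd_config in step 1. It reads the file the way sshd does, taking the first uncommented value of each keyword, and reports which restrictions are missing. It looks for PermitRootLogin no and an AllowUsers line (the two restrictions the step names) plus PasswordAuthentication no, which is my addition; Match blocks are not handled. The two sample configs are constructed for the demo.

```sh
#!/bin/sh
# Added example: verify that the SSH restrictions from step 1 are actually in
# effect in a sshd_config file. Not from the original post or tutorial.

# sshd_value FILE KEYWORD -> the effective value of KEYWORD in FILE.
# sshd uses the FIRST uncommented occurrence of a keyword, so that is what we
# print: a "PermitRootLogin no" added at the bottom of the file changes
# nothing if an earlier line still says otherwise. Match blocks are ignored.
sshd_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# check_sshd_config FILE -> 0 if every restriction is present; otherwise
# prints each missing one and returns 1.
check_sshd_config() {
    rc=0
    [ "$(sshd_value "$1" PermitRootLogin)" = "no" ] \
        || { echo "PermitRootLogin is not 'no'"; rc=1; }
    [ -n "$(sshd_value "$1" AllowUsers)" ] \
        || { echo "AllowUsers is not set (any account may log in)"; rc=1; }
    [ "$(sshd_value "$1" PasswordAuthentication)" = "no" ] \
        || { echo "PasswordAuthentication is not 'no' (password guessing still works)"; rc=1; }
    return $rc
}

# Constructed sample configs for the demo (not copied from a real server).
# The weak one shows the first-occurrence rule: the trailing "no" is ignored.
WEAK_SSHD_CONFIG='Port 22
PermitRootLogin without-password
PasswordAuthentication yes
# AllowUsers deploy
PermitRootLogin no'

HARDENED_SSHD_CONFIG='Port 22
PermitRootLogin no
PasswordAuthentication no
AllowUsers deploy backup'

# demo_check CONFIG_TEXT -> writes the text to a temp file and runs the check.
demo_check() {
    tmp=$(mktemp)
    printf '%s\n' "$1" > "$tmp"
    if check_sshd_config "$tmp"; then echo "ok: hardened"; else echo "not hardened"; fi
    rm -f "$tmp"
}

demo_check "$WEAK_SSHD_CONFIG"
demo_check "$HARDENED_SSHD_CONFIG"
```

Run `check_sshd_config /etc/ssh/sshd_config` before restarting sshd, and keep the current session open until a second login with the new settings succeeds, so a typo cannot lock you out.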
Step 3. Install WordPress

Since I was going to restore the entire WordPress folder I skipped this step.

Step 4. Create a Virtual Host

In this step I started to follow the tutorial, How To Set Up Multiple WordPress Sites on a Single Ubuntu VPS. In my case I was going to use a wordpress folder under the default directory for the main blog and a second folder under www for the second blog. I created two virtual host files, yourdomain.com.conf and yourdomain1.com.conf, for my two blogs. The original tutorial omitted the conf extension.

Step 5. Restore Database and Files

This is when I learned the most important lesson. My first MySQL backups were incomplete or bad when I tried to load them. I had poor results trying to load compressed files. So I made it simpler.

  1. I saved the MySQL backups to a temporary folder.
  2. I compressed them.
  3. I transferred them to the new server.
  4. I uncompressed them.
  5. I created the database and user.
  6. I loaded the uncompressed file.

To restore the WordPress files :

  1. I transferred the compressed file to the server.
  2. I uncompressed the file in the home directory.
  3. I copied the files to the web server using:
    sudo rsync -avP wordpress/ /var/www/html/wordpress/ 
    sudo rsync -avP firstsite/ /var/www/firstsite/
  4. Give ownership of the directories to the Apache web user and then add your Linux username to the web group (run the chown from inside each site directory so .htaccess and the other dotfiles are included):
    sudo chown -R www-data:www-data .
    sudo usermod -a -G www-data linux_user_name
  5. Configure each wp-config.php with the new MySQL usernames and passwords for the databases you just loaded.
  6. This is a good time to make sure that the WordPress permissions are set correctly (again from inside each site directory):
    sudo find . -type f -exec chmod 644 {} +
    sudo find . -type d -exec chmod 755 {} +
    sudo chmod 600 wp-config.php
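
An added example, not part of this post, that applies the permission scheme from step 6 and then verifies it, so a wp-config.php left world-readable or a 777 upload directory from a loose restore is reported rather than assumed fixed. Ownership is left to step 4 because chown needs root; the sample tree is constructed in a temp directory for the demo.

```sh
#!/bin/sh
# Added example: set and verify WordPress file permissions. Not from the
# original post.
#
# Caveat on step 4: whatever user owns the tree can rewrite it, and under
# mod_php that user is the one PHP runs as. A compromised plugin can then
# modify any file www-data owns. If the site does not need to update itself
# through the web, keep ownership with your own account and give www-data
# write access only to wp-content/uploads.

# set_wp_permissions DIR -> directories 755, files 644, wp-config.php 600.
set_wp_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    [ -f "$1/wp-config.php" ] && chmod 600 "$1/wp-config.php"
    return 0
}

# check_wp_permissions DIR -> 0 if nothing deviates from the scheme; otherwise
# prints each offending path and returns 1.
check_wp_permissions() {
    bad=$( {
        find "$1" -type d ! -perm 755
        find "$1" -type f ! -name wp-config.php ! -perm 644
        find "$1" -name wp-config.php ! -perm 600
    } )
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Demo on a constructed tree with the two usual mistakes.
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/uploads"
printf '<?php // constructed sample\n' > "$demo/wp-config.php"
printf '<?php\n' > "$demo/index.php"
printf 'x\n' > "$demo/wp-content/uploads/a.jpg"
chmod 777 "$demo/wp-content/uploads"   # world-writable upload directory
chmod 666 "$demo/wp-config.php"        # database password readable by every local user
echo "before:"; check_wp_permissions "$demo" || true
set_wp_permissions "$demo"
echo "after:";  check_wp_permissions "$demo" && echo "permissions ok"
rm -rf "$demo"
```

On the server run both functions as root against /var/www/html/wordpress and /var/www/firstsite; the check is cheap enough to keep in a cron job so a plugin update that loosens permissions gets noticed.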
Step 6. Test your Blog

For me everything worked except for mail and some hard coded links in the widgets. To solve the mail problem I installed the WordPress plugin, WP-Mail-SMTP, and sSMTP as a simple and lightweight MTA for the system messages. All of my messages are sent through Gmail.

Step 7. Update Your DNS Settings

If you are using a CDN like Cloudflare that is linked to your Bluehost account, this would be good time to deactivate it. I did not and the response time was all over the map for a day.

Step 8. Install phpMyAdmin, Piwik, Fail2Ban, and Logwatch
  1. I did not need to install phpMyAdmin but DigitalOcean does have a pretty simple tutorial showing how to install it.
  2. I was originally planning to install Awstats but Piwik looked like a better choice. The 5-minute Piwik Installation was easy.
  3. After a little browsing of the auth.log it was easy to see that there was too much SSH traffic that was not originating from me so the solution was to follow this tutorial, How To Install and Use Fail2ban on Ubuntu 14.04. After running Fail2Ban for a couple days it became apparent that I needed to permanently ban some folks. I followed the tutorial, Permanently Ban Repeat Offenders With FAIL2BAN.
  4. Obviously I needed to look at the log files on a daily basis until I get this SSH hacking under control. The solution in this case was this tutorial, How To Install and Use Logwatch Log Analyzer and Reporter on a VPS.
  5. The first thing I noticed from looking at the authentication failures in the pam_unix section was that some of the folks were spacing out their probes to get around the default settings for Fail2Ban. So I expanded the findtime, bantime, and maxretry. This caught some more hackers but it was still missing some others. So I brushed up on my grep, awk, and bash coding to find the worst of the bunch and ban them. Sorry China! There is something odd about restarting Fail2Ban. It looked like it was working but it was not banning IPs I thought it should. Sure enough, when I rebooted the server it would read the log file and immediately ban the IP.
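
An added example, not the author's script, of the grep/awk pass described in item 5: it scores every source address in an auth.log by failed attempts, regardless of how far apart the probes are, and prints the ban commands for the worst of them. It counts both the sshd "Failed password" lines and the pam_unix "authentication failure" lines that Logwatch reports, keyed on the sshd pid so one attempt that logs both is counted once. The log lines are constructed with documentation-range addresses, and the jail name passed to fail2ban-client is an argument because it depends on your jail.local.

```sh
#!/bin/sh
# Added example: find the worst SSH brute-force sources in auth.log and emit
# the commands that would ban them. Not from the original post.

# Constructed sample auth.log (RFC 5737 documentation addresses, not real attackers).
# Line 2 is the pam_unix twin of line 1: same pid, so it must not double count.
SAMPLE_AUTH_LOG='Jul 14 03:12:01 droplet sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 4422 ssh2
Jul 14 03:12:01 droplet sshd[1201]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5
Jul 14 03:12:04 droplet sshd[1203]: Failed password for invalid user oracle from 203.0.113.5 port 4430 ssh2
Jul 14 03:12:09 droplet sshd[1205]: Failed password for root from 203.0.113.5 port 4431 ssh2
Jul 14 03:20:41 droplet sshd[1221]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=root
Jul 14 05:20:41 droplet sshd[1298]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7  user=root
Jul 14 06:01:13 droplet sshd[1310]: Failed password for invalid user test from 192.0.2.9 port 5121 ssh2
Jul 14 06:05:00 droplet sshd[1312]: Accepted publickey for deploy from 192.0.2.50 port 6000 ssh2'

# top_offenders LOGFILE MIN -> "count ip" lines, worst first, for every
# source with at least MIN distinct failed attempts. Unlike Fail2Ban's
# findtime window this looks at the whole file, so slow probes still add up.
top_offenders() {
    awk -v min="$2" '
        # note(ip): count this line once per (ip, sshd pid) pair.
        function note(ip,   pid) {
            match($0, /sshd\[[0-9]+\]/)
            pid = substr($0, RSTART + 5, RLENGTH - 6)
            if (!((ip, pid) in seen)) { seen[ip, pid] = 1; n[ip]++ }
        }
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { note($(i + 1)); break }
        }
        /sshd\[[0-9]+\]: pam_unix\(sshd:auth\): authentication failure/ {
            for (i = 1; i <= NF; i++)
                if (sub(/^rhost=/, "", $i)) { if ($i != "") note($i); break }
        }
        END { for (ip in n) if (n[ip] >= min) printf "%d %s\n", n[ip], ip }
    ' "$1" | sort -rn
}

# ban_commands JAIL -> reads "count ip" lines on stdin and prints, without
# running, the fail2ban-client command that bans each address in JAIL, so the
# list can be reviewed (and your own address excluded) first.
ban_commands() {
    while read -r count ip; do
        echo "fail2ban-client set $1 banip $ip"
    done
}

log=$(mktemp)
printf '%s\n' "$SAMPLE_AUTH_LOG" > "$log"
echo "sources with at least 2 failed attempts:"
top_offenders "$log" 2
echo "ban commands for sources with at least 3:"
top_offenders "$log" 3 | ban_commands ssh
rm -f "$log"
```

On a real server this is `sudo sh -c '. ./offenders.sh; top_offenders /var/log/auth.log 20'` (auth.log is not world-readable), piped through `ban_commands` with the jail name from your jail.local, and the output pasted back in once you have confirmed none of the addresses are yours.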
Step 9. Take a Snapshot and Project Wrap-up

At this point I can say that the migration is complete. The sites are working and I fixed all of the configuration issues that showed up in the log files. The response time for the sites is much faster than on the shared host even though I added another application, Piwik. It looks like I can easily support another blog. I have another blog with a renewal date a couple of months from now.

The last thing to do was to take a snapshot or backup. So I took a manual snapshot as outlined in this tutorial, How To Use DigitalOcean Snapshots to Automatically Backup your Droplets, and it took about five minutes to complete.

For fun I charted the IPs I had already banned by country.

[Image: BannedIPs, chart of banned IPs by country]

R Portable Version 3.0.3 and RStudioPortable Version 0.98.501 Are Released!

R Portable Version 3.0.3 and RStudioPortable Version 0.98.501 have been released and are available at the R Portable project page, http://sf.net/projects/rportable/.

  • R Portable Version 3.0.3 incorporates the 3.0.3 version of R in a portableapps format.
  • RStudioPortable Version 0.98.501 incorporates the 0.98.501 version of R Studio in a portableapps format.

Publicize for Admin and Editor only

I think I found a bug in the Jetpack plugin for WordPress that is stopping me from publicizing my posts to social media sites. It worked under version 2.8 but was broken in 2.9. When I go back to the 2.8 version of publicize it works, so why did they change the code? I am guessing, but it looks like when they fixed the problem with "Publicize for Admin and Editor only" they created a new problem with publicizing posts created using Live Writer and maybe other methods. Here is the code I am talking about.

304,308d303
< 				if ( false == apply_filters( 'wpas_submit_post?', $submit_post, $post_id, $service_name, $connection_data ) ) {
< 					delete_post_meta( $post_id, $this->PENDING );
< 					continue;
< 				}
<
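
Review bot: the removed block is where a false result from the `wpas_submit_post?` filter cleared `$this->PENDING` on the post before skipping the service; if nothing else clears that meta after the move, a post the filter rejects stays flagged as pending. Either keep the `delete_post_meta( $post_id, $this->PENDING )` call at the new location of the check or note in the commit where PENDING is now cleaned up.
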
312a308,312
>
> 				if ( false == apply_filters( 'wpas_submit_post?', $submit_post, $post_id, $service_name, $connection_data ) ) {
> 					update_post_meta( $post_id, $this->POST_SKIP . $unique_id, 1 );
> 					continue;
> 				}
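
Review bot: the relocated check now records a false filter result as a persistent per-connection `$this->POST_SKIP . $unique_id` meta instead of discarding it, so a post rejected once is marked skipped for that connection and, unless something later removes the meta, will not be retried on a subsequent publicize pass. If the filter can legitimately return false on the first pass and true later (the post above reports exactly this for posts created through Live Writer), the skip flag needs a path that clears it, or the filter result should not be persisted at all.
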

Integrating Twitter Summary Cards Into Your Blog Using Jetpack And All In One SEO

Recently I was wondering why some tweets had extra graphic images in them. It looked like someone had figured out how to create a tweet from a blog post and include first image from the post in the tweet. That looked pretty cool. Here is an example.

[Image: example tweet with a summary card from alazycowboy]

There are two tricks here. The first trick is to configure Jetpack to publicize your post via Twitter. With Jetpack you can publicize your posts to several social media sites such as Facebook, Google+, and LinkedIn. Click here for more information on using Publicize. This will get you the standard tweet format. That is okay, but I wanted the tweet with more information and graphics in it. To get that format you have to use Twitter Cards and get it approved by Twitter. Here is the Twitter information on configuring Jetpack. There are several Twitter Card formats to choose from and I chose the Summary Card. The next trick is to find the plugin that generates the correct meta data for Twitter, validate the card, and apply for approval. I tried several different plugins with varying degrees of success at getting the first image in the post into the tweet. Then I discovered that the best plugin to generate Twitter meta data was one I already had installed, All In One SEO Pack. All I had to do was to activate the Social Meta feature and configure it. The changes I made were:

  1. I set Select OG:Image Source to “First Image in Content” to see the first image from the post.
  2. I deleted the default content in Default OG:Image to get rid of the default image.

When I was happy with the layout of the Summary Card preview, I applied for approval. I read somewhere that it takes up to 72 hours to get approved but my approvals arrived within a few minutes. Enjoy!

KrebsOnSecurity reports that the network credentials of Fazio Mechanical were stolen by a password-stealing malware called Citadel

KrebsOnSecurity reports that the network credentials of Fazio Mechanical were stolen by a password-stealing malware called Citadel. This is what I feared. Recently I spent a lot of time working through some problems updating McAfee ASAP because I was pretty sure it had better malware protection than Microsoft Security Essentials.

The breach at Target Corp. that exposed credit card and personal data on more than 110 million consumers appears to have begun with a malware-laced email phishing attack sent to employees at an HVAC firm that did business with the nationwide retailer, according to sources close to the investigation.

Since Citadel is not a new threat, I assume it must be a modified version that was not detected by the virus/malware checking software. I wonder if the current versions of the top virus checking software catch it now. My desktop version of Outlook is twice protected via McAfee’s SaaS. My private email is protected by Yahoo (Symantec). Hmm… I wonder what Fazio was using?

How Did I Miss Knowing About WordPress Jetpack?

I was playing around with the WordPress app on my Android phone when it told me to install Jetpack if I wanted to see statistics on my phone. This has been a long time annoyance of mine. You could only see statistics with the Android app if you hosted your blog on wordpress.com. To make up for this deficiency I installed a couple of web statistics plugins. So I thought why not one more. I already had a WordPress.com userid. So I went back to my laptop, installed the plugin, and connected to wordpress.com. To my surprise there were 31 features that I could enable with Jetpack and some of these features were interesting. Since there are so many new features I opted to start off small and connect my blog with my Twitter, LinkedIn, and Google+ accounts. Let’s see what happens when I publish this post.

IIS, MySQL, WordPress, and The Famous 5-Minute Installation

Yesterday I was upgrading some programs on my home laptop and realized I had an old version of MySQL, 5.1. The current version is 5.6. The 5.1 version of MySQL was installed when I used Microsoft’s Web Platform Installer to install a test WordPress blog. This is a really easy way to check out software when it works, so I set out to upgrade MySQL to the latest version. Surprisingly there is no way to upgrade or remove MySQL using the Web Platform Installer. So I downloaded the community upgrade from www.mysql.com and ran the upgrade. It did not work. I kept getting an unhandled exception error message during the upgrade. Since I did not have any important information in the database, I uninstalled the current version and installed the 5.6 version. Now MySQL is working, but I kept getting password errors when I tried to install a new blog using either the Web Platform Installer or Microsoft’s WebMatrix. So I did a complete MySQL reinstall using these instructions for Windows 7 from serverfault.com.

  1. Uninstall MySQL using the uninstaller.
  2. Delete C:\Program Files\MySQL
  3. Delete C:\Program Files (x86)\MySQL
  4. Delete C:\ProgramData\MySQL
  5. Delete from any Users’ AppData folders. Example: C:\Users\rdoverby\AppData\Roaming\MySQL
  6. Reinstall MySQL

This did not fix my problems with Web Platform Installer or WebMatrix. Since I had phpMyAdmin working under IIS and a working version of MySQL, I opted to try “The Famous 5-Minute Installation”. I copied an old WordPress installation to a new folder, followed the instructions, and in about five minutes I had a new WordPress blog working on my laptop.

Mr. Zients Versus The Mythical Man Month

Last week I had to chuckle when Mr. Zients announced that "by the end of November, HealthCare.gov will work smoothly for the vast majority of users." I am one of the few long time www.healthcare.gov visitors and have been anxiously looking forward to improvements since 2010 when I first complained the insurance finder was useless. Although I admire his chutzpah, the two things I can say for sure are that there will be a touchdown dance on November 30th and there will still be a lot of serious problems to fix. The touchdown dance is the easy part of his task. Unfortunately the American people are married to this software. Like a bad Las Vegas wedding in which we hate to admit our mistake, we will trudge onward for the sake of the children.

The first problem facing Mr. Zients is that the administration has ignored the software engineering and project expertise of Fred Brooks, whose central theme in his book, “Mythical Man Month”, is that "adding manpower to a late software project makes it later." They have already announced their plan to hire QSSI to come in and fix the problems with the web site in 30 days. Adding more people and thinking this will fix the problem is a big problem. Saying that it has to be done in 30 days has me in alternating fits of laughing and crying. As a person who has made his living fixing “other people’s code” for thirty years, this solution is a recipe for disaster and no one seems to be listening. So let me frame the problems facing this system with a diagram from the book, Mythical Man Month.

[Image: MythicalManMonth, the Program / Programming System Product quadrant diagram from the book]

Using the analogy from the book, software products start out in the “Program” quadrant and are transformed via generalization, testing, documentation, maintenance, and system integration into a “Programming System Product”. The “Programming System Product” in our case is www.healthcare.gov and the final acceptance test is whether the American people can use it to purchase subsidized insurance. In 1974 Mr. Brooks asserted that a “Programming System Product” costs nine times as much as the “Program”, so the vast majority of the cost and effort is spent generalizing, testing, documenting, and integrating the interfaces. Unfortunately for Mr. Zients this part of software engineering has not changed over the years.

From the reports I have read there has been very little testing and the specifications for the programming interfaces did not go out until eight days before the launch. It looks like most of the money and effort was spent in the “Program” quadrant and very little was spent in the areas that would actually result in a successful “Programming System Product”. This reeks of management failure. As part of the 1% who successfully got through the application process far enough to download a copy of my potential insurance plans, I can say that the site has a lot of serious problems. It brings a whole new meaning to the term, “bad beta site”. Although I have no doubt that this new contractor, QSSI, can clean up the code discussed in this Reddit thread, the other problems that have been reported are more daunting and time consuming. Here is a short list of problems in no particular order.

  1. The usability problems pointed out by the NN group
  2. The back end problems pointed out by Dan on marginal revolution.
  3. The 834 problems pointed out by Sarah Kliff on the Wonkblog
  4. Identity theft  problems pointed out at MotherJones.

I think both the Affordable Care supporters and detractors agree that despite the fact that the web site is a clusterfark of monumental proportions, it will get fixed eventually. The question is whether it will be sufficiently complete and secure in time. Since they ignored my old web development adage, “copy the best and ignore the rest”, maybe they should start looking at an exit plan that involves joining forces with the “best in the business”. There is still time for letting www.eHealthinsurance.com and its six competitors finish a smaller, less politicized version of the job and minimize the impact of a failed www.healthcare.gov.

Cross posted at alazycowboy.com

The Mythical Man Month

With the web site problems of www.healthcare.gov dominating the news, I was reminded of the classic book on software project management from my era, The Mythical Man Month. Surprisingly I found out that the first edition is available at archive.org. I guess it is too late to recommend that someone in the Department of Health and Human Services read it before throwing more people at the project.

Some people might argue that a book written in 1975 is not relevant to today’s project managers. Well, here is a shorter IEEE article, Why Software Fails, written in 2005 that echoes a lot of the same sentiments. If we believe the www.healthcare.gov reporting is accurate then this project has already exhibited many of the factors that should cause the project to fail. Read it and weep! In that article the authors say:

Why do projects fail so often?

Among the most common factors:

  • Unrealistic or unarticulated project goals
  • Inaccurate estimates of needed resources
  • Badly defined system requirements
  • Poor reporting of the project’s status
  • Unmanaged risks
  • Poor communication among customers, developers, and users
  • Use of immature technology
  • Inability to handle the project’s complexity
  • Sloppy development practices
  • Poor project management
  • Stakeholder politics
  • Commercial pressures