Let’s Encrypt Apache With Multiple Virtual Host Files

Over the holidays I converted this site over to use SSL using a free SSL certificate from Let’s Encrypt since the folks at Digital Ocean had written a nice tutorial, How To Secure Apache with Let’s Encrypt on Ubuntu 14.04. The problem was that the installation script partially worked. It created a SSL certificate for multiple hosts but it did not update any of the virtual hosts files. So I had to update the files manually using the template in the /etc/letsencrypt folder. To get an “A” rating from Qualys SSL Server Test I had to download the intermediate certificate https://letsencrypt.org/certificates/. Finally I redirected all of my encrypted traffic to the SSL site. Here is what my Apache host configuration file looks like.

<virtualhost *:80>
ServerName mysite.com 
Redirect / https://mysite.com/ 
<virtualhost *:80>
ServerName www.mysite.com 
Redirect permanent / http://mysite.com/ 
<virtualhost *:443>
ServerName mysite.com 
DocumentRoot /var/www/html 
ErrorLog ${APACHE_LOG_DIR}/error.log 
CustomLog ${APACHE_LOG_DIR}/access.log combined 
SSLEngine on 
# Intermediate configuration, tweak to your needs 
SSLProtocol all -SSLv2 -SSLv3 
SSLHonorCipherOrder on 
SSLCompression off 
SSLOptions +StrictRequire 
SSLCertificateFile /etc/letsencrypt/live/mysite.com/fullchain.pem 
SSLCertificateKeyFile /etc/letsencrypt/live/mysite.com/privkey.pem 
SSLCertificateChainFile /etc/letsencrypt/lets-encrypt-x1-cross-signed.pem 

R Portable Version 3.2.3 has been Released! Download R Portable for free! http://bit.ly/1SW96rk via @sourceforge

R Portable Version 3.2.3 has been released and is available at the R Portable project page, http://sf.net/projects/rportable/.

  • R Portable Version 3.2.3 incorporates the 3.2.3 version of R in a portableapps format.

R Portable Version 3.2.2 has been Released! Download R Portable for free! http://bit.ly/1JmwEp7 via @sourceforge

R Portable Version 3.2.2 has been released and is available at the R Portable project page, http://sf.net/projects/rportable/.

  • R Portable Version 3.2.2 incorporates the 3.2.2 version of R in a portableapps format.

R Portable Version 3.2.1 has been Released! Download R Portable for free! http://bit.ly/1JbYrro via @sourceforge

R Portable Version 3.2.1 has been released and is available at the R Portable project page, http://sf.net/projects/rportable/.

  • R Portable Version 3.2.1 incorporates the 3.2.1 version of R in a portableapps format.

R Portable Version 3.2.0 has been Released! Download R Portable for free! http://bit.ly/1OuYdJM via @sourceforge

R Portable Version 3.2.0 has been released and is available at the R Portable project page, http://sf.net/projects/rportable/. Please update RStudio to the latest version to avoid the “Error in tools:::httpdPort < = 0L" error when using RStudio with R 3.2.0.

R Portable Version 3.1.3 has been Released! Download R Portable for free! http://bitly.com/1G2ejZU via @sourceforge

R Portable Version 3.1.3 has been released and is available at the R Portable project page, http://sf.net/projects/rportable/.

  • R Portable Version 3.1.3 incorporates the 3.1.3 version of R in a portableapps format.

How To Quickly Install Packages With A New R Installation

Okay, Joel, here it is. I got these instruction off of the Internet but I do not remember who was the original source.

  1. I keep this file in a RStudio project I call installed_packages.
  2. Before I upgrade I run the first two line to update the package_list.
  3. After I upgrade I go back to project, un-comment the install.packages line and run it.
  4. I also have a line in there if you want a csv copy of the installed packages.
#Get currently installed packages

package_df < - as.data.frame(installed.packages())
package_list <- as.character(package_df$Package)
#write.csv(package_df, file = "package_df.csv")
#Re-install Install packages

A Better Windows Command Prompt

This month I have been fooling around with ConsoleZ. ConsoleZ by Christophe Bucher is the open sourced Windows Command Prompt replacement and is a fork of the more popular replacement application, Console2 by Marko Bozikovic. Since I was already using Console2 I already had customized tabs for Windows Command prompt, Ipython, Powershell, MinGW shell, and some custom DOS/Powershell applications. One of the tabs I wish I had was a DOS prompt with Administrator access. So I searched the web and found that Ben Garrett had solved that problem and few others I did not know I had in his post, Create A Better Windows Command-line Prompt. So I added an Administrator console tab, ANSI color, a DOSKEY macro to start Notepad++, GOW, and a colorized version of ls. It is almost as functional and colorful as a Linux prompt now. 😉 Here is what it looks like.


Over 90 percent of data breaches in first half of 2014 were preventable

This ZDNET article, “Over 90 percent of data breaches in first half of 2014 were preventable”, had me intrigued but it was their summary that really caught my attention. Since the latest explanation of how the North Koreans hacked Sony was that they stole a system administrator’s password by some method that is not discussed but vaguely confirmed by the NSA, we would have to conclude that the Sony breach was probably a staff mistake.

The Online Trust Alliance says that a high percentage of data breaches were the result of staff mistakes — rather than external hacking.

dpd_graphic_2015_final_150px_1According to a recent Online Trust Alliance press release about 47% of data breaches was the result of staff mistakes and 40% were the result of external intrusions. Here is what they said.

OTA also announced that it has analyzed over a thousand breaches involving the loss of personally identifiable information (PII) in 2014, as reported by the Open Security Foundation (OSF) and the Privacy Rights Clearinghouse. OTA found that only 40 percent were the result of external intrusions, while 29 percent were caused by employees—accidentally or maliciously—due to a lack of internal controls. The balance of incidents were primarily attributed to lost or stolen devices or documents (18 percent) and social engineering/fraud (11 percent).

If The Sony Hack Was An Inside Job, When, Why, And How Did North Korea Decide To Plant A Spy At Sony?

There are a lot of loose ends with the Sony hack that bother old IT guys like me. Kim Zetter in the article, The Evidence That North Korea Hacked Sony Is Flimsy, makes the point that nation-state attacks are not normally this noisy. This attack was public and filled with revenge-filled rhetoric that sounded distinctly non-North Korean.

Marc Rogers in the article, Why the Sony hack is unlikely to be the work of North Korea, goes a step farther and says an insider is the likely culprit.

3. It’s clear from the hard-coded paths and passwords in the malware that whoever wrote it had extensive knowledge of Sony’s internal architecture and access to key passwords. While it’s plausible that an attacker could have built up this knowledge over time and then used it to make the malware, Occam’s razor suggests the simpler explanation of an insider. It also fits with the pure revenge tact that this started out as.

So if we are to assume that the attack is from North Korea, we have to ask when, why, and how did they plant a spy at Sony? The mainstream news media seems to be proceeding under the premise that the North Koreans could walk into Sony either literally or electronically and collect extensive knowledge of Sony’s architecture including key passwords in a relatively short period of time. I think this supports main stream media’s agenda that this is technology problem all we need to do is install the latest and greatest firewall. The reality is that this type of hack is typically an inside job so it is a primarily a personnel rather than a technology problem. In most major corporations this type of broad access requires lots of time since security is compartmentalized and transferring passwords to new people is dependent on developing trust. Password management in a large corporation like Sony can be further enhanced by delegating password control to different people. In this case the passwords for administering email, human resources and accounting systems are probably controlled and periodically changed by the people who have operational control of those systems. So if the insider working for the North Koreans is a new hire or contractor then they must have been inserted into Sony months ago. This begs the question of why did the North Koreans target Sony months ago, develop such a sophisticated operation, and then release detailed information about this operation to the world. All of this work for a movie! The North Koreans may be crazy but I do not think they are stupid!

If this hack is not North Koreans consumed by revenge over a movie, we have to conclude the insider was a long time employee or contractor who got the data directly off the servers or via malware installed on certain key computers. We are looking for a person with a Edward Snowden profile. Although some people who are skeptical of the North Korea explanation see a government conspiracy, my guess is our law enforcement agents are temporarily feeding the public misinformation to buy more time to complete the investigation and arrest the suspect while still in the United States.

For a detailed list of the Sony hack events check out the Riskbased Security article, A Breakdown and Analysis of the December, 2014 Sony Hack.

R Portable Version 3.1.2 has been Released! Download R Portable for free! http://bitly.com/1G2ejZU via @sourceforge

R Portable Version 3.1.2 has been released and is available at the R Portable project page, http://sf.net/projects/rportable/.

  • R Portable Version 3.1.2 incorporates the 3.1.2 version of R in a portableapps format.

Strengthening 2-Step Verification with Security Key – Part II

A couple of days I ago I wrote the post, Strengthening 2-Step Verification with Security Key, and yesterday I got the security key. I guess parcel post from France is pretty quick! I had to reboot the computer before I could get the hardware drivers to install. It took about two minutes to register the key with both of my gmail accounts after it finished booting. Pretty cool!

Today I tested it at work. The first step was to insert the security key and let Windows 7 install the drivers. Once again my luck installing the drivers was better after I rebooted. Then I cranked up Chrome and went to gmail. Google asked me to login. After I entered the password, it asked me to install the security key. In a couple of seconds it had validated and I was redirected to my inbox. I took the key out and put it back in my storage bag. Although I have entered my password several times as I browsed my security settings, it did not require access to the security key.

The last task was to create an app specific password for gmail for those applications that will not use the security key.

Strengthening 2-Step Verification with Security Key

I was reading the Google article, Strengthening 2-Step Verification with Security Key, and decided to see how much strengthening my security would cost. Everyone says they want better security until they see the price tag. Surprisingly a security key does not cost much. The cheapest key on Amazon comes from Plug-up International, costs $5.99 with $2.00 postage, and my estimated delivery date is November 10. I can do that!

Discover’s Low Tech Solution To Improve Credit Card Fraud Protection

25a_thumb.jpgLast week Discover notified me that due to the Home Depot data breach, my Discover debit card was going to be re-issued. Their solution is not cheap but it is the best way to improve credit card fraud protection.

An Interesting Wrinkle On Credit Card Fraud

This is the first incident we have seen in which an auction site was used to launder money for stolen credit cards.

Yesterday we ran into an interesting new wrinkle on credit card fraud. A customer called us because they did not recognize a credit card charge on their bill. We had an order in our system with the correct billing address but they did not know the person the order was being shipped to. This is the typical way we find out about credit card fraud but this time when we called the person who it was being shipped to and she answered the phone. This was a first! She said that her husband probably ordered it and told us to call him. So we called him and he said he had ordered not one but two pumps from an auction site. Sure enough our order system said we had shipped a second pump to his wife using a completely different credit card and billing address. This is the first incident we have seen in which an auction site was used to launder money for stolen credit cards! Fortunately FedEx had not delivered either pump so we asked FedEx to return the pumps to us. Today we called the second customer and confirmed that they were unaware that their credit card had been stolen. We told them that a credit card refund had been processed and recommended that they notify their credit card company of the fraud. In this case the people whose credit card data was stolen did not lose any money. Typically we lose both the product and the shipping costs so we are pretty happy to get the products back. The biggest loser is the guy who thought he had won a legitimate auction for two pumps. I do not know how he paid for it but if he is fast enough he may be able to process a charge back.

In case you did not already know Home Depot had a data breach that is pretty similar to the Target breach. Since I am one of those Home Depot customers who are at risk, I took them up and signed up for their free identity protection from AllClearID. Like the first customer I plan to check my card activity several times a week.

Fixing WordPress SEO Sitemap Problems

I decided to switch over to WordPress SEO(Yoast) yesterday and ran into a slew of problems with their sitemap generator, a 404 error, a blank screen, and a sitemap.xml not being properly re-directed to the new sitemap_index.xml. The first problem led me to this Yoast knowledge base article, My sitemap is giving a 404 error, what should I do? I fixed the first problem by adding the code to my .htaccess file. To fix the last two problems I added the RewriteRules for the xsl statement(Line 8) and the sitemap.xml(Line 5). Now both sitemap.xml and sitemap_index.xml are being properly redirected and formatted. My Google Webmaster Tools is happy!

Note: The code below is for a WordPress blog in a sub-directory called wordpress.

# WordPress SEO - XML Sitemap Rewrite Fix
RewriteEngine On
RewriteBase /wordpress/
RewriteRule ^sitemap_index.xml$ /wordpress/index.php?sitemap=1 [L]
RewriteRule ^sitemap.xml$ /wordpress/index.php?sitemap=1 [L]
RewriteRule ^([^/]+?)-sitemap([0-9]+)?.xml$ /wordpress/index.php?sitemap=$1&sitemap_n=$2 [L]
# This rewrite ensures that the styles are available for styling the generated sitemap.
RewriteRule ^/([a-z]+)?-?sitemap\.xsl$ /wordpress/index.php?xsl=$1 last;
# END WordPress SEO - XML Sitemap Rewrite Fix

R Portable Version 3.1.1 and RStudioPortable Version 0.98.977 Are Released!

R Portable Version 3.1.1 and RStudioPortable Version 0.98.977 have been released and is available at the R Portable project page, http://sf.net/projects/rportable/.

  • R Portable Version 3.1.1 incorporates the 3.1.1 version of R in a portableapps format.
  • RStudioPortable Version 0.98.977 incorporates the 0.98.977 version of R Studio in a portableapps format.

Did P. F. Changs replace a high tech security breach with a low tech security breach?

25aLast Wednesday my wife and I celebrated our 31st anniversary at P. F. Changs. We had a nice dinner and they ran our card through a manual imprint system. Today I noticed that they wrote my CVV on the receipt. That is not necessary if they were actually going to process my bill as a manual credit card transaction in which the card is present. By writing the CVV on the receipt that means that they plan to process the charge later as a card not present transaction. For those of you who have jumped through the PCI hoops, you have to wonder what measures they are using to protect these receipts since they now include the CVV. In the PCI world there are some pretty serious restrictions on keeping the CVV information secure. This is a dumpster diver’s gold mine.

Okay, I am really annoyed. What is the best way for a company to continue their business after a data breach without annoying their customers? There are some interesting comments over at Krebs on Security but I have my own recommendation. As a long time developer I look for a good manual procedures to automate. In this case we are going in the opposite direction. We are breaking up a good automated procedure into standalone parts. In this case I would recommend creating a corporate web app to process the credit card transaction that would be very similar to the model used by internet retailers. In fact I would not be surprised if a corporate developer does not already have one they used to get through credit card processing certification. In this case either the waitperson or some other designated person enters the sixteen digit credit card number and CVV to run the transaction. If the transaction goes through then you update the bill in the restaurant’s order system with the confirmation code or reference ID. Is this a little more work? Yes but we literally have millions of people who enter their sixteen digit credit card number and CVV every day without exposing themselves to credit card fraud. There are a whole lot less PCI compliance issues with this procedure than a manual imprint with the customer’s CVV on the receipt.

Curiouser and Curiouser… The Strange Story of TrueCrypt

I have been using TrueCrypt for several years. It is not the key cog in my security plan but it is helpful. The TrueCrypt development process looked trustworthy and professional. So I was shocked  with the developer’s announcement last week. It was just so weird, I thought the site had been hacked. The developer’s explanation on why he was stopping development bordered on incoherent. What does the end of Windows XP maintenance have to do with anything? As an old IT guy I decided to wait this mess out. There was an ongoing security review of TrueCrypt which should sort some of the issues out. For those conspiracy buffs out there, Snowden was a big fan of TrueCrypt. This weekend I decided to see if I could still download the source. It was not available at the normal location but I did locate it at Gibson Research Corporation who I recognize from Shields Up fame. Considering their reputation in the security game, they had some interesting some things to say.

Yes . . . TrueCrypt is still safe to use.

Although the disappearance of the TrueCrypt site, whose ever-presence the Internet community long ago grew to take for granted, shocked and surprised many, it clearly came as no surprise to the developers who maintained the site and its namesake code for the past ten years. An analysis of the extensive changes made to TrueCrypt’s swan song v7.2 release, and to the code’s updated v3.1 license, shows that this departure, which was unveiled without preamble, was in fact quite well planned.

For reasons that remain a titillating source of hypothesis, intrigue and paranoia, TrueCrypt’s developers chose not to graciously turn their beloved creation over to a wider Internet development community, but rather, as has always been their right granted by TrueCrypt’s longstanding license, to attempt to kill it off by creating a dramatically neutered 7.2 version that can only be used to view, but no longer to create new, TrueCrypt volumes.

Then, leveraging the perverse and wrongheaded belief that software whose support was just cancelled renders it immediately untrustworthy, they attempted to foreclose on TrueCrypt’s current and continued use by warning the industry that future problems would remain unrepaired. This being said of the latest 7.1a version of the code that has been used by millions, without change, since its release in February of 2012, more than 27 months before. Suddenly, for no disclosed reason, we should no longer trust it?

I will continue to use it until a better option becomes available. Although I doubt I will look at the code for security problems, I am curious what the security professionals find.