Gmail Password Breach? Not!

Ignore all the breathless media panic about Gmail passwords being exposed. See the Google Security Blog here: http://googleonlinesecurity.blogspot.com/2014/09/cleaning-up-after-password-dumps.html

Do follow the recommendations in the Google Blog: enable two-factor authentication, use a strong password, don’t use the same password, etc.

The only site to check if your email address has been ‘found’ is https://haveibeenpwned.com/ . This site is valid and honest.

Using INI files on PHP sites

I’ve built some personal web sites using PHP. I’ve been working on one site that I hope to bring public soon. The site will contain some personal information that must be encrypted, so I have been using code that is (hopefully) secure from potential exposure. There is data stored in a database, and some of that data will need to stay confidential against any outside hacks. The intent is to write code that stores data securely, even if the source code files are compromised. Of course, it is difficult to reach that level of security, but there are techniques that help with it.

One of the techniques, which I am documenting here (mostly for my own benefit), is to have some variable data used by the code pages stored in an area away from normal web access. Think of the credentials used for database access, for instance. That is data that needs to be used by the code, but should not appear in the code files that use the data. So we need a way to store the variable data in an outside file for use by any code page that needs it.

There are several steps involved in this. First, we need a plain text file that contains the variable values. The data is stored in an array; in this example, the array is called ‘config’. Here is the file (parameters.txt) that defines the array containing the variables:

[config]
xProgram = "My Program Name"
xHeading1 = "The Heading 1 Text"
xHeading2 = "The Heading 2 Text"
xText = "This is the true text that belongs to the program"

Note that we have used double-quotes to surround text with space characters. That’s to ensure that there won’t be a problem (and an error) if the text string contains a reserved word (as in the xText value).

The configuration file is read into a variable (let’s call it $xvariable), which will contain the arrays as defined in the configuration file. So the $xvariable array will contain those four values. We can reference each value with code similar to $xvariable[‘config’][‘xProgram’], which will contain the value ‘My Program Name’ once you have read the file contents into an array called $xvariable. You can define multiple array names within the brackets if you need additional data arrays. And you might want to consider non-specific names for the variables, such as numbers instead of the descriptive names shown above.

Now that we have created the parameters.txt file, we need a secure place to put it. Normally, you would want to place this file outside of the site root, but you may not have access outside of the site root on some shared hosting systems. So we will place it in a subfolder of the site root called ‘xini’. That means the configuration file will be accessed as ‘./xini/parameters.txt’.

With the file in the ‘xini’ folder, we need to protect that folder (and any files within that folder) from prying eyes. This is done by putting the following commands in an ‘.htaccess’ file. These commands will prevent access to any file with a ‘txt’ extension.

<FilesMatch "\.txt$">
Order allow,deny
Deny from all
</FilesMatch>

There are lots of other places that discuss .htaccess files, so go there if you need more info.

At this point, we have the configuration file built, stored in the ‘xini’ folder, and protected by the .htaccess file.

Next, we need a function to read the parameters.txt configuration file and make the ‘config’ array available to the other code pages. Here, we will use a function that we store in our functions ‘include’ file.

function show_ini() {
    global $config;
    // check that the ini file is there
    if (!file_exists('./xini/parameters.txt')) {
        die("Did not find the file.");
    }

    // file found, read it into the $config array; the second argument (true)
    // keeps the [config] section as a sub-array so $config['config']['xProgram'] works
    $config = parse_ini_file('./xini/parameters.txt', true);
    if ($config === false) {
        die("Could not parse the file.");
    }

    return;
}

We just call the show_ini function at the top of the functions.php file (the code file that contains all of the functions used by the program). Since all pages ‘include_once’ the functions.php file, the config array will be available to all code pages.

Note that we use the ‘global’ command at the beginning of the function so that the config array will be available outside of the scope of the function. Another note: you will have to ensure that the page that calls the function can get to the file using the path you specify in the file_exists and parse_ini_file, so adjust that as needed. And some additional error trapping, or a more friendly ‘die’ process would be useful to add.

But the process allows you to store confidential information outside of the code pages. Of course, access to all of the site’s source code files will be a concern, but (hopefully) there are other protections against that exposure.

[added 3 Oct 2014]

I found that the ini file can contain ‘//’ comments or ‘/*’ and ‘*/’ pairs. But you can’t put any parentheses or square bracket characters in the ini file. If you do, the parameters in the ini file won’t be read.
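Here is an added example (not the post’s own code) of the same technique written as a loader that returns the array instead of relying on a global, and that fails safely: it throws on a missing file or a parse error (which is what an unquoted reserved character or a stray bracket produces) so the page can log the detail and show the visitor only a generic message. The function names load_ini_config and ini_value, and the temporary file used to hold a constructed copy of parameters.txt, are assumptions for this example; in a real site the path would point at the ‘xini’ folder or, better, outside the web root.

```php
<?php
// Added example, not the original post's code. The names below
// (load_ini_config, ini_value) and the temp-file path are assumptions.

declare(strict_types=1);

/**
 * Read a sectioned INI file and return it as a nested array,
 * e.g. $cfg['config']['xProgram']. Throws instead of die() so the
 * caller decides how to fail (and can avoid echoing paths to the browser).
 */
function load_ini_config(string $path): array
{
    if (!is_file($path) || !is_readable($path)) {
        throw new RuntimeException('Configuration file is missing or unreadable.');
    }

    // Second argument true: keep [config] as its own sub-array, which is
    // what makes $cfg['config']['xProgram'] work.
    $cfg = parse_ini_file($path, true, INI_SCANNER_NORMAL);
    if ($cfg === false) {
        // parse_ini_file() returns false (and emits a warning) on a syntax
        // error such as an unquoted reserved character; treat that as fatal.
        throw new RuntimeException('Configuration file could not be parsed.');
    }

    return $cfg;
}

/**
 * Fetch one key from one section, with a clear error instead of a PHP
 * notice when the section or key is absent.
 */
function ini_value(array $cfg, string $section, string $key): string
{
    if (!isset($cfg[$section][$key])) {
        throw new RuntimeException("Missing setting: [$section] $key");
    }
    return (string) $cfg[$section][$key];
}

// Constructed sample matching the post's parameters.txt, written to a
// temporary file so the example runs stand-alone.
$sample = <<<'INI'
[config]
xProgram = "My Program Name"
xHeading1 = "The Heading 1 Text"
xHeading2 = "The Heading 2 Text"
xText = "This is the true text that belongs to the program"
; values with spaces or reserved words (true, on, none ...) must stay quoted
INI;

$tmp = tempnam(sys_get_temp_dir(), 'ini');
file_put_contents($tmp, $sample);

try {
    $cfg = load_ini_config($tmp);
    echo ini_value($cfg, 'config', 'xProgram'), PHP_EOL;
    echo ini_value($cfg, 'config', 'xText'), PHP_EOL;
} catch (RuntimeException $e) {
    // Keep the detail server-side; the visitor sees only a generic message.
    error_log($e->getMessage());
    echo 'Site configuration error.', PHP_EOL;
} finally {
    unlink($tmp);
}
```

Returning the array (or passing it to the functions that need it) rather than declaring a global keeps the credentials out of every page’s scope, and throwing rather than calling die() lets the page log the real reason without printing file paths to the browser.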

The Internet Never Forgets

I had someone call me about their web site ‘disappearing’. All that was there was a ‘Parked’ page from the hosting place. It wasn’t a very important site, just a few pages with some pictures, and a few custom products that he sold. No blog, no custom programs, no databases, etc. And he didn’t have a backup of the pages. But he still wanted the site back. So I took a look at things.

I looked at the domain registration, and the domain name was still registered to him, with an expiration date that had not passed. The nameservers pointed to the web hosting place, which was as expected.

With the credentials for the hosting place in hand, I took a look at his hosting account. He had apparently used the hosting place’s ‘web creator’ to create his web pages. I couldn’t find any files anywhere. Apparently, the ‘web creator’ program stored them in a place I couldn’t get to. And it looked like he let the site hosting service expire. So since there was no content, the ‘parked’ page is now seen at the site.

The site would need to be rebuilt. And he didn’t have the source files for the site; but he wanted the site back up quickly.

So I turned to the Internet’s “WayBack Machine” (www.archive.org) to see if they had a cached copy of the site. They did, so I looked at the latest version they had (March 29, 2014). I opened up the main site page, grabbed the source code for each page (with a View Source), and plugged it into my HTML editor (I use Adobe Dreamweaver, but any HTML editor would have worked). I also copied the graphic images to my local computer. I did this for all of the pages that the WayBack Machine had (the entire site). Luckily, the site was not that complex (about 10 pages plus the graphics files) and a simple order form.

Then, I went into the Dreamweaver editor, adjusted the image links, and rearranged the image files into a separate folder (the CF editor adjusted the HTML code for those links automatically). I then used the Dreamweaver ‘link checker’ to ensure that all links/images/etc. were valid. All was well with my local copy of the site.

He wasn’t too happy with the hosting place (a small operation), so we set up an account at JustHost (disclosure: it’s what I use, and I‘ve been happy with it; that link gives me a small commission on new accounts at the same price as their main link). Since the domain name was registered somewhere else, I went through the somewhat convoluted process of transferring the domain name to the new JustHost account. I also set up the ‘nameservers’ for the domain to point to the new JustHost account. Then I transferred the files there. I then checked the pages and links at the remote (JustHost location), and the site pages worked properly.

After a short propagation delay (while all the nameservers in the world get the updated information), the site was active and visible.

The lesson here? A few points to consider:

  • Don’t Panic
  • If you have a web site hosted somewhere, pay attention to any notices about renewing services there (I am assuming that a notice from the hosting place may have gotten lost in his emails)
  • If the site is truly ‘gone’ from where it should be, Don’t Panic (again)
  • Use the “WayBack Machine” to find your site. It will probably be there. Perhaps not the latest version, but a place to start.
  • Use the techniques described above to rebuild your site and place it on your hosting location.
  • Backups of your site to an alternate location are always a good idea. That includes any databases used and any custom programs. For instance, I use a popular plugin to email me a daily backup of this WordPress site’s database.
  • Don’t Panic

The recovery technique worked, as evidenced by the reappearance of his web site. There may be some minor adjustments needed, and perhaps some content updated, and I set up a procedure for him to store site backups at an alternate location. But the technique will work.

The Internet Never Forgets.


Keeping Clean

If your computer is plagued by popups and other junk, you may have wondered how it got that way. Lots of different reasons, but here is what I do to keep my computer clean.

  • Whenever you search for something with any search engine, the first few results are going to be paid ads. Those results may look like what you want, but usually aren’t. I never click on the paid results on any search. They probably aren’t what you want anyhow.
  • Many times, those paid results are going to cause problems. For instance, if you search for ‘fixing something’, the ‘fixes’ you get when you click on a paid ad are probably going to make things worse. You’ll get a pitch for an ‘easy and free’ program to help ‘fix’ your problem. Just don’t go there. Ignore the paid results, and carefully look at the non-paid results to get what you were looking for.
  • Never click on a pop-up, no matter where it is. They are just trouble. Especially the ones that claim to be updates for some program (‘click here for an updated version of whatever to view this page’). Just don’t click.
  • Now there are times when a valid popup will ask you to update things. An example is a Windows update, or maybe one from your browser. Proceed carefully, Grasshopper. Windows Updates are good, and you should do them when they ask. But make sure that the update is for something you have, or is from the actual vendor site, not one that looks like it.
  • Wherever you go, tread carefully. Even a mainstream news site might cause a popup asking you to do something. Again, just say no.
  • If you need to install a program, make sure that you install it from the vendor’s actual site, not one that looks like it. And beware of add-in programs that come with an update. Adobe is a place where you will get additional programs when you try to install an update. Watch for those pre-selected check boxes for additional browser plugins or other programs. If you need to get an Adobe update, then do it, but don’t get all the extra stuff they try to force on you.

We’ve had other posts on how to keep your computer safe. Here’s the quick list.

  • Do the Windows Updates.
  • Make sure your antivirus is current.
  • Install Windows Security Essentials anti-virus program (pre-Windows 8; it’s built into Windows 8).
  • Install the free Personal Software Inspector program from Secunia to keep your other programs current.
  • Uninstall Java (unless you are sure that you need it).
  • Don’t use the same password on multiple sites.
  • Make sure your password is complex and hard to guess.
  • Don’t do financial transactions at a public Wi-Fi spot.
  • Be careful of public WiFi spots.
  • Don’t click on popups.
  • Do backups (I use an automated backup-to-the-cloud service – Carbonite).

With a bit of effort, you can keep your computer clean. And make your browsing life much simpler.

iDevice Ransom

The reports of ‘ransom’ locking of iDevices from Australia are starting to spread to other countries, including the US. The process involves locking your phone as if you had reported it stolen. The attacker changes the access PIN on your phone, and asks for $100 (US/Euro) to unlock.

One clear explanation is here http://www.symantec.com/connect/blogs/apple-ids-compromised-iphones-ipads-and-macs-locked-held-ransom .

Any iDevice user (not just iPhone) should immediately change the password on their Apple account, and also change the access lock code on their device. The above article has good advice on what to do to prevent the attack.

Heartbleed Thoughts – and a Phishing Warning

There is lots of noise on the interwebs about the Heartbleed vulnerability. Here are my thoughts on the whole thing, in no particular order:

  • This vulnerability has been around for two years, I believe. And there is no logging available that would tell you that you or a web site got attacked.
  • The Internet Storm Center (isc.sans.org) guys did raise their alert level to yellow, and strongly encouraged all site administrators to check and fix. But that applies to site administrators, not to “Aunt Minnie”.
  • Media reports that tell you you must change all your passwords immediately are overblown. Although it is a good idea to reset passwords occasionally, it might be better to wait on that for a few days. Of course, when you reset your password, don’t use the same one as on other sites.
  • ‘Watchful Waiting’ is probably the best action for individual users to take now. People should watch their financial accounts, and perhaps change their passwords in a few days (which will let sites remediate as needed). And make sure that you don’t share credentials (user/pass) between sites.
  • It is probably good that site owners make sure their sites are not vulnerable, and patch accordingly.

But there is some excitability going on, and perhaps the risk to the user is not as great as the media would make it seem.

Here’s what I think:  *If* a site was vulnerable, and *if* you logged into that system, and *if* an evildoer did the attack after you logged in, then you *might* have your credentials stolen. And *if* you changed your password on a vulnerable site during an attack, your credentials *might* be compromised. But that is a lot of *if’s* to worry about.

Although the “Heartbleed” thing is a risk, my view is “Watchful Waiting” is a good idea, but “Don’t Panic”.

Now, you may start seeing some “Heartbleed Phishing” emails, with some dire warnings and helpful links for you to click on to ‘help’ you reset your password. In general, it is not a good idea to click on a link in an email, even if it looks legitimate. If you want to reset your password on a site, then go there by manually typing in the site link, logging in, and then change your password. Don’t click on those helpful links in any email.

In the meantime, keep practicing Safe Computing (see here for some hints). Don’t Panic; just be careful out there.


Redesigning and Testing

Over the holidays, I have set up a new theme for Dr. Jerry Pournelle’s Chaos Manor blog. The new theme is now ‘responsive’, which means that his posts are going to be more readable on mobile devices.

That was not without some minor issues. There are tons of themes out there, but it is difficult to find a theme with all of the features that are needed. In addition, Dr Pournelle is somewhat set in his ways on how to write content for his site. He wants more control over the visual look of his posts, so he needs to easily see how things look before he publishes.

When we first moved him to the WordPress platform, we had to move him away from FrontPage and into a visual editor. We decided on Windows Live Writer, which had the advantage of giving him a close approximation of the final look of his posts before he publishes. Live Writer had most of the features he needed, and for those he was used to that it lacked (mostly fonts and how to get pictures into his posts) we figured out some workarounds.

With the new theme on his site, we have found that Live Writer has some shortcomings. One in particular: fonts. Live Writer offers the fonts that are available on his computer, but those fonts are not necessarily the same fonts available on the web site. So things would look as he wanted them on his local system (in Live Writer), but the published post would substitute fonts away from what he had selected.

So, I’ve been spending a bunch of time trying to find the ultimate combination of responsive theme with an editor that will show posts that will look the same while editing and when it is published.

So this site is the ‘test-bed’ of that search. The current theme is “Graphene”, which has lots of customization options. I’ve also installed the TinyMCE Advanced editor plugin. The combination of the two appears to be what is needed. The TinyMCE Advanced options allow customization of the editor screen. The Graphene theme seems to support having the published posts look like the post on the editor screen. The Graphene theme options allow for the customization of theme settings. Plus it is responsive, so it should look OK on mobile devices.

So, this place has changed the look, and it will change as I tweak things to get closer to the ultimate needs. And perhaps this will provide the features that Dr. Pournelle needs for his site.

Another Form Spammer Blocking Success Story

I’ve written before about blocking form spam here and also here. You can look at all the details there.

And I have another form spammer blocking success story — on one of my other sites, the DigitalChoke blog.

I wrote about it there; take a peek if you are interested in how to block form spam on your blog or web site.

It really works. And it is really easy to implement. And it is really free.

Check it out. You can get form spam blocked on your site.

Getting and Staying Safe

You’ll find lots of places that will advise you on safe computing. Here’s my quick advice.

  • Install all Windows updates
  • Install Microsoft Security Essentials – free antivirus program. If you already have an antivirus program on your computer, and it is current, go ahead and use that. If it has expired, just uninstall it, then install MSE from the Microsoft Protect site (www.microsoft.com/protect). After installation, get any updates, then do a quick scan of your computer. Do a full scan later; they take a while. If MSE finds anything, delete it. (BTW, there are some good computer safety tips on that site.)
  • Install Personal Software Inspector from Secunia (www.secunia.com). It’s free. It will keep all of your other programs current. Do a scan, update everything.
  • Uninstall Java. Look for it in Control Panel, Add/Remove Programs. It is probably not needed on your computer. (Some business applications use it; if so, make sure it is updated.)
  • Change all of your online passwords. Don’t use the same password everywhere. Don’t use dictionary words. This is important, especially on financial sites.
  • If you access your financials on-line, don’t do it at a public place. Do it at home, where you have a password for your wireless Internet. (You do have your home wireless password-protected, right?)
  • Be careful about clicking on any links in emails or Facebook or other social sites. Be careful when any place asks you for your user name and password. Make sure it is legit.

So there’s some quick tips about getting and staying safe.

Oh, and one other thing. Your data is important. I use Carbonite to automatically back up all of my data without any effort on my part. Use this link: http://refer.carbonite.com/a/clk/1Tjw3f (Disclosure: I get a finder’s fee if you sign up, but there is no additional cost to you. I’ve been a Carbonite user for more than two years, and am very satisfied.)

More Form Spammer Blocking

A few posts ago, I wrote about a technique to block form spammers. It is very effective, and easy to implement. More details in the post there, or you can see it in action at FormSpammerTrap.

I made a tweak to the program that allows for a resubmit of the form when a correction needs to be made to a field that doesn’t implement the form spammer blocking trick. A small tweak to add the blocking function, but needed on one of the sites that has implemented it.

Full details are found at the FormSpammerTrap site. The technique is still open source, free, no obligation. And it just works. I put it on another site today that was having form spam problems, and the technique stopped the form spam immediately.

Check it out.