
Deerfield Hosting, Inc.

High Performance Web Hosting


Search Engine Optimization and Blogs

September 7, 2013 by dennis

This morning I was asked (slightly modified):

I noticed our blogs show up easily and on first pages on Google searches, however our new web site pages hardly show up (except for a few) on first pages.  Is that because it’s new and hasn’t been indexed by google yet? I have noticed if I modify a blog, Google searches find the new information within a few days or even overnight.

The Yoast SEO WordPress plugin shows many web site pages are now SEO [search engine optimized] friendly (green light status) yet they don’t show up.  I’m just curious if  there’s a logical reason my Word Press blogs get quicker Google attention than my SEO web site pages.

Google is very good at picking off certain kinds of search engine “optimizations” and will reduce rankings when it finds them.

When people do searches, Google attempts to differentiate when they are looking for information as opposed to looking for places to buy things.  In searches perceived to be for information, pages with the clear purpose of making sales are ranked negatively in order to drastically cut down the number of such pages returned in favor of pages with useful information.

They try to help people find what they are looking for, not help other people sell stuff. When it comes to serving interests, they are steadfastly on the side of the searcher.  They want people to like and use their service.  As a generality, the more closely you and Google share the same intent, the better your rankings will be.

Blogs which are written as information sources without “salesy” language do well in page listings because they parse as information. Lexicology, which studies word and phrase patterns, is an important part of how they do their rankings.  Using lexicology, it’s not hard to differentiate language meant to sell things, language trying to rank well or language meant to convey useful information.

As part of a course I took in artificial intelligence, I did a project to classify textual information into subject, relative content usefulness and reveal biases. It used a lexical database to analyze the documents. I fed it thousands of news and information articles. About 50 people read as many randomly chosen articles as they were willing to and then answered questions derived from the analysis. That information was fed into a neural network to teach it how to classify articles using the lexical analysis. Later, when I asked the same people to rate results returned, I was able to show statistically that the vast majority of people would agree with the choices returned on searches which included not only subject but also the information value and biases contained in the results.  I found it fascinating and a bit startling that it was so easy to do this.

When you type in search terms, then click on results, then click on different results, Google records and uses the information to refine what it returns in subsequent searches. If you ignore the first three pages and click on the fourth page, that page may rank higher when other people do similar searches. But if you come back and click on something else without much time elapsed (meaning you didn’t like what you looked at) then the page is likely to rank lower next time. This information is collected and used in real time and changes constantly. Given the massive volume of pages analyzed and searches done, they are always going to be miles ahead of attempts to manipulate results.

That is just one aspect of how they rank results, but it’s an important one.  And it is essentially impervious to manipulation.

There is an entire industry devoted to search engine optimization, almost all of which is naive and worthless. Naive attempts to improve rankings are much more likely to do the exact opposite. The best way to get good rankings is to provide good content, to provide information people look for.  At this point common sense should tell you to be very careful how you link into sales pages from information pages.  If you are selling products, good product descriptions without overt sales language are probably the best way to do this.  For example, in an informational article you might say “for more information ……”.

Other aspects of how they rank pages include how recently added the information is and how active website changes are. The presumption is that an actively changing site is responding to its visitors and that in turn implies attempts to provide useful or interesting information.

I’m not an expert on this subject, but then neither are the vast majority of those who think they are or claim to be. What I do know from watching websites come and go for the last 10 years is that sites which are actively maintained and updated and have high quality content succeed far more often than others.  Blog software such as Word Press is a great way to do this because it allows you to concentrate on content rather than getting bogged down in the more technical aspects of web page design.

Most web site designers concentrate on the look and feel.  Certainly that’s important to create good first impressions, but it’s the words that attract visitors and sell things.

Filed Under: Word Press Notes

Privacy and Security

June 10, 2013 by dennis

We have many emails this morning with questions about privacy and security.   Given the news over the weekend, this is not surprising.  A person with more than top secret security clearance at the NSA (the [American] National Security Agency) revealing secret capabilities is a very big deal.

If you haven’t already heard about this, let me suggest that you get information from as close to the source as possible.  I have already observed news sources injecting bias.  Most of that is due to ignorance, but some appears to be willful.  Most reporters lack the background and will dish out what they have been spoon fed by some “expert”.  There is often a heavy bias.  Be careful what you believe.  The real story is NOT the whistle blower!  It is what he is talking about. The Guardian

The intent here is to provide some basic information about network security.  It relates to email and your personal information on the Internet.  Network security is a huge topic.  Any opinion about what the NSA has done or may do in the future will be hopelessly naive without a reasonable understanding of what is possible.

The recent revelations have been no surprise to people involved with computer security.  That the capabilities exist has been common knowledge for a long time.

Passwords

To get an idea how long it takes to crack a password, take a look at GeodSoft Password Cracking Time Calculator. The problem with this site is that it doesn’t mention what computing power is being brought to bear.  The time it takes to crack the typical password with a typical desktop computer is about 2 days using brute force methods (trying every combination).  Using dictionary words cuts that down to under an hour.

To consider what the NSA is capable of, you can divide that by at least 1 million.  An article about passwords with more detail.

A good password provides adequate protection against criminal activity, but this is only true for 3 reasons:  1) most criminals are stupid,  2) smart criminals have an abundance of easy targets,  3) what you have that they want isn’t worth the trouble.  If you make it hard, they will move on.  If someone smart with access to a super computer wants to know your password, he can get it.  You have no defense, unless you also have a super computer.

SSL and TLS – Secure web pages and email

SSL and TLS use public and private keys to provide encryption.  The source computer provides a public key which the destination computer uses to encrypt what it sends and decrypt what it receives.  It takes a lot of computing power to do this without the private key.   It is in essentially the same class as very good passwords.  For some (scary) detail please read this.

Many years ago in a college class on computer security, the instructor described a paper written in the late 1970s by a friend of his, a mathematician.   She had used a PDP-11 to generate mathematical key signatures which could then be used to crack any encryption in existence within a few minutes.  If you don’t know, a PDP-11 had considerably less computing power than your cell phone.  When she was about to present the paper, she was quietly taken aside by some unexpected guests.  The paper was never presented anywhere nor published and she moved on to other areas of research.  It’s safe to say that the NSA and FBI know all about her work.  It’s also safe to say they have expanded on it over the last 30 years.

SSL is excellent protection against common criminals and snooping individuals, but against the resources of a government or a consortium of smart criminals, it’s useless.

Implications

There are techniques which go beyond what is described above.  The simplest to understand employ rotation schemes.  They are based on the idea that if it takes 1 minute to crack a cipher, but the cipher is changed several times per second, in theory the system can’t be cracked.  In practice, it boils down to the attacker simply needing several thousand times the computing power of the target.  Too hard for criminals, relatively easy for governments.  The NSA can protect its secrets.  Individuals can’t.

Most likely you will see news stories about who has and has not given unfettered server access to the NSA.  Google, Yahoo, Facebook and Microsoft, just to name a few, are loudly proclaiming that they have not.  Given that the NSA has no need to be “granted” access, this is completely irrelevant.  If they want access, they have it.  It’s as simple as that.

Over the next few days you will hear various assertions being made about the safety of your personal information.  You need to listen carefully because there are no absolutes.   It is impossible to fully deliver on guarantees.  Every case is relative.

Data Mining

This is the process of detecting patterns in data which have implications and then searching for other occurrences of the same patterns.   It goes beyond seeing who a terrorist was in phone contact with.  When an organization follows standardized procedures, their activities generate patterns.  For example, a terrorist sleeper cell might be detectable from phone and Internet records without any advance knowledge of the individuals placing or receiving the calls, just from their frequency, duration and places of origination and termination.

The problem is that the target organization can be anything.  That includes a group of individuals who might be seeking political change.  Having identified such a group, counteracting it by co-opting its goals is a common political strategy.   So is discrediting the individuals involved.  Information is power.

Those are the facts.  You can choose to believe or not believe how far the NSA has gone.  You can choose to trust or not to trust the government of the United States.

It is a historical fact that no significant weapon ever developed has gone unused.  Even nuclear weapons have been used without being fired in the same way a gun pointed at someone’s head is a weapon being used.  I personally think it would be naive to believe that it’s all a mirage or that these capabilities will never be abused.   It’s instructive to remember G. Gordon Liddy and why the American government has a division of power.

The question is what to do about it.  Would you be interested in enhancements to protect your email privacy?  To protect your on-line privacy?  The integrity of your information on our servers?

You may be interested in learning more about The Tor Project

Please comment.  If you are uncomfortable doing so in public, do so in private.

Filed Under: Web Site Security

Some Security Questions

May 24, 2013 by dennis

This morning we had an email asking about setting up a secure web site.

I want to set up my own private “cloud backup” because the one I bought into and set up was a big ripoff and I’m pissed at them. My problem is that my own websites are not secure, get hacked, etc.

I wondered if I bought a SSL certificate, would that make one of my domains hosted with you be totally like Fort Knox or just no difference at all, except more outgo (expense) for that particular domain.

Is there ANY solution to get super safe online storage whatsoever?

There is no such thing as a totally secure web site. As far as that goes, there is no such thing as a totally secure server either. This applies to everyone everywhere. Always. The only computer which is totally secure is one which is OFF.

Having said that, it is quite possible to have and maintain a web site which can be characterized as “safe”. You only need to do a reasonably good job of security and it is extremely unlikely that you will ever get hacked. The miscreants who do these things don’t need to go to great lengths to find exploitable web sites. If you just make it hard for them, 99% of the time they will simply move on.

Your web sites do seem to get hacked at a greater rate than our other customers. I suspect that this is because you buy and install so many php scripts.

It is the basic nature of PHP that it is insecure.  If you simply write code, it will be vulnerable.  Having written it you need to go back and with a very sophisticated understanding of how compromises are engineered, bullet proof it.  99.9% of amateur programmers lack a sufficient understanding of security to do this.

Probably more than 50% of professional programmers lack the skills as well.  It’s hard.  Take Word Press as an example.  It is written by the best.  Yet every few months new vulnerabilities are found in it.

Since the advent of broadband and computers typically always on, the number of computers connected to the Internet which are (in varying degrees) compromised is presently estimated to be about 35%. In other words, more than a third of those machines are compromised. The people who do these things have gotten very good at it. The basic problem is that the design of Windows operating systems is flawed regarding security. Attempts to make it and keep it secure are band-aids after the fact.

You need to use a very high quality virus scanner and keep it running. Because scanners use signatures to identify viruses and new ones appear constantly, it’s not enough merely to have it running. You can get infected with a new one not yet in the database. This is why you need to periodically run scans, to pick up what may have slipped through.

Did you have in mind to use your account with us as an online backup solution? Is that what you meant by “cloud backup”?  This is against our terms of service.    TERMS

With 5 copies of everything and the use of very expensive servers to provide fast web site service, it’s ridiculously too expensive to be used that way. We can provide such space if you really want it, but have to charge for it separately.

Consider buying yourself a hard drive with a USB interface for backups. Unplug it and it meets the OFF condition I mentioned above! It’s also faster and easier than an online solution.

Super long and complex passwords only provide slightly better security than one which simply has: upper and lower case; a number; a special character (like ‘#’). Don’t waste time on this. An 8 or 9 character password which meets those conditions is fine.

An SSL certificate merely encrypts traffic to and from a web site. It is a significant improvement in security to log in and administer back-ends using SSL. But this is not the basic problem. If there is a vulnerability in a program or script, it is as easily exploitable over an SSL connection as over one not encrypted.

My guess is that more than 99% of site compromises I see are done using kiddie scripts.  A kiddie script is an attack script to exploit a particular vulnerability in a particular set of scripts.  They are downloaded and used by people who have no idea how they work.

If you pay basic attention to security and keep your scripts up to date, your chances of ever getting compromised are very low.

Filed Under: Web Site Security

Word Press Plugins

May 23, 2013 by dennis

Word Press plugins come in many flavors.  Because so many look interesting, it can be tempting to install a lot of them.  Remember – the more plugins you have active, the slower your site will run.  It can make a very big difference.   You may not notice a difference in speed, but web site traffic often consists of load spikes.  It’s when many people are accessing a site at the same time that you might see a difference.   Also, every extra plugin creates a new target for attackers.  Unless a plugin is providing functionality you regard as important, don’t install it.  Uninstall any you are not using.  Often, less is more.

  • Rule 1 – Less is more
  • Rule 2 – Keep them up to date!
  • Rule 3 – Delete plugins you are not using.  This is for security.
  • Rule 4 – Do not use plugins which are not actively maintained.  If a plugin has not been updated in a year or more, it is likely a security hazard.  I once lost a site because of this.

Highly Recommended Plugins

Akismet – This plugin is so useful it is automatically installed with Word Press.  What it does is filter out comment spam.  A busy site can get hundreds of such comments daily and it’s an annoyance to get rid of them.  Akismet requires an activation key which is free for personal sites.  A donation is requested for commercial sites.

Word Fence – This plugin provides firewall functions and site hardening.  In just a few seconds you can dramatically reduce the vulnerability of your site.  To install it, click “Plugins” -> Add New.  Search for “Word Fence”.  After installing and activating it, you need to do some basic configuration.  After installation, a dashboard menu choice will appear.  Click on that to configure and check things.

Database backup – Generally on our servers this is not needed as we do this automatically.  The danger with many of the settings is that they will interfere with other plugins.  For most sites, simply clicking on, “Secure My Site From Basic Attacks” is 98% sufficient.  Next, run through the options.  If you simply change everything in RED, your site will be about 1,000 times more secure than the usual WP site.  If you have a very busy or controversial site, you may want to take this further.  Most attackers are looking for low hanging fruit and there is plenty of that around.

Anti Captcha – This plugin is invisible to users, but stops automated login attempts.

Recommended Plugins

Jetpack – by WordPress.com – a highly useful collection of functionality.

Ultimate TinyMCE – This plugin adds a lot of useful editor features.  After you install and enable it, click on the new dashboard menu choice.  Some of the things which can be added are color backgrounds, fonts and styles, various buttons and media functions.  When you add features, be sure to select Row 3 or it can make a mess.

Shortcodes Ultimate – This plugin provides many additional visual features.  Among them are tabs, dividers, drop caps, fancy boxes and too many more to mention.  Many plugins include some of these features, but this one has a longer list.

WordPress SEO by Yoast – The developer is a senior Word Press developer so this is a really advanced plugin.  Search engine optimization is the tip of the iceberg.  It includes social media, XML sitemaps, permalink behaviors and many ways to modify a site’s internal structure.  It also includes many buying opportunities which I haven’t tried.

NOT Recommended Plugins

Any Cache Plugin – Keeping a cache is far more likely to slow down your site than it is to speed it up.  Our servers are optimized to serve web sites.  This means that the server itself runs many kinds of cache simultaneously, mostly in memory, but also on disk in a raw form which outperforms the file system.  Memory is thousands of times faster than disk I/O.

A cache plugin has to analyze what is being requested, generate signatures and then search on disk for those signatures.  Paradoxically, the larger the cache is, the longer all this takes.  98% of the time it would have been faster to simply generate the content from scratch, partly because doing so takes advantage of the server cache.  The pieces are usually pulled from memory rather than requiring any I/O.

A good way to speed up a Word Press blog is to use a content delivery network like Cloud Flare.  We are partnered with Cloud Flare to offer this to you for free.  Be sure to enable railgun to take maximum advantage of Cloud Flare.  Contact us if you want to discuss this.

Filed Under: Word Press Notes

DDOS and Your Web Site

April 12, 2013 by dennis

At this moment, Friday April 12 2:15 EDT 2013, global Internet traffic is well above normal and in some places more than 100% above normal. The trouble is, it isn’t normal traffic.  The extra is attacks on web sites.

DDOS stands for “distributed denial of service”.  This is the most difficult threat to defend against because it comes from thousands of computers simultaneously, each making service requests.  Usually the requests are designed to be as resource intensive as possible such as attempting to log in to services.

It’s not hard to account for where the attacks are coming from.  More and more computers are connected full time to the Internet and owned by ever less sophisticated users.  They make ripe targets for hackers.  Literally hundreds of thousands of such machines have been compromised.   Large networks of compromised machines have been put together this way.

You may not think so, but yours may be among them.  We have been seeing more sites compromised lately than ever before and the explanation tends to be hackers getting in by means of compromised passwords.   There have been some very effective viruses active lately which silently steal passwords and watch and wait for accounts to compromise using them.  Some are sophisticated enough to disable virus scanners unnoticed.  This means it is essential to occasionally scan your machine using software newly installed on it.  Probably less than 1 tenth of 1 percent of users do this.

You may have noticed a rise in spam to your inbox lately and a decline in that over the last few days.  Last week, the main service we use to help filter out spam was hit by a DDOS attack on a scale never seen before.  In the past, traffic has generally peaked at about 100 Billion bits per second.  Yes, 100 GBps.  That’s about 10 times faster than typical networks can go.  The attack on Spamhaus peaked out at 300 GBps.  This meant that we could barely reach them to do the usual spam checks.  Not to lose email, we sometimes have no choice but to let email in unchecked.

DDOS attacks are a serious threat to the entire Internet and they are going to get worse.

Currently Word Press blogs are a particular target. Some sources are reporting as many as 90,000 to 100,000 different IP addresses (individual computers) launching login attempts against sites on a single server.  The default installation uses “admin” as the login name, so all an attacker has to do is keep trying different passwords.  The goal is to further enlarge networks of compromised computers.

We run strong firewalls and scan every web request against known attacks, more than 10,000.  It is not possible to prevent compromises while still allowing normal activity like user logins.  Entry is gained by means of vulnerable scripts and weak passwords.

What you can do is make sure your passwords are up to the threat.  A good password is at least 8 characters long, contains a number, upper and lower case letters and a special character (#!@$ for example).  If you are running Word Press, install the limit-login-attempts plugin.  If you are using a weak password, please, change it right now.

We have added failed login checking to our firewalls.  When more than a few login attempts fail, the source is blocked.  This may cause some inconvenience, but will help considerably with server performance.  Note that this covers only service logins and not logins you may have on your web site.
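An added example (not Deerfield Hosting's firewall code) of the failed-login check described above, run over constructed access-log lines. It also counts distinct failing sources, because an attack spread over many addresses stays under any per-address limit. The thresholds, the window and the rule that a POST to /wp-login.php answered with 200 is a failed login are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

WINDOW = timedelta(minutes=5)  # assumed look-back window
MAX_FAILS_PER_IP = 3           # assumed reading of "more than a few"
MAX_SOURCES = 4                # assumed: more distinct failing IPs than this = distributed


def log_line(ip, hhmmss, method, status):
    """Build one constructed access-log line for the sample data below."""
    return (f'{ip} - - [12/Apr/2013:{hhmmss} -0400] '
            f'"{method} /wp-login.php HTTP/1.1" {status} 3120')


# Constructed sample traffic: documentation-range addresses, invented requests.
SINGLE_SOURCE = [log_line("203.0.113.7", f"14:00:0{i}", "POST", 200) for i in range(5)]
DISTRIBUTED = [log_line(f"198.51.100.{i}", f"14:01:0{i}", "POST", 200) for i in range(1, 7)]
NORMAL_USER = [
    log_line("192.0.2.10", "14:02:00", "GET", 200),   # loads the login form
    log_line("192.0.2.10", "14:02:05", "POST", 200),  # one mistyped password
    log_line("192.0.2.10", "14:02:20", "POST", 302),  # then a successful login
]


def failed_logins(lines):
    """Yield (time, ip) for each failed login found in the log lines.

    Assumption: WordPress redisplays the form with status 200 when a login
    fails and answers a successful login with a 302 redirect.
    """
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        if (m["method"] == "POST" and m["path"].startswith("/wp-login.php")
                and m["status"] == "200"):
            yield datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"]


def analyse(lines):
    """Return (ips_to_block, distributed_attack_seen) for time-ordered lines."""
    per_ip = defaultdict(deque)  # ip -> times of its failures inside the window
    recent = deque()             # (time, ip) of all failures inside the window
    block, distributed = set(), False
    for ts, ip in failed_logins(lines):
        q = per_ip[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:
            q.popleft()
        if len(q) > MAX_FAILS_PER_IP:
            block.add(ip)
        recent.append((ts, ip))
        while ts - recent[0][0] > WINDOW:
            recent.popleft()
        if len({src for _, src in recent}) > MAX_SOURCES:
            distributed = True
    return block, distributed


if __name__ == "__main__":
    for name, sample in [("single source", SINGLE_SOURCE),
                         ("distributed", DISTRIBUTED),
                         ("normal user", NORMAL_USER)]:
        print(name, analyse(sample))
```

The distributed sample blocks nothing per address yet still raises the flag, which is why the password and limit-login-attempts advice above matters in addition to the firewall rule.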

Nonetheless, you may notice some sluggishness as these attacks escalate.  Please understand that we are on it.

Filed Under: At Deerfield Hosting, Inc.

Email Should Never Bounce

March 18, 2013 by dennis

Don’t be lulled into the idea that great big rich companies automatically have high quality correctly configured Internet service. It is very common for outbound email service to be incorrectly configured.

A big part of the problem is that Microsoft email servers are configured incorrectly out of the box. They work correctly in the common cases and testing frequently stops there. At that point they will not use a backup or secondary email server AND they fail to keep things on a queue for a few hours to work around temporary failures as the standards dictate.

It is virtually impossible for your inbound email service to be completely down. There are 2 servers in different data centers capable of receiving mail. Yet, I commonly get reports of bounced email when our main mail server is off line. There is absolutely no excuse for that because the secondary is available.
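An added example (not code from any mail server) contrasting the sender behaviour described above with a sender that tries every MX host in preference order and queues the message on temporary failure. The host names, retry interval and queue lifetime are assumed values, and the network is simulated by a callable.

```python
RETRY_INTERVAL = 30 * 60        # seconds between queue runs (assumed value)
QUEUE_LIFETIME = 5 * 24 * 3600  # keep retrying this long before bouncing (assumed value)

# Hypothetical MX records as (preference, host); lower preference is tried first.
MX = [(20, "mx2.example.com"), (10, "mx1.example.com")]


def attempt_delivery(mx_records, connect):
    """One delivery attempt across all MX hosts.

    connect(host) returns the SMTP reply code or raises OSError when the
    host cannot be reached. Returns ("delivered", host), ("bounced", host)
    or ("deferred", None).
    """
    for _pref, host in sorted(mx_records):
        try:
            code = connect(host)
        except OSError:
            continue                  # unreachable: move on to the next MX
        if 200 <= code < 300:
            return "delivered", host
        if 500 <= code < 600:
            return "bounced", host    # a reachable server rejected it permanently
        # 4xx reply: temporary failure, try the next MX
    return "deferred", None           # nothing worked now: keep it on the queue


def naive_delivery(mx_records, connect):
    """The misconfiguration described above: primary only, no queue."""
    _pref, host = min(mx_records)
    try:
        code = connect(host)
    except OSError:
        return "bounced", host
    return ("delivered" if 200 <= code < 300 else "bounced"), host


def run_queue(mx_records, connect_at):
    """Retry every RETRY_INTERVAL; bounce only once QUEUE_LIFETIME is used up.

    connect_at(host, now) is the simulated network at time `now` (seconds).
    Returns (outcome, host, time_of_outcome).
    """
    now = 0
    while now <= QUEUE_LIFETIME:
        outcome, host = attempt_delivery(mx_records, lambda h: connect_at(h, now))
        if outcome != "deferred":
            return outcome, host, now
        now += RETRY_INTERVAL
    return "bounced", None, now


# Constructed scenarios.
def primary_down(host):
    if host == "mx1.example.com":
        raise ConnectionRefusedError("primary offline")
    return 250


def two_hour_outage(host, now):
    if now < 2 * 3600:
        raise TimeoutError("both data centres unreachable")
    return 250


if __name__ == "__main__":
    print("naive sender, primary down:  ", naive_delivery(MX, primary_down))
    print("correct sender, primary down:", attempt_delivery(MX, primary_down))
    print("correct sender, 2 h outage:  ", run_queue(MX, two_hour_outage))
```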

Next time anyone, and especially a Great Big Company, tells you they couldn’t get an email to you, demand that they send you a copy of the mail with the failed headers. I can almost guarantee they will reveal a configuration error on their server. It’s only by pointing out their problems that they will become aware of and correct them. They should want to know they have a problem.

Filed Under: Email


Copyright © 2023 · Deerfield Hosting