Monday, October 15, 2012

How hacker could steal your information?

As oppose to explaining this topic from the technical point of view which most technical people would prefer to, I would give some examples on how hackers could steal your information the low-tech way.

The most common method of a hacker to steal your data the low-tech way is by using social engineering. It does not require any technology at all to do it this way. Scary, isn't it?
Have you ever thought that by calling your credit card company in the public could lead to data theft? Well, while you are in the airport sitting at the lounge awaiting for your flight, you decide to call your credit card company to inform them that you will be going abroad and would like to increase your credit temporarily. The most common information that you would need to provide for verification would be your credit card number, full name, address, phone number, mother maiden name and etc. Most of you would not realize that the gentlemen sitting beside or near to you have been taking notes or memorizing on all those information to be used against you. That is one example of social engineering.

With a little use of technology, a hacker could get all the sensitive information in your PC by using a bait. The technique could be as simple as placing a pen drive with the label "Financial Report xxxx" loaded with virus/trojan within the vicinity of your company. An unknowing curious employee from your company would pick it up and try to open the file in your company PC. By clicking on the "Financial Report" file, this would create a chain of event leading to information theft. The virus or trojan would infect the PC and start transferring all the targeted files to the hacker. All of these could happen in the background without you even realizing it.

These are some of the examples of the low-tech hacking technique and we have not even talk about the high tech hacking topic yet. You could always consult your technology consultant to protect yourself even better in the cyber world.

High Availability

High Availability means eliminating the possibility of single point of failure. It could mean by having redundant hardware, nodes, networks or even a data center across different geographical locations. As a result, you would get a better data and services uptime.

High availability could start as simple as having your data in multiple pen drives so that you could still continue to perform your work if any of the pen drive fail or it could be as complex as having multiple servers on different geographical locations so that your application could work even if one of the node is down.

Do not be mistaken that high availability would provide perfect or 100% uptime, remember the Murphy Law.

High availability hosting for your website and email would mean having your application running in more than one node/server at any time. This is a complex setup and you would have to consult your hosting provider if they have this services.

Thursday, September 6, 2012

SPAM!! I had enough of it!

SPAM or electronic junk mail are the worst nightmare of all email users. Most of the SPAM consist of commercial advertising and the worst out of all, virus or malware.

Most of email users spent the first few minutes of the working hour to clear out spam to make way for the real email.

What could be the problem with SPAM?

Lost of productivity:
- Spending 15 minutes each day in the office to filter out SPAM from valid email would translate to about 7 hours a month of productivity wastage at work. If you multiply this with the number of people in the company, it would be a serious problem to tackle.

 Virus/Malware
- A small portion of SPAM come with a deceiving attachment which usually contain virus or malware. This will be a problem if the security software in your workstation or email server does not catch it. Virus or Malware have the potential of crippling your system or to the extend of stealing the important data from your workstation.

Phishing
- Have you ever receive an email from your local bank requesting you to click on a hyperlink to perform a task with your online account? Well, most local bank does not practice this, only the bad guys do it. Phishing email has causes the industry and people to lose million of dollars.

Bandwidth charges
- This would be a problem if you are on a limited bandwidth Internet connectivity esspecially on a mobile line. Each email including SPAM uses bandwidth to transmit to your device.


How do I get ride of SPAM?

To be frank, even the industry most best spam filter would not promise total SPAM annihilation. Anti-spam solution would help to reduce the amoun of SPAM that you will receive. Most of the anti-spam softwares are based on algorithm provided from the threat center. Each spam criteria/algorithm would have its specific point and an email would be considered as SPAM if the point reaches the threshold.

Software
Computer is dumb and it will treat every email as legitimate data. You would need to subscribe or purchase additional security software to minimize SPAM. Most of the off the shelves computer security software come together with anti-spam feature. Most probabably it will work out from the box or it might require minimal tweaking on your workstation to integrate.

Email Host
A good email host would already has an anti-spam gateway at the server level and filter out most of the SPAM before it could reach you. A very popular anti-spam software on the server level is SpamAssassin and most of the expensive security appliances are built based on it. Talk to your email hosting provider to get a more information.

Email Address
Use a unique email address username which is not a single word in the dictionary. Most spammers would launch a dictionary spam attack to your domain and hope some of it would reach your mailbox. Alexander@domain.com would be a spam magnet while Alexander.st@domain.com would be spam deterrent.

Posting Email address on public website
One of the most common way for spammers to retrieve the victim email address is to crawl the world wide web for possible email addresses to be included in their spam list. Try your best not to publish your email address on a public website and if you have to, you could include your email address as an image.


I hope the simple steps above would save you countless of time and resources battling SPAM.

Tuesday, August 21, 2012

Help! My website got hacked

Internet security has been one of the most important component in our everyday life but most people is taking it lightly.

We have been hearing website got hacked on a daily basis but what could be the possible cause. In the recent weeks, there is a sharp increase in web site hacking cases by a group of local hackers targeting WordPress website. The victim's website would be defaced with a hacked "Hari Raya" page.

With more than 12 years experience in the web hosting industry, we see most of the hacking cases were caused by insecure and outdated source code in the website itself. This is amounting of up to almost all of website hacking causes.

Possible causes of website hacking:

1. Common Web Site framework (Wordpress, Joomla, Drupal and etc.)
- The most common website framework being used is Wordpress as it is mature, easy to use and it offer a lot of useful free plugins. On contrary on the popularity of Wordpress, it come with a big security issue. Wordpress is an open source platform which means everybody could download the code including the bad guys. This would mean that the bad guys know the in and out of your website.

2. SQL injection
- The bad guys could launch an SQL injection on your website as they know how does your website work. You need to remember that they have the codes of your website. Upon gaining access, they could deface your website and steal your data.

3. Password leak
- Do you save your password in your Internet browser? That is a very bad habit and you need to remove all of it. A virus, malware or Trojan infection on your workstation could cause your website got hacked. The bad guys will be able to retrieve all your password and launch an attack. Use a secure password, save it on the safe location and only share it with the needed person.

4. Easy to guess password
- abc123 and qwerty would be an easy password for you as well as the bad guys. Stop using easy password! Your password should have a combination of upper/lower case, number and symbols.

5. Plugins/Themes
- You have updated your Wordpress but still got hacked, what is happening? We see many cases of intrusion from the plugins and themes. Remember to update all your plugins and themes. Only install the necessary trusted plugins on your website. 

6. Compromised host
- The hosting server could be compromised or have bad security policy. From our experience, this would be the last to happen as most good hosting companies secure their servers from attack unless you are getting inferior low budget services from your host. There would be more bad guys trying to hack on website level instead of server level due to the difficulty differences.

10 Simple Steps to secure your website

1. Secure and update your framework all the time whenever there is a new update
2. Choose your plugin and theme carefully. Keep it updated regularly.
3. Hire a good developer to customize and secure the website for you.
4. Inspect your web site logs to trace the possible hacking attempt.
5. Subscribe to a third party security scanning service.
6. Remember to have a local backup copy on your workstation all the time. Usually, your host will do the backup for you.
7. Monitor your Wordpress with plugins. My recommendation would be:
  • Exploit Scanner
  • WordFence Security
  • WordPress Sentinel
  • WP Notifier
  • VIP Scanner 
8. Get the assistance from your hosting provider to trace the intrusion, restoration and advise. A good premium grade hosting company could be your choice as they would assist you while the budget hosting solution would have limited resources. Running a forensic investigation on a hacked site would require a lot skills, experience and time.
9. Talk with your developer or host on how to improve your website security.
10.  Subscribe to Web Firewall services if the budget allow.

Are you totally safe from the bad guys now after securing your website? My answer would be NO! Government website with million of dollars security investment could be hacked so there would be no exception for yours. There is no guarantee that your website is safe from hacking but at least you have reduced the risk by making it difficult for the hacker.

Wednesday, August 8, 2012

Simple steps to secure your email account

Email services with collaboration is a norm nowadays and most users keep critical data on the cloud. With this great power that you get from your email services, it would come with a greater responsibility to protect your account. 

As a continuation from the previous topic of identity theft with domain name, the same thing could also happen when somebody hijack your email account. The hacker could cause a lot of damage if they could gain unauthorized access to your email account. Your email account could contain your password, top secret email, password retrieval email and etc. The last thing that you need is nasty emails being sent out from your email account to your contacts. Is this enough to scare you off from having an email account? You do not have to worry and delete your email account now, I will provide few simple measures that you could do to secure your email account so that you would not have to fall back to pigeon post.

With 12 years experience in the web hosting industry and numerous encounter with email account intrusion, you could follow these recipe to secure your email account:

1. Password
This is the most crucial and first line defense of your email account. A weak password is a recipe for disaster. Password such as 'abc123', 'qwerty', '123456' and etc. are too common and these are the first few combinations that a hacker will attempt. A strong password would consist of upper case, lower case, numbers and symbols. If your name is Michael and you would want a password that is easy to remember, you could try something like 'W1cH@3LM2012'. The strength of this password would definitely turn the hacker off. A good password is a strong password and easy to be remembered by you.

2. Email Service provider
Depending on your email hosting package, a good provider will enforce minimum password strength policy and having at least a brute force attack firewall to fend of unauthorized access.

3. Choosing a unique email username
david@domain.com, mary@domain.com, peter@domain.com and etc. are too common and it is based on the word from dictionary. I would recommend you to use firstname.lastname@domain.com as these words are not from a single line in the dictionary. Aside from increasing your account security, you could also reduce the amount of spam coming to your account.

4. Check your PC for virus
A badly infected machine could contain virus that is able to manipulate your email client (Outlook, Thunderbird and etc.) as well as your browser's saved passwords. Most of the time, the user would not aware that the virus is actually exploiting your email account as the process is always running on the background. A virus could be a medium in your machine to relay your account information back to the hacker or it could be a spambot which reside in your machine and turn it into a spamming gateway. Always get a qualified technician to scan your machine periodically and get a good antivirus software.

I hope these few simple steps will save you from the misery of experiencing email account exploitation.

Tuesday, July 10, 2012

Samsung Galaxy

Few weeks ago, my faithful phone, HTC Desire-Z got stolen during a commotion in a restaurant. It was late at night and I could not get a replacement until the next evening. I was without my phone for almost 20 hours and life was so meaningless.

Office hour ends and it's time to shop for a new phone. I was in Digital Mall, PJ walking around for look for a replacement. Initially, I wanted to get a phone with QWERTY but the option was so limited. Phone manufacturers are not focusing in making phone with keyboard anymore. The one that caught my attention is the Droid 4 from Motorola but nobody is selling it over here.

After strolling for while and given up hope to get a keyboard Android phone, my choices boiled down to either HTC One X (RM1899), Samsung Galaxy 2 (RM1499) or Samsung Galaxy 3 (RM2199). Obviously, the Samsung Galaxy 3 is the hype and the most handsome of the lot. The 4.8" HD Super AMOLED make it stands out among the competition and it has with a quad core processor! It has 2 more cores than the notebook that I have been using for work. If the iPhone 3 is more powerful than the computers used to launch Apollo to the space, the computing power in Galaxy S3 could send the same shuttle to the far end galaxy.

To cut the story short, I ended up with a used unit of Samsung Galaxy 2 due to budget constraint. In fact, the older Samsung Galaxy 2 is not too far behind the newer Galaxy 3. It has a 4.3" Super AMOLED Plus screen and a dual core 1.2GHz processor with sleeker body design.

It got me quite a while to get comfortable with the soft keyboard. I have tried Swype which is the best soft keyboard but I still prefer to have a QWERTY keyboard. For the first few days, I was having fun navigating the gorgeous screen with tremendous level of smoothness. Then problem came, the phone hung once in a while, overheating and the battery life was so bad. The phone consume half one the juice when I was sleeping for 6 hours!

Life was so meaningless again as I thought I have gotten a lemon this time. Not giving up, I tried to troubleshoot the phone and found an official software update. It is the Ice Cream Sandwich! Ran a last backup and press the "update" button. Everything was done in about half and hour. Hooray!

I observed the phone performance for the next few days and it does not give me anymore problem. The ICS upgrade has fixed the battery life problem, overheating and the stability issue. I have not rebooted my phone for the past few weeks.

There are temptations to get the newer Galaxy 3 but it does not make a lot of difference in user experience at the moment. The Galaxy 2 is still a good all rounder. It is not a big upgrade for somebody that already has a Galaxy 2. Perhaps if you have an older phone and looking for an upgrade, the Galaxy 3 is a good upgrade. The telco company is running a lot of promotion for the S3 and you could get it as cheap as RM699 from Maxis with a 24 months lock in period.

Wednesday, May 30, 2012

Protect your online Identity

Finger printing identification has been innovated more than a hundred of years ago to give each person a unique identity. As the innovation continues to the modern era where everybody has a hand in the virtual world, the importance of having a unique online identity is as important as having your finger print identity.

You would want your friends, acquaintance, business partners, clients and families to be able to reach you in the cyberspace all the time.

One of the way to create and protect your online identity is to register a domain name for yourself. Just like finger printing technology or even better, a domain name is unique and nobody would have the same one as yours. Some people would purchase domain name to protect their real identity, business, nickname so that nobody could steal their online identity. I am sure you would not want to have a bad write-up on your identity by somebody else that has hijacked your online identity.

Your online identity become more prominent as the day goes by as people would build a picture of your based on what they could search online. It could be your personal or business identity.

Securing a domain name is much easier and affordable now comparing with the older days. There are thousand of providers out there offering the same product with different level of service and package. Depending on your requirement, you could secure an international domain name (gTLD) which require minimal fee and processing.

If you want to secure a domain name within your locality, you would need to contact your local domain name registration provider as the process could be a bit more complicated as you would need to prove your local presence. Trust me, it would not be a rocket science. A good provider will walk you through the entire process just like a walk in the park.

You have purchased a domain name to secure your online identity, what is next? You might want to direct your domain to a website and have email account within your domain with a web hosting package. I would not discuss much on web hosting in this article as I have wrote it previously.