Help I’ve fallen and my identity has been stolen!

Identity theft through monitor


No matter where you live, you’ve probably heard about the many breaches of data that have occurred over the last few years.  Just to name a few (and no, I’m not singling out any particular companies):

  • Equifax 143 Million, 2017
  • Target 40 Million, 2013
  • US Government Office of Personnel Management 25 Million in 2 breaches, 2015
  • Ashley Madison 37 Million, 2016

If your information has been compromised, and even if it hasn’t, what can you do?  This short article will explore some of your options.

Disclaimer

Better Call Saul Goodman!

I need to start this article with a few disclaimers.  No, I am not a lawyer.  No, I do not play a lawyer on Television.  And no, my opinions in this article in no way represent a binding solution for your particular situation.  If you wish to have a personal and professional recommendation, by all means, consult me.  But this article is just that — an article — and only represents the general opinions of the writer.

How can I find out if my information has been compromised?

Identity Theft – yes it could happen to you

Let me make this simple.  My recommendation here is to consider your information compromised.  It really doesn’t matter whether you can absolutely confirm that your information is compromised, or if today, at this limited moment in time, you have not been compromised.  Chances are that your very personal information has been compromised, or will be compromised just after you check.  That said, if you really want to know if your information is out on the deep dark web and is being used by adversaries… well, my recommendation goes right back to don’t bother.  You are wasting your time, and it is better to consider that you have been compromised.  Remember: you cannot get the information back; it is still real information; you can’t sue the guy who stole your data; you can’t sue the guy who is selling your data; and you can’t call Google or the NSA and demand that they take all your information off the web.  It is there, and it is there for good.  Or at least it is likely there, or will be there very soon.

That wasn’t very helpful! 

Unhappy worker – HELP!

Hey, sorry about that, but it is important to understand that you cannot effectively research whether your information is out in the wild.  It is an impossible pursuit.  That said, I’m glad you asked what to do.  This is both simple and complicated at the same time.  And there are two very different parts of a solution.  First, what can you do, expecting that your data has been compromised?  And second, what can you do to maybe help keep your data a little more secure?

What you can do

You can do it!

There are a number of things you “can” do, there are some things you “should” do, and there are many things you shouldn’t or can’t do.

  1. DO File your taxes early.  Come next year, file as early as possible.  What is going to happen is that any personal data that is lingering out there will be used to file false tax returns.  Do whatever you can to file them as early as practical.  Get the information you’ll need together even this year, so you can quickly fill out the forms as soon as you can next year.
  2. DO monitor your bank accounts and credit card statements.  Put SMS Text and Email alerts on all your accounts.  If anyone tries to use your cards or lift money from your bank accounts, you’ll know quickly.  If you get an alert for a transaction that you did not complete, then call the associated credit card company or bank as soon as you can — immediately if at all possible.
  3. DO change your passwords!  A little technology here.  There is a password storage technique called “salted hashing” that protects your human readable password from the hackers.  But, not all sites store passwords correctly, and even the ones that claim to don’t necessarily store them correctly.  What this means is that if you are using the same password on multiple sites, and one site gets compromised, then your real live password might be used to get into other sites! Since you don’t know the “password storage” pedigree for each site you’ve entered your information into, go ahead and change your passwords — especially reused passwords, where you’ve used the same password on multiple sites.  It won’t hurt.  And besides, it gives you a refreshed idea of what your passwords are, and why you have access to the sites.
  4. DO consider placing a fraud alert.  A fraud alert makes it more difficult for a bad guy to open credit in your name.  Initial fraud alerts are enforced for 90 days.  You can call any of the three credit reporting companies to implement an initial fraud alert, and that first company you call will alert the other two.  See the FTC guidance on placing a fraud alert in the references below.
  5. DO consider placing a credit freeze.  A credit freeze makes it even more difficult for a bad guy to open credit in your name.  Note though, that it also makes it more difficult for you, yourself, to open credit in your own name.  Credit freezes are in place for 7 years.  If during those seven years you wish to open a line of credit, buy a home on credit, buy a car on credit, lease a car, or perform any number of other credit related activities, you’ll have to temporarily lift the freeze.  It is often the case (and it varies state to state) that placing a credit freeze and performing the temporary lift costs money.
  6. DO NOT use the same password on all your sites.  Although most sites use what are called salted hashed passwords, not all sites are compliant, and even the ones that say they are compliant are not necessarily compliant.  Definitely use different passwords wherever you can.
  7. DO NOT believe anyone who calls telling you they are from the company who got hacked!  These calls are likely social engineering, looking for ways to get more information from you!
  8. DO be VERY careful with entering your information on any web sites that say they are going to research whether you are breached, or whether your information is on “the dark web”.  My honest recommendation is that this is a pursuit in unhappiness.  Many, many, many of these are trumped up companies that are in fact just bad sites themselves!  There are many scams out there, don’t be a double victim.  If that isn’t enough, consider this one. These companies are going to ask you for personal information to check against sites in the dark web.  What happens when they, themselves, get breached?  Just not worth it.  My recommendation is to just say no.  
  9. Should I hire an identity theft protection company?  Many people are asking me about LifeLock, and other identity theft protection companies.  My personal recommendation is the same as for providing personal information to any web site or company:  In general, just say no.  For frame of reference, the FTC reports, “LifeLock will pay $100 million to settle Federal Trade Commission contempt charges that it violated the terms of a 2010 federal court order that requires the company to secure consumers’ personal information and prohibits the company from deceptive advertising.  This is the largest monetary award obtained by the Commission in an order enforcement action.” 
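To show why items 3 and 6 matter, here is an added example (not code from the original post) that contrasts the weak scheme, one unsalted hash per password, with salted PBKDF2 as shipped in Python’s standard library.  The two accounts and their shared password are constructed sample data.

```python
import binascii
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample accounts: two people who reused the same password,
# which is exactly the situation items 3 and 6 above warn about.
USERS: Dict[str, str] = {
    "alice@example.com": "correct horse battery staple",
    "bob@example.com": "correct horse battery staple",
}


def unsalted_sha256(password: str) -> str:
    """The weak scheme: a single unsalted hash of the raw password.

    Equal passwords produce equal digests, across users and across sites,
    so one cracked or leaked digest exposes every account sharing it.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 200_000) -> str:
    """The recommended scheme: a random per-user salt plus a slow
    key-derivation function (PBKDF2-HMAC-SHA256 from the standard library).

    The stored record is "iterations$salt$digest" so verification can
    recover the parameters from the record itself.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return "{}${}${}".format(iterations,
                             binascii.hexlify(salt).decode("ascii"),
                             binascii.hexlify(digest).decode("ascii"))


def verify_salted(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    binascii.unhexlify(salt_hex),
                                    int(iterations))
    return hmac.compare_digest(candidate, binascii.unhexlify(digest_hex))


def shared_digests(users: Dict[str, str], hasher) -> List[Tuple[str, ...]]:
    """Groups of accounts whose stored digests are identical under `hasher`.

    With the unsalted scheme this returns every set of password-reusing
    accounts; with the salted scheme it returns nothing, because each
    record carries its own random salt.
    """
    by_digest: Dict[str, List[str]] = {}
    for user, password in users.items():
        by_digest.setdefault(hasher(password), []).append(user)
    return [tuple(group) for group in by_digest.values() if len(group) > 1]


if __name__ == "__main__":
    print("unsalted collisions:", shared_digests(USERS, unsalted_sha256))
    print("salted collisions:  ", shared_digests(USERS, salted_hash))
    record = salted_hash(USERS["alice@example.com"])
    print("correct password verifies:", verify_salted("correct horse battery staple", record))
    print("wrong password verifies:  ", verify_salted("Tr0ub4dor&3", record))
```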

A few last words

Last words

Remember.  When you enter your personal information on a web site – any web site – you are opening yourself up to being compromised.

Do you have a shopping account at Wal-Mart, or Amazon, or Target?  Probably.  Did you provide your social security number to Comcast, or AT&T, or T-Mobile, or Dish Networks?  Probably.  Is your personal information retained at your favorite hospital, or clinic?  Probably.  Have you signed up for a “Rewards” account with an airline, or train, or local bus service?  Probably.

All these places are sources of leaks.  Every time you provide your personal information to anyone, anywhere, you are opening yourself up to potential leaks.  

When faced with a request for your personal information, consider alternatives.  Instead of signing up for postpaid cell service, opt for prepaid, where your identity is not provided to that company.  When signing up for services, ask about alternatives.  Discuss what the company has in place to accommodate foreign nationals, who do not have a social security number and are still here in the United States legally.  There are usually options, but most companies are going to push hard for your personal information.

no no no no no!

If in doubt about providing your personal information, Just Say No.  You might just be saving yourself from a load of problems.


References

  1. https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do
  2. https://www.identitytheft.gov/Info-Lost-or-Stolen
  3. http://fortune.com/2017/05/23/target-settlement-data-breach-lawsuits/
  4. https://www.opm.gov/cybersecurity/cybersecurity-incidents/
  5. http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
  6. “Credit freeze”, https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs
  7. “Fraud alert”, https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs#difference
  8. “Security Freeze”, https://www.experian.com/blogs/ask-experian/credit-education/preventing-fraud/security-freeze/ 
  9. “LifeLock to Pay $100 Million to Consumers to Settle FTC Charges it Violated 2010 Order”, https://www.ftc.gov/news-events/press-releases/2015/12/lifelock-pay-100-million-consumers-settle-ftc-charges-it-violated
  10. “FTC, how to place a fraud alert”, https://www.consumer.ftc.gov/articles/0275-place-fraud-alert


Registering a domain

Domain name

You are likely here because you want your very own domain name.  That is great news, and I’m here to help!

Branding

A domain name (also known as a URL, Uniform Resource Locator, or web address) is the unique way for the world wide web to know you.  Each URL is a brand, a name where others can find you.  As such, the brand should be unique and memorable.

Consider: what are you trying to convey?  Is it that you want people to find you as a person, or is it that you are selling something?  Ideas for branding might include:

  1. Your name.  Like this domain, marksatterfield.com, it is my name.  It might be unique enough, and descriptive enough for everyone to find you.  But it might not be exactly what you are looking for, and it might not be unique enough for other people to find you.  If your name is a common name, it is likely already taken.  If your name is Mark Satterfield?  Yes, the domain is already taken.  Sorry about that!
  2. Your nickname.  This might be an acceptable domain name, depending on how common your nickname is, and whether it is available.
  3. Have you started a company?  Then use the web address associated with your company.  
  4. Are you selling a book or product?  Then use the name of the book or product in your web address.

The next few steps are going to be iterative.  You are going to dream up the ideal name, only to find out that your ideal name is already someone else’s ideal name and registered.  Then you’ll have to dream up a different ideal name.

Searching for your domain name

A registrar is a company that is authorized by ICANN to register domains.  Once you have a few ideas for a domain name, you’ll next have to check if the domain is available.  This is a bit tricky.  If you search for a domain on the wrong registrar, the registrar might hijack and camp on your domain!  Although no one can prove this happens, I’ve searched for names on GoDaddy, only to go back in the next day or two to find out the domain is then taken.

My recommendation is to use internic.net for domain searches.  Go to the whois page on internic.net, and enter your choice of domain.  For example, enter “godaddy.com”.  Be sure to use the Top Level Domain nomenclature (the .com, or whatever else TLD extension you’ve decided to use).

If you receive a No Match message, that means your domain is available!  If you receive anything else, that means your domain is not available and you’ll have to go back and search again.
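The same check, done against the registry’s WHOIS service over port 43 rather than through a registrar’s search page, as an added example that is not part of the original post.  It assumes whois.internic.net is the server behind the internic.net whois page; the two sample replies are constructed, and only the live query needs network access.

```python
import re
import socket
from typing import Optional

WHOIS_SERVER = "whois.internic.net"  # assumed host behind the internic.net whois page
WHOIS_PORT = 43                      # WHOIS protocol port, RFC 3912

# One DNS label: 1-63 chars of letters, digits or hyphens, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalize_domain(name: str) -> Optional[str]:
    """Lower-case and validate a bare domain such as 'godaddy.com'.

    Returns None for anything that is not a plain name with a TLD, so a
    stray URL or path never gets sent to the registry by mistake.
    """
    name = name.strip().lower().rstrip(".")
    labels = name.split(".")
    if len(labels) < 2 or not all(LABEL_RE.match(label) for label in labels):
        return None
    return name


def query_whois(domain: str, server: str = WHOIS_SERVER,
                timeout: float = 10.0) -> str:
    """Send a single WHOIS query over TCP and return the raw reply.

    The protocol is one line terminated by CRLF; the server writes its
    answer and closes the connection.  Requires network access.
    """
    with socket.create_connection((server, WHOIS_PORT), timeout=timeout) as sock:
        sock.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def is_available(reply: str) -> bool:
    """Apply the article's rule: only a 'No match' reply means the name is free.

    A registrar record, a reserved-name notice, an error banner or an empty
    reply all count as 'not available', so the caller never assumes a name
    is free unless the registry said so explicitly.
    """
    for line in reply.splitlines():
        if line.strip().lower().startswith("no match for"):
            return True
    return False


def check_domain(name: str) -> Optional[bool]:
    """Validate, query and interpret; None means the name was not even valid."""
    domain = normalize_domain(name)
    if domain is None:
        return None
    return is_available(query_whois(domain))


# Constructed sample replies, shaped like the .com registry's output.
SAMPLE_FREE = ('No match for "EXAMPLE-NOT-TAKEN-0000.COM".\n'
               '>>> Last update of whois database: 2024-01-01T00:00:00Z <<<\n')
SAMPLE_TAKEN = ("   Domain Name: GODADDY.COM\n"
                "   Registrar: GoDaddy.com, LLC\n"
                "   Domain Status: clientDeleteProhibited\n")

if __name__ == "__main__":
    print("sample free  ->", is_available(SAMPLE_FREE))
    print("sample taken ->", is_available(SAMPLE_TAKEN))
```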

Registering your domain

Next comes the registration process.  Be careful with unscrupulous registrars who might register the domain in their own name.  I’ve used several domain registrars and have not had a problem.  Google is actually a domain registrar, but other than Google I don’t want to recommend any particular ones here just in case you have an issue.

Setting up your web site

This part gets a little more complicated and beyond the scope of this article.  

Next steps

If you have special requests, or you’d like to have a domain registered and site set up and configured, please reach out to me and I’ll help you out.

Phone power button bootlooper

LG Nexus 5 Bootloop

Is your phone stuck in reboot mode for no apparent reason?  Maybe there is a reason, and there may be a simple fix to it too.


Power button stuck?  Let’s check for that!

If your phone looks to be in a “bootloop” where the phone starts to boot, then shuts itself down, then starts the boot process again, it might be caused by a faulty power button.  


Here’s a test.  Push and hold the power button.  Just hold it.  Does it appear to have the same behavior of boot looping?  If so, then it is likely a power button failure.


If it is exhibiting a different behavior when you push and hold the power button, it could still be a power button failure.  Especially if it boots up fully while pressing the button, it is likely a power button failure.  Why is that?  Because, it should be rebooting constantly with the power button pressed in.  If it is not, then there is a contact issue.


Computer Security Incident Response

Computer Security Incident Response Team

Computer incidents happen.  They just do.  Regardless of the expansive and proactive nature of a particular team, the Computer Network Defense (CND) job will include Incident Response.

Why?  Because in part, CND is reactive.  A properly running CND team will include a subgroup of Attack and Exploitation members who will actively look for vulnerabilities in your network, but that subgroup is dwarfed by the number of active attackers in the world.

So what should a CND team do?  The team should prepare for incident handling and response.  As it turns out, when it comes to incident handling and response, prior planning provides utmost performance.

A brief history

In the beginning was ARPA. And the Internet was with ARPA.  And the Internet was ARPA.  The Advanced Research Projects Agency (ARPA, later known as DARPA) network was the precursor of what we now know as the Internet.

In 1988, Robert Morris made international history… by mistake.  A young Cornell student at the time, Morris crafted what became known as the Morris Worm.  The worm was intended to gauge the size of the then-current internet by way of weak passwords and services available on most networked devices at the time.  But Morris poorly coded his worm.  The mistake was that the worm would reinfect the host computer as well as spread to other computers, thereby overwhelming the host computer with processes.  When a network engineer or systems administrator rebooted the machine to regain access, the nearby computers would quickly reinfect the machine.  Recovery was not a simple task, and the Internet came to a halt.

At the time, DARPA and the Defense Department were positioning to have a guaranteed-delivery, always-available information network.  The Morris Worm helped them realize the vulnerability of the net, and their response was to create the Computer Emergency Response Team (now known as CERT™) hosted under the Software Engineering Institute (SEI) at Carnegie Mellon University.  CERT was chartered to be a coordination center for computer network defenders in the US and around the world.

The NIST Incident Guide

NIST’s Computer Security Incident Handling Guide is an excellent source of how to organize and design a Computer Security Incident Response Capability.  Realize, it will take some time to digest the entire document.  You’ll have to forget some ideas you’ve likely held on to, and learn new techniques that have been proven in the art of incident response.

But why would you want to rewicker your incident handling policies, and plans, and procedures?  This is a costly endeavor, no?  Well, yes, it is.  But it is going to help your organization prepare for incident response, will help in the process of incident response and recovery, and may even help in preventing an incident in the first place.

If your management is resistant to reviewing the policies, plans, and procedures in place, you might want to help them reconsider their position.  If you happen to work in an industry or at a company that is subject to external validation, or that maintains information requiring response to incidents (read this: just about everyone, including those who handle SOX, PHI, PII, PCI, and nearly any other data), you might want to make sure your policies, plans, and procedures follow NIST, even if not strictly required.  When you are breached (and it is a when, not an if), your adherence to NIST or another standard is likely to go a very long way in reducing your fines.

Reviewing the NIST guide

The NIST Computer Security Incident Handling Guide is very well thought out and presented.  The following sections take abstracted direct quotes from the NIST guide.

Chapter 1: Introduction

This document has been created for computer security incident response teams (CSIRTs), system and network administrators, security staff, technical support staff, chief information security officers (CISOs), chief information officers (CIOs), computer security program managers, and others who are responsible for preparing for, or responding to, security incidents.

Chapter 2: Organizing a Computer Security Incident Response Capability

Organizing an effective computer security incident response capability (CSIRC) involves several major decisions and actions. One of the first considerations should be to create an organization-specific definition of the term “incident” so that the scope of the term is clear. The organization should decide what services the incident response team should provide, consider which team structures and models can provide those services, and select and implement one or more incident response teams. Incident response plan, policy, and procedure creation is an important part of establishing a team, so that incident response is performed effectively, efficiently, and consistently, and so that the team is empowered to do what needs to be done. The plan, policies, and procedures should reflect the team’s interactions with other teams within the organization as well as with outside parties, such as law enforcement, the media, and other incident response organizations. This section provides not only guidelines that should be helpful to organizations that are establishing incident response capabilities, but also advice on maintaining and enhancing existing capabilities.

Chapter 3: Handling an Incident

The incident response process has several phases. The initial phase involves establishing and training an incident response team, and acquiring the necessary tools and resources. During preparation, the organization also attempts to limit the number of incidents that will occur by selecting and implementing a set of controls based on the results of risk assessments. However, residual risk will inevitably persist after controls are implemented. Detection of security breaches is thus necessary to alert the organization whenever incidents occur. In keeping with the severity of the incident, the organization can mitigate the impact of the incident by containing it and ultimately recovering from it. During this phase, activity often cycles back to detection and analysis—for example, to see if additional hosts are infected by malware while eradicating a malware incident. After the incident is adequately handled, the organization issues a report that details the cause and cost of the incident and the steps the organization should take to prevent future incidents. This section describes the major phases of the incident response process—preparation, detection and analysis, containment, eradication and recovery, and post-incident activity—in detail. Figure 3-1 illustrates the incident response life cycle.

Chapter 4: Coordination and Information Sharing

The nature of contemporary threats and attacks makes it more important than ever for organizations to work together during incident response. Organizations should ensure that they effectively coordinate portions of their incident response activities with appropriate partners. The most important aspect of incident response coordination is information sharing, where different organizations share threat, attack, and vulnerability information with each other so that each organization’s knowledge benefits the other. Incident information sharing is frequently mutually beneficial because the same threats and attacks often affect multiple organizations simultaneously.

As mentioned in Section 2, coordinating and sharing information with partner organizations can strengthen the organization’s ability to effectively respond to IT incidents. For example, if an organization identifies some behavior on its network that seems suspicious and sends information about the event to a set of trusted partners, someone else in that network may have already seen similar behavior and be able to respond with additional details about the suspicious activity, including signatures, other indicators to look for, or suggested remediation actions. Collaboration with the trusted partner can enable an organization to respond to the incident more quickly and efficiently than an organization operating in isolation.

This increase in efficiency for standard incident response techniques is not the only incentive for cross-organization coordination and information sharing. Another incentive for information sharing is the ability to respond to incidents using techniques that may not be available to a single organization, especially if that organization is small to medium size. For example, a small organization that identifies a particularly complex instance of malware on its network may not have the in-house resources to fully analyze the malware and determine its effect on the system. In this case, the organization may be able to leverage a trusted information sharing network to effectively outsource the analysis of this malware to third party resources that have the adequate technical capabilities to perform the malware analysis.

This section of the document highlights coordination and information sharing. Section 4.1 presents an overview of incident response coordination and focuses on the need for cross-organization coordination to supplement organization incident response processes. Section 4.2 discusses techniques for information sharing across organizations, and Section 4.3 examines how to restrict what information is shared or not shared with other organizations.

Appendix A: Incident Handling Scenarios

Incident handling scenarios provide an inexpensive and effective way to build incident response skills and identify potential issues with incident response processes. The incident response team or team members are presented with a scenario and a list of related questions. The team then discusses each question and determines the most likely answer. The goal is to determine what the team would really do and to compare that with policies, procedures, and generally recommended practices to identify discrepancies or deficiencies. For example, the answer to one question may indicate that the response would be delayed because the team lacks a piece of software or because another team does not provide off-hours support.

The questions listed below are applicable to almost any scenario. Each question is followed by a reference to the related section(s) of the document. After the questions are scenarios, each of which is followed by additional incident-specific questions. Organizations are strongly encouraged to adapt these questions and scenarios for use in their own incident response exercises.

Appendix B: Incident-Related Data Elements

Organizations should identify a standard set of incident-related data elements to be collected for each incident. This effort will not only facilitate more effective and consistent incident handling, but also assist the organization in meeting applicable incident reporting requirements. The organization should designate a set of basic elements (e.g., incident reporter’s name, phone number, and location) to be collected when the incident is reported and an additional set of elements to be collected by the incident handlers during their response. The two sets of elements would be the basis for the incident reporting database, previously discussed in Section 3.2.5. The lists below provide suggestions of what information to collect for incidents and are not intended to be comprehensive. Each organization should create its own list of elements based on several factors, including its incident response team model and structure and its definition of the term “incident.”


  1. ARPANET, http://en.wikipedia.org/wiki/ARPANET
  2. History of the Internet, http://en.wikipedia.org/wiki/History_of_the_Internet#Three_terminals_and_an_ARPA
  3. Morris Worm, http://en.wikipedia.org/wiki/Morris_worm
  4. CERT is a Registered Trademark of CMU, http://www.cert.org/incident-management/csirt-development/csirt-faq.cfm?
  5. CERT/CC, http://en.wikipedia.org/wiki/CERT_Coordination_Center
  6. CMU, http://en.wikipedia.org/wiki/Carnegie_Mellon_University
  7. ARPA/DARPA, http://en.wikipedia.org/wiki/DARPA
  8. Computer Worm, http://en.wikipedia.org/wiki/Computer_worm
  9. SEI, http://en.wikipedia.org/wiki/Software_Engineering_Institute


Zero day, 0day, ohday, oh my!

0day

2014 was yet another banner year in Computer Security.  The industry met with the Heartbleed SSL vulnerability, Point of Sale equipment attacks against Target and Home Depot, and the Shellshock vulnerability in a piece of software that has been around for more than twenty years.

If you happen to not remember any of those, well, you must be happily sailing the islands.  Good for you!

But for the rest of us in technology, and particularly for those in computer security, we’ve had quite a year.

One of the outgrowths of these vulnerabilities being exploited has been that it seems “everyone” has heard the term “zero day”.  But what is a zero day?

Before we begin

Before exploring anything else here, let’s set the record.  Regardless of a formal definition of zero day, the responsibility of the defense team is to prevent loss of confidentiality, loss of availability, and loss of integrity of data and systems.  The responsibility (if you will) of the attack team is to do just the opposite.  In some ways, defining zero day is going to feel like a lesson in academics.  In some ways, it is academic.  That said, let’s move on.

Exploits vs Vulnerabilities

As we define 0day, let’s explore a couple of supporting ideas.  Let’s start with Exploits and Vulnerabilities.

In security, a vulnerability is a weakness that allows a threat to compromise the integrity of a resource.  NIST SP 800-30, “Risk Management Guide for Information Technology Systems”, defines vulnerability as “a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.”

That said, an exploit is an attack on a resource that takes advantage of a vulnerability.  Think of it this way.  A vulnerability is an attack surface.  But it takes a special kind of vulnerability to be exploitable.  There is no exploit unless a vulnerability exists, but not all vulnerabilities are exploitable.

Let’s create a non-electronic example to help understand the ideas.  Let’s say you keep paper copies of all credit card transactions in a file cabinet.  You are vulnerable to having all of this PCI data compromised and stolen by an adversary.  The vulnerability is that all PCI data is in a file cabinet, so the exploit would be that someone walks in and takes your file cabinet.  What do you do to control the vulnerabilities?  You’ve placed locks on the cabinet and your front door, and you’ve hired an armed security guard and guard dog to police your premises.  Because of these safeguards, the original vulnerability is moot.  The new vulnerability is several steps deep: a defense in depth.  Now the adversary has to disable the dog, disarm the guard, pick the lock on the front door, and pick the lock on the cabinet.  You still have vulnerabilities, but all of those vulnerabilities must be exploitable at the same time in order for an exploit to occur.

The elusive Zero Day

Now that we understand vulnerability chains and exploitability, let’s come to an understanding of what a zero day is, and what a zero day is not.  If you’ve seen literature about a security vulnerability, that vulnerability is likely not a zero day (I’ll get to that “likely” word in a moment).  To be comprehensive in this discussion, the systems may remain vulnerable to attack after a vulnerability is patched, but the vulnerability is not a result of the zero day, the vulnerability is a result of an unpatched system.

“Wait, what?”,  you might be asking.  “How is a zero day any different than an unpatched system vulnerability?”  Okay, let’s try this.  A zero day is a vulnerability in which the protectors have had no days to create a patch for the system.  If the protectors are aware of the vulnerability, then it is no longer a zero day.

That said, a vulnerability that has been presented to the protectors but in which a patch has not been created or has not been deployed still results in a vulnerability, but those vulnerabilities are no longer zero day.  But really, zero day is even a little more elusive than this.  Let’s be honest.  Being hit by an exploit will always feel like a zero day, because you likely did not take the attack vector seriously.

Timeline of vulnerabilities

Protecting systems often relies on patches.  So what is a reasonable timeframe between presenting a vulnerability to the vendor and a patch?  Some reports identify that it takes vendors more than ten months to develop a patch.  Google has put the brakes on this long forecasting though.  Google’s Project Zero gives the vendor 90 days between the time of vulnerability presentation to the vendor and the time the vulnerability is made known to the world.

Exploiting the SDLC

Exploiting systems truly relies on exploiting the Systems Development Lifecycle (or SDLC).  The SDLC starts with the first thoughts of a system, and continues through retirement or disposal of the system.  Wikipedia has a great article on SDLC, and we’ll visit and organize a few steps that are particularly important when discussing exploitation:

  1. (development) The development team creates software
  2. (initial deployment) The software is distributed to end user teams
  3. (installation) The software is installed by end user teams
  4. (feedback) The development team is made aware of requested upgrades and security issues.
  5. (patch development) The development team creates patches
  6. (patch deployment) Patches are distributed to end users
  7. (patch installation) End user teams install the patches
  8. (repeat) Return to the feedback step and repeat the loop
  9. (end of life) At some point the product will reach End of Life and no longer be maintained.

Ripe times for vulnerability discovery exist at the following points, and the vulnerability discovery teams will hand off those vulnerabilities to exploit developers:

  1. Between Initial Deployment and Installation.  Hackers will get the software and try to do daring things to it, sometimes even before the first end user team has installed it.  Any vulnerabilities discovered here are clearly zero day vulnerabilities.
  2. Between Feedback and Patch Development.  Hackers will look at public blogs and websites where bug track issues and core dumps are reported, to determine if any of the logs identify vulnerabilities.  Bugs that translate into vulnerabilities are not really zero days.  Instead, these vulnerabilities are known vulnerabilities that are not yet addressed.  But this definition could be a matter of semantics, and to argue the issue is not worthwhile.  From the point of view of an attacker, they are vulnerabilities.  From the point of view of the victim, they are vulnerabilities.
  3. Between Patch Deployment and Patch Installation.  Hackers will look at patch deployments — especially security patches — to determine what vulnerability existed in the prior version.  This point in time is one of the most prolific in the days of a vulnerability researcher.   These are not zero days.  These are known vulnerabilities, and the systems remain vulnerable only because the end user hasn’t been responsible and deployed the patches.  The attack surface is a result of unpatched systems, solely the responsibility of the end user.
    For an example, Microsoft’s Patch Tuesday invariably results in Exploit Wednesday.  Why?  Because it takes a while for all users to update their systems.   Oftentimes business users will refrain from patching immediately because of incompatibility with other products.
  4. At and after End of Life.  Hackers will take advantage of end-of-life products, because once the development team has left the update cycle a zero day lasts forever.  These vulnerabilities are sometimes referred to as zero days forever.
    Case in point, when Microsoft announced the end of updates for Windows XP, they also described how attackers will lay waste to users who remain on XP.
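To make these windows concrete, here is a small Python model I’ve added as an illustration (it is not code from the original article).  Given a vulnerability’s timeline, it reports which of the states above applies on any given day, how long a system has been exposed, and whether the vendor is past a Project Zero style 90-day deadline.  All dates are made-up sample values, and the helper and field names are my own.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Disclosure window the article attributes to Google's Project Zero.
DISCLOSURE_DEADLINE_DAYS = 90


@dataclass
class VulnTimeline:
    """Key dates for one vulnerability; None means the event has not happened (yet)."""
    attacker_known: date                    # attackers have working knowledge of the flaw
    vendor_notified: Optional[date] = None  # feedback: the development team learns of it
    patch_released: Optional[date] = None   # patch deployment: the vendor ships a fix
    patch_installed: Optional[date] = None  # patch installation: this end user applies it
    end_of_life: Optional[date] = None      # the vendor stops maintaining the product


def classify(t: VulnTimeline, on: date) -> str:
    """Status of the vulnerability on day `on`, following the article's SDLC windows."""
    if on < t.attacker_known:
        return "undiscovered"
    patched_by_vendor = t.patch_released is not None and on >= t.patch_released
    if not patched_by_vendor and t.end_of_life is not None and on >= t.end_of_life:
        return "zero day forever"            # at/after end of life, no fix will ever ship
    if t.vendor_notified is None or on < t.vendor_notified:
        return "zero day"                    # initial deployment .. feedback: vendor unaware
    if not patched_by_vendor:
        return "known, unpatched"            # feedback .. patch development
    if t.patch_installed is None or on < t.patch_installed:
        return "patch available, not installed"  # patch deployment .. patch installation
    return "patched"


def exposure_days(t: VulnTimeline, on: date) -> int:
    """Days this system has been exploitable: attacker knowledge until the patch is installed."""
    if on < t.attacker_known:
        return 0
    end = on if t.patch_installed is None or on < t.patch_installed else t.patch_installed
    return (end - t.attacker_known).days


def disclosure_deadline(vendor_notified: date) -> date:
    """Day the flaw becomes public under a 90-day policy, patch or no patch."""
    return vendor_notified + timedelta(days=DISCLOSURE_DEADLINE_DAYS)


def vendor_overdue(t: VulnTimeline, on: date) -> bool:
    """True if the vendor was notified, the deadline has passed, and no patch has shipped."""
    if t.vendor_notified is None:
        return False
    past_deadline = on >= disclosure_deadline(t.vendor_notified)
    return past_deadline and (t.patch_released is None or on < t.patch_released)


def report(t: VulnTimeline, iso_day: str) -> dict:
    """Everything above for one day given as 'YYYY-MM-DD'."""
    on = date.fromisoformat(iso_day)
    return {
        "status": classify(t, on),
        "exposed_days": exposure_days(t, on),
        "deadline": disclosure_deadline(t.vendor_notified).isoformat() if t.vendor_notified else None,
        "vendor_overdue": vendor_overdue(t, on),
    }


# Constructed sample timelines (not real vulnerabilities).
SAMPLE = VulnTimeline(
    attacker_known=date(2014, 1, 10),
    vendor_notified=date(2014, 2, 1),
    patch_released=date(2014, 4, 8),    # a "Patch Tuesday"
    patch_installed=date(2014, 4, 20),  # this site patched 12 days later
    end_of_life=date(2015, 1, 1),
)
EOL_SAMPLE = VulnTimeline(              # product went end of life before anyone reported the flaw
    attacker_known=date(2014, 6, 1),
    vendor_notified=date(2014, 6, 15),
    end_of_life=date(2014, 4, 8),
)

if __name__ == "__main__":
    for day in ("2014-01-15", "2014-03-01", "2014-04-09", "2014-05-01"):
        print(day, report(SAMPLE, day))
    print("2014-07-01", report(EOL_SAMPLE, "2014-07-01"))
```

The `exposure_days` figure is the number a defender should care about: it keeps growing until *your* installation is patched, regardless of when the vendor shipped the fix.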

Zero day… What it means to me

So here’s the short of it all, and let’s revisit our previous definition.  A pure zero day is that moment in time between when an attacker knows about the vulnerability and the defense team knows about the vulnerability.  The exploit team is using it, and the defense team doesn’t know about it.

Computer Network Attack

To better defend your network, it is a good idea to understand how the adversary is going to attack your network.  From the perspective of the Computer Network Attack & Exploitation (CNA/CNE) teams, the job is to find vulnerabilities and build exploit paths.  How is this done?  CNA teams will:

  • Become aware of anomalies through publicly available crash dumps, bug reports, and forums where users of any particular piece of software discuss issues.  If a system crashes or produces otherwise unexpected results, there is something wrong — and that something may turn out to be a real vulnerability, and in turn that vulnerability may turn out to be exploitable.
  • Reverse engineer patch code and compare it to the unpatched versions, especially anything identified by the vendor as “security patch”.  Realize if you find a vulnerability, you are in a race to attack the unpatched systems in the wild before the end user patches those systems.
  • Do what you can to create anomalies.  Look at the touch points on the system, be that a network, a keyboard, or some other input device.  Use tools such as Metasploit and fuzzers to force the system to do things it wasn’t originally designed to do.
  • Be realistic.  For every million well crafted test cases, be happy with a thousand anomalies.  With a thousand anomalies, be happy with a couple of repeatable vulnerabilities.

Computer Network Defense

If you are on the Computer Network Defense (CND) team, your job is to protect the network from known and unknown (0day) attack.  How?  Keep abreast of the product user community blogs to see what other people are reporting, and keep in touch with your own users to determine if they witness anomalies on the platform.  What should you do?

  • Assume an anomaly is a vulnerability.  There may not be an exploit path, but an anomaly is where every vulnerability is birthed.
  • Do what you can to isolate systems in general, and certainly any oddly acting systems.  Network isolation is a great place to start.
  • Patch early, and patch often.  Realize that when a patch becomes available, the CNA & CNE teams are reversing those patches to discover vulnerabilities and explore exploitation paths.
  • Be prepared with a patch plan.  If a patch breaks one of your existing applications, be prepared to isolate the system instead of leaving an unpatched system in your universe.
  • For particularly difficult deployments where existing applications are known to not work with the most updated patches, use Virtual Machines to isolate those applications.

Conclusive notes

Remember, all of this is a race against time.  Eventually (and yes, it may be years), every vulnerability will become publicly available and known, and once known the vulnerability will likely be eradicated through a patch or the exploit path will be nullified through isolation.

And as always, regardless of what side of the fence you are on, let’s be careful out there.

Reference documents

  1. NIST SP 800-30, “Risk Management Guide for Information Technology Systems”
  2. Heartbleed SSL vulnerability, https://en.wikipedia.org/wiki/Heartbleed
  3. US-CERT Alert on Point of Sale exploitation, https://www.us-cert.gov/ncas/alerts/TA14-002A
  4. Shellshock vulnerability, https://en.wikipedia.org/wiki/Shellshock_(software_bug)
  5. Google’s Project Zero, https://en.wikipedia.org/wiki/Project_Zero_(Google)
  6. Microsoft Patch Tuesday, https://en.wikipedia.org/wiki/Patch_Tuesday
  7. Defines Zero Day Vulnerability, “A zero day vulnerability refers to a hole in software that is unknown to the vendor”, http://www.pctools.com/security-news/zero-day-vulnerability/
  8. Zero Day, “A zero day exploit is when the exploit for the vulnerability is created before, or on the same day as the vulnerability is learned about by the vendor”, http://netsecurity.about.com/od/newsandeditorial1/a/aazeroday.htm
  9. Zero Day Vulnerability, “A zero-day vulnerability is previously unknown vulnerability in a software”, http://www.thewindowsclub.com/what-is-vulnerability-in-computer-security

A few thoughts as you start or continue your business

Business continuity

How does your company deal with Business Continuity? Business continuity planning is almost always a difficult endeavor, but it doesn’t have to be expensive. Business continuity planning for small businesses sometimes feels even more difficult.  Before discounting the idea of planning for disaster, realize that sometimes changing small practices can make significant impacts on continuing your business during adverse situations. In the case of one of our Home Health Agency customers, the strategy is to put as much computing power “in the cloud” as quickly as possible, reducing that customer’s Recovery Time Objective to near zero.

See this article for more information on Business Continuity.

Physical security

big bully

Physical security is more than just a lock on the door or a guard at the gate.  Many times the first consideration is cameras — the thought is that if we deploy a large network of cameras, then our site will be physically secure.  But truly, when it comes to security solutions deployment, cameras (or at least cameras alone) are simply not the best practice.

Cameras and photo evidence

area under surveillance

Cameras are great for forensic analysis, that is, to catch a thief. But as many law enforcement agents will advise, cameras don’t do much to stop a thief.

What is better?  In the case of a Time Share Community customer, the community was being hit by midnight bandits stealing items off of boats.  In this community, a two-fold solution was employed:  (1) Motion (passive infrared) lighting throughout the community and (2) reducing the access and availability to the protected area through easily designed terrain chokepoints.

In this case, the protected area was specifically a boat trailer lot, adjoining ramp, and marina slip area. Reducing access involved creating a single entry point with natural artifacts like large rocks surrounding the area. Restricting access with a keyed gate was considered but decided against because of aesthetic appeal.

Are lights high tech? Nope. Are lights a trending practice in the industry? Some will advise yes.

But most importantly, did the combination of lights and pleasingly aesthetic chokepoints solve the problem at the community?

Yes, it did solve the problem.  Two years running, and there have been no recurring incidents of theft.

Wireless access deployment

Free WiFi

There is a current trend in the business community to provide free WiFi Internet access for customers.  You see it at McDonald’s, at Starbucks, at Home Depot, and at your local grocery store.  But why?

Will deploying WiFi cost money and impact your revenue?  You bet.  Your company will incur a capital expense in buying the equipment, as well as a recurring expense of both maintaining the equipment and the cost of the internet.  Then why do it?  Because it may impact your revenue in a positive way and keep your customers around.

Free coffee

Free Coffee Makes Me Happy

Deploying WiFi is the modern way of providing free coffee to your customers.   It creates a hospitable environment for your customers, an environment that may appeal to them in a very homelike, friendly way.  Not everyone will be drinking the coffee, and not everyone will even care.  In the same way, most customers who have a WiFi enabled device are likely to already have data capabilities from their phone provider.  So why do it?  Because everyone will see the sign that says “Free Coffee”, and everyone will see the sign that says “Free Wireless Internet”.

The return on investment for “free guest WiFi access” is difficult to establish for a cost conscious executive.  Free anything is marketing.  It is just a way to reduce the “salesman vs customer” feelings, and create an environment where your customers are, well, at home.  It helps to keep them around.


Safeguarding your computer – computer security

Computer Security thermometer

Computer Security.  Kind of scary, actually.  With the likes of Target going down to hackers in late 2013, and a large attack on Home Depot in 2014, what can the rest of us do?  If Home Depot can be compromised, how can I protect myself?

The bad news — you are a target.  Why though?  Well, let’s consider:

  • Do you have any financial data on your computer?  You are a target.
  • Does your company operate a health care agency with HIPAA/HITECH protected data?  You are a target.
  • Do you have a point of sale system where you perform credit card transactions?  You are a target.
  • Are you attached to the Internet?  You are a target.  What?  That is crazy sounding.  Why am I a target? Because a hacker can use your computer as a relay or in a Distributed Denial of Service attack.

I know at this point you are likely thinking, oh great, thanks for making my day.  But remember, we are trying to make your computers safer.  Before we get into that though, let’s take a look at how malware gets on your computer in the first place.

How malware infection happens

You may think, hey, the only way a stitch of malware can get on my system is through the network.  A firewall is sufficient to protect against those blasted attacks.

Hacker!

Unfortunately, not all malware infects systems the same way.  Certainly, network attacks are one attack vector, but there are others.

There are email attack vectors, mp3 attack vectors, html attacks, mpeg attacks, apk attacks, over-privilege attacks, Excel attacks, Word attacks, PDF attacks, and in fact the list never ends.  An attack is possible anytime there is an interface to a computer.  Sure, an mp3 attack may arrive through a network or USB, but it isn’t a network attack.  It is an attack on the software that is rendering the mp3.  Exploring attack surfaces is well beyond the purpose of this paper and will not be covered further here.

One thing to note though.  You might think hey, I don’t really care if someone exploits my mpeg player.  That is a risk I’m willing to take!  What are they going to get?  A movie?  The laugh’s on them.

Well… not exactly.  The way system exploitation works is, exploit a low hanging fruit and get a shell on that system.  Once an attacker has a root shell?  Game over.  He owns you.  Even worse, he may own your network, depending on perimeter defenses that are in place.  Think: defense in depth.

Alright already, we’ve covered enough.  You may be thinking, this is way too much to pick up. You are right, it is!  The short question is, what can you do to make your computer more safe?  Let’s explore a few ways to help protect you from an attack.

Update your operating system software

The first thing you should do is to make sure you are using a modern operating system if at all possible.  Sure, sometimes this isn’t possible — for example, some programs, especially embedded programs, are still operating on XP.  If that is the case for you, you’ll have to make other concessions to safeguard your systems, your networks, and your data.

The first thing you may be thinking is, why in the world should I update my operating system?  I paid for a version, it is working fine, so why should I update?  Because hackers know that there is a delay between the time a patch comes out and the time it is fully adopted in the community.  What happens when a patch comes out, especially a security patch, is that hackers are going to reverse engineer those updates to determine how an existing installation can be compromised.  And compromise they will.

Again, if at all possible, upgrade your operating system to a modern 64-bit release and keep that operating system patched.  Are you using an outdated version of Windows and don’t wish to pay for an operating system?  Then use a free operating system such as Ubuntu or one of the other Linux platforms.  If that is not possible, then realize you are providing a fluid and rich attack surface and do what you can to protect perimeter systems.

Update your application software

Are you still using a 16-bit or 32-bit application?  Do what you can to upgrade that application.

In the same way that outdated operating system software presents security vulnerabilities, outdated user applications present security vulnerabilities in a very bad way.  Each time an application is updated, hackers are very likely to review the updates to identify vulnerabilities in the existing installed user base.

Do you use an outdated version of Firefox?  Or an outdated Adobe reader?  My suggestion is:  Don’t.  But how about if our company forces you to use an outdated version of one of these applications?  Yes, that can be an issue.  You can only do so much especially if these decisions are above your pay grade.  If you are forced to use outdated software, realize that those are reasonable attack vectors.  Being aware is the first step to security.

But what about paid applications, you might ask?  You paid nearly $5000 for your AutoCAD solution and more than a thousand for Adobe, is paying for an updated version really necessary?  The answer is yes.  You happen to be using a coveted piece of software.  If you spent thousands for AutoCAD, it is likely that you have drawings and blueprints that are worth thousands more.  Someone could use those drawings, especially if they can freely exfiltrate them from your computer.

How about layered applications like Internet Information Services, or IIS, used to serve web pages to the world?  Well, you picked up on an easy target!  IIS is a common attack vector, in part because it is easy to fingerprint the version that is being used on a network.  Once an attacker identifies that an old version of IIS is being used, the attacker only needs to find a known vulnerability for that particular version of IIS to compromise the server.
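As a defender’s self-check for the version fingerprinting just described, here is an added Python example (it is not code from the original article) that parses the headers of an HTTP response to your own server and flags the ones that reveal the server product or its exact version.  The response text is a constructed sample; the header names are ones real web servers commonly send, and the function names are my own.

```python
import re

# Constructed sample of a raw HTTP response head, as a tool such as curl -I would show it.
# The product and version strings are made up for illustration.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 2.0.50727\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html>...</html>"
)

# Headers that commonly describe the server stack. Names are compared case-insensitively.
STACK_HEADERS = {"server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version", "x-generator"}
# A dotted number such as 6.0 or 2.0.50727 is treated as a version string.
VERSION_RE = re.compile(r"\b\d+(?:\.\d+)+\b")


def parse_headers(raw: str) -> dict[str, str]:
    """Return {lowercased header name: value}, ignoring the status line and any body."""
    head = re.split(r"\r?\n\r?\n", raw, maxsplit=1)[0]
    headers: dict[str, str] = {}
    for line in re.split(r"\r?\n", head)[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def find_disclosures(raw: str) -> list[dict]:
    """One finding per stack-revealing header, noting whether an exact version leaks."""
    findings = []
    for name, value in parse_headers(raw).items():
        if name not in STACK_HEADERS:
            continue
        match = VERSION_RE.search(value)
        findings.append({
            "header": name,
            "value": value,
            "version": match.group(0) if match else None,
            "severity": "version disclosed" if match else "product disclosed",
        })
    return findings


def leaks_version(raw: str) -> bool:
    """True if any header in the response pins the server to an exact version."""
    return any(f["version"] is not None for f in find_disclosures(raw))


if __name__ == "__main__":
    for finding in find_disclosures(SAMPLE_RESPONSE):
        print(f"{finding['severity']:18} {finding['header']}: {finding['value']}")
```

A `version disclosed` finding is the one to act on: it tells an attacker exactly which known vulnerabilities to look up.  Removing or blanking those headers is done in the web server’s own configuration and does not replace patching, but it stops handing out the version for free.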

Keeping your application software updated will go far in protecting your systems.  Will it cost money?  Yes, it likely will cost.  I am a big proponent for open source software and the Free Software Foundation,  so I’m not supporting the idea of having to spend money on new software.  If you can find an equivalent open source software package that can do an equally good job for you, I’d suggest migrating to that open source software.  Otherwise, yes, you’ll have to pay for that update.

If an application cannot be updated, do what you can to find a different and more recent application to use in its place.

Use a two way firewall

This might not at first sound reasonable.  Why would I need a two way firewall?  Because if a Trojan or other rogue executable finds its way on your computer, a bidirectional firewall will be able to alert you that the software is trying to communicate.

A great free solution is ZoneAlarm Free Firewall.

Use a virus protector

A lot of people are going to discount this part of the solution.  Why?  Because virus protectors provide a false sense of security.  Virus protectors only protect against “known” viruses.

This is true, virus protectors do often provide a false sense of security.  That said, virus protectors do provide protection against known viruses, so why not use one?

There are several free solutions, one of which is Microsoft Security Essentials.

Download only from known good sites

This is a really important artifact.  Download only from known good sites.

For example, are you looking for an HP printer driver?   Then go to the HP web site for the download.  Do what you can to avoid “third party” driver sites.

Are you looking for a game or a program?  Download from downloads.com / cnet.com, or from another known good source.  There are web sites that are devoted to providing you excellent software — with associated trojan or other form of malware attached.

Are you looking for a free Hollywood movie or free APK sideload of the latest Android software through The Pirate Bay? Then be aware that the free download may also have a free Trojan attached.  How will you know whether that illegal download is malware?  You likely won’t know, even if you run it through the Cuckoo Sandbox automated malware analysis software.
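A practical check when you do download from a known good site is to verify the checksum the vendor publishes before you run the installer.  The following is an added Python example (not from the original article); the file contents and the checksum list are constructed, and the second entry is deliberately wrong to show what a tampered or corrupted download looks like.

```python
import hashlib
import hmac

# Constructed sample "downloads" (file name -> bytes). Not real installers.
SAMPLE_FILES = {
    "printer-driver.exe": b"MZ\x90\x00 constructed sample driver bytes",
    "setup-tool.msi": b"constructed sample installer bytes",
    "readme.txt": b"no checksum was published for this one",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the file contents."""
    return hashlib.sha256(data).hexdigest()


def parse_checksum_list(text: str) -> dict[str, str]:
    """Parse sha256sum-style lines, '<hex>  <filename>'. Blank lines and # comments are skipped."""
    expected: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        expected[name.lstrip("*")] = digest.lower()  # a leading '*' marks binary mode in GNU sha256sum
    return expected


def verify_downloads(files: dict[str, bytes], checksum_text: str) -> dict[str, str]:
    """Status per file: 'ok', 'MISMATCH' (do not install), or 'no checksum published'."""
    expected = parse_checksum_list(checksum_text)
    results: dict[str, str] = {}
    for name, data in files.items():
        if name not in expected:
            results[name] = "no checksum published"
            continue
        actual = sha256_hex(data)
        # constant-time comparison: never short-circuits on the first differing character
        results[name] = "ok" if hmac.compare_digest(actual, expected[name]) else "MISMATCH"
    return results


# Constructed checksum list as a vendor might publish it next to the downloads.
# The first entry is correct; the second is deliberately wrong (64 zeros) to simulate tampering.
SAMPLE_CHECKSUMS = (
    "# SHA256SUMS (constructed sample)\n"
    f"{sha256_hex(SAMPLE_FILES['printer-driver.exe'])}  printer-driver.exe\n"
    f"{'0' * 64}  *setup-tool.msi\n"
)

if __name__ == "__main__":
    for name, status in verify_downloads(SAMPLE_FILES, SAMPLE_CHECKSUMS).items():
        print(f"{status:24} {name}")
```

The checksum only helps if it came from the vendor’s own site over HTTPS, not from the same third-party mirror that served the file; a mirror that can swap the download can swap the checksum too.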

Behavior modification

Wait a second, behavior modification?  I’m not looking for a psychologist!  I don’t want to be Pavlov’s Dog!  Well, that is not exactly what I mean by behavior modification.

  • If you are downloading something that you are not sure about, be careful about downloading it to your primary computer, especially if you use that computer for financial transactions.  Set up a second computer where you can run any questionable programs, and where if those programs perform unexpected actions, your financial records will not be compromised.
  • You know those sweet popups that promise the first thousand who click on the banner will win a free iPad?  Yeah, you aren’t going to get a free iPad.  What you will get is infected.  Don’t click that ad.  Sadly, that the ad even popped up may be very bad news, you may already be infected.

Periodic scans

Another great safeguard is to run periodic full scans of your system.  Run MSE full scans, but also run other scans such as the free Trend Micro Housecall.

Use reasonable passwords

It might be better said as:  Don’t use unreasonable passwords.

What does this warning mean anyway?  One of the ways a hacker attempts to gain access to a system is through password cracking.  Password cracking is a method to gain access to a system by way of basically “guessing” the password.  A trained hacker will use one of the many password cracking software suites.

Is it reasonable to use abc123 or 1234 for a password?  Probably not.  Is it reasonable to use a single dictionary word?  Probably not.  Once a hacker has identified a username these types of passwords are very quickly guessed.

So what are more reasonable passwords?  Throw in a few upper case letters and maybe symbols.  For example, AbC123* is going to be a much less likely guess compared to abc123.
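As an added illustration of why abc123 is guessed quickly and AbC123* less so (example code, not from the original article), the Python below checks a password against small constructed excerpts of a common-password list and a dictionary, detects the usual “word plus digits” pattern that cracking software tries early, and reports the brute-force search space implied by the character classes used.  The lists and function names are my own.

```python
import re
import string

# Short constructed excerpts; real cracking wordlists are millions of entries.
COMMON_PASSWORDS = {"123456", "password", "abc123", "1234", "qwerty", "letmein", "welcome"}
DICTIONARY_WORDS = {"dragon", "monkey", "sunshine", "football", "secret", "winter"}

# (characters in the class, number of characters an attacker must try for that class)
CHARSET_SIZES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, len(string.punctuation)),  # 32 printable ASCII symbols
)
TRAILING_DECORATION = re.compile(r"[\d" + re.escape(string.punctuation) + r"]+$")


def search_space(password: str) -> int:
    """Brute-force space: (sum of the sizes of the character classes present) ** length."""
    alphabet = sum(size for chars, size in CHARSET_SIZES if any(c in chars for c in password))
    return alphabet ** len(password) if alphabet else 0


def core_word(password: str) -> str:
    """Strip trailing digits/symbols ('dragon1!' -> 'dragon') and lower-case what is left."""
    return TRAILING_DECORATION.sub("", password).lower()


def assess_password(password: str) -> dict:
    """Flag passwords that cracking tools guess quickly; return the reasons and the search space."""
    reasons = []
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        reasons.append("on a common-password list")
    if lowered in DICTIONARY_WORDS:
        reasons.append("single dictionary word")
    core = core_word(password)
    if core != lowered and (core in DICTIONARY_WORDS or core in COMMON_PASSWORDS):
        reasons.append("dictionary/common word with digits or symbols appended")
    return {
        "password": password,
        "reasonable": not reasons,
        "reasons": reasons,
        "search_space": search_space(password),
    }


if __name__ == "__main__":
    for candidate in ("abc123", "AbC123*", "dragon", "Dragon1!"):
        print(assess_password(candidate))
```

The search-space number shows why mixing character classes helps (94 possibilities per position instead of 36), while the “word plus digits” check shows its limit: cracking suites apply exactly such mutation rules to wordlists, so a dictionary word with a digit and a symbol tacked on is still found long before a brute-force search of the whole space would finish.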

The four word solution!

So what is the solution to keep me and my data safe from attackers?  The answer is:  There Is No Answer.  There are things you can do to make yourself more protected, and there are things to avoid that would make you less protected.  Some of them have been covered in this paper.

The best advice available is:  Be aware.  Your data and your systems are costly, and compromises to your systems can be even more costly.

If you need personal advice on how to protect your data and your systems, feel free to contact me.

As always, let’s be careful out there!

Checklist

  1. Update your operating system
  2. Update your software
  3. Use a two way firewall
  4. Use a Virus Protector
  5. Download only from known good sites
  6. Change your behavior
  7. Periodic scans
  8. Avoid unreasonable passwords

Reference documents

  1. HHS reference document for HIPAA/HITECH protected information, http://www.hhs.gov/news/press/2014pres/05/20140507b.html
  2. The Free Software Foundation, http://www.fsf.org/
  3. Password Cracking Software, http://resources.infosecinstitute.com/10-popular-password-cracking-tools/
  4. Trend Micro’s Housecall online virus scanner, http://housecall.trendmicro.com/
  5. Cuckoo Sandbox, http://www.cuckoosandbox.org/
  6. Microsoft Security Essentials, http://windows.microsoft.com/en-us/windows/security-essentials-download
  7. ZoneAlarm Free Firewall, http://download.cnet.com/ZoneAlarm-Free-Firewall/3000-10435_4-10039884.html

<Article last updated 25/September/2014>

Websites – time to make a web presence!

Domain name

Wait, make a what?  Make a Web presence.

Web Presence

What does that even mean?  Well to be totally straight, it is more than just a website, but a website is a good starting point.

So first things first.  I think I’ve heard of HTML and stuff related to websites somewhere. I suppose I better learn about it.  Let’s read up about HTML (the language that powers the web), and CSS (the format scripts that help your site look homogeneous), and WWW, oh wait, HTML5 is new, let’s look into that, oh and URL, which is of course much different from UML.  And PHP!  Yes, we better learn PHP Hypertext Preprocessor, and MySQL, and PostgreSQL, and, and, and … wait, where is my Ritalin.  I’m exhausted already.  Isn’t there a better way?

Well, I’m glad you asked.  In fact, there is a better way.

Web design in the wild west days

Early screen capture of Alta Vista web search engine, circa 1997

Way back at the turn of the century and even ten years ago, when it was time to start a web site, a web developer needed to learn all this and more.  Web sites were coded, Dreamweaver was king.  Back then a content editor would create the perfect prose and package it up for the web developer.  The content editor would then tell the web developer where to put the important stuff and where to put… well, you get the idea.

But today it is different.  That was the Old Covenant of the World Wide Web.  Today, we are under a New Covenant. It is totally different!

Well kind of different.  And kind of the same.  The content editor’s job is very close to the same.  But it is true, the web developer portion has changed a lot.  There is still a web developer, but the developer’s job has changed.

Today, most web sites are not home brewed, new framework sites.   Today when we think of web sites, we think (or should think) Content.  As such, we will have the web developer look for a Content Management System (or CMS) to handle most of our back end work.

Custom development vs standards based off the shelf development

Foundry

Think of it this way.  If you were going to build a home, what would you change?  Right, you’d change the doors, and the windows.  Oh, and the color of the house, and the size of the rooms.  But would you use custom sized doors that required a custom builder?  Would you hire a metal worker and forge your own water faucets, or buy them ready made off the shelf at Home Depot or a supply shop?  Would you hire a light company and create custom light bulbs, or use standard Fluorescent T8 and Edison screw light sockets? [ Bet you didn’t know they were called Edison screws… 🙂 ]

Edison Screw

In most situations — scratch that, almost all situations — creating a brand new from scratch anything is just way more expensive, and also causes a lot of issues with the customers and users.  I mean, who wants to go to a special light bulb manufacturer and pay that extra special price when they need to replace a light bulb?  Not many people.  It creates a hard to build, hard to manage, and hard to maintain solution.

Same goes for web sites.  People have become used to seeing a certain format on web sites, and the easier we can make our site to use, the more likely we’ll have customers that stay around.  So for web development, keep it, well, normal.  Unless you have a very special need, there is no need to home brew a web site.

Get me started!

So now that we’ve decided we really don’t want to learn all this stuff, we just want to get on the web.

Person blogging

We want folks to be able to see news articles we find important, or rants about our children, or ideas that we’d like to share — like this page you are looking at right now.  We don’t want to be web developers, we want to be content editors.  We won’t be creating a brand new web development platform, so what do we want?  We want a content management system all our own.

Great!  Let’s go read about that.  What is the CMS paradigm?  What is a CMS engine?  Searching for Content Management Systems leads to WordPress, and Joomla, and Drupal,  and…. wait, gosh darn it!  Where is that Ritalin again?

Let’s look at this from a different perspective.  Is it really the case that these CMS solutions are appropriate for what I want to do?  Okay, I’m glad you asked that too.

  • WordPress is likely the most popular web imprint for blogging.  It is known for its easy management and thousands of free themes.  It powers the likes of The New York Times, eBay, and Samsung.
  • Joomla is a powerful and highly configurable CMS.  Joomla powers the likes of MTV, Barnes & Noble, and General Electric.
  • Drupal is the beast of CMS.  It is a very highly configurable and extensible framework that powers the likes of Warner Bros Recordings, NASA, and The White House.

So what is our take away from all this?  The shortest of answers is:  It just doesn’t matter.  What does matter is that we get out there and publish.  Sure, the CMS engine does matter some, but remember, content is king!  If we make a big mistake on using the wrong content management engine?  We can transfer the data later.

Choosing your CMS

Okay, time for a little candidness.  I’m new to this blogging stuff as well.  The last time I built a web site was ten years ago.  Guess what I used?  I built it using Dreamweaver, HTML, and CSS.  But like we’ve already discussed, times have changed, and it was time to learn a more modern approach at web sites and blogging.

When I started this article, I was going to approach it from the technical side — after all, I am an engineer.  I was going to get into the grit of how to install whatever engine on any given host, blah blah blah.  But you know what I’ve learned?  Everyone has a site like that.

This article is the essence of what I’m trying to convey — content matters.  As I’m new to this as well, I had to select one of the CMS engines.  I chose WordPress.  Why?  Because:

  • It had the largest number of free themes available.  I didn’t want to spend any money during the learning process, so free was desirable.  Since everything on this site itself is free, I didn’t want to impose any fees on the reader to get started.  My first impression of Joomla and Drupal was highly configurable, but with fewer free gadgets.
  • It was “configurable enough”.  I wasn’t looking for The Configurable King, I was looking for something to get content, like this article, out to you … oh, and the world, of course. 🙂

I did install Joomla after the fact.  My first impression was it is just like WordPress, just the menu system is different.  It looks as though it might be more highly configurable than WordPress, but again, I only installed it.  I didn’t work on it.

Is that enough?

But is WordPress really enough?  Well, maybe.

  • If I wanted to develop a web imprint for general use?  I would develop a WordPress theme.  Why?  Because of market share.  Of course, the market is highly competitive as well, so keep that in mind.
  • If I wanted to develop a highly scalable web imprint, like that might power a Facebook or dating web site, I would likely develop a Drupal theme.

Well gosh though, with this in mind, you might ask why use a CMS engine at all?  I mean, if you are going to develop a large part of the engine and theme manually, why not just start from Java or .NET?  Three things come to mind.

  • Security.  If the Drupal or WordPress engine is compromised, rest assured the world will know about it, and a patch will be forthcoming.  If a site is home brewed, the site designers have to be particularly aware of security issues.
  • Speed of initial development.  Since the engine is off the shelf, a web site can be fully operational in weeks instead of months leaving the developers to concentrate on content.
  • Less expensive to maintain.  Since a large part of the management is handled by the engine itself, the content designers can focus more on the content and presentation instead of focusing on how that presentation might be coded.

WordPress pros and cons

I am already a big proponent of WordPress — can you tell?  There are great things, and there are a few things that I’ve noticed are difficulties.  The difficulties might be my fault, and these might be issues with all CMS engines, but just to note a few things…

  • It isn’t very easy to edit great content.  What I mean by this is the actual editing process.  For example, this page.  It doesn’t autosave (might be a plugin for that), and it just isn’t as natural as say using Open Office or Libre Office (haha, can you tell I support free software?)  Realize I’m new at this, so it might just be a learning curve.  I’ll edit this note if I figure out a better way.
  • It seems as though the site is going to become a little difficult to manage as the amount of content (especially pages) grows.  Managing WordPress is likely a learning curve issue, and I’ll post a note when I get this figured out.  I expect if The New York Times can manage tens of thousands of pages, it must just be a learning curve fear of the unknown.
  • There’s an app for that.  By itself, WordPress is really just a security engine.  What makes the magic happen are the plugins and themes and widgets.  Just remember, there is an app for almost anything you wish to do.  Sometimes it might be difficult to find, and sometimes especially difficult to find a free one, but someone somewhere has likely developed a widget or plugin that perfectly fits your needs.
  • Pages and posts and plugins and themes and comments and administrators and editors and… Well, what I’m getting at here is, there is still a learning curve.  Once you pick the CMS engine of your choice, give yourself a few weeks to just poke and prod.  Create a page or even a site, and then start modifying it.  Add an image, change an image, add a page, just poke around.  Do it in a non-production environment — like, create a wp2 instance for your eyes only, and break it.  Then see if it is easy enough to fix.

The WordPress platform


Out of the box, WordPress is a great platform, but what makes it a great engine is its extensibility.  This happens in part through plugins.  For example, have you seen those CAPTCHA requests that are annoying to you as a user, but do a great deal to help reduce the amount of spam and spammy links to sites?  Well, there’s a plugin for that.  And for contact forms, so you don’t have to create your own, and for many other extensions you will likely use during your life as a web blogger.  We have an article on notable plugins that will help you learn to search for plugins, and help you get started in using them.
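To make concrete both the earlier point (a home-brewed site has to handle security the engine would otherwise handle for you) and the contact-form and spam-reduction plugins mentioned here, the following is an added, illustrative WordPress plugin that is not part of this article nor any real plugin.  It shows the three things a hand-written contact form has to get right: a CSRF token (WordPress nonce), sanitization and validation of every field, and a simple honeypot field as an anti-spam measure.  The plugin name, the `mcf_` prefix, the shortcode name `mcf_contact` and the form field names are all assumptions; the WordPress functions it calls (`wp_nonce_field`, `wp_verify_nonce`, `sanitize_text_field`, `sanitize_email`, `sanitize_textarea_field`, `is_email`, `wp_mail`, `wp_safe_redirect`) are real core API.

```php
<?php
/**
 * Plugin Name: Minimal Contact Form (added example)
 * Description: Illustrative contact form with a CSRF nonce, input sanitization and a honeypot anti-spam field.
 * Hypothetical example code written for this article; not a published plugin.
 */

// Refuse to run when the file is requested directly instead of loaded by WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Render the form wherever the [mcf_contact] shortcode appears (shortcode name is an assumption).
function mcf_render_form() {
    $html  = '<form method="post" action="">';
    // wp_nonce_field() emits a hidden token that wp_verify_nonce() checks on submit;
    // it is the engine's built-in defence against cross-site request forgery.
    $html .= wp_nonce_field( 'mcf_submit', 'mcf_nonce', true, false );
    $html .= '<p><label>Name <input type="text" name="mcf_name" required></label></p>';
    $html .= '<p><label>Email <input type="email" name="mcf_email" required></label></p>';
    $html .= '<p><label>Message <textarea name="mcf_message" required></textarea></label></p>';
    // Honeypot: hidden from people by CSS, but bots that fill every field will populate it.
    $html .= '<p style="display:none"><label>Website <input type="text" name="mcf_website" autocomplete="off"></label></p>';
    $html .= '<p><button type="submit" name="mcf_submit" value="1">Send</button></p>';
    $html .= '</form>';
    return $html;
}
add_shortcode( 'mcf_contact', 'mcf_render_form' );

// Process the POST early on the 'init' hook, before any page output is sent.
function mcf_handle_submission() {
    if ( ! isset( $_POST['mcf_submit'] ) ) {
        return;
    }

    // 1. CSRF: reject any submission that does not carry a valid nonce.
    if ( ! isset( $_POST['mcf_nonce'] ) || ! wp_verify_nonce( $_POST['mcf_nonce'], 'mcf_submit' ) ) {
        wp_die( 'Invalid form token.', 'Error', array( 'response' => 403 ) );
    }

    // 2. Spam: a filled honeypot means an automated submission; discard it quietly.
    if ( ! empty( $_POST['mcf_website'] ) ) {
        return;
    }

    // 3. Sanitize and validate every field before it reaches mail, storage or a page.
    //    wp_unslash() undoes the slashes WordPress adds to request data.
    $name    = sanitize_text_field( wp_unslash( $_POST['mcf_name'] ?? '' ) );
    $email   = sanitize_email( wp_unslash( $_POST['mcf_email'] ?? '' ) );
    $message = sanitize_textarea_field( wp_unslash( $_POST['mcf_message'] ?? '' ) );
    if ( '' === $name || '' === $message || ! is_email( $email ) ) {
        wp_die( 'Please fill in all fields with a valid email address.', 'Error', array( 'response' => 400 ) );
    }

    // 4. Deliver to the site administrator.  Only Reply-To carries the visitor's address;
    //    the From header is left to WordPress so mail is never sent "as" an arbitrary visitor.
    $headers = array( 'Reply-To: ' . $email );
    $body    = "From: {$name} <{$email}>\n\n{$message}";
    wp_mail( get_option( 'admin_email' ), 'Contact form message', $body, $headers );

    // Post/Redirect/Get so that a browser refresh does not resubmit the form.
    $back = wp_get_referer() ?: home_url( '/' );
    wp_safe_redirect( add_query_arg( 'mcf_sent', '1', $back ) );
    exit;
}
add_action( 'init', 'mcf_handle_submission' );
```

Two caveats worth knowing before copying this pattern: WordPress nonces are time-windowed tokens, not true one-time values, and for anonymous visitors they depend on a shared salt, so a full-page cache can serve a stale form that fails verification; and a honeypot only stops unsophisticated bots, which is why the CAPTCHA plugins mentioned above still earn their place.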

“…Let’s get this party started!”

Great, you’ve told me all this stuff, but how do I do it?  The easiest way is to open a WordPress account, and let WordPress handle the chores for you.  You can do that here, and learn about how to get started too.  Once you get an idea of how blogging works, you can install your own WordPress on your own site.  That task is host-specific, though, so you’ll have to find out how to do that through your domain host, or you can ask me individually and I’ll help you out.

As always, let’s be careful out there!  Happy blogging!

References

  1. Elements of a successful business web presence, http://mashable.com/2010/02/10/business-web-presence/
  2. WordPress Blogging introductory article, http://codex.wordpress.org/Introduction_to_Blogging
  3. Drupal Famous Sites, http://www.tributemedia.com/blog/erika-meissner/famous-drupal-sites
  4. Joomla Famous Sites, http://community.joomla.org/labels/joomla-portfolio.html
  5. WordPress Famous Sites, http://en.wordpress.com/notable-users/
  6. Get Started with WordPress, http://codex.wordpress.org/Getting_Started_with_WordPress
  7. Install your own WordPress, https://wordpress.org/