Author: Nonya Business

  • Enable Zip Archive for Duplicator in HostMantis

    Are you using a utility that requires Zip Archive Enabled in WordPress? For me, this was the backup utility Duplicator.

    And there’s the pain point. This took quite a bit longer to find than I expected! Here’s the journey to success.

    1. The Issue

    The issue arose because I wanted to back up my site using Duplicator with Zip archive.

    Most of the documents mention changing this in WHM. This was not the case for me.

    Of note: What you are about to do has the capability of totally crashing your WordPress site. Be sure to document any changes you make, and test the changes regularly in an incognito window or another computer.

    2. The Fix

    Log into your hosting company

    Access WHM

    Go to List Accounts in the left hand menu

    Access the cPanel for the site in question

    Click Select PHP Version

    Select Extensions

    Scroll down to activate Zip

    Test your site in Incognito window

    Go back to Duplicator to confirm it is working!

    Zip backups selected, and no errors! We’ve fixed the issue.

    Now you can create a Zip archive.
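
    A quick way to confirm the extension really is active after the change, as an added example that is not part of Duplicator or HostMantis: the script below checks that the zip extension is loaded and that ZipArchive can write and read back an archive. The function name `zip_archive_self_test` and the sample payload are constructed for illustration, and it assumes you run it under the same PHP version selected in cPanel.

```php
<?php
// Added example: self-test for the PHP zip extension enabled under
// "Select PHP Version". Names and payload are constructed for illustration.

function zip_archive_self_test(): array
{
    $result = [
        'php_version'      => PHP_VERSION,
        'extension_loaded' => extension_loaded('zip'),
        'class_exists'     => class_exists('ZipArchive'),
        'round_trip_ok'    => false,
        'error'            => null,
    ];

    // Stop early if the extension is not active for this PHP version.
    if (!$result['extension_loaded'] || !$result['class_exists']) {
        $result['error'] = 'zip extension is not active for this PHP version';
        return $result;
    }

    $path = tempnam(sys_get_temp_dir(), 'ziptest');
    if ($path === false) {
        $result['error'] = 'could not create a temporary file';
        return $result;
    }

    $payload = 'constructed sample payload';
    $zip = new ZipArchive();

    // OVERWRITE truncates the empty file that tempnam() created.
    $status = $zip->open($path, ZipArchive::CREATE | ZipArchive::OVERWRITE);
    if ($status !== true) {
        $result['error'] = "could not create archive (ZipArchive code $status)";
        unlink($path);
        return $result;
    }
    $zip->addFromString('sample.txt', $payload);
    if (!$zip->close()) {
        $result['error'] = 'could not write archive to disk';
        unlink($path);
        return $result;
    }

    // Reopen the archive and confirm the stored bytes match what was written.
    $status = $zip->open($path);
    if ($status === true) {
        $result['round_trip_ok'] = ($zip->getFromName('sample.txt') === $payload);
        $zip->close();
    } else {
        $result['error'] = "could not reopen archive (ZipArchive code $status)";
    }

    unlink($path); // always remove the temporary archive
    return $result;
}

if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain');
}
print_r(zip_archive_self_test());
```

    If you place the script in the web root to test it, delete it afterwards, since it reports the PHP version to anyone who requests it.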

    3. But now the question, should you?

    Up until now, I’ve used Zip archives because I’ve had issues with Daf archives where the entire site would not be handled. I’m reading this shouldn’t be the case… but it just has been.

    Let me know, do you Daf or Zip?

  • “Hello can you hear me”: Social engineering or part of the call?

    Have you ever received a phone call where the caller’s first question is, “Can you hear me?”

    There has been a lot of talk on the internet since around 2017, with people saying they were encouraged to say “Yes!” only to later have their voice used to pay for services.

    Disclaimer: I am not a lawyer, and I do not play one on television. I am however familiar with social engineering. I can tell you, in my professional opinion, of all the things that never happened, this never happened the most. 😉

    But… really? Is this for real? Or is it fear mongering, which is quite common on the internet? With a simple one word answer, can someone really steal my identity, or obligate me to a purchase?

    Can I be obligated with a single word?

    Yes...No...Maybe

    The answer is: Probably not. Realize, you likely have dozens of video clips with you and your friends on YouTube, or Instagram, or TikTok, or Facebook. And can a single word be used to identify you? So the perpetrators of this likely hoax are saying that a bad actor can order stuff on the internet, be on a call with whichever salesperson for however long they need to be on, and then at the crux of the call change their voice completely and insert your voice with a single-word response, “Yes”?

    Does that even sound reasonable? Of course it doesn’t sound reasonable. But it makes for good click bait, and fear mongering creates a lot of interest. The problem is, it also distracts you from real adversaries. Distractions are sometimes fun, but distractions are usually not a very good use of your time.

    Why the “Hello can you hear me” then? What are more reasonable thoughts on why these calls come in with that odd question?

    Confirming you are a real person

    Robocall

    The reason for the “can you hear me” is most likely a robocall where the calling company doesn’t want to waste the time of a real agent. Robo companies operate on volume – the more calls the better, because some percentage of people will actually buy what they are selling.

    If an answering machine answers, there is no reason to waste the time of a real agent. When the “just say yes or no” happens, it is because the robocall recognized a voice, but thinks it has an answering machine.

    Buying time for the operator

    A second reason is that the robocaller just transferred the call to a real agent, who is trying to buy themselves time in the awkwardness of having the phone answered. You may have said “Hello” or something else, and they don’t know what you said, so in order to trick you into thinking they were having phone issues they ask you to basically repeat yourself with the cue “Hello? Hello? Can you hear me?”

    Final thoughts

    There are many reasons that a caller would ask whether the called party can hear them, including:

    • A delay tactic, while being transferred to a live agent.
    • A simple way to start a conversation and to get the other person to respond.
    • Allows the scammer to test the audio quality of the call and to make sure that they are able to understand the other person.
    • A way to gauge the other person’s interest in the scam. If the other person responds positively to the “Can you hear me?” question, the scammer is more likely to continue with the scam.
    • A way to confuse or startle the other person, making them more likely to fall for the upcoming scam in confusion.
    • A basic sales tactic: getting the potential buyer used to saying “yes” in the conversation.

    Now that said, these are my professional opinions. And remember, just because you are paranoid doesn’t mean they aren’t out to get you, so hanging up the phone is the right thing to do.

    From: Your local computer security friend.

  • Unmasking The Future Of Malware with ChatGPT: A Comprehensive Analysis And Expert Commentary On The Evolving Threat Landscape

    “The future of malware” is a trigger for most of us in computer security. Most cyber professionals have an idea of what they think malware looks like in the next few years, but truly few of us write about it or document it in a formal way. In 2013, I presented on the “future of malware”. My predictions at the time were that initial attack vectors would pivot strongly away from IP based network attacks and towards (1) social engineering, (2) insider threats, and (3) overprivileged systems. At the time, application sandboxing was still in its infancy (especially for phone based applications), and phishing was gaining speed. Stuxnet was then a recent exploitation that was still being discussed in the industry.

    Since then, Target was attacked through an overprivileged thermostat — it was a control unit that was on the same layer of protected network as the rest of the enterprise and credit card machines. Then along came SolarWinds, where the attackers compromised service delivery of an application that was then distributed by the vendor to their clients.

    Malware AI

    Asking ChatGPT “The future of malware”

    Without much further ado, I’d like to present an interview with ChatGPT, to discover what an artificial intelligence makes of the future of malware.


    ChatGPT was asked to write a 1000 word essay on the future of malware. This is the result. I’ve added notes to each paragraph. ChatGPT content is italicized.


    Malware, short for “malicious software,” is a term used to describe any software that is designed to harm or exploit computer systems. It has been a significant threat to individuals and organizations for many years, and it is likely that it will continue to pose a threat in the future.

    This is an accurate answer to the question “what is malware?”, and an accurate description of the status of malware in the industry. Kudos ChatGPT.

    One trend that is likely to continue is the increasing use of malware as a tool for cybercrime, such as ransomware attacks that hold data hostage until a ransom is paid. These attacks can be especially damaging to businesses, as they can disrupt operations and lead to lost productivity and revenue. In recent years, there has been a rise in the use of ransomware as a tool for extortion, and it is likely that this trend will continue in the future.

    Types of malware come in many forms. My own opinion of this is that the trend is likely to pivot to data exfiltration and blackmail based on content (compromising the Confidentiality of data while leaving the data itself largely intact and Available) rather than the current lock and hold for ransom (Availability disruption). My basis for this argument is that more companies are using endpoint protection, “thinner” clients, and vendor segmented SaaS solutions where Encryption of large scales of data will be difficult. That said, this is a professional opinion, and I wouldn’t say ChatGPT is “wrong”. Kudos ChatGPT.

    Another trend that is likely to continue is the increasing sophistication of malware. As security measures and technologies evolve, malware will also continue to evolve to become more sophisticated and harder to detect and remove. This could include the use of machine learning algorithms to evade detection and the development of “zero-day” vulnerabilities, which are security vulnerabilities that are unknown to the vendor and can be exploited by attackers before a patch is available.

    Well, on this one there are a lot of fancy words being used like “sophistication of malware”, “evolve”, and “zero day”, all of which many of us in cyber war have written about. I’m going to say this paragraph is more fluff than fodder. No bonus points ChatGPT.

    One potential future development in the field of malware is the use of artificial intelligence (AI) and machine learning algorithms by both attackers and defenders. On the one hand, AI and machine learning could be used by attackers to more effectively evade detection and launch more sophisticated attacks. On the other hand, AI and machine learning could also be used by defenders to more effectively identify and respond to malware attacks.

    Agreed, and it is of benefit that artificial intelligence is being mentioned. To note, my thesis is in Artificial Intelligence, and I likely would not have mentioned AI in attack and exploitation. While this paragraph doesn’t present many details, it does bring up the subject. So… Kudos to ChatGPT for mentioning it.

    Another potential future development is the increasing use of malware in the Internet of Things (IoT). As more and more devices are connected to the internet, they become potential targets for malware attacks. This could include attacks on smart home devices, industrial control systems, and other connected devices. Protecting against these types of attacks will require new approaches and technologies.

    Agreed, yes, absolutely. The security perimeter becomes the node or system itself, instead of some artificial boundary between “enterprise” and “Internet”. Up until 2010 or so, breaking the perimeter usually meant bypassing the firewalls protecting the Internet border. That border is now already broken, because IoT (such as that thermostat at Target, or even SolarWinds if it is considered an appliance) is already in the building. Kudos ChatGPT.

    To protect against future threats, it is important for individuals and organizations to implement strong security measures, such as keeping software and security systems up to date, using antivirus and firewall software, and being cautious when opening emails or downloading files from the internet. It is also important to regularly back up important data to prevent loss in the event of a successful malware attack.

    Hmm. This paragraph on malware protection really seems to fall short. Anti-malware software only helps once signatures have been developed. Patching systems, using antivirus, check, agreed. However, earlier ChatGPT mentioned zero days, and of course zero days have no patch. I think ChatGPT should have tied these two concepts together. Good ideas ChatGPT, but there is something missing.

    In addition, it will be important for individuals and organizations to stay informed about new threats and developments in the field of malware. This could include staying up to date on security patches and updates, participating in security awareness training, and staying informed about the latest trends and techniques used by attackers.

    There is a quote from the Cold War that I’m going to paraphrase for cyber warfare. “In order to beat an attack, you have to think like an attacker.” Defenders will never win until they become the attacker. My recommendation is to regularly rotate the Defender staff out to Attacker mode, let them learn the Attack and Exploitation game, then come back and Defend for a while while the next group rotates out. A defender will never win until they think like the attacker, and even then, the defender cannot “win”, they can only thwart an attack that is underway. As soon as the Attacker recognizes the Defender has caught on, the Attacker then pivots to a new Attack vector. So… with regard to “staying informed”, I’d say that is implemented as, let the Defender put the Attack hat on from time to time. Kudos to ChatGPT.

    In conclusion, the future of malware is likely to be marked by increased sophistication and the use of new technologies, such as AI and machine learning. Protecting against these threats will require strong security measures and a proactive approach to staying informed about new developments in the field. By taking these precautions, individuals and organizations can help protect themselves against the ever-evolving threat of malware.

    Great conclusion. Kudos ChatGPT.

    Let’s take a look at this!

    Overall assessment

    ChatGPT as of 2022 provides some clever ideas and insights, and puts together a reasonable basic essay. There doesn’t seem to be much depth, and ChatGPT doesn’t bridge ideas together. There are what I call “flower words and phrases”, such as “increased sophistication” and “new technologies” without explaining why. Diving into this, every year the technology world experiences “increased sophistication” and “new technologies” — so the words and phrases really don’t do much to increase the sophistication of the essay, or to help the reader understand why these statements are being made.

    For basic layout, the chat bot does a decent job at assembling a basic, unsophisticated essay. For this example in discovering the future of malware, the bot did a basic 101 level essay on the topic, but not much more.

    Chess automata

    Concluding remarks

    Chess computers have been theorized for a hundred years. The Cray Blitz in the 1980s was the first chess automaton to register as a chess master. Twenty years later in 2006, the world champion Vladimir Kramnik was defeated by Deep Fritz in a 4-2 match. No human has topped a chess computer since.

    In the same way, ChatGPT is in its infancy. This is just the beginning. Today, ChatGPT is demonstrating basic and very good writing techniques.

    That all said, this is the beginning of ChatGPT and automata writing engines. Give the bot a few months or a few years, and I’d expect the sophistication of the bot to be on a competitive level to human writers. My prediction is that ChatGPT and automata writing engines will be used for “basic framework”, then more advanced human writers will add to the basic text that is generated — very similar to what I myself did in the earlier section. Let ChatGPT and automata do what they are good at (not much different than having an entry level lawyer write the beginning of the contract), then have a more advanced human take over to edit and include details that may have been overlooked by the automata.

    So tell me, what are your thoughts? Where is this technology likely to wind up in the next few years?

  • Risk management – developing a framework

    Risk management is an essential skill for any business professional. Whether it is having a second screwdriver available on the job in case one is lost or broken, or having Errors and Omissions or liability insurance, we are constantly evaluating risks and the costs associated with managing those risks.

    In this paper we are going to focus on understanding risk management. If you better understand that you have options when it comes to risks, you may be more comfortable with the risk brainstorming cycle.

    1. Risk management

    Risks are often complex. In an effort to disassemble or distill the risks, we’ll break them apart into two different underlying components. Each of the components of a risk are normally managed separately. In this case, we’ll be working with the likeliness of a risk actually happening, and the impact of that risk against our organization. Risks can then be more easily visualized on a basic X-Y graph.

    a. Likeliness or probability

    Controlling the risk is actually two exercises in one. The first is to control the likeliness of a risk, that is, reduce the likeliness that the risk will occur. For example, say our software shop has been hired to create a feature-rich point of sale system. We may mitigate the risk of not meeting the customer’s feature list by increasing the schedule or by adding additional engineers to the staff. An option to reduce the likeliness of not meeting the customer’s expectation is to use a spiral, agile, or incremental release schedule in lieu of a waterfall development lifecycle so the customer is able to see early on what they will be receiving in the end.

    [5] The US DoD categorizes the four options as Avoid, Control, Accept, or Transfer (ACAT).

    b. Impact or severity

    The second is to control the impact of the risk, that is, reduce the negative impact to your business. Say you are concerned about fire: You can install fire suppression equipment to reduce the impact of the fire. Or consider lightning strikes: You can install lightning rods to reduce the impact on the building and its contents from the damaging effects of lightning strikes. You can install redundant or high availability computer equipment to reduce the impact of technology failure that would otherwise negatively affect your business (systems remain operational through a failure).

    2. Risk treatment

    When it comes to risks, remember to mind the gap!  (Photo courtesy Pixabay)

    Risks in themselves are not “bad”. In fact, risks can create opportunities – some businesses actually cater to helping people manage their risks, like portable air conditioning services are there to help people in crisis, where their primary air conditioning system has failed.

    But risks can be bad, especially if they are not managed correctly. How can we reduce the likelihood or the impact of a risk? There are basically four ways to manage risk,[5] and a few more we’ll discuss. Makes this pretty simple, no? We’ll look at each of these options in the order that you should be looking at them.

    The United States Department of Defense’s Defense Acquisition University enumerates the risk treatment opportunities as ACAT, a mnemonic for Avoid, Control, Accept, or Transfer.

    A: Avoid, eliminate, or withdraw from the source of the risk

    Avoiding risks is sometimes an option (photo courtesy Pixabay)

    First, you can avoid the risk altogether, that is, eliminate them completely. Now that sounds great, right? Avoidance is extreme mitigation! But risk avoidance is likely not practical in most situations. Let’s look at a few situations.

    Let’s say you are a software shop. You’d like to add a new function to your software that includes automatic electronic data transfer to a bank. You realize this is a risky function, since it will have regulatory impact. In this case, you can avoid the risk by not implementing the feature. There is a drawback, though, and that is that you may lose sales because the feature is not present. Is this reasonable? Maybe.

    Take another example, say you own a hair salon. You realize there is a risk that someone may get cut with a pair of scissors, and in fact the insurance company has identified the hazard and offered a significant discount if you do not use scissors in your practice. Great, to avoid that risk, get rid of all the scissors! But is this reasonable? By avoiding the risk, you are also avoiding any hair cut engagements that require scissors. Sure, you can still do clipper cuts and razor shaves, but you cannot layer hair with scissors. Does this sound reasonable? It may be fine if you are on a military base and only cut men’s hair in a strict military style. It may not be so fine if you also cut hair for the wives of the servicemen.

    C: Control, reduce, optimize, or mitigate

    Control risks if you can! (Photo courtesy Pixabay)

    Second, you can reduce or “control” the risk. Risks are composed of two dimensions. In the case of controlling the risk, you’ll be working to optimize either the likeliness or the impact of the risk.

    A part of mitigation is monitoring. Say for example you are a roofing contractor and have a firm fixed price (FFP) contract to replace a roof. Since this is FFP, you are responsible if material costs increase – but there is also an opportunity to make more money if you purchase the goods at a better price. You may decide to monitor the selling price until the kickoff. If the price goes up to some pain threshold and you believe further price increases are coming, you may purchase the goods early. If on the other hand, prices continue to erode, you may wish to continue to monitor until you absolutely need the material.

    A: Accept, or retain

    Accept the risk (courtesy Pixabay)

    If all other options are too costly, too disruptive, or otherwise unacceptable, you can retain, or “accept” the risk. This is kind of like “self insurance”. Accepting a risk is completely viable where the cost of other mitigation options is too high. Take for example insurance policies that normally do not cover acts of war. If your business is destroyed by an act of war, you are by default self insured, and you have accepted the risk.

    Say you are part of a Business Warehouse Cooperative. You realize there is a risk that a hurricane could hit. It is impossible to avoid this risk, since you happen to live on the Gulf Coast. You can mitigate the risk by installing hurricane windows and shutters, and you have off site backups and online cloud computing resources to protect your data. But there is still residual risk, you could lose your building, and you could lose your customers. You look into hurricane insurance and Business Interruption Insurance, and you believe the likeliness of occurrence is less than the cost of insurance. In this case, you self insure, and after all the mitigation, you retain the residual risks associated with a hurricane strike.

    T: Transfer to another party

    Transferring risks requires an agreement (photo courtesy Pixabay)

    Third, you can share, or “transfer” the risk. Transfer of risk is actually quite common. Most of us have car insurance. Car insurance is transferring the financial risk of an accident to a third party.

    There are also other forms of insurance. Say you are hiring a small computer and Information Technology shop to do a highly important deployment. You may wish to purchase “key man” insurance to transfer some of the risks associated with hiring this shop, just in case the key man dies during the deployment. Another common form of insurance to transfer or share risks is E&O or Errors and Omissions insurance. This form of professional indemnity insurance or professional liability insurance helps to protect you in defending against negligence claims.

    E: Another option: Exploit!

    Risks can be opportunities! (Photo courtesy Pixabay)

    Exploiting a risk is an interesting idea. If you are a Home Health Agency, and you see a significant risk with HIPAA, you may create a new business focused on helping Home Health Agencies with HIPAA compliance.

    3. Conclusions

    Risks are a part of everyday life. Every day, we are faced with risks, and managing those risks. Risk management is an essential skill for effectively running a business.

    In this short paper we’ve looked at concrete methods to manage risks. Risk management playbooks are important, and prior planning prevents all sorts of problems. However, remember that risks are ever evolving, and managing risks requires some amount of flexibility in the practitioner.
