Archive for the ‘Support’ Category

WordPress Vulnerabilities

October 17th, 2011 No comments

In an earlier article entitled "Are your applications secure?", I talked about SQL injection threats. It's a threat that refuses to simply go away.

Just this morning I stumbled upon a thread on a web hosting forum about an OP (original poster) whose shared account was terminated by his web hosting provider after he was hacked twice. He was clearly the victim of the hacks, but the host deemed the OP responsible for keeping his sites safe, so that his sites would not affect other clients on their server.

The site in question was a WordPress site with a couple of plug-ins activated, nothing out of the ordinary. It was duly noted that WordPress sites attract a lot of hack attempts, and the more popular they are (lots of traffic), the more attempts. Obviously, the OP needs to find another web hosting provider, but his troubles are probably far from over. Should he install the same plug-ins on his site at his new host, the hack will most likely recur. Why?

One of the plug-ins the OP mentioned was Penny Auction, for which a "hack advisory" was recently issued by ngenuity-is.com.

Recommended plug-ins that help fight intrusion attempts:

Login LockDown - Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, then the login function is disabled for all requests from that range. This helps to prevent brute force password discovery. Currently the plugin defaults to a 1 hour lockout of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel. Administrators can release locked-out IP ranges manually from the panel.
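The lockout policy described above (3 failures within 5 minutes from one IP range locks that range out for 1 hour), written out as a small Python tracker. This is an added illustration, not the plugin's own code; the size of the "IP range" is an assumption here (a /24 block, IPv4 only), as is the behaviour of clearing the failure history once a block is locked.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

MAX_FAILURES = 3          # failed logins allowed ...
WINDOW_SECONDS = 5 * 60   # ... within this window (5 minutes) ...
LOCKOUT_SECONDS = 60 * 60 # ... before the block is locked out for 1 hour


def ip_block(ip: str) -> str:
    """Collapse an IPv4 address to its /24 block (assumption: /24 = 'IP range')."""
    return str(ip_network(f"{ip_address(ip)}/24", strict=False))


class LoginLockdown:
    def __init__(self):
        self.failures = defaultdict(deque)  # block -> timestamps of recent failures
        self.locked_until = {}              # block -> time the lockout expires

    def is_locked(self, ip: str, now: float) -> bool:
        """Check before serving a login request; expired lockouts are released."""
        block = ip_block(ip)
        until = self.locked_until.get(block)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[block]  # lockout has expired
            return False
        return True

    def record_failure(self, ip: str, now: float) -> bool:
        """Record a failed login; return True if this failure triggers a lockout."""
        block = ip_block(ip)
        recent = self.failures[block]
        recent.append(now)
        # Drop failures older than the window so only the last 5 minutes count.
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()
        if len(recent) >= MAX_FAILURES:
            self.locked_until[block] = now + LOCKOUT_SECONDS
            recent.clear()  # assumption: start counting afresh after a lockout
            return True
        return False

    def release(self, ip: str) -> None:
        """Manual release, as the plugin's Options panel allows."""
        self.locked_until.pop(ip_block(ip), None)
```

Timestamps are plain seconds so the logic can be exercised deterministically; a real deployment would pass `time.time()`.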

WordPress Firewall 2 - This is an updated version of the popular WordPress Firewall plugin, with fixes for all known bugs and a few new features!

This WordPress plugin investigates web requests with simple, WordPress-specific heuristics, to identify and stop the most obvious attacks. There are a few powerful, generic modules that do this; but they’re not always installed on web servers, and usually difficult to configure.

This plugin intelligently whitelists and blacklists pathological-looking phrases, based on which field they appear within, in a page request (unknown/numeric parameters vs. known post bodies, comment bodies, etc.). Its purpose is not to replace prompt and responsible upgrading, but rather to mitigate 0-day attacks and let bloggers sleep better at night.

WordPress Security Scan - checks your WordPress website/blog for security vulnerabilities and suggests corrective actions such as:

  1. Passwords
  2. File permissions
  3. Database security
  4. Version hiding
  5. WordPress admin protection/security
  6. Removes WP Generator META tag from core code

WordPress Updates Notifier - Sends email to notify you if there are any updates for your WordPress site. Can notify about core, plugin and theme updates. Monitors your WordPress installation for core, plugin and theme updates and emails you when they are available. This plugin is ideal if you don't log in to your WordPress admin regularly or you support a client's website.

Features

  • Set the interval of how often to check for updates; hourly, twice daily or daily.
  • Sets WordPress to check for updates more often meaning you get to know about updates sooner.
  • Get emailed about core, plugin and theme updates.
  • Choose whether you want to be notified about updates for active themes and plugins only.
  • Remove the upgrade nag message for non-admin users.
  • For advanced users there are a number of filters and actions you can use. More coming soon.

This plugin is a fork of Update Notifier. This plugin was forked because there seemed to be no further development on the existing plugin and there was no way to contact the original author to ask about taking ownership. WP Updates Notifier has the following improvements over Updates Notifier:

  • Completely rewritten from the ground up using best practices for writing WordPress plugins
  • Code wrapped in a class for better namespacing.
  • You can set the cron interval, allowing for more frequent checks.
  • Update checks trigger WordPress internal update check before notification.
  • Allows you to set the ‘from address’.
  • Makes use of the Settings API.
  • A number of available hooks and filters for advanced users.
  • Active support and development.

Categories: Blogging, Security, Support, The Editor

Customer Engineers versus Technicians

August 12th, 2011 No comments

Certainly it's the long-term goal of every business to minimize customer churn. The expense of signing on new clients far exceeds the cost of retaining and reselling existing clients. Everyone who interacts with your clients, from warehouse, sales and service to the accounting department, shares a responsibility to exceed your clients' expectations by going that extra one percent, every time.

Fix the Client, Not Your Product or Service. When I was employed as a technician by Varityper, our titles were tech rep 1, tech rep 2 and so on. That was changed to Customer Engineer. When you troubleshoot a client's problem, you're not fixing their typesetter, printer, broadband connection, website or whatever your business provides; you're fixing the client. And in doing so, you need to give at least the perception of value.

Providing Value - Can this be done on the fly? Sure, but not with great results. Good customer support reps go through extensive training for the sole purpose of maximizing the client’s perception of their business. They offer benefits and solutions. This pays off in reduced advertising cost, minimized churn, customer loyalty and “branding.”

Are you memorable? Are you memorable in your clients' eyes? Do you 'own' your business niche? Or are your customers simply satisfied clients? A certain level of support is expected from every vendor. On your customer surveys, do you ask the question, "Have we exceeded your expectations?"

Set yourself apart from the masses - Customer support encompasses so much more than simply responding to a service ticket, fixing the issue and closing it out without explanation. I see so many entrepreneurs asking how to develop a niche that sets them apart from the masses. Of course, the offer is KING, but great customer support keeps you on your throne.

Categories: Business Tips, Support

Is your network slow?

June 22nd, 2011 No comments

Your accounting department has been complaining about your network slowing to a crawl, but your sales reps are finally making cold calls because they can't surf the web or use email (or they're out on the golf course).

What's the problem? It could be a collision domain. Computer networks can be segmented physically as well as logically (Ethernet protocol), leading to circumstances where a single network device can send packets throughout a network segment, forcing every other device to acknowledge those packets. Or it could be a group of Ethernet devices in a LAN running CSMA/CD, connected via repeaters and competing for network access. If two devices follow the exact same procedure at the exact same time, their transmissions collide and both frames become unusable. Simply put, a collision occurs when two or more network devices try to transmit packets at the exact same time.

As collisions increase on a network, the network becomes less efficient. So how do you combat a large collision domain? Use switches and/or network bridges that filter and forward frames by their MAC address. A switch or network bridge forwards frames with addresses that are not in its domain, and duplicates and broadcasts frames to the devices inside its network.

Routers can filter, forward or drop packets based on MAC addresses. Routers reduce the collision domain by broadcasting to the LAN only packets that have addresses on that specific network. Routers are able to redirect packets not only by IP or MAC address, but also by data type (email, graphics, plain text), function or port used (FTP, HTTP, SMTP, POP3), plus other variables and functions (acting like a firewall), in order to improve network performance.

Contrast your network with data center networks that occupy entire buildings and house thousands of servers. They're designed to host mission-critical computer systems, with fully redundant subsystems and security zones. They contain routers and switches that transport traffic between those servers and the outside world. Redundancy of their Internet connection is usually provided via BGP, blending bandwidth from multiple upstream providers.

Categories: Miscellaneous, Support

Are your applications secure?

April 1st, 2011 No comments

Updated April 1 2011 – This is still HIGHLY relevant. See this story.

December 2009 – I just read an article this afternoon about the fastest growing security threat in the hosting industry. Apparently this threat has grown over a hundred fold in just the last year alone. What is it?

SQL Injection

Why have SQL injection attempts grown so dramatically? It was pointed out, and I agree, that it's because the bad guys are using (very sophisticated) automated tools. More and more, we're seeing attempts that are not merely disruptive, but focused on identity theft. Anyone remember Heartland Payment Systems and TJX?

Who is Susceptible?

Certainly, if you're processing lots of credit cards, you need to guard against SQL injection, but even if you aren't, this exploit needs to be addressed. I did a quick Google search for SQL injection prevention and stumbled upon the SQL Injection Prevention Cheat Sheet at http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet. Since most SQL injection exploits are due to lax coding and poor application design practices, prevention measures like those outlined on that page can significantly minimize your risk of being compromised.

From Owasp.org

“SQL Injection flaws are introduced when software developers create dynamic database queries that include user supplied input. To avoid SQL injection flaws is simple. Developers need to either:
a) stop writing dynamic queries; and/or
b) prevent user supplied input which contains malicious SQL from affecting the logic of the executed query.”
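The two OWASP options side by side, as an added example that is not part of the original post or the OWASP page: a login lookup built by string concatenation (the dynamic query OWASP warns about) next to the same lookup with bound parameters. The table and its rows are constructed in an in-memory SQLite database so the comparison runs offline.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory users table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "battery staple")],
    )
    return conn


def login_dynamic(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Dynamic query: user input is pasted into the SQL text, so a quote
    character in either field changes the logic of the query itself."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "' ORDER BY username"
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Hardened form: the SQL text is fixed and the driver binds the values,
    so whatever the user types is compared as data, never run as SQL."""
    sql = (
        "SELECT username FROM users WHERE username = ? AND password = ?"
        " ORDER BY username"
    )
    return [row[0] for row in conn.execute(sql, (username, password))]


def compare(username: str, password: str) -> tuple:
    """Run both forms on the same input so the difference is visible."""
    conn = make_db()
    return login_dynamic(conn, username, password), login_parameterized(conn, username, password)
```

With a correct password both forms return `["alice"]`; with a password containing a quote the dynamic form can match accounts it should not, while the parameterized form returns nothing.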

Categories: Featured Articles, Security, Support

Lifetime Values?

December 1st, 2010 1 comment

I just read a post on Seth’s Blog about embracing lifetime values, and was immediately able to relate this to any number of industries. When I was selling security systems in Miami, my employer had years of data highlighting the lifetime value of every new client. Think about it – who changes alarm vendors once the system is installed? Their monitoring ran $24.95/month, but clients routinely stayed with them from six to seven years. Value adds were additional motion sensors, control panels, remotes and door contacts. 

I wonder how many sales or support reps understand the real value of each shared, dedicated or colo sale, and how that drives the business as a whole? In the post, the lifetime value of new cell phone clients (on two year contracts) was estimated at $2000.00. I’ve been with my cell phone provider since 1997, and have grown from one to four phones.

Is there a lifetime value in web hosting?
What do you estimate the lifetime value is (on average) of a month-to-month dedicated server client? What about the new 2U colo client, who someday grows to a full rack, or a cage?

Could you increase your client’s lifetime value?
The answer is, absolutely – under promise and over deliver. Empower your staff, from sales reps to the billing and support departments, to go that extra one percent in every contact they have with each client. Your goal should be to exceed your client’s expectations. This is the stuff of long term business relationships.

Bottom Line
If one of your clients left in a huff, would you surmise, 'there goes a $20 client' or 'we just let $2000 walk out the door'?

Categories: Business Tips, Support

Memory Leaks – What Are They? How Are They Corrected?

November 23rd, 2010 No comments

I bought a memory enhancement program in the mid-'90s to correct what I thought was memory leakage. I noticed my computer running slower and slower, even after defragging my huge (60MB+) hard drive. That technology has improved over the years, but memory leakage issues still persist.

Memory leakage can cause serious problems
While most memory leakage is quite small and doesn’t present any serious problem in and of itself, the accumulated effect of running programs for hours on end can compound problems, sometimes leading to disastrous results.

So what is memory leakage, exactly, and how can we resolve it?
My original understanding was that certain programs, when closed, did not release their allotted space in memory, thus reducing the amount of memory available to other programs. Memory leakage is so much more complex than that. A slight bug in one program might interact with some other program, causing increased allocations of memory until some program crashes (not necessarily the program with the leak). As a consumer, how would you know where to begin to isolate the cause? I'm not a developer, and I suspect most of us aren't. Debugging code is best left to the programmer geeks. I started my quest for answers with searches on Google, Bing, Yahoo and Wikipedia.

From Wikipedia
In computer science, a memory leak is a particular type of unintentional memory consumption by a computer program where the program fails to release memory when no longer needed.

  • From Google – over 3.4 million results
  • From Bing – over 8.1 million results
  • From Yahoo – over 10.6 million results

I don’t really have time to search through 22 million results, so I’ll highlight a few results here.

Some contributing causes of serious memory leaks

  • Leaks inside the operating system itself
  • Leaks in system critical drivers
  • Leaks in embedded devices
  • Leaks in programming languages
  • Leaks where programs are able to request memory that hasn’t been released, even when the program terminates

Memory Managers
Most memory managers can recover memory that has become unreachable (if it's unreachable it retains no value), but they normally cannot free memory that remains reachable. And it's worth noting that there are levels of reachability, with strong or weak references. Add to that, every system has a finite amount of memory anyway, so if a memory leak is not contained (possibly by a reboot), it will eventually cause problems.
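The reachable-versus-unreachable distinction above, as an added Python example (not from the original post or any particular memory manager): a cache that holds strong references keeps every object reachable, so the runtime can never reclaim it even after the caller is done, while a cache of weak references lets the same objects go as soon as nothing else holds them. The `Session` class and the counts are constructed for the demonstration.

```python
import gc
import weakref


class Session:
    """Stand-in for any per-request object a long-running program allocates."""
    _all = weakref.WeakSet()  # weak tracking so counting never keeps objects alive

    def __init__(self, name: str):
        self.name = name
        Session._all.add(self)


def live_sessions() -> int:
    """How many Session objects the memory manager still cannot free."""
    gc.collect()                # collect anything only cycles were holding
    return len(Session._all)


def leaky_cache(count: int) -> dict:
    """Holds strong references: objects stay reachable through the cache,
    so finishing with them elsewhere frees nothing (a classic leak)."""
    cache = {}
    for i in range(count):
        cache[i] = Session(f"s{i}")
    return cache


def weak_cache(count: int) -> "weakref.WeakValueDictionary":
    """Holds weak references: entries vanish once the last strong reference
    goes away, so the cache cannot by itself keep memory alive."""
    cache = weakref.WeakValueDictionary()
    for i in range(count):
        s = Session(f"s{i}")
        cache[i] = s            # 's' is the only strong reference ...
    return cache                # ... and it is gone when the loop variable dies


def demo() -> tuple:
    """Return (live while leaky cache held, live after dropping it, live with weak cache)."""
    held = leaky_cache(5)
    while_held = live_sessions()
    del held                    # the cache was the only thing reaching them
    after_drop = live_sessions()
    weak = weak_cache(5)
    with_weak = live_sessions() + len(weak)
    return while_held, after_drop, with_weak
```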

A simple Google search for Memory Management Programs returned over 68 million results. Yipes! A word of caution – many of these programs are outdated and in fact, produce some overhead of their own.

If you have a recommended program, please share its strengths and weaknesses with us here.

Categories: Featured Articles, Support

Killing off Windows Police Pro

October 6th, 2009 4 comments

First, let me say once again how much I despise rogue programs, and Windows Police Pro is a nasty one. It's of the same family as Windows Antivirus Pro, which I wrote about around April 1st.

The first warning that you’re infected is an obnoxious pop up that states your computer is infected, and recommends you purchase their program.

Windows Police Pro also acts as ransomware because it prevents you from accessing websites to download anti-spyware or anti-virus programs like AVG or StopZilla. X'ing out of the pop-up is impossible, but all is not lost.

How to remove this nasty beast from your computer

First, open your Task Manager (Control, Alt & Delete), then end the Windows Police Pro process. Also end the svchast.exe process. Then go to Run and type regedit to edit your registry. Under Edit, use Find to locate the Windows Police Pro entries and delete them. Then you should be able to access the AVG or StopZilla websites, download and install their programs, run a scan and remove the infection.

I used StopZilla on my grandchildren’s laptop and you could actually hear Windows Police Pro groan when StopZilla killed it off. LOL.

Categories: Support