Category: Security

August 31, 2015

Hosting Related, Security, Security Related

Reading Time: 5 minutes

The above diagram shows you the architectural difference between cloud hosting solution and traditional hosting solutions. Cloud service partitioning of the overall system stack, as outlined above, only started to become generally promoted in 2008-2009. Traditional dedicated servers, shared server hosting accounts, and VPS hosting were offered all over the internet more than full decade before the word ‘cloud’ became the latest buzzword. This article is a bit different than most every other ‘cloud hosting’ article published so far. How? Well, there has been alot of hype over the past several years about the cloud approach to web hosting. Although cloud hosting is becoming an increasingly popular method of web hosting, there are some disadvantages to that arrangement. As with each kind of hosting, there are pros and usually at least one drawback associated with each type; and each has a significantly different cost. Hosting a website in a public cloud offers some benefits that we will review below, but there is one very significant drawback - which is an inherent lack of control over security/privacy of a company’s business data. This means that your information could be vulnerable to hackers and unauthorized users. After all you would be storing your ‘private’ business information out there in some unknown rather geographical location in ‘the cloud’. Would you simply trust that? If you just have a small website, that showcases your company with some simple functionality such a contact form, then a traditional shared hosting account or VPS (Virtual Private Server) is completely adequate; as it has been for a long time. Shared hosting has been the status-quo since the late 1990s’. Regarding software applications and databases that deal with your actual business data: such as your customer lists, their ordering information, your customer’s personal information or credit-card/banking information, you would logically want that information to be kept ‘in-house’ or internal. Your company’s most important data is usually the proprietary software that your company has developed (usually at great expense), or your company’s entire customer database (which is usually tied together with your customer’s personal credit card or banking details). This is something that you would not normally want to have...

May 26, 2015

Domain Related, Security, Security Related

Reading Time: 3 minutes

Click on image to see it full zize. Even before whistle blowing hero Edward Snowden revealed the deep penetration the US government has impinged on it’s citizens privacy as you use the internet, there were many reports of government institutions spying on citizens, and cellphone records have often been mentioned in those reports. In spite of this, we have as a whole ‘learned’ to accept it. Cell phone use records offer tremendous insight into any investigation, because of the sheer amount of detailed information about the individual suddenly under the microscope. Apart from basic contractual information like a subscriber’s name and address, lots of other data is also gathered and stored on file by mobile providers; such as everywhere you have been with your phone. This database of data includes who you phoned (and they have the same type of data warehoused on your friends too of course), who you received calls from, who you sms’d, what you said, who said what to you, your tweets and facebook activity, your photographs are up for grabs, videos, and again, everywhere you have been. There is not much left, as the above is already above most people’s imaginations. read_more Mobile operators also record all ip-addresses and even which websites users visited on the Internet. All this information is available to any government agent with a higher level of clearance than a police officer (or investigator). From the information which is gathered, mobile operators can apply algorithms to find out when you prefer to wake up, perhaps even how many times you tap snooze, when you went to sleep or other usage patterns. App downloading is recorded, and perhaps every-time, how often, you launch your favorite game. With the right surveillance order (or perhaps without one) a mobile operator can also relay information about who you associate with. Armed with a valid subpoena, police and other government agents can retrieve recordings of your calls and all your SMS’s; warehoused digitally for years. A 2013 CNN report exposed that US operators use this data, for marketing purposes in conjunction with third parties. While even though Americans are told that the...

May 13, 2015

Security, Security Related

Reading Time: 6 minutes

This blog concerns the topic of what is known as “Ransomware”. It is becoming a ever more prevalent annoyance that has been circulating around the internet. The devilish hackers behind it are attempting to extort money from common people. Like its name implies, "Ransom-ware holds your computer hostage, subsequently demanding payment in order for the person to be able to boot or log into their computer again.", says Eric Rainbolt, 4GoodHosting’s support manager. It goes onto a victim’s computer through unpatched software vulnerabilities to silently install itself, and sometimes through social engineering tactics too. “Cryptolocker” is ransom-ware that can spread quickly through email a affects a person’s file that on drives that are mapped to a hard-drive (of SSD) using the drive letters D: , E, or F:. This can also include USB memory sticks, ext. hard drives, or from a network or cloud folder. Paying the criminals, which we don’t advise, may or may not let you access to your system or your data back, but there have been plenty of cases where the ranson-ware’s decryption key isn’t emailed or when sent doesn’t even work. Tens of thousands of machines have been affected in the past couple of years – after the ransom-ware pirates have sent millions of emails. So what can be done about ransom-ware? read_more Ransom-ware is is not only disruptive and intimidating, your subsequently encrypted files can often be considered damaged and oftentimes beyond repair. But if you have adequately safeguarded your system, then it is becomes nothing more than a nuisance. Here are some methods to negate the threat of ransom-ware. Mirror your drive to a backup drive at least once a month. Having a regularly updated backup is essential. If your computer is infected with ransom-ware it may cause you to lose work-in-progress documents. To avoid this it it better to use an external drive or backup service, particularly one that is not assigned a drive letter or is often not plugged in. Patch or Update your software Malware authors rely on people running outdated software with known vulnerabilities, which they can exploit to silently get onto their system. Updating your software often will...

February 23, 2015

Domain Related, Hosting Related, Security, Security Related

Reading Time: 5 minutes

What happens if we simply allow governments to make all the regulations and rules, not us, and let corporations argue about it, not us? That would be the clear merger of state and corporate power, which are the only two ingredients in the recipe for fascism; which has always occurred through all of the past two centuries of history under similar circumstance. Our case in point for this article is: Google Claims Opposition to New (without public consent) Rule that Gives American Federal Judges and their Government Omnipresent-Global Search Warrant Powers. The American “Advisory Committee on the Rules of Criminal Procedure” is quietly and slying consider changing a rule would allow judges to issue “ global warrants” to search computers (ie. your/anyone’s computer) and networks which are outside of the judge’s district. So, they wish to give the already outrageous NSA-spylike powers to all of their federal judges? If so, shouldn’t the American people be having some say on that particular huge issue? But they seem so utterly passive. Do the American people really need a “congress” to echo their concerns and trust that their elected officials vote likewise -> when today people can theoretically all take a vote simultaneously on the internet? The simple point is that individual citizens should claim their right to express their opinion publicly or privately over the internet without government suppression of it, nor interference. And why should we care? Because what happens in America certainly affects us here too; especially when pertaining to the internet. Back to the current scoop... Google has again surprised us all by just suddenly announcing an always-untimely proposed change to a procedural rule; which the google representative says could have “profound implications for the privacy and security of all web users”. read_more Into the nitty-gritty - American Federal Rule of Criminal Procedure 41 dictates that federal judges cannot issue warrants to search things outside of their district, with specific exceptions. The US Department of Justice asked the Advisory Committee to make changes to allow the government to conduct “remote access” searches of content stored in a location “concealed through technological means,” { they are also saying they don’t...

January 27, 2015

Domain Related, Hosting Related, Security, Security Related

Reading Time: 3 minutes

Forward: Pretty much all of us have heard or know that privacy rights no longer exist in the United States. Gone, finished, beyond recourse (except through using end-to-end encryption techniques ; however the NSA can probably still secretly grab your screenshot or logged keystrokes or live microphone through a backdoor partnership with Microsoft and Apple). Any per-existing privacy laws have been overwritten by new creepier laws that have paved the way for absolute intrusion into the American people’s personal world by their out-of-control government. Even if there are a few scraps of privacy protection in the states, it has become clear that any such laws are completely ignored by large and sophisticated spy organizations such as a the NSA. Edward Snowden’s whistle-blowing reports are a case in point. But did you know our home country of Canada has some of the most protective laws regarding internet privacy in the world, at least on paper? Our nation even has appointed a “Privacy Commissioner”: The Commissioner is currently Daniel Therrien. He was appointed on June 5, 2014. [ There have been eight Privacy Commissioners since the office was established in 1977. ] You even have the right to contact him or his office with your own related personal privacy concerns, anytime. More info: http://en.wikipedia.org/wiki/Privacy_Commissioner_of_Canada Here is his youtube channel: https://www.youtube.com/user/PrivacyComm The first incarnation of a privacy law came in 1977 when the Canadian government introduced data protection provisions into the Canadian Human Rights Act. read_more Then in 1982 The Canadian Charter of Rights and Freedoms stated that Canadians have "the right to life, liberty and security of the person" and "the right to be free from unreasonable search or seizure"; but strangely avoided using the word ‘privacy’. The following year, in 1983, the Federal Privacy Act regulated how federal government collects, passes around and utilizes people’s personal information. In the 90’s and 2000’s, other privacy legislation placed restrictions on the archival, the use and disclosure of citizen’s personal information by territorial and provincial governments, and likewise also by companies and institutions within the private sector. The latest ruling to emerge out of this fray is the recent June 2014 Canadian Supreme Court...

December 29, 2014

Domain Related, Hosting Related, Security, Security Related

Reading Time: 1 minutes

... the Pentagon has quietly built a multibillion-dollar cyberwarfare capability and trained its commanders to integrate these weapons into their battlefield plans. U.S. Cyber Command was officially stood up in 2010, based at Fort Meade in the Maryland suburbs of the nation’s capital, consolidating intelligence and cyberwarfare capabilities of the Army, Air Force, Navy and Marines under one house. Soon, billions of dollars were being invested in the concept that cyberattackers targeting America should be prepared to sustain their own damage. Little has been discussed in public about U.S. Cyber Command’s specific capabilities since, though budget documents detail a growing commitment to this form of warfare. The Pentagon’s cyberwarfare budget has grown from $3.9 billion in 2013 to $4.7 billion in 2014 and an estimated $5.1 billion in 2015. More at: original Washington Times December 22nd Article Link For an additional layer of internet security from many forms of spying and hacking, see information about our SSL certificates .

December 15, 2014

Domain Related, Hosting Related, Security, Security Related

Reading Time: 15 minutes

What are we talking about in this creative original blog post? How about a freshly deployed “blank content” completely-isolated-new-private-virtual-internet-environment; just like a starter internet on a different planet. In other words, imagine being on an internet where you and your friends are the only inhabitants of Mars but you are all connected through a common (and private) internet on the surface of that distant planet. We think you should be able to deploy and command your own completely isolated Virtual Private Internet (VPI) or perhaps better marketing name Virtual Private Planet (VPP); just add users! ) In this new age of omnipresent internet surveillance/spying/intrusions/ddos attacks, etc and creeping and shadowy “Orwellian” state takeovers, we here at 4GoodHosting thought thinking-up a new service offering, as private and secure as possible, could be a big value-add overall for our customers. So does the idea of a Virtual Private Server(VPS) still sound impressive? Well, try this instead... Virtual Private Internet(VPI) - or Virtual Private Planet (VPP - as private and secure as you and your friends and family living on another extremely distant planet and interacting over your own private internet). "Imagine" a virtual instance of an entirely other pre-configured "encapsulated internet" with almost no content stored in it, maybe just a couple of images and some started 'hello world!' webpages and templates and web builder programs. What if all “content” and logfiles were deleted from this internet, with just open-source webservers and virtualization software (vps - virtual private servers, instead of physical ones) and applications, programming languages, and scripts left on it? And then compiled and condensed into a VPI/VPP container with extra starter terabytes of storage (deeply encrypted by the VPP container) available only to itself and using its own entirely unique ip address protocol? As the whole container is encrypted other than its login sevice, so ,you would need to authenticate into, to get onto, that virtual private internet. Inside it, or on it, you could only request webpages and emails and voice communications from the other users within that self-contained virtual internet. Your ‘allowed-in’ VPI/VPP users can even pick their fantasy geographical location in your virtual fantasy world. Your...

December 9, 2014

Hosting Related, Security, Security Related

Reading Time: 4 minutes

A Scandinavian technology company, Fox IT, was one of the first discovers of a new threat to PHP based programs (such as WordPress, Drupal, Joomla, etc. ) The Fox IT CryptoPHP white paper is quite technical but we will summarize the issue for you here. It is about something termed ‘Nulled Scripts’ and given another label too, CryptoPHP. This is perhaps a new term to most of our customers. So what exactly are these so-called Nulled Scripts? Nulled scripts are scraps of PHP code, which can be found on free or otherwise non-approved WordPress plugin sites or even in WordPress theme archives; which have had their copy-protection removed. Various *pro* plugins and themes come with a serial number, or key, which enables paid features or provides access to download free upgrades. Nulled scripts have such protections removed (so that it is become ‘free’). There are many websites that are offering these nulled-scripts and also nulled WordPress plugins and theme installers. They shouldn’t be used because of the following problem: CryptoPHP explained The programmers who published the white paper have witnessed a drastic increase in the availability of nulled/corrupted scripts. read_more Of course it is not “new” news that alot of “free” WordPress plugins might have this kind of malware embedded in it; if it was not downloaded from a trusted source such as WordPress.org, WooThemes, WooThemes, Theme Forest, Drupal.org Joomla.org, etc. But this particular kind infection is more of a threat than previous malware because in it encrypts data before transmitting it back to its controlling servers; which of course can be located anywhere in the world. Identifying the infection is rather simple though: For example take this line of code: include('wpassets/images/someimage.png'); A web developer that could be reviewing the code should be suspicious of it because an 'image' is not supposed to be included this way into an PHP script. This “ include() “ function call is supposed to be used for importing PHP code. So this has turned out to be be a way of injecting malware PHP code contained in a fake image file. This devious technique isn’t readily detected by malware/virus scanners because most of the...

November 25, 2014

Hosting Related, Security, Security Related

Reading Time: 3 minutes

Do you ever feel like somebody is watching your back (and not your computer screen) when you are on the internet? Well Canada’s privacy law is still protecting you when you are online surfing. Our fellow Canadian Social media users are shielded from the complex details Terms of Service on many popular social services. Just because you are forced to check the many lengthy terms of service, that of course most of us don’t sit there for a half and hour and actually read, our privacy law trumps any provision that is against the grain of our current privacy law. "This overriding provision in our federal privacy legislation actually does provide protection for unexpected, unreasonable uses, even with consent," stated a Toronto-based lawyer and expert on internet law Barry Sookman. "So I actually think there is a standard here that applies that is fairly useful and is consumer friendly." “An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances." reads Canada's Personal Information Protection and Electronic Documents Act. This means that "the person has to agree to the terms," Sookman said. "So a person who simply accesses a social networking site and hasn't seen or hasn't had a reasonable opportunity to review the terms wouldn't be bound by them." If the policy had terms that a reasonable person wouldn't consider appropriate, then those terms may not be binding. "There’s two good examples of when a service’s privacy policy wouldn't be enforceable: either when a person hasn’t been put on notice that there’s going to be a policy that’s binding, or when it’s an unreasonable term." Depending on the service, when somebody accesses their website, many website companies automatically collect basic information to know, for example, where people are coming from and to know if they are a returning visitor. Those kind of data collection is rather hidden and it is automated usually to facilitate the operation of their site. When data collection crosses the line: read_more Where there is some completely unexpected use of one's personal information, matters “may go over the line.”. "So the test in...