Sometimes disasters happen… It’s an unfortunate reality. In the IT world the name of the game is reducing down time, and the best way to ensure that you reduce downtime during a disaster is to have a backup and disaster recovery plan. Here at TKG, we have a nerdy saying we like to throw around: “Secure data equals peace of mind.”
That’s why we are currently in the next phase of our (always evolving!) backup strategy to include a disaster recovery plan that ensures we can provide uptime even if our data center is wiped off the map! (We had a massive storm and tornado warning last week that made us a little fearful that might actually happen!)
This is great news for our clients, and a service that very few web hosts/data services providers can claim.
The best backup strategies include an offsite backup location to move data to, but sometimes it’s not enough to just move data offsite… It’s important to plan for a disaster, and figure out a way to put your data back in “play” after one occurs.
With VMware as the backbone to our hosting environment we are going to be able to utilize our offsite backup server as another VMware host to ensure the best possible uptime for our clients in the event of a disaster.
Virtual machines give users unprecedented flexibility to backup and restore virtual machines. There are some really great software packages that allow users to backup virtual machines such as Vranger and Veeam. I’m not going to recommend one of the other (I’ll leave the homework up to you), but it’s important to find a backup solution that fits the needs of your virtualization environment.
There’s no way around it.. Disasters suck (especially for IT people), but with good planning it is possible to ease the pain of a disaster. To learn more about what makes an ideal hosting environment, head over to the Data Services section of TKG.
The recent uproar regarding the government ordered hand-over of Verizon business customers phone metadata has many wondering what is being gathered and for what purpose? We live in an information age, but many of us don’t understand exactly what “information age” means in terms of what you are actually passing along and what is being saved for later analysis. Just as our phones contain metadata, so does the web.
“Metadata” as it relates to the web
In simple terms, it is general information encompassing further details about the actual item. You can think of it as the envelope you drop into the mailbox. The contents of the envelope are unknown to those that look at it, but the envelope itself contains details that anyone is able to read. This includes information like the origin (your address) the destination (who you’re sending it to), date it was stamped by the post office, size and weight of the package, etc.
Translating this metadata concept into modern terms, every single user of the Internet freely hands over metadata to strangers every single time they click a link. In a web request, similar envelope information is required to make sure the server gets you the information you requested. This data is passed from network to network and anyone along the way could capture this data and develop patterns on their own.
For example, as I write this I’m able to observe activity on our web server and can tell you that someone in the country of Senegal is currently interested in finding out about wedding day diamonds from one of our clients. That activity is anonymous, but it gives enough detail to observe and develop patterns of activity over a period of time.
If the thought of metadata collection makes you uneasy, the quickest and easiest way to reduce metadata sharing is to update your browser’s privacy settings. You have the ability to disable tracking cookies and browsing history for each session. For example, holding “CTRL-SHIFT-N” in chrome starts this mode. This is also available for mobile privacy through the specific mobile browser you use. Go into your settings to turn off cookies, access to your location, etc.
What are your thoughts on metadata sharing? Will you be adjusting your privacy settings? Photo credit
Virtualization is a key component to many data centers around the world today, and why shouldn’t it be? At TKG we rely on a world-class virtualization platform to house many of our critical hosting servers. Virtualization gives us the flexibility to allocate resources on-demand to different machines as needed, and it gives us a backup solution that will help decrease down time in the event of an emergency.
So, what is virtualization?
Think of it as multiple personalities for a computer. There are many different operating systems out there, and each system has its own strong suite. Linux is great for web hosting, Windows has Active Directory and Exchange, the Mac has… well the Mac actually doesn’t have the ability to be virtualized in a production environment! Virtualization software allows users to run multiple operating systems on one computer or server. You could have your Exchange server on Windows running right next to your Linux-based web hosting server on the same hardware! Think of the savings (hardware, energy, etc)!
There are two major platforms for virtualization that come to mind when dealing with server virtualization: VMWare and Microsoft.
Each system has pros and cons, and I have had experience with both. Personally, I prefer VMWare ESX over Microsoft Hypervisor simply because Hypervisor requires Windows Server to be installed on the server before being able to virtualize a system (full version of Windows = more overhead). VMWare ESX is a light-weight operating system that you install on a server and control with a program that runs on your desktop PC.
If you’re new to virtualization or just want to see what it’s all about you can download a copy of VMWare Player. VMWare Player is a FREE virtualization program that installs right on top of Windows (sorry, Mac users you have to purchase VMWare Fusion). Player allows users to run Linux, Windows or any other OS you can throw at it right on top of your current system.
I’d be happy to answer any questions you may have about virtualization, just put them in the comments!
Mobile device security has become a hot topic with the explosion of smartphone and tablet sales in recent years. Think about all of the information that is kept on your smartphone… email, calendars, personal contacts, payment information and every app that you have with saved login info is all in one easy-to-lose place – ripe for the picking! So, the question becomes, “what can I do to secure my device’s data?”
iOS (iPhone, iPod Touch and iPad) users have the luxury of Apple’s iCloud offerings and the ability to remotely lock, wipe and geo-locate a missing device right from iCloud’s website. iOS users can enable “Find My iPhone” in the Settings app under the iCloud settings. If you’re not an iOS user don’t worry, because there are third party services like Lookout for Android that give users similar functionality on different platforms.
Another must for mobile device owners is to enable a passcode before using the device, and it can be as simple as a four-digit PIN. Some devices will give users the option to have their iOS or Android device automatically wiped out after so many failed login attempts. Windows 8 has a neat feature that presents a user with a picture at the login screen, and the user must use gestures to unlock the device.
Did you know smartphones and tablets can get viruses? According to a recent CNN article Android accounts for 97% of all malware on mobile devices. Moral of the story: make sure you only download apps from trusted sources, and be sure to read the reviews of each app you download. I would encourage device users of all platforms (iOS, Android, Windows, etc) to take this to heart. Another way to prevent malware from infecting your smartphone or tablet is to refrain from jailbreaking it.
Taking a few easy steps could save you time, money and headaches if your phone or tablet comes up missing. I’ll be the first to tell you I have left my iPhone at Starbucks, but I was able to find it and secure it using iCloud. Share your lost phone story with us in the comments!
The recent Chinese attacks against various US websites as well as the security breach at Facebook and Apple has put hacking and security back in the spotlight.
While these attacks were quite focused and sophisticated, the simple fact remains that the majority of attacks target simple holes in website architecture that can be proactively closed by developers and server admins making your website safer.
Hollywood likes to make hacking look easy and instant, but this isn’t always the case.
At the end of the day an attack usually results from a series of miniature fact-finding pokes that can tell the attacker what they are dealing with. There use to be a time that this sort of information gathering required dedicated tools like Fiddler, WireShark, or NetStumbler.
Today this isn’t necessarily the case since modern web-browsers include a lot of built in developer tools meant for good, but can be used to find out enough information to attack.
For example, starting at a target’s website the first thing an attack may do is to look at the additional information the server is freely telling them. Here they find out that they are dealing with an ASP.net site, running version 2.0.50727 on IIS 6.
That may not seem like much, but it instantly focuses efforts on exploits in Microsoft technologies as opposed to blindly attacking the site with techniques that don’t apply to that environment. A quick Google search reveals this further information:
“Microsoft ASP .NET Framework 2.0.50727.42 does not properly handle comment (/* */) enclosures, which allows remote attackers to bypass request filtering and conduct cross-site scripting (XSS) attacks, or cause a denial of service, as demonstrated via an xss:expression STYLE attribute in a closing XSS HTML tag. “
How do you protect yourself from this sort of fact finding?
It’s really a very simple solution; configure the server and application to not send this information. There may be unavoidable clues like file extensions for your website, but at least that isn’t delivering exact version information to a curious set of eyes.
Another easy form of attack simply involve URL manipulation. On a website that may be presenting small thumbnails of images for purchase; an attacker would able to use the same developer tools to spot a request like the one below.
Wanting to get the image without purchase, he may notice the “width=70″ in the URL. What happens if he makes that “width=200″? He then discovers that the website has given a version of the image that is 200 pixels wide. What happens if “width” is removed? It serves back the full sized image, ready for download. If he puts a little more work into putting all of those URLs into a list, the attacker would then be able to use a small program that goes through that list requesting each image 1×1 — free of charge.
How do you protect yourself from this?
The best thing to do is to have your developer validate ALL input and set default values in the programming for values that may be missing.
SQL injection attacks take place on websites that simply take the input from the user and apply it to the programming with no validation applied. In the case of the missing width, this developer should have set a width himself if one was not present to always return back a smaller version of the picture.
At the end of the day if someone really wants to affect your website they will. But taking a few relativity easy proactive steps will not affect your true user and will make that attacker have to work quite a bit longer to get in.
Have you ever been the victim of hackers? How did you recover and what do you put in place as protection against future attacks?
From its inception in 2003 WordPress has been downloaded more than 65 million times and powers 22% of all new websites.
WordPress owes a lot of its popularity to the fact that it is easy to use. It put publishing content on the Web within reach of people with diverse backgrounds. While WordPress is undoubtedly a good thing in that it allows mass sharing of information online, it has somewhat of a bad reputation in the information security community.
Part of the information security dilemma is the trade off between security and convenience. Systems that are highly secure are usually not very convenient to use, whereas systems that are convenient to use have a tendency of not being very secure.
WordPress users have to be aware of the fact that WordPress needs ongoing attention to ensure it is installed securely and remains secure. By following well established guidelines, WordPress users can make sure their websites remain a trusted and productive conduit to their audience.
Security Tip 1: Keep Your WordPress Site or Blog Up to Date
The most basic step to ensure security in the WordPress environment is to make sure you are keeping up with the version of WordPress you are running.
If you are running an old version then you are more at risk because you don’t have the latest code. This is no different from any other software. People are well aware of the monthly Microsoft patches that get released to keep your operating system secure. WordPress users need to be aware of when WordPress releases a new version and take appropriate steps to upgrade their WordPress installations.
This awareness should extend to the WordPress themes and plugins that you install inside of WordPress. To the credit of the WordPress team their base software has gotten better over the years regarding security. Often times a WordPress installation will get “hacked” because there is a vulnerability in one of the plugins or themes that have been installed inside of WordPress.
Users need to be aware of what themes and plugins they are using and pay attention to any new updates for those themes and plugins. Along the same lines, if you installed a plugin and then decide not to use it then it should be un-installed. There is no reason to leave a plugin installed if you aren’t using it when a vulnerability in that plugin could leave your whole site susceptible to an attack.
Security Tip 2: Choose Wordpress Plugins and Themes Wisely
While we are on the topic of plugins and themes – it may be tempting to install a myriad of themes and plugins when you are first getting started.
Pay attention to information about what you are installing. Don’t install a theme or plugin that has been downloaded only 10 times in the last 5 years and don’t install a plugin that was last updated in 2009.
WordPress.org does a great job displaying information about plugins that it offers. It will display the date the plugin was last updated along with the number of downloads a plugin has. While not universally true, for the most part a more popular plugin will have active developers that care about the security of their code.
Security Tip 3: Take Additional Steps
At the heart of information security there are a few guiding principles. One of these principles is “Defense in Depth.”
If one safeguard fails you can be sure there is another safeguard at a different level that will still keep you secure. Even if they don’t realize it WordPress users should practice defense in depth. It is a good idea to install a WordPress firewall that may protect you against any vulnerabilities in the base WordPress software along with issues in plugins and themes on your site.
WordPress users should also ask their hosting providers if they offer any sort of Web Application Firewall. This is also a way to protect your website if there happens to be a vulnerability in the WordPress environment.
Security Tip 4: Don’t Forget the Simple Stuff!
The very first step towards WordPress security may be the most important and yet the easiest.
Choose strong passwords for your WordPress administrator accounts. If you follow all the advice here and set your administrator password to “123456”, “qwerty” or even “123456qwerty” then the bad guys will just take advantage of your simple password and login to your administrator interface.
Passwords matter – again it is a trade off of convenience versus security. It is harder to keep track of complicated passwords but using those stronger passwords can be the most important step to take to secure your WordPress website.
We have talked about taking some steps to achieve a more secure WordPress installation. So why does this all matter?
It boils down to a few reasons. When a website gets hacked a lot of times the attackers will cause your website to infect visitors with malware – viruses and spyware.
Your website becomes a source of an infection for people who are visiting your website — and you want to be a responsible online “citizen” – keeping your website secure is a part of that.
There is no doubt you have made an investment (time and money) into your online presence. Running a WordPress website can be a very effective method for establishing your business online and communicating a message to your audience.
This can be hampered if you don’t take some precautions to keep your website secure. You can lose the trust of your visitors and you could also lose the trust of the various search engines. If your site gets compromised then Google could label your site as one that may infect visitors. You could fall out of the Google rankings and lose any momentum you have going with the search engines. At the end of the day it is about making an ongoing investment in your website to ensure it is helping you to reach your goals.
Have you ever experienced a WordPress security threat on your site or blog? Let me know in the comments…
Over the past few weeks, we’ve introduced you to our web marketing crew, our design gurus, and our development wizards. Now it’s time to meet that strange group of guys at TKG who enjoy windowless rooms, rows of blinking lights, and sorting hundreds of cable cords. Yep, time to meet the men of the IT Data Center.
Without a reliable place to host your website, the best design, development, or web marketing implementation will only fall on deaf ears. We like to think of it as being responsible for our own actions. There’s no passing the buck and no deferring the blame when it comes to online performance here.
People passing through data services will hear a lot of things. “Availability“, “Redundancy”, and “Has anyone seen the crimpers?” to name a few. Making all these things happen on a daily basis, including the need to find one of our three pairs of crimpers to make cables, requires a great team. Please allow me to introduce.
Jeffrey Heath mans the front lines. If you’ve emailed support or called in looking for assistance, Jeff’s always at the ready. Helping out with configuring your email accounts, implementing websites from development to production and providing remote hands services to our managed service and server co-location customers just scratches the surface when it comes to Jeff’s weekly activities. Going above and beyond traditional support is Jeff’s forte. Having a problem with the email setup on your phone? If you’re local, Jeff may just recommend you bring it up to the office. Personal support and service. It’s not dead here.
A bit more behind-the-scenes sits Greg Skouby. Our resident Certified Information Systems Security Professional (CISSP), Greg keeps the firewalls, routers, switches and servers in top shape. His unique skill set effectively draws from his programming experience to stand on guard against the latest network threats and server side exploits. Greg doesn’t just sit behind a console. When not at his desk, you can probably find him behind a data center rack plotting and scheming his next cable management conquest. Who says manual labor doesn’t exist inside of IT?!?
As for me, I’m proud to head up this operation. You can learn more about me here.
It’s rare in our industry to have a Data Center we call our own. We can’t imagine it any other way. We take responsibility for our work and have a lot of pride for the lasting relationships we make with our clients. A project doesn’t end with the launch of a new website; it’s actually just the beginning. Know that the data services team has your back from supporting your email to staying ahead of the latest network mischief … even if it’s at 3am.
Stay tuned to the blog for more data center goodness in coming weeks and months. We know data services info can lean toward the technical, so we’ll be sure to keep it as relevant, interesting and and easy to understand as we possibly can.
Acquisition expands the company’s geographic reach and extends depth of services
The Karcher Group (TKG), a full service Web agency based in North Canton, Ohio, has announced the acquisition of SitesNow, a Web Design, Development and Data Services company located just outside Cleveland.
The acquisition expands TKG’s geographic reach and market share in Northeast Ohio while providing greater depth of Data Services for its clients. The move also benefits SitesNow’s clients, who now gain access to TKG’s full range of services, including Web Design, Web Development, Data Services and perhaps most notably, Web Marketing, which consists of Search Engine Optimization, Social Media, Pay-Per-Click, Content Writing, and more.
“SitesNow and TKG have remarkably similar business philosophies and histories,” said Geoff Karcher, President of TKG. “We’ve both been in business since the 1990s and have a comparable outlook on how our clients can use the web to grow their businesses. It was a natural fit to join forces.”
SitesNow was founded in 1996 by Bryan Sears. During the company’s 15-year history, Sears and his team built and cultivated one of the area’s most cutting edge and reliable data centers and also developed hundreds of website applications. At the core of their business was the protection of business data through the “CIA triad”: confidentiality, integrity and availability – an approach that will heartily benefit TKG’s clients as well.
In his new role as Director of Data Services, Sears is responsible for overseeing and growing all Data Center operations at TKG.
”TKG’s range of services and plans for strategic growth were immensely appealing to SitesNow,” said Sears. “Our role is to integrate our technical know-how by improving, expanding and strengthening what TKG has already done a fantastic job building. Pooling our experience will result in increased uptime and superior support.”
Also joining TKG is Sears’ longtime SitesNow associate Greg Skouby as Network Administrator. Skouby is a Certified Information Systems Security Professional (CISSP) which requires five years of full time security work and passing an extensive exam. He is also a Cisco Certified Network Associate (CCNA).
All SitesNow Data Center operations are now centralized at TKG’s main office and Data Center in North Canton. Additional information about the acquisition is available here.
For additional information, please contact Collyn Floyd at TKG at 800.310.0317.