How I run melodiouscode.net

Partly for myself and partly for any interested readers I wanted to note down how melodiouscode.net works; what technologies and providers are used and for what purpose. This is not going to be a deep technical article but more of an overview and the basis for some more technical articles in the future.

Although this is a just a simple blog (for now anyway!) I have been using it to learn more about the systems that are out there to support and secure a larger website. Much of the work I have done is overkill for a small blog but I couldn’t talk about security if I wasn’t secure myself!

There are a number of components to melodiouscode.net the larger of which are listed here.

Components

  • The Ghost Blog engine
  • Digital Ocean
  • Cloudflare
  • Cloudflare Workers
  • Report URI
  • Zapier
  • Unsplash
  • Grammarly

The Ghost Blog Engine

Previous blog sites that I have run over the years have used the WordPress engine which has unfortunately become rife with questionable plugins and vulnerabilities, some of which have been rather nasty. On top of that, it requires so much maintenance and configuration that I never got around to writing any articles, instead spending my time upgrading, backing up, and tweaking appearances.

Shortly before I started up this new blog site (melodiouscode) I watched a talk called “Hack your Career” by Troy Hunt; in it, Troy recommends the Ghost Pro platform for anyone tempted to set up a semi-professional blog. I decided to take one step back from the Ghost Pro hosted offering and look at the Ghost Blog engine itself, which is released as open source under the MIT licence.

Ghost is a simple and clean blogging engine aimed at writing articles, not creating some all singing all dancing website with integrations up the wazoo. Hopefully using a simple engine to run my blog will mean I write a few more articles!

Digital Ocean

Digital Ocean provides what they call droplets for you to run web-based systems on; at the basic end, they cost just $5 a month (the droplet I am running this site on is a $5 droplet). Droplets are effectively just virtual servers with a public IP address; Digital Ocean provides DNS features allowing you to map your domain name to their platform.
Although using Digital Ocean does require me to update the software/operating system on my droplet semi-regularly, this is easily automated (I use an Ubuntu droplet so can set a cron job to run apt). They also have a quick one-click setup for Ghost allowing you to create a droplet pre-configured to use Ghost and Let's Encrypt.

You can help me out with my hosting costs by following this referral link when checking out Digital Ocean.

Cloudflare

This is where the fun begins. Cloudflare provides a number of services (many for free): enhanced security, caching, DDoS protection, a web application firewall, and much more. All of this is available in a basic form on their free website plan, but for the purposes of learning and playing I have chosen one of the paid plans as it grants access to some more features.
Through Cloudflare I am able to provide a secure connection to my site with little configuration, including HSTS preloading, automatic HTTPS rewrites, and TLS 1.3. One caveat worth knowing: Cloudflare terminates TLS at its edge, so the hop from the edge back to the origin is only as secure as the zone's SSL/TLS mode; with a Let's Encrypt certificate already on the droplet, "Full (strict)" is the mode that actually verifies that hop. Along with the security enhancements they also provide an aggressive caching layer which keeps the site fast and takes the load off my origin Digital Ocean server.

Cloudflare Workers

Along with the security and caching layers, Cloudflare also provides a service called “Cloudflare Workers”; this lets me run custom JavaScript on Cloudflare's edge, in the request path between the visitor and my origin, so the response can be modified moments before it reaches the client’s browser. Following the advice of Scott Helme I have taken his Security Headers Cloudflare Worker and modified it a little to serve my CSP and other security headers without the need to modify my web server or Ghost installation.
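To make the header-rewriting idea concrete, here is an added example of such a Worker. It is not Scott Helme's worker and not the code running on melodiouscode.net; the report endpoint, the CSP allow-list and the other header values are assumptions chosen for illustration. The header logic is kept in a pure function over a plain name/value map so it can be tested outside the Workers runtime.

```javascript
// Added example, not Scott Helme's worker and not melodiouscode's own code:
// a Cloudflare Worker that proxies the origin response and rewrites its
// security headers at the edge. The report endpoint, the CSP allow-list and
// the other header values below are assumptions chosen for illustration.

// Assumed placeholder for the site's Report URI endpoint.
const REPORT_URI = "https://example.report-uri.com/r/d/csp/enforce";

// Headers the worker adds. Kept as a plain object so the logic can be
// tested without a Workers runtime.
const SECURITY_HEADERS = {
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
  "X-Content-Type-Options": "nosniff",
  "X-Frame-Options": "SAMEORIGIN",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Content-Security-Policy": [
    "default-src 'self'",
    "script-src 'self' https://cdnjs.cloudflare.com",   // assumed allow-list
    "style-src 'self' 'unsafe-inline'",                  // assumed: theme inline styles
    "img-src 'self' https://images.unsplash.com data:",
    "frame-ancestors 'self'",
    "upgrade-insecure-requests",
    `report-uri ${REPORT_URI}`,
  ].join("; "),
};

// Origin headers that only help an attacker fingerprint the stack.
const REMOVE_HEADERS = ["x-powered-by", "server"];

// Pure function over a plain { name: value } map. Header names are matched
// case-insensitively, as HTTP requires. With reportOnly the policy is sent
// as Content-Security-Policy-Report-Only, which is how a new CSP should be
// rolled out (and watched in Report URI) before it is enforced.
function applySecurityHeaders(headers, { reportOnly = false } = {}) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!REMOVE_HEADERS.includes(name.toLowerCase())) out[name] = value;
  }
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    let target = name;
    const clear = [name.toLowerCase()];
    if (name === "Content-Security-Policy") {
      if (reportOnly) target = "Content-Security-Policy-Report-Only";
      // Never leave an origin-supplied policy of either flavour alongside ours.
      clear.push("content-security-policy", "content-security-policy-report-only");
    }
    for (const key of Object.keys(out)) {
      if (clear.includes(key.toLowerCase())) delete out[key];
    }
    out[target] = value;
  }
  return out;
}

// Workers entry point: fetch from the origin (Cloudflare routes this to the
// droplet), then return the same body and status with rewritten headers.
async function handleRequest(request) {
  const originResponse = await fetch(request);
  const plain = Object.fromEntries(originResponse.headers.entries());
  return new Response(originResponse.body, {
    status: originResponse.status,
    statusText: originResponse.statusText,
    headers: applySecurityHeaders(plain),
  });
}

// Only register the handler when running inside the Workers runtime.
if (typeof addEventListener === "function") {
  addEventListener("fetch", (event) => event.respondWith(handleRequest(event.request)));
}
```

Two things to watch if you adapt this: flattening the origin headers into a plain object merges repeated headers such as `Set-Cookie`, so a production worker should copy them with `new Headers(originResponse.headers)` and delete/set on that instead; and the `preload` directive is a one-way door, since submission to the HSTS preload list requires `includeSubDomains` and a max-age of at least a year and is slow to reverse, so only add it once every subdomain is known to be HTTPS-only.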

ReportURI

Created by Scott Helme, ReportURI is a service which receives CSP (and similar) violation reports: when a browser blocks something the policy set in a site's security headers does not allow, such as an unexpected JavaScript resource included in the page or an iframe injected into the view, it posts a JSON report to the report-uri endpoint, and ReportURI collects and aggregates those reports. Without a service like ReportURI I would not be able to tell whether the CSP I have set is functioning correctly; the same reporting channel is also what makes it safe to roll a policy out as Content-Security-Policy-Report-Only first and only switch to enforcing once the reports are clean. ReportURI has a free basic tier which is more than enough to run a personal blog; if you intend to implement a CSP there is no reason not to pick up a free account, and if you run a larger business site you should definitely look at their paid-for offerings.
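What a report endpoint actually has to deal with is worth seeing, so here is an added example (not Report URI's code) that parses and triages the JSON violation reports a browser POSTs to a `report-uri`. The reports are constructed for illustration; the `{"csp-report": {...}}` envelope and field names are the ones browsers send, and the size cap is an assumption for an endpoint that is, by design, reachable by anyone.

```javascript
// Added example, not Report URI's code: parsing and triaging CSP violation
// reports. Sample reports are constructed; the envelope and field names are
// the ones browsers actually POST.

const MAX_REPORT_BYTES = 64 * 1024; // assumed cap: the endpoint is public and attacker-reachable

// Browser extensions inject scripts that the page's policy blocks; reports
// with these schemes are noise the site owner cannot fix.
const NOISE_SCHEMES = ["chrome-extension", "moz-extension", "safari-extension", "ms-browser-extension", "about"];

// Parse one raw request body. Returns null for anything malformed rather
// than throwing, so a hostile POST cannot take the endpoint down.
function parseCspReport(body) {
  if (typeof body !== "string" || body.length > MAX_REPORT_BYTES) return null;
  let data;
  try { data = JSON.parse(body); } catch { return null; }
  const r = data && data["csp-report"];
  if (!r || typeof r !== "object") return null;
  // Older Firefox put the whole directive text ("script-src 'self'") in
  // violated-directive, so keep only the directive name.
  const directive = String(r["effective-directive"] || r["violated-directive"] || "").split(" ")[0];
  return {
    documentUri: String(r["document-uri"] || ""),
    directive,
    blockedUri: String(r["blocked-uri"] || ""),
  };
}

function isNoise(report) {
  return NOISE_SCHEMES.some((s) => report.blockedUri === s || report.blockedUri.startsWith(s + ":"));
}

// Group reports by (directive, blocked-uri), most frequent first, dropping
// malformed reports and extension noise. "inline" and "eval" are real
// findings (an inline script or style the policy blocked) and are kept.
function triageCspReports(bodies) {
  const groups = new Map();
  for (const body of bodies) {
    const report = parseCspReport(body);
    if (!report || isNoise(report)) continue;
    const key = `${report.directive}\u0000${report.blockedUri}`;
    const group = groups.get(key) || { directive: report.directive, blockedUri: report.blockedUri, count: 0 };
    group.count += 1;
    groups.set(key, group);
  }
  return [...groups.values()].sort((a, b) => b.count - a.count);
}

// Constructed sample bodies, as a browser would POST them.
const SAMPLE_BODIES = [
  JSON.stringify({ "csp-report": { "document-uri": "https://blog.example/post/", "violated-directive": "script-src",
    "effective-directive": "script-src", "blocked-uri": "https://cdn.example/tracker.js",
    "original-policy": "default-src 'self'; script-src 'self'" } }),
  // old-Firefox style: no effective-directive, full directive text
  JSON.stringify({ "csp-report": { "document-uri": "https://blog.example/", "violated-directive": "script-src 'self'",
    "blocked-uri": "https://cdn.example/tracker.js" } }),
  JSON.stringify({ "csp-report": { "document-uri": "https://blog.example/", "effective-directive": "script-src",
    "blocked-uri": "chrome-extension" } }),
  JSON.stringify({ "csp-report": { "document-uri": "https://blog.example/post/", "effective-directive": "frame-src",
    "blocked-uri": "https://ads.example/frame.html" } }),
  JSON.stringify({ "csp-report": { "document-uri": "https://blog.example/", "effective-directive": "style-src-elem",
    "blocked-uri": "inline" } }),
  "{not json",
  JSON.stringify({ "something-else": 1 }),
];
```

Running `triageCspReports(SAMPLE_BODIES)` yields three groups, with the twice-reported `tracker.js` script first; the extension report and the two malformed bodies are discarded. The aggregation is the part a service like ReportURI does for you at scale, but the input-hardening (size cap, no exceptions on bad JSON, tolerating both report dialects) is what anyone self-hosting an endpoint has to get right.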

Zapier

Much like the service IFTTT, Zapier allows you to create simple logic flows to automate processes. I use it simply to tweet a link to a new article after I have posted it. I could do this myself, but why not have something do it for me! Zapier is also free for basic “zaps” and ties in directly with Ghost.

Unsplash

Unsplash.com is a fantastic resource of high-quality royalty free images which you can use for any purpose. I use images from Unsplash for all the header pictures for each post and page on this site; you do not have to provide attribution when you use an unsplash image but it is good karma if you do (see the bottom of this post for an example).

Grammarly

Write good, I often do not! Grammarly is a program that provides spell checking, grammar review, and sentence-structure suggestions. The Grammarly system is slowly helping me to write better content, improving upon my typically lax language and sentence structure.

In Summary

Melodiouscode.net is made up of several parts, the basics of which are outlined above and will at some point form the parts of a more detailed write-up!

The header image for this post was provided for free on unsplash.com by Vadim Sherbakov. Thanks Vadim!


Folders, Folders, always folders

Two of my employers’ largest clients are law firms, and being law firms they regularly receive instructions from insurance firms for claims to be processed. This is where I come in: over the years I have created (or incremented) many instruction feeds that allow the insurance firms to electronically (normally via XML) instruct the law firms to investigate a claim. These services get hit hard and often, in some cases receiving hundreds of fresh client instructions an hour, which creates a lot of data and transactional records. Storage of this data is the subject of this blog post.

Anyone who has been in a car crash and reported it to their insurer will know that it prompts a lot of questions detailing every aspect of the incident. All these questions and answers (plus the schema data) can make for thousands of lines of XML (sometimes tens of thousands if the schema was badly designed!). Good idea or not, every service I have worked on has had a project requirement to keep a copy of the XML somewhere humans can get at it; this often ends up being the file system.

You guessed it, I am writing this quick article because I have just been bitten by a system which stored hundreds of thousands of little files in one big folder (it was not written by me).

The Problem

Windows does not enforce a small hard limit on the number of files in a directory (NTFS allows billions per volume), but a directory holding hundreds of thousands of entries is painful in practice: enumerating it is slow, 8.3 short-name generation makes creating each new file progressively slower, and opening it in Explorer can hang or crash the process depending on the resources available to the machine. You guessed it, this is where the ‘folders, folders, always folders’ subject comes in. When you store a large number of files in a folder over a long period (think several years), you need to break up the folder structure. Nothing is easier than placing files in a Year\Month\Day directory structure.

\\SomeServer01\SomeShare\2018\07\14\Instruction001.xml

There are of course other options:

  • Store the files in the database
  • Store them in some sort of NoSQL store
  • etc

I used the word simple for a reason, and don’t forget those project requirement documents!

Why dates?

Humans understand dates: when a member of the helpdesk needs to locate an instruction file they can easily work out where it is from the date it was processed/received/etc.

Archiving

Any developer knows that systems often run out of storage space because the IT Systems Team were busy with something else and didn’t notice, or the email alerts went to a folder rather than their inbox! Date formatted folders can easily be archived/zipped/etc.

GDPR!

In this post-GDPR world we should always think about how, and for how long, we store data. Files stored in a date-structured folder are very easy to locate and trim based on how old they are (not the only reason for deletion, but one of many).
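The two halves of this, laying files out as `\\Server\Share\YYYY\MM\DD\file.xml` and later trimming whole day folders by age, fit in one small piece of code, so here is an added example (not the author's instruction-feed code). The share name, file names and dates are constructed for illustration, and it assumes, as such feeds usually do, that the file name is derived from an instruction ID sent by the other party and therefore untrusted.

```javascript
// Added example, not the author's production code: building the
// \\Server\Share\YYYY\MM\DD\file.xml layout and selecting day folders that
// have passed a retention period. Share name, file names and dates are
// constructed for illustration.

const SHARE = "\\\\SomeServer01\\SomeShare";
const MS_PER_DAY = 24 * 60 * 60 * 1000;

const pad2 = (n) => String(n).padStart(2, "0");

// Day folder for a timestamp, always in UTC, so a file's folder does not
// depend on the server's time zone or on a DST change around midnight.
function dayFolder(date) {
  return [date.getUTCFullYear(), pad2(date.getUTCMonth() + 1), pad2(date.getUTCDate())].join("\\");
}

// Assumption: the file name comes from an instruction ID supplied by the
// sending party, i.e. untrusted input. Refuse anything that could leave the
// day folder (path separators, "..") or that Windows treats specially
// (reserved device names, trailing dots or spaces).
const RESERVED_NAMES = /^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(\..*)?$/i;
function safeFileName(name) {
  const ok = typeof name === "string"
    && /^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$/.test(name)
    && !name.includes("..")
    && !/[. ]$/.test(name)
    && !RESERVED_NAMES.test(name);
  if (!ok) throw new Error(`unsafe file name: ${JSON.stringify(name)}`);
  return name;
}

// Full UNC path for an instruction received at `receivedAt`.
function instructionPath(share, receivedAt, fileName) {
  return [share, dayFolder(receivedAt), safeFileName(fileName)].join("\\");
}

// Given day-folder names relative to the share ("2018\\07\\14", ...), return
// those whose date is older than `retentionDays` as of `now`. The caller can
// then zip, move or delete them as the retention policy requires.
function expiredDayFolders(dayFolders, retentionDays, now) {
  const today = Date.UTC(now.getUTCFullYear(), now.getUTCMonth(), now.getUTCDate());
  const cutoff = today - retentionDays * MS_PER_DAY;
  return dayFolders.filter((folder) => {
    const [y, m, d] = folder.split("\\").map(Number);
    return Date.UTC(y, m - 1, d) < cutoff;
  });
}

// Usage: instructionPath(SHARE, new Date("2018-07-14T09:30:00Z"), "Instruction001.xml")
// gives \\SomeServer01\SomeShare\2018\07\14\Instruction001.xml
```

Doing the age calculation on folder names rather than on file timestamps is deliberate: the folder name is the date the instruction was received, which is the date the retention policy is written against, whereas file modification times get rewritten by restores, copies and antivirus scans. The file-name check is the security-relevant part; without it a feed that lets the sender choose the ID is a path-traversal primitive into the share.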

Summary

To put it simply, don’t forget how you store your data dumps. If you put a large number of files in a folder over a prolonged period of time, store them in a date formatted structure!

\\SomeServer01\SomeShare\2018\07\14\Instruction001.xml

The header image for this post was provided for free on unsplash.com by Samuel Zeller. Thanks Samuel!


Be a password ninja!

Our dog, Daisy the West Highland White Terrier, decided she desperately needed a pee at 5:50 am on Saturday; and the weekend makes it my turn to get up with her! After dealing with her needs and turning on the coffee machine I didn’t fancy picking up the project I have been working on and decided to try something new.

I needed a link for the password reset and password change pages of the project I am working on. I wanted to present the user with some simple to understand advice on how to pick a good password; don’t get me wrong there are some great resources out there but none of the ones I came across was simple enough for what I wanted. Being the over the top domain name owner that I am (seriously I have a problem) I went and bought some more.

On Saturday morning I wrote a simple one-page website that is now hosted on be-a-password.ninja (and beapassword.ninja just for completeness sake). It is a work in progress and just a simple site for the moment, as brain power and time allows it will become more detailed and hopefully more useful to the world. But for now, go and become a password ninja!

If anyone has any suggestions or comments (make them constructive) please leave a comment here!

And for those who don’t know, this is Daisy!

The header image for this post was supplied by @lasayehommes on unsplash.com. Thanks!


IT Support Scammers

No matter how strong your technical security is (antivirus, firewalls, security headers, well-written applications, etc.) there is always one sure route to failure: social engineering. If a privileged user can be convinced to perform nefarious acts on a system, that system is compromised. That being said, most professionals are not going to fall for that (although I know one who did fall for a variant of the old Nigerian finance scam to the tune of several thousand pounds); the less initiated are a different story, and we as IT professionals have a duty to help them!

IT Support scams appear to be on the rise again; I am aware of at least ten people who have received calls claiming to be from Microsoft in the last year. Luckily for them (and me) most of them realised what was going on before it was too late, some were less savvy and their machines required a lot of my time.

What is a support scam?

IT support scams almost always start off with an unsolicited phone call. The scammers have either acquired the victim’s number on the black market (data breaches, stolen files, etc) or they are just simply dialling every number one at a time (read about auto-dialers here).

Once a scammer gets ahold of their intended victim they claim to be from a trustworthy firm, typically Microsoft (or Apple, Google, etc). The scammer uses the victim’s trust in a well-known firm to build a conversation and start engineering their way into the victim’s system.

How many of the uninitiated (think your grandparents, or that little old lady who is a friend of your mother’s) understand half of the notifications their laptop shows them? The scammer preys on this, telling them that “Microsoft has detected some problems with your machine” and asking whether they spotted that “update alert” the other day. The odds are that Windows Update (or perhaps some antivirus software) has popped up an alert in the last week and the user has ignored it. The scammer will then walk the victim through some screens on their machine, claiming that common files are viruses or getting them to open the system event log to see all the “critical system errors” it shows (we know that badly written applications like to log errors; your grandparents do not).

Eventually, when the scammer has convinced the victim that they are at risk, they encourage them to install some remote access software, sometimes a custom remote access trojan (RAT), other times just something simple like TeamViewer. With remote access the scammer can do as they please: stealing documents, leaving malicious payloads (ransomware, keyloggers, etc.), and once they are embedded they often ask the victim to hand over their credit card details to pay for “a cleaning service” which they have no intention of providing.

How can we stop the spread?

Simply put, making the vulnerable user’s security as simple to understand as possible is the first step. If they know they are secure because someone they trust (hopefully you) told them so and showed them how to check, they are less likely to be scared into acting by a scammer. Most importantly, tell them about these scams: make sure they understand that anyone who calls them out of the blue about their computer is almost certainly lying, and that if they have any doubt they should hang up and call you for assistance!

Make sure they have antivirus and firewall

For most standard users the built-in Windows 10 security software is more than enough, especially from a firewall perspective. If you want to go one step further and install one of the many free antivirus programs, be careful which one you pick. All the freemium products try to force their paid-for products on you with every update, and our potential victims are just going to click past the update messages because they mention spending money. Pick an antivirus program which is not just free as a hook for the paid software; Sophos provide a good product which is less needy (thanks to their top line coming from corporate subscriptions rather than one-off payments). Depending on who the user is (friend or family) you may be willing to install the good stuff and add them to your personal subscription (I use ESET NOD32 for security and it costs all of $5 a year to add another user); that way they will never get nagged about converting to a paid subscription.

Keep them up to date

Provide a simple way for them to keep all the little bits of software (Adobe, Java, etc.) up to date. The more up to date their software, the more secure they will be; widely installed free programs such as Adobe’s reader and Java have a long history of security holes, so keeping them updated is especially important. I use a product called Ninite Pro to silently push updates to family machines; for the machines that I do not want to spend money on (think friends rather than family) I place a copy of the Ninite updater on their desktop named “UPDATE” and tell them to run it once a week. This ensures all those little programs are kept up to date without the user having to understand what they are!

Educate!

Explain how to be secure online, what to do and what not to do (don’t forget the dangers of oversharing on social media!). Antivirus is useless if they don’t understand the pop-ups; show them what they look like and explain the jargon (write it down for them).

But most of all, tell them to contact you if they are concerned! It may seem like an invite for countless support calls but one or two calls a year which can be dealt with over the phone are better than a week of extracting malicious software from their laptop (and them being scammed out of a few hundred pounds).

TL;DR

  • Educate your friends and family about IT support scams so they don’t fall victim!
  • We need to work together on this!

The header image on this post was provided for free by @rawpixel via unsplash.com. I chose it because it looks like us all fist bumping when we agree to work together on this!
