LastPass keeps your passwords, secure notes, and using the matching browser extension or app on your mobile device, it can autofill passwords when you need them.

Lastpass goes one step further and lets you share a username and password with someone else without actually revealing your password. This is particularly useful when you need a staff member, or a consultant to log into one of your accounts but you don't want to actually share the password.

They're currently running a special for Earth day, offering a 25% discount. I would definitely recommend you take a look if you don't already use it. Here's the link to check it out.

The post LastPass Earth Day Sale 25% Off appeared first on Digital Marketing Through Content & Influence.

Now, 3 years later, 2017 has been deemed the year of SSL, and it even seems that maybe it will be required for some sites. Heck, Moz shows that at least half of first page results are served via https.

SSL is no longer for Ecommerce and geeks only

It used to be that you really only needed SSL if you were collecting or providing sensitive information. Personal, financial or healthcare data. But due to problems with phishing, spoofing, and the growing number of vulnerabilities, it makes sense that all websites should be "verified" through an SSL certificate.

Until the past couple of years, SSL was really only an option that bloggers would consider if they were making money because it was an added cost to hosting, domain registration and any other paid service they needed like Vimeo, or Aweber and similar.

There was also a technical challenge with setting up an SSL certificate in a shared hosting environment. I won't get into the details of it but it's a bit of a challenge to make a certificate work when there are shared accounts under one IP address --the way that most shared hosting works.

SSL is now free... mostly

But recently a few companies have surfaced that provide free SSL certificates, and they take care of the technical issues regarding multiple websites under one IP address and one server.

For the free SSL certificates offered by these companies to work, your host has to support their process. Both of my preferred hosting companies did not support this fully, until recently. Greengeeks and Inmotion required that you have a dedicated IP and at least a virtual server in order to install an SSL certificate, and you had to purchase it from them or from a 3rd party.

But to my delight and yours, Inmotion has just enabled the use of free SSL certificates in all of their service plans.

Quick guide on how to set up free SSL for your Inmotion hosting

If you have a shared hosting account, you'll find detailed instructions on how to setup the SSL certificate here. If you have a VPS account then you'll need to follow this guide instead.

In the process of doing this for my own VPS, I only had an issue with the guide because I had forgotten how to login to WHM as the root user. I tend to use SSH and I have that setup without the need for a password. But I was able to look up my password on LastPass and a few moments later, I was logged in.

To login as the root user, you need to go to the WHM address for your server directly and enter the root username and password. The URL for your WHM panel should be something like this: https://serverid.inmotionhosting.com:2087.

If you have any trouble with this, just open up a support chat with them and they'll help you right away. After I enabled auto SSL in my account, it took about 30 minutes for the SSL certificates to be ready.

I was expecting the process to be more complicated than this, but it wasn't. The next step was to activate the certificate on my WordPress blog, here at Notagrouch.com.

To "turn on" the certificate for WordPress, I used a popular plugin that takes care of most of it. The plugin is Really Simple SSL. If you want to follow my steps, then install and activate the plugin (instructions here).

Once the plugin is active, go to the Settings area in your WordPress dashboard and click on SSL. Then click on enable SSL.

Your settings screen should look like this afterwards:

The settings tab in the configuration screen also has a few options. Ideally, you should make the plugin work by using the htaccess configuration instead of the WordPress or Javascript options.

If everything works fine, you may want to try switching to using htaccess for a slight performance boost.

Once everything is installed and configured, you may get kicked out of the WordPress dashboard. This is expected, and you just need to log back in. Notice that when you log back in, you'll be accessing your site via "https" instead of regular "http."

To verify the plugin is working, just visit any page on your blog and look to make sure your browser shows that the connection is secure and the protocol (the part before the URL) says https.

Conclusion

Inmotion introduced free SSL for all plans. It's easy to install, follow the instructions for shared hosting accounts or VPS accounts. You can then use a plugin to activate the SSL on your WordPress website. Voila!

The post How to Get Free SSL Certificate from Inmotion Hosting appeared first on Digital Marketing Through Content & Influence.

I have worked with hundreds of people over the past few years. In the process of building a sales funnel, or a website or working on their email marketing, I get access to their usernames and passwords.

And I see a problem that has been happening since 1999 when I first worked on a client account. Chances are this applies to you at least to some degree.
Back in 2005 my identity was stolen. It wasn't stolen digitally, but the process of recovering it and cleaning it up sucked. And it sucked up a big portion out of 3+ years of my life with weekly and monthly calls with police and creditors and debtors and all that fun stuff.
10 years later, now everybody that does anything online faces the same risk of identity theft. Please take this seriously and read on...

First of all, when you are working with a 3rd party, you must change your usernames and passwords for all accounts that were shared as soon as that assignment or engagement is over. That includes, developers, designers, "wordpress pople," "seo people," or whoever.

So if your developer finishes your website and gives it to you on Monday, the 1st of the month, then before that day is over, you should have already changed all the usernames and passwords related to that project.

Unless of course the developer will continue working or accessing the site for additional work, but that should go unsaid.

You should change all the passwords, not because you're afraid of your developer or wordpress person or whoever it may be, but because you want to make sure you're protected. You don't know if their systems are secure.

What if you shared the username and password with them via email, or chat, or skype, and someone is snooping around their computer? Now your security is at risk!

This is not a big problem if you just share one account. Maybe it's just the Aweber account or your cPanel account. You think it's not a big deal, that's just the email list account.

But it could be a really big problem and let me explain why.

Don't share passwords with other accounts!

Now that I told you to change passwords after anyone else besides you works on your accounts, the next thing you need to do is make sure your passwords are unique to each account.

So what if someone finds out that your Aweber password is "snoopy123"? Who cares, you think?

By the way, that is an actual password someone I worked with was using (for all their accounts). Well, most people that use weak passwords, also tend to use one password, or a few different passwords for ALL their accounts.

That's the other big problem. You should not do share passwords with multiple accounts. The reason should become obvious really soon --if it wasn't already.

Here's the setting:

The post Keeping your Online Activities Safe appeared first on Digital Marketing Through Content & Influence.

Most people I've ever worked for or worked with keep very insecure passwords. But don't take it from me, check out the most used passwords for 2012. I often shake my head when someone gives me their password to work in their accounts. Their passwords are so weak! There are many ways of keeping your passwords safe and secure. But as attacks become more and more widespread, chances are that your password will be stolen or guessed at one point or another.

I recently had my Twitter account hacked and after investigating quite a bit, I still can't find how the perpetrators got a hold of my account. One more morning there were about 20 updates in Russian. I was alerted to this issue by a couple of friends in Twitter. Perhaps someone got a hold of my password, or maybe an account I granted permissions for in Twitter got hacked. For the record, I use passwords that are very "secure" with 12 - 20 characters using the full set of characters available, so I doubt that my Twitter passwords was guessed.

In any case I'm proud to say that this is the first successful hacking attempt at any of my online profiles or accounts. Ever. That's pretty good for someone that has been online for about 13 years I would say.

But obviously, nobody is exempt. You could be the target of the next attack, or simply be part of a database that will be stolen tomorrow. So how do you mitigate the damage, or at best prevent it from happening?

Use Lastpass. I've blogged about LastPass before, but I'll remind you what it is all about.

Lastpass is an easy to use, and free password manager application that works on any computer and with most web browsers. Its job is to give you a secure password whenever you need it and to save your username and password combinations for any website you use. Lastpass itself is highly encrypted and only your master password can unlock your account.

It is the best thing you can use to manage your passwords and keep unique passwords across all your accounts. Why use unique passwords? Most people use 2 - 5 passwords and they use them for all their accounts. This seems like a good idea, because you're using "different passwords right"? Wrong! Every user account should have its own password, unique from every other account. The reason is very simple in fact. Let's say you have six accounts; 2 bank accounts, 3 social media and a game you like to play online. If you share passwords between 3 accounts for example, a would be hacker only needs to break into one of your accounts to obtain the password.

The moment a hacker gets a hold of your password, you can be sure they're going to try that same password for all your known accounts, including email, instant messaging, banking, social media, etcetera. This is why you should always have unique passwords for every account. This seems like a daunting task, but if you use a good password manager then it should be very easy to achieve this goal.

Tumblr announced a security update to their software recently and they advised you to change your password. That's also a good idea, but if you had missed the announcement, you could rest assured that only one of your accounts would be compromised if your password got stolen by whatever means.

If you have a blog, social media profile, online bank account, instant messaging, even just a simple game. Use LastPass to access it. When you join a new website and create a new profile, use the lastpass password generator to create a random password that is strong. When you login, LastPass will ask if you want to save your username and password and you should.

Don't forget to keep the master password for LastPass really strong, and logout of the app, extension or website whenever you use it to minimize the risk of having your accounts hacked. Lastpass also has a security audit feature that gives you an overall grade on your accounts and helps you fix some of the most common problems.

I highly recommend this! If you aren't using a password manager already, you should and I strongly recommend you check out Lastpass. Set it up, use it. Just don't ever forget your master password.

The post Your Password will fail you. Here’s how you mitigate the damage. appeared first on Digital Marketing Through Content & Influence.

Some tweets and commentary from Wordcamp Orange County

I got to attend Wordcamp Orange County, and here are some of the highlights in forms of tweets and commentary. I tried to do this earlier this rmorning but the wifi at #wcoc wasn't working.

Ross Teasley - @RossTeasley
At #wcoc @notagrouch is plugged in, literally n figuratively. http://t.co/n67W0O98

Jeremy Lehman - @jeremylehman
Looks like all the cool people are in the end-user awareness session #wcoc #imnotcool

Jason Tucker - @jasontucker
Playing around with some query and some instagram libs: #WCOC Instagram wall http://t.co/SFbjKONn

Jason put together a nice streaming wall of instagram photos from #WCOC. check it out, definitely cool stuff.

alex vasquez - @alexjvasquez
I like hearing people say my name. #wcoc preso @zengy

Steve Zenghut from Zeek saved the day and presented on WP-Multisite and Alex became the example for the user, sites and stuff. Alex liked this. :p

Oscar Gonzalez - @notagrouch
This broken wifi business is starting to suck at #wcoc

The WiFi system was unavailable for a long time, just around 2:00 @thefrosty seems to have fixed it. Woot... live blogging and curation with @dashter is now live!

Kathy Burckhardt - @kmburck
RT @perezbox: My WordCamp Orange County 2012 – WordPress Security Presentation http://t.co/rKq5DsUX #wcoc #wordpress #security

Recap in case you missed the security session at #WCOC "End-user Awareness"

This post was generated by Dashter

The post Wordcamp Orange County recap. WCOC in Tweets. appeared first on Digital Marketing Through Content & Influence.

Apparently this phone that Boeing Co. is developing and is ready to release soon will compete with existing secure mobile phones. An example of a secure phone is the Blackberry Barack Obama uses. Other leaders of state, major CEOs and security aware millionaires are already using secure devices in their day to day activities. Will Boeing bring a viable and successful alternative to the choices these moguls have? We'll see.

The Boeing Co. is developing a mobile phone based on the Android operating system that will compete with other manufacturers offering highly secure communication devices, company officials said April 10. Roger Krone, president of Boeing Network and Space Systems, told reporters in Arlington, Va., that this was probably the first time the aerospace and defense industry giant will offer a communication device designed to use cellular networks. The company is near the end of the development cycle and getting ready to launch what he called “the Boeing phone” in late 2012, said Brian Palma, vice president of the company’s secure infrastructure group.

via Boeing to Jump into the Mobile Phone Business - Blog.

The post How Much will the Boeing Phone Cost? appeared first on Digital Marketing Through Content & Influence.

But Vupen CEO Chaouki Bekrar says he has no intention of turning over details of the sandbox escape. "That vulnerability is very rare. We'll keep it for our own customers," says Bekrar.

Vupen sells exploits against browsers to its clients, mainly government covert agencies from countries around the world. "That's life," he says.

via Contests hack the heck out of Chrome.

That quote, that's total boss!

The post Boss Contests Hack the Heck out of Chrome appeared first on Digital Marketing Through Content & Influence.

OSCAR promises to find anomalies on your logs and alert you of them, faster, and more accurately than a security professional could do, and at a fraction of the cost. Having someone parse through logs on an ongoing daily basis for example, is very expensive, so much so that only big data centers and high-tech firms can afford the 70 - 150K range for a security professional like this. Not to mention that this task is usually a waste of time for someone with the skillset to actually do it. Ironic is it not?

OSCAR claims to do this job much cheaper, better and faster. OSCAR is still in beta as of this writing, but to be frank, this is not going to be your normal webapp or virtual appliance that the general population will use. But if you're running a start-up, if you have a hosting service or manage a lot of applications, OSCAR may just be what you need. Check them out, they're accepting applicants to their beta program right now.

Some of things that made this very interesting to me:
Freemium model! It doesn't require a point to point VPN. You don't have send your syslogs to them. It uses standard SSH so it's secure and easy to implement. It will alert you via email, so you can then route that to your favorite device. And it has an easy to use Dashboard. All winner points on my book. Their alert system is based on "automated anomaly detection" which means it follows patterns and picks out the anomalies; brilliant.

Let's see how this develops, and if you want to want to take it for a spin, join the beta program.

The post OSCAR Security Event Management appeared first on Digital Marketing Through Content & Influence.

Part of your job as a System Administrator or Website administrator is to ensure the work you do is safe from attacks and vulnerabilities. Remember that movie where Michael Moore goes around in Canada trying to open doors because he heard that people there don't lock their doors? Do you remember what happened? It was true, many people simply didn't lock their doors and he waltzed right in to their living rooms. Michael Moore seems like a nice enough guy so it wasn't a big deal, but in the Internet people aren't that nice. In fact they're malicious, as many nice people as you know there are hundreds more literally out to get you, or rather, your webserver.

You're not in Canada

Leaving your server unprotected is like leaving your brand new car with your wallet on the dashboard in a crowded metropolitan city, like NY, Tokyo, Paris --someone is going to take it. People are looking for weaknesses and will take all you've got if you give them a chance.

Protect your server

Here are tips and advice to lock down your webserver and other stuff you might have running on it.

First things first. You have to address the underlying base first, the operating system. If your foundation is weak, it doesn't matter how strong your application is.

1. Remove un-needed users. As you provision your server, you may find that you've created a user to test this, or that, if you don't need a user, check the user's home directory and make a backup of any files you need, then nuke that account. There isn't a maybe option here. You either need it or you don't.
2. Establish a strong password for the remaining users. I know its convenient for you to create a user and give it the usual password you like; this isn't good. Instead of using a known password, use a strong password generator and change the passwords in any account that has login capabilities. Do NOT, I repeat do not write it down, email it or give it to someone else. Instead, use a password manager to save it safely and protect your password manager with a strong master password. LastPass for example allows you not only to lock your password database with a master password, but it also lets you lock down an individual record with one more prompt of your master password, just in case you forgot to log out or something when you go to get a cup of coffee and things like that.

1. Remove the ability to login for system and application users. Apache, MySQL, Postfix, and other applications have or require their own username to run properly. Chances are these users don't actually need
2. Update & configure SSH

. Linux distributions are getting smarter about shipping ssh configs with better settings than they did years ago, but it is still your responsibility to ensure the settings are properly configured for your environment. Furthermore, check for updates on a regular basis and stay on top of those.

1. Do not share passwords

. It is easy to give someone your username and password to do something really quick, then forget about it. Presumably, you trust this person, but what if they happen to write down the password somewhere, or save somewhere where it is insecure to do so. You see, they could become the targets for someone to get your password.

1. Configure your firewall to only allow exactly what is needed. Do I need to explain this one?

To expand on this, soon I'll post info about hardening Apache, MySQL, Tomcat, Linux, as well as WordPress, vBulletin, Wikis, maybe even Joomla and Drupal.

This is the first draft of a series of guides I'll be writing on how to lock down your stuff and hopefully make it more secure. Got a better way of doing things, why don't you send me an email or tell everyone in the comments below.

Photo by Rinaz, site seems to go up and down.

The post The hackers know this, but do you? appeared first on Digital Marketing Through Content & Influence.

WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!

It most often happens when the machine which I'm trying to connect has been re-installed. There are other reasons why you might get this but the root cause of it is exactly what the warning says. Watch out! someone could be doing something NASTY!

More often than not, this is nothing more than an annoyance because I know that the system hasn't been compromised and there is no man in the middle attack. To fix this problem, usually you have two options: you can disable strict checking of the known_hosts file, and/or you could add an exception for the IP address(es) that you want.

The best way I found to get rid of this problem, without compromising the actual security check that this system provides is to actually use the ssk-keygen utility and alias it like this:

alias ch='ssh-keygen -R'

ch stands for "clean hosts" so its easy to remember. Now, next time I see the warning, instead of manually editing the known_hosts file, or adding insecure workarounds, I just run my alias and the IP Address in question. This removes the IP from the known_hosts file and lets you continue.

The post SSH Remote Host Identification has changed. appeared first on Digital Marketing Through Content & Influence.

To fix this, I got the update directly from Apple and installed it manually, you can find it here:
http://support.apple.com/downloads/Java_for_Mac_OS_X_10_5_Update_4

It all seemed to work fine after that, I just had to install it as a normal application. I'm not sure why this happened.

Java for Mac OS X can't be installed Java Update Failed OSX Official Java download from Apple Java for Mac OS X 10.5 Update 4 package Usual yadda yadda to install Install Succeeded

The post OS X Java update failed appeared first on Digital Marketing Through Content & Influence.

Here are a few of the things that caught my eye in regards to the new features and changes:

• Revision system! while you're writing, you can go back to an earlier version of a draft, similar to the way Wikis work. It even allows for multiple author collaboration. Enterprise... here comes WordPress!
• Captions to your images. It seems that this is now nicely integrated and actually displays the caption.
• Live theme preview before you commit. You can preview then activate if you like it.
• Gears integration - works with FF2, 3, IE 6 and 7 and support for Safari 3 is on its way.
• A lot of little features that facilitate management and a few new features like more support for social
  media badges.
• Select a range of check boxes with "shift-click." This is HUGE!

It also appears that themes and plugins were mostly left alone; this means that if your themes and plugins work on 2.5.X then they should work on 2.6 seamlessly. Well anyway, there are over 194 bugs fixed in this version so its recommended that you update, especially for security reasons.

The post Keep up with the latest WordPress version, its good for ya. appeared first on Digital Marketing Through Content & Influence.

Anyway. While I was doing some research into the matter I found several comments by Microsoft fan-boys that RDP was good enough to use. Forums in the tech community were filled with these comments. So I had to find out more about this and I did. I found several articles that support these comments.

One of the features of RDP is the use of RC4 encryption. The same type of encryption sometimes used for SSL, Kerberos and a few other technologies. Of course, you should always make sure that both computers you are working with on this have the latest and greatest RDP client, and you must follow other standard security procedures like using safe passwords.

There's a slight chance that someone may setup a "man-in-the-middle" attack and try to decrypt your information. But Seriously? you think someone actually wants to go through the hassle of setting up this attack? Its expensive, time consuming, and usually reserved for multimillion dollar corporations or millionaires. Kurt, one of the bloogers I found talking about RDP put it best:

To give you an idea of the sophistication we're talking about, this hacking technique is usually reserved for attacking eCommerce sites like eBay & financial institutions like Bank of America to intercept credit cards & passwords. If someone is in fact truly attempting to use this technique against you and your computer, it's not random: You or your organization is probably important enough (or rich enough) that skimping paying $50/year for LogMeIn Pro, $200/year for GoToMyPC, or whatever support service you might otherwise be using isn't exactly your first priority. Remember: This is your Mom we're talking about... not freakin' Bill Gates.

I know that security through obscurity can be a fools errand, but you could try changing the port RDP runs on so you can prevent any automatic scripted attacks, or use some sort of port translation on your firewall --if you're connecting to a compuer across the internet. With that said, go forth and RDP into your home computer till you get sick of it. As far as the concerns for security with RDP, I think It's ok to use it.

The post Remote Desktop is not secure. Myth. appeared first on Digital Marketing Through Content & Influence.