Personal project : Kimsufi dedicated server

Hello,

Well, it’s been 2 weeks since I last posted anything, and since I visited a friend yesterday who gave me a very instructive security course, this is the perfect time to post my improvements in building a secure server =)

Over the past 2 weeks, there were 1400 failed logins on ssh and 66 errors in the apache log. I manually banned more than 50 IPs. Hopefully no one broke in and these were more like ‘sympathetic’ knock-knocks from my fellow hackers =)
At least I’ve learned that ANY server (at the very least mine) is attacked on a daily basis (from 8 to 252 times a day). The security I had implemented was adequate, but not as good as my friend Matthias told me it should be.

Here’s what we did for a couple of hours yesterday:

  • ssh access restriction: the easiest way to protect ssh is A. to not allow root to log in and B. to allow only some named users, who may then ‘su -p’ (PermitRootLogin and AllowUsers parameters in /etc/ssh/sshd_config)
  • firewall configuration: Matthias used a set of optimized scripts from one of his previous projects; the firewall rules were finely tuned to match my security requirements, i.e. he commented out a lot of lines (some with bandwidth management, for instance)
  • administration reporting: he also installed quite a few software packages (especially Logwatch) plus some more personal scripts, and crontab’ed the reports so that I get at least one report from Logwatch in my mailbox at 7am, plus the list of packages that need updating
  • overall optimization: 3 open sockets were blocked by the firewall, and we also removed unnecessary services, like bind and vsftpd for instance.
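The two sshd_config settings named in the first bullet are easy to get subtly wrong, because sshd honours the first occurrence of a keyword (a later ‘PermitRootLogin no’ does not cancel an earlier ‘yes’) and anything after a ‘Match’ line is conditional. The following audit script is an added example, not code from this blog or from Matthias’ scripts; the two config fragments, the user names alice and bob and the group sshusers are constructed for the example.

```python
import re

# Constructed sample configs (not the author's real /etc/ssh/sshd_config).
WEAK_CONFIG = """\
# Debian Wheezy shipped with root login enabled (constructed example)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
# root locked out, only named accounts may log in and then 'su' (constructed)
Port 22
PermitRootLogin no
AllowUsers alice bob
PasswordAuthentication yes
"""


def parse_sshd_config(text):
    """Map lowercase keyword -> effective value for the global section.

    Two sshd rules matter for an audit: the FIRST occurrence of a keyword
    wins, and everything after a 'Match' line only applies conditionally,
    so parsing stops there. Only whole-line '#' comments exist in sshd_config.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)  # keep the first value, as sshd does
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means both checks pass."""
    cfg = parse_sshd_config(text)
    findings = []
    # OpenSSH of the Wheezy era defaulted PermitRootLogin to 'yes' when unset.
    root = cfg.get("permitrootlogin", "yes").lower()
    if root != "no":
        findings.append(
            "PermitRootLogin is '%s' (first value wins); set it to 'no'" % root
        )
    if "allowusers" not in cfg and "allowgroups" not in cfg:
        findings.append(
            "no AllowUsers/AllowGroups directive: every local account may log in"
        )
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["OK"])
```

After editing the real file, validate it with `sshd -t` and open a second ssh session before closing the first one: a typo in AllowUsers locks out every account, including yours.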

I’m very happy with what we accomplished yesterday: the current security level is very high for the current non-production status of this server.
I still have some reporting tools to install, like Munin, and some more tuning to perform, but as it stands now, we have met my security requirements.

Next projects: web hosting and ownCloud.

Personal project: iT3k blog

Just a few bits of news about this blog:

1. The migration from blog.cybermaohi.com to cybermaohi.com/iT3k went very well and much faster than expected (see HERE)
I would have preferred to create an iT3k subdomain, but that doesn’t work, so for now the URL will stay as it is, without a subdomain. I’ll think about a solution later: although it is purely cosmetic, it matters too.
NB: changing the blog URL by setting up a subdomain will obviously affect the pushes to my social networks (see 3. below): I’ll have to find an acceptable solution and define the scope of the impact so I can migrate quickly.

2. Since the blog has been migrated, I’ll close the previous one on 1 March 2015. You have been warned ^^

3. I’m currently dealing with a small problem with the Jetpack module: every time I publish, the Publicize sub-module “pushes” to my Facebook, Twitter and LinkedIn accounts. This feature is really great.
But since I set up Publicize on my first blog, the URLs erratically point to blog.cybermaohi.com.
Nothing too serious, especially as my official FB and Twitter accounts are relatively empty. That said, I might as well feed them with real information, which is why I’m in contact with the Jetpack team and hope to solve the problem quickly.
EDIT: I just checked and the links are OK on LinkedIn and Facebook … Twitter is the only rebel ^^
EDIT 2: I made the changes recommended by Jetpack support. I’m waiting for their validation: I’m hopeful and everything should fall back into place. I’ll take advantage of this contact to discuss the possible impact of a URL change (see 1.) and get ahead of it, as the precautionary principle demands.

4. For the past week or two my posts have been very sparse: I’m actively working on a. my job search, b. my E-Mi@ge degree courses and c. my dedicated server project …
As soon as I’ve settled into the rhythm of my degree modules, I’ll gradually find more time to devote to blogging about my technology watch.


transmission ends

Personal project: Kimsufi dedicated server

Hello ^^

Well then, I have some fresh news!

I did a complete overhaul of my server: I reinstalled a brand new 64-bit Debian Wheezy along with apache2, PHP and MySQL.

For now I’m testing the server’s security and I’m starting to get reasonably comfortable with the running services and their associated ports (sshd and those of the web server), the security programs (notably iptables and fail2ban) and their log files. By the way, fail2ban, which blocks brute-force attacks, works wonderfully:

[Screenshot of auth.log.20150208: the bad guys’ failed authorizations =/]

[Screenshot of fail2ban.log.20150208: fail2ban’s response ^^]

Note that after a certain number of failures within a certain time span, fail2ban temporarily bans the bad guy’s IP <3

It’s purring along! Also, I’m going to set up security procedures and write administration scripts to automate all the commands for consulting the logs of the various programs, as well as those associated with netstat, nmap, iptables, etc.
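The rule described here (N failures from one address inside a time window, then a temporary ban) is what fail2ban’s sshd jail does with its maxretry, findtime and bantime settings. As an added example, not taken from the blog or from fail2ban’s own code, here is a small simulation of that logic run over a few constructed auth.log lines; the host name srv, the addresses and the user names are all made up, and the screenshots above are not reproduced here.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample auth.log lines (not the author's real log).
# 203.0.113.7 hammers the server; 198.51.100.9 tries once every 11 minutes.
SAMPLE_AUTH_LOG = """\
Feb  8 10:00:01 srv sshd[2101]: Failed password for root from 203.0.113.7 port 51001 ssh2
Feb  8 10:00:04 srv sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Feb  8 10:00:09 srv sshd[2105]: Failed password for invalid user test from 203.0.113.7 port 51003 ssh2
Feb  8 10:00:15 srv sshd[2107]: Failed password for root from 203.0.113.7 port 51004 ssh2
Feb  8 10:00:20 srv sshd[2109]: Failed password for root from 203.0.113.7 port 51005 ssh2
Feb  8 10:00:25 srv sshd[2110]: Failed password for root from 203.0.113.7 port 51006 ssh2
Feb  8 10:02:00 srv sshd[2111]: Failed password for alice from 198.51.100.3 port 40000 ssh2
Feb  8 10:02:30 srv sshd[2113]: Accepted publickey for alice from 198.51.100.3 port 40001 ssh2
Feb  8 10:30:00 srv sshd[2115]: Failed password for root from 198.51.100.9 port 40100 ssh2
Feb  8 10:41:00 srv sshd[2117]: Failed password for root from 198.51.100.9 port 40101 ssh2
Feb  8 10:52:00 srv sshd[2119]: Failed password for root from 198.51.100.9 port 40102 ssh2
Feb  8 11:03:00 srv sshd[2121]: Failed password for root from 198.51.100.9 port 40103 ssh2
Feb  8 11:14:00 srv sshd[2123]: Failed password for root from 198.51.100.9 port 40104 ssh2
"""

# Anchored on ' from <ip> port ' so that odd user names cannot confuse the match.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_ts(stamp, year=2015):
    """syslog timestamps carry no year; the constructed data is from 2015."""
    return datetime.strptime("%d %s" % (year, stamp), "%Y %b %d %H:%M:%S")


def find_bans(log_text, maxretry=5, findtime=600, bantime=600):
    """Simulate an sshd jail: an IP with >= maxretry failures inside any
    findtime-second window is banned for bantime seconds.
    Returns {ip: [datetime of each ban]}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # ip -> failure timestamps inside the window
    banned_until = {}             # ip -> datetime when the ban expires
    bans = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue               # successful logins and other lines are ignored
        ip, ts = m.group("ip"), parse_ts(m.group("ts"))
        if ip in banned_until and ts < banned_until[ip]:
            continue               # the firewall rule would have dropped this
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()            # forget failures older than findtime
        if len(q) >= maxretry:
            bans[ip].append(ts)
            banned_until[ip] = ts + timedelta(seconds=bantime)
            q.clear()
    return dict(bans)


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_AUTH_LOG).items():
        print(ip, "banned at", ", ".join(t.isoformat() for t in when))
```

With fail2ban-style defaults (maxretry 5, findtime 10 minutes) the fast attacker is banned after its fifth failure and its sixth line is never counted, but the slow one never has five failures inside one window and stays unbanned; widening findtime to an hour catches it. That trade-off (a longer window also risks banning a legitimate user who keeps mistyping a password) is worth revisiting when the Logwatch reports show many sub-threshold sources.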

In a week, once I’ve armoured my cyberbunker a bit more, I’ll continue with my other projects:

  • web hosting (mainly for me, but I already have someone interested =)
  • private cloud with ownCloud
  • administration with ISPconfig

OH! Icing on the cake: yesterday I spent the night (OK, I’m exaggerating !o) configuring vsftpd and it is finally working =) I still have to test the security of the transfers and manage the users, but I’m pretty proud of myself ^^


cybermaohi out!


Roundcube : new stable version 1.1.0 released

We’re proud to announce the arrival of the next major version 1.1.0 of Roundcube webmail which is now available for download. With this milestone we introduce new features since version 1.0 as well as some clean-up with the 3rd party libraries:

  • Allow searching across multiple folders
  • Improved support for screen readers and assistive technology using WCAG 2.0 and WAI ARIA standards
  • Update to TinyMCE 4.1 to support images in HTML signatures (copy & paste)
  • Added namespace filter and folder searching in folder manager
  • New config option to disable UI elements/actions
  • Stronger password encryption using OpenSSL
  • Support for the IMAP SPECIAL-USE extension
  • Support for Oracle as database backend
  • Manage 3rd party libs with Composer

In addition to that, we added some new features to improve protection against possible but as yet unknown CSRF attacks – thanks to the help of Kolab Systems, who supplied the concept and development resources for this.

Although the new security features are still experimental and disabled by default, our wiki describes how to enable the Secure URLs and give them a try.

And of course, this new version also includes all patches for reported CSRF and XSS vulnerabilities previously released in the 1.0.x series.

IMPORTANT: with the 1.1.x series, we drop support for PHP < 5.3.7 and Internet Explorer < 9. IE7/IE8 support can be restored by enabling the ‘legacy_browser’ plugin.

See the complete Changelog at trac.roundcube.net/wiki/Changelog and download the new packages from roundcube.net/download.



A time-delayed malware slipped onto Google Play

Google Play was urgently purged of three applications that hosted malware redirecting users to malicious content via alert messages.

It all started with a message posted on the evening of 23 January on the Avast forums. The Czech IT security vendor was informed, by one of the users of its mobile antivirus, of the probable presence of malware on Google Play.

Ten days passed before Avast passed the information on to Google… which reacted by removing, on Wednesday 4 February, three applications into which the malicious agent in question had infiltrated.

Top of the list was the card game Durak, downloaded between 5 and 10 million times in a few weeks, according to Play Store statistics.

The two other affected applications were also classified in the “Entertainment” category. The first was an IQ test; the second offered a playful approach to Russian history.

These three applications – which in fact have their roots in Russia (without their creators being precisely known) – should have been blocked under the policy in force on the Play Store, to which developers are subject.

One reason in particular should have prompted their suspension: displaying advertising through Android’s notification system, even though this was not a “fully fledged feature” of the applications in question. And for good reason: it was precisely the malware that triggered those notifications.

Ad alert(s)

Several users of the Avast forums explain that they reported the problem to Google “in early January” and deplore the lack of reaction from the American Internet group.

They all detected more or less the same symptoms: each time their mobile device (smartphone or tablet) was unlocked, a web page – or a notification – opened to display an alert message.

Slow Internet connection, viral infection, out-of-date operating system, illicit files detected in memory: whatever the supposed problem, the user is invited to take immediate action.

But if they follow the advice given, they are redirected to malicious content: websites hosting malicious scripts as well as applications that steal personal data or send premium-rate SMS.

To avoid arousing suspicion, the malware shows… patience. It activates only under two conditions: the infected application must be launched at least once and the device must subsequently be rebooted.

From then on, a countdown starts. The first suspicious behaviours are generally only noticeable after a week. Sometimes it even takes up to a month. This makes the malware all the more difficult to detect.

Three “legitimate” advertising networks are exploited to display the alert messages. The instructions are contained within the installation package (APK) itself, in a file named ads_settings.json.

Commands can be received from a remote server via the mobi.dash.overapp.DisplayCheckService component. The device reboot check is performed by mobi.dash.overapp.DisplayCheckRebootReceiver. It is even possible to change the browser’s home page with mobi.dash.homepage.AdsHomepageUtils.

Below, a video demonstration of the malware by the user who uncovered the scheme:



New spyware targets iOS devices, steals pictures and data

A team of hackers that target governments, the military and journalists has turned its attention to the iPhone, according to Trend Micro.

The computer security company says it has discovered new spyware that infects iPhones, gathers large amounts of personal information and sends it to a remote server.

The spyware, called XAgent, is delivered via a phishing attack using a technique called island hopping. In that, the phones of friends and associates of the true target are first infected and then used to pass on the spyware link. It’s based on the assumption that the target is more likely to click on links from people they know than from strangers.

Once installed, XAgent will collect text messages, contact lists, pictures, geo-location data, a list of installed apps, a list of any software processes that are running and the WiFi status of the device. That information is packaged and sent to a server operated by the hackers. XAgent is also capable of switching on the phone’s microphone and recording everything it hears.

XAgent runs on both iOS 7 and iOS 8 phones, whether they’ve been jailbroken or not. It is most dangerous on iOS 7 since it hides its icon to evade detection.

On iOS 8 it isn’t hidden and needs to be manually launched each time the phone is rebooted—a process that would require the user to purposely reinfect their phone each time. For that reason, Trend Micro believes the spyware was written before iOS 8 was launched last year.

While close to three quarters of Apple mobile devices are using iOS 8, a quarter are still running iOS 7, according to data published by Apple this week.

“We’ve been monitoring the actors behind this for quite some time,” said Jon Clay, senior manager of Global Threat communication at Trend Micro, in a phone interview. “The criminals have introduced [the iOS app] as part of their campaign to move further into the [targeted] organization, using this rather than PC malware.”

While the identity of the hackers isn’t known, Trend Micro says it believes those behind what it calls “Operation Pawn Storm” to be a pro-Russian group. Past targets have included military organizations, defense contractors, embassies and media groups.

Clay says the group might have targeted iOS because it discovered or assumed that a lot of its targets use Apple devices, either as work phones or secondary personal devices.

Security software such as that offered by Trend Micro will detect XAgent, he said. Users can also look through phone logs, but manual detection of the spyware is quite difficult.

His best advice is the same that’s been offered for years: don’t click on links that appear to be suspicious, especially when they involve downloading software or entering passwords.

“The good thing for users is that this isn’t something that can be automatically done,” he said. “There are steps you have to do as a user to install this.”



more on island hopping / leapfrogging


9 Typing Tips Every Android and iOS User Should Know

Wish it were a little easier to type in ALL CAPS on your Android or iPhone, or ever get stumped while looking for the em dash? What about typing letters with accent marks, or dealing with cumbersome URLs? Or maybe you’re just hankering for an alternative to tapping on a slippery glass screen.

Read on for 9 ways to make typing on your iPhone, iPad, or Android device a little easier, from how to turn on “caps lock” to a simple shortcut to the exclamation mark.

1. “.com” made easy (iOS)

Want to type a URL directly into the address bar in Safari (on iOS) or Chrome (for Android)? Don’t bother with laboriously tapping in “.com” or “.net”.

[Image: Never type dot-com or dot-org or dot-lots of things with this iOS trick.]

Instead, just tap and hold the “.” key; when you do, a pop-up balloon will reveal a series of shortcuts, from “.com” to “.us”.

2. Accent marks (Android and iOS)

Don’t get caught skipping the accent grave in “voilà” while typing that email on your iPhone or Android phone.

[Image: Impress your international friends with your canny use of accents and other marks.]

You can access a generous portion of accent marks—acute, grave, circumflex, and otherwise—by tapping and holding a letter key (like “a”).

3. Swipe to type (Android and iOS)

Sick to death of painstakingly tapping out messages on your Android or iPhone touchscreen? Here’s a nifty trick: swiping to type.

The concept is simple: Rather than tapping each individual key when typing a word, swipe-to-type keyboards let you slide your fingertip from one key to the next.

As your finger loops around the keys, your phone predicts the word you’re trying to type—er, swipe.

Sound weird? Indeed, swiping to type does take some getting used to, but it’ll become second nature with practice.

The “stock” Android keyboard has its own built-in “swipe to type” feature. Just tap Settings > Language & Input, tap the Settings icon next to Google Keyboard, then tap the checkbox next to Enable gesture typing.

There are also plenty of third-party, swipe to type-ready keyboards in the Google Play store, with Swype being the most notable.

The standard iOS keyboard lacked the swipe-to-type capabilities of Android until iOS 8 came along. That update finally brought third-party keypads—particularly Swype—to the iPhone and iPad.

4. Lock the Caps key (Android and iOS)

Wondering why there’s no Caps Lock key on the keyboard of your Android or iOS device? Well, there is, actually—it’s just well hidden.

See the Shift key? Just double-tap it. When you do, a little horizontal line will appear near the bottom of the Shift key, indicating that you’re in ALL CAPS mode.

[Image: Caps Lock has always been there, just undercover.]

5. You’re so money (Android and iOS)

Want to type the currency symbols for the yen (¥), the euro (€), or the pound (£)? Simple.

Just tap and hold the key for the dollar sign. When you do, a pop-up bubble will display a series of additional money-minded options.

6. Em dash & bullets (Android & iOS)

I’ve rarely met an em dash I haven’t liked—and come to think of it, I’m also a sucker for bulleted lists. How does someone like me survive typing on an Android phone or iPhone? Easy.

[Image: Tapping and holding symbol keys will yield buried typing treasure.]

Tap and hold the dash key to reveal even more dashing buttons, including the em dash, a bullet key, and the indispensable underscore.

Bonus tip: Try tapping and holding other symbol keys. For example, you’ll find “curly” quotes by tapping and holding the quote key.

7. Emoticons galore (Android & iOS)

[Image: The world is not running out of emoticons anytime soon.]

What’s a text message without a smiley? Good question. Luckily, both the Android and iOS keyboards come with more emoji (a.k.a. emoticons) than you can shake a stick at.

On the stock Android keyboard, tap and hold the “Done” or carriage-return key in the bottom-right corner of the keypad, then slide your finger over the pop-up emoticon button. You’ll see the first of hundreds of available emoticons—just keep swiping to see the dizzying number of variations and categories.

[Image: Take a break from typing! Just press the Talk icon on your phone to dictate input.]

For iOS, you’ll first need to enable the emoji keyboard. Tap Settings > General > Keyboard, tap Keyboard (again), then check to see if “Emoji” is in the list of installed keyboards. Not there? Then tap “Add New Keyboard” and find Emoji in the list. Now head to the keyboard, tap the key with the globe icon, and feast your eyes on all the emoticons.

8. Talk instead of type (Android & iOS)

It’s easy to forget that both iOS and Android phones will take dictation whenever you’re not in the mood to type.

Just tap the little microphone icon on the keyboard. For iOS, it’s to the left of the space bar, while on Android phones it’s sitting in the top-right corner (assuming you’re using the “stock” Android keyboard).

9. A shortcut for oft-used symbol keys (Android)

On the stock Android keyboard, there’s no need to flip to an alternate set of keys to get to the exclamation mark, the percent sign, or other everyday symbols. (See the lead image at the top of the article.)

Instead, just tap and hold the period key. When you do, a pop-up of more than a dozen common symbols will appear—everything from the ampersand key (&) to the question mark.



NEWS: formerly posted on blog.cybermaohi.com

Published on: 27 Jan 2015 @ 17:28

GREAT! The migration of this blog to the other blog is almost done.
I had to play a little bit with phpMyAdmin, but it was not really hard to change the hard-coded links in the database dump and then inject the current content of this blog into the new blog’s database.

FINAL step: I’ll have to upload the current media (I count 54 of them), find the affected posts and finally re-link the media in those posts. I’ll do that tomorrow!
Although I do believe some people have already coded automated migration procedures, it won’t take that long to do this on my own. By the way, if that task had required more than 1-2 hrs to complete, I surely would have used such procedures ^^

EDIT: FINAL step done :: it was really easier than I thought.
I thought WP was timestamping the uploaded media, but not at all. I tried blind and it worked ..

HENCE, this is my last post on this OVH WP module … from now on everything will be published here:

http://www.cybermaohi.com/iT3k/


last update:

this blog is no longer maintained

it will be closed on the 1st of March, 2015

the new version of this blog is here :

iT3k

Tech Salaries In 2015

The tech job market is hot right now. Survey results predict that there are going to be multiple job opportunities in IT in 2015. Mobile app developers, big data engineers and network administrators are going to be in huge demand in the coming year. Statistics say that there is going to be 35 to 38 per cent growth in the salary packages of IT employees. Today we have listed the predicted salaries of IT workers in 2015.

1. IT Management

CIO : $157,000 – $262,500
CTO : $137,500 – $220,250
CSO : $134,250 – $204,750
Vice President : $138,000 – $210,250
Technology Director : $118,750 – $174,000
IT Manager: $101,750 – $150,750

2. Project Management and Analysts

Manager: $103,250 – $150,750
Project Manager: $91,250 – $139,250
Systems Analyst: $79,500 – $114,500
Business Systems Analyst: $79,250 – $116,500
CRM Business Analyst: $84,500 – $116,750
ERP Business Analyst: $87,500 – $124,500
ERP Technical/Functional Analyst: $94,750 – $132,000
Developer/Programmer Analyst: $74,250 – $129,000

3. Application Development

Mobile App Developer: $107,500 – $161,500
Applications Architect: $115,750 – $159,500
CRM Technical Developer: $93,500 – $129,250
ERP Technical Developer: $99,750 – $136,750
Database Developer: $98,000 – $144,750
Lead Applications Developer: $106,250 – $148,250
Technical Writer: $55,000 – $85,250

4. Consulting and Systems Integration

Director, Consulting/Systems Integration: $119,750 – $178,750
Practice Manager: $119,250 – $164,750
Project Manager/Senior Consultant: $98,750 – $144,250
Staff Consultant: $77,500 – $108,750
Senior IT Auditor: $111,750 – $155,500
IT Auditor: $94,500 – $134,500

5. Data and Database Administration

Big Data Engineer: $119,250 – $168,250
Data Architect: $119,750 – $164,750
Database Manager: $112,250 – $160,250
Database Admin: $91,000 – $134,750
Data Analyst/Report Writer: $70,750 – $108,250
Data Modeler: $101,750 – $145,250
Data Warehouse Manager: $119,750 – $163,000
Data Warehouse Analyst: $102,500 – $142,500
Business Intelligence Analyst: $108,500 – $153,000
Electronic Data Interchange Specialist: $74,750 – $108,250
Portal Admin: $92,750 – $127,250

6. Quality Assurance and Testing

Quality Engineer – Manual: $63,750 – $88,250
Quality Engineer – Automated: $74,250 – $103,750
Quality Assurance/Testing Manager: $90,000 – $122,500
Quality Assurance Associate/Analyst: $62,000 – $97,500

7. Internet and E-commerce

Sr. Web Developer: $104,500 – $144,250
Web Developer: $73,500 – $122,000
Web Admin: $66,500 – $102,000
Web Designer: $64,000 – $105,500
Ecommerce Analyst: $84,250 – $121,500

8. Networking and Telecommunications

Wireless Network Engineer: $99,000 – $137,500
Network Architect: $115,000 – $165,250
Network Manager: $98,000 – $137,250
Network Engineer: $90,750 – $131,250
Network Admin: $71,250 – $105,750
Pre-Sales Engineer/Technical Engineer: $86,250 – $125,750
Telecommunications Manager: $86,000 – $118,500
Telecommunications Specialist: $59,000 – $91,250

9. Operations

Operations Manager: $65,500 – $93,500
Computer Operator: $34,750 – $48,000
Mainframe Systems Programmer: $61,500 – $85,000

10. Security

Information Systems Security Manager: $122,250 – $171,250
Data Security Analyst: $106,250 – $149,000
Systems Security Admin: $100,000 – $140,250
Network Security Admin: $99,250 – $138,500
Network Security Engineer: $105,000 – $141,500

11. Software Development

Software Developer: $85,500 – $136,250
Product Manager: $101,750 – $145,000
Software Engineer: $96,000 – $147,250

12. Help Desk and Technical Support

Help Desk Tier 3: $55,250 – $74,000
Help Desk Tier 2: $43,750 – $58,000
Help Desk Tier 1: $34,000 – $47,250
Manager: $80,500 – $114,750
Desktop Support Analyst: $52,000 – $77,000
Systems Admin: $65,750 – $100,500
Systems Engineer: $80,250 – $117,500
Messaging Admin: $72,500 – $105,000
Instructor/Trainer: $54,250 – $87,250
PC Technician: $33,750 – $49,750
Business Continuity Analyst: $92,500 – $132,250



social CRM

Social CRM (customer relationship management) is a phrase used to describe the addition of a social element to traditional CRM processes. Social CRM builds upon CRM by leveraging a social element that enables a business to connect customer conversations and relationships from social networking sites into the CRM process. Social CRM may also be called CRM 2.0 or abbreviated as SCRM (social customer relationship management).

See customer relationship management (CRM).

