Spilled Coffee

If you lose your laptop or phone today, will you still have your customer data tomorrow?

I ask all my new small business clients what they will do after theft, fire, loss, or... SPILLED COFFEE. In today's business environment, everything from customer contact information to invoicing and billing, payroll and banking happens on a computer or online. At any given moment, several months of past and pending business transactions sit in various states of completion, and all of it lives on a device that can fail.

I never thought that hot coffee would ruin my only copy of Quicken.
-Could this be you?

There are options BEFORE you have an accident

  1. Understand where your data lives
  2. Establish an automated backup
  3. Back up to a verifiable, secure cloud solution
  4. Encrypt data... all of it
  5. Know the recovery plan
  6. Exercise the recovery plan periodically

For more information, call Sluf Consulting at 855-927-7583.

A little .htaccess refresher on https rewrite with Joomla

While I was working on a small project to add a Let's Encrypt certificate to a shared-hosting site, I had to do a few things to make sure the .htaccess file worked with the Joomla directories and that the site used the certificate correctly. If a user types 'TheirDomain.com', you want them to end up at 'https://www.TheirDomain.com'. To make this happen, edit the .htaccess file in the site's root directory (Joomla ships it as htaccess.txt, so rename it to .htaccess if that has not already been done) and add the following directly after "RewriteEngine On":

# redirect to www, keeping whatever scheme the visitor arrived on:
# the "s" appended to %{HTTPS} is captured into %1 only when HTTPS is on
RewriteCond %{HTTP_HOST} !^$
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteCond %{HTTPS}s ^on(s)|
RewriteRule ^ http%1://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# redirect to https; R=301 (permanent) rather than a bare R (302, temporary)
# so browsers and search engines remember the https address
RewriteCond %{HTTPS} off
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

The first block sends the visitor to the 'www' host regardless of whether they are using http or https. Once the host is correct, the second block enforces the https connection. A request for http://TheirDomain.com therefore takes two redirects: first to http://www.TheirDomain.com, then to https://www.TheirDomain.com. One caveat: %{HTTPS} describes the connection to Apache itself. On a shared host where a proxy or load balancer in front of Apache terminates TLS, %{HTTPS} is 'off' even for https requests and the second rule loops forever; in that setup test %{HTTP:X-Forwarded-Proto} instead.
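
If you would rather avoid the two-hop chain, the rules below do the same job in a single permanent redirect. They are an added example, not the rules from the original post: they assume the standard mod_rewrite variables and that Apache terminates TLS itself, with a commented alternative for a host that terminates TLS at a proxy in front of Apache.

```apache
# Added example, not the blog's own rules: one 301 hop to https://www.<host>/
# for any request that is non-www, non-https, or both.
RewriteEngine On

# Ignore requests that carry no Host header (HTTP/1.0 clients, some probes).
RewriteCond %{HTTP_HOST} !^$

# Redirect when the scheme is wrong OR the host lacks "www."...
RewriteCond %{HTTPS} !=on [OR]
RewriteCond %{HTTP_HOST} !^www\. [NC]
# Behind a TLS-terminating proxy or CDN, %{HTTPS} is "off" for every request
# Apache sees; replace the %{HTTPS} line above with the forwarded scheme:
# RewriteCond %{HTTP:X-Forwarded-Proto} !=https [OR]

# ...and capture the bare host, minus any leading "www.", into %1.
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
RewriteRule ^ https://www.%1%{REQUEST_URI} [R=301,L]
```

Put these after RewriteEngine On and before Joomla's own SEF rules. To check the result, run `curl -sI http://TheirDomain.com/some/page` and `curl -sI http://www.TheirDomain.com/some/page`: each should answer with a single 301 whose Location header is https://www.TheirDomain.com/some/page. Any query string is carried over automatically by mod_rewrite because the substitution contains no '?'.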

Enjoy.

Internet of Things :: Ryobi PhoneWorks

First, let me say that Home Depot gets most of my excess funds each month. Their stores are always neat and organized, and the staff is enthusiastic and helpful nearly every time. You can do an incredible amount of self-repair through their educational classes. I highly recommend them to help you take care of your home.

Second, I have never had a problem with a Ryobi tool, and I was interested in the PhoneWorks brand of "smart home improvement" tools they offer. In particular, I have needed a remote camera, and they offer one for about $79 that connects to your smart phone. I purchased one a few weeks ago and set out on home improvement.

What caught my eye was how the device actually connects to your smart phone. You need the Ryobi PhoneWorks app installed, and it asks for access to the camera and the photos on the phone. I allowed it. The device instructions then have you turn the device on and connect to the "PhoneWorksScope######" Wi-Fi access point. It appears that each handheld device generates its own hotspot with a unique hex suffix so that each device is different. The access point is protected by WPA/PSK, but the default password is "123456768"; a fixed default like that means anyone in radio range who knows it can join the hotspot.

After connecting, I decided to investigate the connection further. My iPhone showed an IP address of 192.168.0.20 with a default gateway of 192.168.0.1. The obvious next step was to connect a laptop to the same access point. The laptop was given 192.168.0.21, so the device is running a DHCP server.

Next, I pointed the browser on both the phone and the laptop at 192.168.0.1 and was prompted by a web server for a username and password. The logical choice was ADMIN and ADMIN, and it worked! Wireshark identified the server as Boa 0.94, serving plain HTTP over TCP port 80, so the login is sent without TLS, and with a shared default Wi-Fi password there is little to stop another client on the hotspot from reading it. Wireshark also showed numerous UDP connection attempts from the device to the iPhone (192.168.0.20) across a range of ports.
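
Two of those observations, a web login over plain HTTP with factory credentials and the device touching a run of UDP ports on the phone, are exactly what you would want to pull out of the packet capture afterwards. The script below is an added example, not the blog author's code or Ryobi's. It reads a comma-separated field export in the column order you would get from a tshark command such as `tshark -r scope.pcap -T fields -E separator=, -e frame.time_relative -e ip.src -e ip.dst -e _ws.col.Protocol -e udp.dstport -e tcp.dstport -e http.authorization` (the exact field names are an assumption; only the column order matters to the parser). It decodes HTTP Basic credentials that crossed the Wi-Fi link unencrypted, checks them against a short default-credential list, and reports any source/destination pair that sweeps several distinct UDP ports. The sample lines are constructed to mirror the addresses above, not copied from a real capture, and the threshold and credential list are assumptions.

```python
import base64
from collections import defaultdict

# Credential pairs that commonly ship as factory defaults on embedded web UIs
# (assumed list for this example; extend it for the devices you test).
DEFAULT_CREDS = {("admin", "admin"), ("admin", ""), ("root", "root"), ("admin", "password")}

# Distinct UDP destination ports from one source to one destination before
# the pair is reported as a sweep (assumed threshold).
SWEEP_THRESHOLD = 5

# Column order of the export this parser expects (tshark -T fields, comma separated).
FIELDS = ("time", "src", "dst", "proto", "udp_dport", "tcp_dport", "authorization")


def _basic(user, password):
    """Build an HTTP Basic Authorization header value for the constructed sample."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


# Constructed sample export, not a real capture: the device (192.168.0.1)
# probes seven UDP ports on the phone (192.168.0.20), the phone logs in to the
# device web UI with ADMIN/ADMIN over plain HTTP, and a laptop (192.168.0.21)
# logs in with a non-default pair.
SAMPLE_EXPORT = "\n".join(
    [f"{0.1 * i:.3f},192.168.0.1,192.168.0.20,UDP,{49152 + i},," for i in range(7)]
    + [
        f"1.000,192.168.0.20,192.168.0.1,HTTP,,80,{_basic('ADMIN', 'ADMIN')}",
        "1.050,192.168.0.1,192.168.0.20,HTTP,,51234,",
        f"2.000,192.168.0.21,192.168.0.1,HTTP,,80,{_basic('laptop', 's3cret')}",
        "2.500,192.168.0.1,192.168.0.21,UDP,5353,,",
    ]
)


def parse_export(text):
    """Turn export lines into dicts keyed by FIELDS; malformed lines are skipped.

    The split is capped so a trailing Authorization value that itself contains
    commas (a Digest header, for instance) stays in one piece.
    """
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(",", len(FIELDS) - 1)
        if len(parts) != len(FIELDS):
            continue
        records.append(dict(zip(FIELDS, parts)))
    return records


def find_udp_sweeps(records, threshold=SWEEP_THRESHOLD):
    """Map (src, dst) -> sorted UDP ports for pairs touching >= threshold distinct ports."""
    ports = defaultdict(set)
    for r in records:
        if r["proto"] == "UDP" and r["udp_dport"].isdigit():
            ports[(r["src"], r["dst"])].add(int(r["udp_dport"]))
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= threshold}


def find_cleartext_logins(records):
    """Decode HTTP Basic credentials sent without TLS and mark factory defaults."""
    hits = []
    for r in records:
        auth = r["authorization"]
        if not auth.startswith("Basic "):
            continue
        try:
            decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        user, _, password = decoded.partition(":")
        hits.append({
            "src": r["src"], "dst": r["dst"], "user": user, "password": password,
            # Case-insensitive match: the device accepted ADMIN/ADMIN.
            "is_default": (user.lower(), password.lower()) in DEFAULT_CREDS,
        })
    return hits


def triage(text):
    """Run both checks over one export and return the findings."""
    records = parse_export(text)
    return {
        "udp_sweeps": find_udp_sweeps(records),
        "cleartext_logins": find_cleartext_logins(records),
    }


if __name__ == "__main__":
    findings = triage(SAMPLE_EXPORT)
    for (src, dst), ports in findings["udp_sweeps"].items():
        print(f"UDP sweep {src} -> {dst}: {len(ports)} ports {ports[0]}-{ports[-1]}")
    for h in findings["cleartext_logins"]:
        tag = "FACTORY DEFAULT" if h["is_default"] else "non-default"
        print(f"cleartext Basic auth {h['src']} -> {h['dst']}: {h['user']}:{h['password']} [{tag}]")
```

Swap SAMPLE_EXPORT for the real export file to run it against a capture of your own. A Basic header decodes to a plain user:password string, which is why a default credential over port 80 is a finding on its own, whatever the device behind it does.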

 

[Screenshot: Ryobi PhoneWorks web server]

On the web server, I saw many Chinese characters and was able to understand them using the Line Chinese-English Dictionary at http://ce.linedict.com/dict.html, where you can draw a character to help you determine which character it represents. This was my first time using this site, but I will definitely bookmark it. They have a great product, and I highly recommend trying it.

The above image shows the second tab of the left-hand menu: the device's web interface can scan for nearby Wi-Fi access points, and it listed my home network. I have NOT tried to connect yet. I will set up a dummy network to see whether the device automatically joins an open network and whether it can be joined to a protected network, and I will watch the packets to see if any information leaves the network for an outside web server.

I will have more later, but here are a few open questions:
1) With the application running on the phone and listening on ports, what information can be pulled from the phone even when you are not actively using the application?
2) Will an application running in the background allow UDP connections on those ports to gain access to photos on the phone?
3) With the device running as designed, can an attacker gain access to photos or information on the phone, since the SSID and password are known and there is no authentication between the phone and the device?