Recently in security Category
Earlier today both Debian and Ubuntu maintainers announced a serious security issue with both Open SSH and Open SSL.
There is, of course, a post about it on SlashDot, but if you'd rather skip the crud (ie. some of the rather inane comments) and are running a Debian (or derivative system such as Ubuntu) do a dist-upgrade as soon as you can.
If you're using SSH keys you'll need to generate fresh ones, as any keys currently "in the wild" maybe vulnerable to brute force attacks.
There is, of course, a post about it on SlashDot, but if you'd rather skip the crud (ie. some of the rather inane comments) and are running a Debian (or derivative system such as Ubuntu) do a dist-upgrade as soon as you can.
If you're using SSH keys you'll need to generate fresh ones, as any keys currently "in the wild" maybe vulnerable to brute force attacks.
Either there's an upsurge in Amazon phishing emails or the phishers only got my email address recently.
I've had about half a dozen phishing emails today purporting to be from Amazon regarding my "seller" account.
To start with I don't have a seller account.
The other giveaway sign is that although the links are similar to Amazon domains, they aren't Amazon domains.
They all seem to be subdomains of by.ru, which appears to be some sort of free hosting solution based in Russia (I don't speak Russian, so I'm only making an educated guess)
Unfortunately, while Amazon do have a facility for reporting phishing emails it is clearly not aimed at the "casual" end user or anyone who is short of time. It consists of a rather convoluted series of web forms instead of a simple email address.
While the likes of Paypal, Ebay and most of the major financial institutions make it relatively easy for even a novice to report phishing emails Amazon dare to be different.
While they may be getting the reports in from honeypots etc., surely it would make more sense to facilitate end user reports?
Am I missing something?
I've had about half a dozen phishing emails today purporting to be from Amazon regarding my "seller" account.
To start with I don't have a seller account.
The other giveaway sign is that although the links are similar to Amazon domains, they aren't Amazon domains.
They all seem to be subdomains of by.ru, which appears to be some sort of free hosting solution based in Russia (I don't speak Russian, so I'm only making an educated guess)
Unfortunately, while Amazon do have a facility for reporting phishing emails it is clearly not aimed at the "casual" end user or anyone who is short of time. It consists of a rather convoluted series of web forms instead of a simple email address.
While the likes of Paypal, Ebay and most of the major financial institutions make it relatively easy for even a novice to report phishing emails Amazon dare to be different.
While they may be getting the reports in from honeypots etc., surely it would make more sense to facilitate end user reports?
Am I missing something?
The Irish media must have been really bored this morning or just looking for a big headline. I guess its all an anticlimax now that Bertie Ahern is gone and thew new cabinet are in place.
According to RTE there was a "security breach", while Morning Ireland used the term "hacker".
What were they talking about?
Was a major ecommerce site hacked?
Did private and confidential information leak into the public domain?
No. All that happened is that Damien Mulley worked out where a file was on the Data Privacy Commissioner's site before they announced it to the public.
Hardly newsworthy and hardly a "security breach".
The report itself is a totally different matter, however.
According to RTE there was a "security breach", while Morning Ireland used the term "hacker".
What were they talking about?
Was a major ecommerce site hacked?
Did private and confidential information leak into the public domain?
No. All that happened is that Damien Mulley worked out where a file was on the Data Privacy Commissioner's site before they announced it to the public.
Hardly newsworthy and hardly a "security breach".
The report itself is a totally different matter, however.
I feel sorry for the Wordpress developers, but I feel even more sorry for their users.
Over the past year WP users who have been keeping track of updates etc., have had to update and upgrade their installs so many times that it's not funny.
The way I see it Wordpress users fall, broadly speaking, into two main categories:
Lots of designers like working with the Wordpress templates.
Neither the casual user or the designer is going to be signed up for security alerts from Secunia or Security Focus or any of the other security sites.
Geek users are probably more likely to play with stuff and are probably going to install lots of plugins.
Now a hardcore geek might check into the source of a plugin to see if the code is "sane", but the average blog jockey probably isn't that concerned with security.
They're not going to worry about the security holes that CMS with php code in its templates could actually cause.
Why would they?
So Wordpress has had security issues in the past.
Surely the latest version resolves all of these?
Surely a major update would bring more than just eye candy?
Seemingly not.
According to Security Focus WP 2.5 is open to SQL injections.
What does that mean in English?
It means, simply, that an evil person could inject data into your blog's database ie. content
There's a longer article discussing some of the implications over here with some back and forth between the author and Mr Wordpress - Matt Mullenweg.
In typical fashion Mullenweg tries to attack the author instead of addressing user concerns.
A simple "we aren't aware of any issues" or something along those lines would have been so much more graceful, but no, that was not the case.
I'm no longer a Wordpress user, so I can't tell first hand, but is there a glaring big flashing light going off on WP installs if the software is out of date and needs to be upgraded to address security issues? Is there?
Open X has had that for ages. It practically forces you to upgrade as soon as you login to an out of date install. They also don't mind telling users about security holes, instead of adding them as an afterthought.
Now whether or not the latest security hole is a real danger or not is irrelevant. It doesn't matter. Seriously.
What does matter is that people trusted Wordpress, but are now being embarrassed when their sites are defaced or hijacked
Transparency and honesty nearly always win out and taking a proactive stance on webapp security should be part and parcel of any developer's modus operandi. Shiny interfaces may help the bubble 2.0 crowd, but when the bubble bursts it would be nice to see things with a proper foundation.
(And WP isn't the only webapp with a dire security history - I'm looking at you Joomla and you PhpBB)
Over the past year WP users who have been keeping track of updates etc., have had to update and upgrade their installs so many times that it's not funny.
The way I see it Wordpress users fall, broadly speaking, into two main categories:
- Casual users
- Geeks
Lots of designers like working with the Wordpress templates.
Neither the casual user or the designer is going to be signed up for security alerts from Secunia or Security Focus or any of the other security sites.
Geek users are probably more likely to play with stuff and are probably going to install lots of plugins.
Now a hardcore geek might check into the source of a plugin to see if the code is "sane", but the average blog jockey probably isn't that concerned with security.
They're not going to worry about the security holes that CMS with php code in its templates could actually cause.
Why would they?
So Wordpress has had security issues in the past.
Surely the latest version resolves all of these?
Surely a major update would bring more than just eye candy?
Seemingly not.
According to Security Focus WP 2.5 is open to SQL injections.
What does that mean in English?
It means, simply, that an evil person could inject data into your blog's database ie. content
There's a longer article discussing some of the implications over here with some back and forth between the author and Mr Wordpress - Matt Mullenweg.
In typical fashion Mullenweg tries to attack the author instead of addressing user concerns.
A simple "we aren't aware of any issues" or something along those lines would have been so much more graceful, but no, that was not the case.
I'm no longer a Wordpress user, so I can't tell first hand, but is there a glaring big flashing light going off on WP installs if the software is out of date and needs to be upgraded to address security issues? Is there?
Open X has had that for ages. It practically forces you to upgrade as soon as you login to an out of date install. They also don't mind telling users about security holes, instead of adding them as an afterthought.
Now whether or not the latest security hole is a real danger or not is irrelevant. It doesn't matter. Seriously.
What does matter is that people trusted Wordpress, but are now being embarrassed when their sites are defaced or hijacked
Transparency and honesty nearly always win out and taking a proactive stance on webapp security should be part and parcel of any developer's modus operandi. Shiny interfaces may help the bubble 2.0 crowd, but when the bubble bursts it would be nice to see things with a proper foundation.
(And WP isn't the only webapp with a dire security history - I'm looking at you Joomla and you PhpBB)
Nice to see this nice BIG warning on the login page for AIB personal banking:
Apple users used to love mocking Windows users when it came to security issues, however the upsurge in the popularity of the Mac platform, combined with an ever expanding range of products is not without its downfalls.
Earlier this morning Secunia reported a serious issue that affected users of both the iPhone and the iPod touch.
The solution? Simply run an update.
But is it that simple?
Well it might not be if you are running a cracked Apple iPhone. Due to Apple's rather odd marketing / sales strategy, which favours the creation of monopolies, a lot of people have been buying Apple iPhones to use with their "normal" SIMs...
And there I was toying with the idea of picking up an iPhone this week ...
Maybe I'll just get some nice games for my Apple MacBook Pro :)
Age of Empires anyone?
Earlier this morning Secunia reported a serious issue that affected users of both the iPhone and the iPod touch.
The solution? Simply run an update.
But is it that simple?
Well it might not be if you are running a cracked Apple iPhone. Due to Apple's rather odd marketing / sales strategy, which favours the creation of monopolies, a lot of people have been buying Apple iPhones to use with their "normal" SIMs...
And there I was toying with the idea of picking up an iPhone this week ...
Maybe I'll just get some nice games for my Apple MacBook Pro :)
Age of Empires anyone?
