Tag Archives: security
May 13, 2008

Debian (and Ubuntu) SSH / OpenSSL Security Hole

Earlier today both Debian and Ubuntu maintainers announced a serious security issue affecting both OpenSSH and OpenSSL.

There is, of course, a post about it on Slashdot, but if you'd rather skip the crud (i.e. some of the rather inane comments) and are running a Debian (or derivative) system such as Ubuntu, do a dist-upgrade as soon as you can.

If you're using SSH keys you'll need to generate fresh ones, as any keys currently "in the wild" may be vulnerable to brute force attacks.

May 9, 2008

Amazon Phishing Emails – How Not To Handle Abuse

Either there's an upsurge in Amazon phishing emails or the phishers only got my email address recently.

I've had about half a dozen phishing emails today purporting to be from Amazon regarding my "seller" account.

To start with I don't have a seller account.

The other giveaway sign is that although the links are similar to Amazon domains, they aren't Amazon domains.

They all seem to be subdomains of by.ru, which appears to be some sort of free hosting solution based in Russia (I don't speak Russian, so I'm only making an educated guess).

Unfortunately, while Amazon do have a facility for reporting phishing emails, it is clearly not aimed at the "casual" end user or anyone who is short of time. It consists of a rather convoluted series of web forms instead of a simple email address.

While the likes of PayPal, eBay and most of the major financial institutions make it relatively easy for even a novice to report phishing emails, Amazon dare to be different.

While they may be getting the reports in from honeypots etc., surely it would make more sense to facilitate end user reports?
Am I missing something?

UPDATE: Over 24 hours later I got a reply from Amazon with the email address to use for reporting phishing emails.
In case anyone else needs it the email address is: stop-spoofing@amazon.com
If you forward phishing emails to that address as an attachment they get sent to their security team.

May 8, 2008

Irish Media Confuses Terminology Again

The Irish media must have been really bored this morning, or just looking for a big headline. I guess it's all an anticlimax now that Bertie Ahern is gone and the new cabinet are in place.

According to RTE there was a "security breach", while Morning Ireland used the term "hacker".

What were they talking about?

Was a major ecommerce site hacked?

Did private and confidential information leak into the public domain?

No. All that happened is that Damien Mulley worked out where a file was on the Data Privacy Commissioner's site before they announced it to the public.

Hardly newsworthy and hardly a "security breach".

The report itself is a totally different matter, however.

April 14, 2008

Hack Any WordPress Blogs Lately?

I feel sorry for the WordPress developers, but I feel even more sorry for their users.

Over the past year, WP users who have been keeping track of updates etc. have had to update and upgrade their installs so many times that it's not funny.

The way I see it WordPress users fall, broadly speaking, into two main categories:

  • Casual users
  • Geeks

Casual users want a CMS to use for their website or blog. They like the way it's easy to install and they've heard good things about it. Lots of webhosts offer easy installers for WordPress.
Lots of designers like working with the WordPress templates.

Neither the casual user nor the designer is going to be signed up for security alerts from Secunia or SecurityFocus or any of the other security sites.

Geek users are probably more likely to play with stuff and are probably going to install lots of plugins.

Now a hardcore geek might check the source of a plugin to see if the code is "sane", but the average blog jockey probably isn't that concerned with security.
They're not going to worry about the security holes that a CMS with PHP code in its templates could actually cause.

Why would they?

So WordPress has had security issues in the past.
Surely the latest version resolves all of these?
Surely a major update would bring more than just eye candy?

Seemingly not.
According to SecurityFocus, WP 2.5 is open to SQL injection.
What does that mean in English?
It means, simply, that an evil person could inject data into your blog's database, i.e. content.

There's a longer article discussing some of the implications over here with some back and forth between the author and Mr WordPress - Matt Mullenweg.

In typical fashion Mullenweg tries to attack the author instead of addressing user concerns.

A simple "we aren't aware of any issues" or something along those lines would have been so much more graceful, but no, that was not the case.

I'm no longer a WordPress user, so I can't tell first hand, but is there a glaring big flashing light going off on WP installs if the software is out of date and needs to be upgraded to address security issues? Is there?

OpenX has had that for ages. It practically forces you to upgrade as soon as you log in to an out of date install. They also don't mind telling users about security holes, instead of adding them as an afterthought.

Now whether or not the latest security hole is a real danger or not is irrelevant. It doesn't matter. Seriously.

What does matter is that people trusted WordPress, but are now being embarrassed when their sites are defaced or hijacked.

Transparency and honesty nearly always win out and taking a proactive stance on webapp security should be part and parcel of any developer's modus operandi. Shiny interfaces may help the bubble 2.0 crowd, but when the bubble bursts it would be nice to see things with a proper foundation.

(And WP isn't the only webapp with a dire security history - I'm looking at you Joomla and you phpBB.)

February 24, 2008

Quick Sunday Post

Adrian Weckler's column this week doesn't mention Facebook, but he does cover EULAs and the demise of HD DVDs. (I can't seem to find either article on the SBPost site.)

Argos has opened in Carlow, so I'm going to see how bad the traffic is shortly. Hopefully the bypass will help take some of the traffic away from the town, as the commercial centres must be suffering. I'm currently in the market for DVD storage solutions and a new TV stand, so I'll be heading to a few of the shops around the town this afternoon to see what's available and at what price.

AJ has an interesting post about security. His focus is on what the search engines are indexing and highlights some common mistakes.

Tonight is the Oscars. I'd love to stay up and watch them live, but I've got to be awake for work in the morning! The Academy is offering some really cool posters again this year, including one celebrating 80 years of best picture. It won't be shipping until after the ceremony (obviously).

While working on one of my quieter blogs I realised that Google Analytics wasn't installed BUT the Google Analytics web interface happily told me that it was. Moral of the story - don't trust them!

I'd love to be able to report some of the odd sales and support queries we get, but this week we've had one that I can mention:
- caller number 1 who wins the prize for odd sales query of the month wanted to know if we ran an escort service
- caller number 2 wanted to apply for a technical role and asked what a PDF was. And no - their native language was English!

January 16, 2008

Apple Security Holes – iPhone and iPod Touch Users Beware

Apple users used to love mocking Windows users when it came to security issues; however, the upsurge in the popularity of the Mac platform, combined with an ever expanding range of products, is not without its downfalls.

Earlier this morning Secunia reported a serious issue that affected users of both the iPhone and the iPod touch.

The solution? Simply run an update.

But is it that simple?

Well it might not be if you are running a cracked Apple iPhone. Due to Apple's rather odd marketing / sales strategy, which favours the creation of monopolies, a lot of people have been buying Apple iPhones to use with their "normal" SIMs...

And there I was toying with the idea of picking up an iPhone this week ...

Maybe I'll just get some nice games for my Apple MacBook Pro :)

Age of Empires anyone?

October 2, 2007

Tuesday Morning Quickie

Sorry about the post title :)

Pete's being spammed by Golden Spiders. He's been trying to get off their mailing list, but they're not having any of it.

Eircom's wireless DSL routers are insecure. I posted a link to my del.icio.us account a few days ago that I got from someone, and now the story's been picked up by just about everyone. There's a lot of discussion over on the IIU list and the story's been picked up by most of the papers. Eircom, of course, are promising to warn all their clients of the potential issues.

Joost seem to have launched today (or was it last night?).

September 25, 2007

WordPress Release Raises Privacy and Security Concerns

The latest release of WordPress was made public earlier today. Since I've stopped using WordPress I wasn't aware of it until I caught up with my RSS feeds a short time ago.

Whether the new release brings enhancements or new features won't really matter to anyone, as the new release brings with it a new "phone home feature":

"Our new update notification lets you know when there is a new release of WordPress or when any of the plugins you use has an update available. It works by sending your blog URL, plugins, and version information to our new api.wordpress.org service which then compares it to the plugin database and tells you what the latest and greatest is you can use."

How?
Well, it seems that it sends a lot more data back to WordPress than is actually necessary, and the lead developer, Matt Mullenweg, doesn't seem to have a reasonable explanation for this.

There are a couple of posts about the issues this raises and a very long discussion of it on a mailing list (worth reading!).
The key point being raised time and again is that people aren't given an option to opt-out of sending the data. It might also be seen as breaching EU privacy legislation according to one contributor.

UPDATE: You can disable the call home function via a third-party plugin. If you read the mailing list thread there are one or two options mentioned.

September 17, 2007

More Geeky Photos

Paul took some photos over the weekend of our new firewalls.

August 27, 2007

What do you do when your phone goes missing or gets broken?

These days mobile phones do a lot more than simply make telephone calls.

Personally I rely on my phone to get me out of bed in the morning and to keep me there (multiple alarms!).

I haven't got a huge number of contacts in my phone, but the ones I have are probably going to be quite hard to replace.

I got an email earlier today from a colleague in industry who is obviously facing the task of rebuilding his entire phonebook from scratch as his phone was stolen. I don't envy him!

So what are the options for people?

Are there any sane online backup solutions that people can use?

I know there was one Irish company trying to do something in this area, but they stopped answering my emails when I queried the veracity of their claims (which I would do when it comes to storing important data - wouldn't you?).

Has anyone used an online service for this and if so who?
