Recently in security Category

I hate paying to attend events. More often than not the organisers use the event as a "money spinner" and attendees get very little value from it.

So it's nice to see that another event is taking place next month which is going to be free to attend and promises to be interesting.

IRISS-CERT's Annual Conference is being held on November 19th in the D4 Berkley Court hotel. While details on the day's sessions are a bit scant at present I'm sure they will be interesting. What's also interesting is that they are also organising "Hack Eire" on the same day:

"HackEire, will be held to identify Ireland's top cyber security experts.  HackEire will see 10 teams, up to a maximum of four people per team, compete against each other in a controlled environment to see which team will be the first to exploit weaknesses in a number of systems and declare victory.  The purpose the HackEire competition is to demonstrate how attackers could gain access to your systems and allow you to learn from the event on how to prevent such attacks from impacting your network."

More information will presumably be available on the IRISS site

At some time in the last couple of months an Irish website got hacked and its member database was stolen. The database contained email addresses and the associated passwords to login to the website.

The list of email addresses and these passwords was published on a website which has since been taken offline (though you could find it in Google's cache as recently as 48 hours ago).

While some of the email addresses and password combinations could give you access to a lot of things this would only happen where the person used the same password for everything.

The list was NOT a list of email account passwords ie. if you could actually use the password to access the person's email account it was purely coincidental.

How do I know this?

My email address is on the list, as I was informed by someone a couple of days ago.

Though even the person who informed me was doubtful that I'd have opted for such a stupidly weak password for something as important as my email. They'd be right. I hadn't! I had used a weak password on several websites - in some cases semi-intentionally

Unfortunately some people seem to like scaring people and also have zero respect for privacy and zero understanding of security or anything else, so you'll find the list of email addresses published on at least one Irish website. (I'm not going to link to them, since they don't deserve a link if they're going to be that careless with other people's data, but I do hope that someone flags their idiocy with the data privacy people)

On the plus side, hopefully some people will realise that having a password policy wouldn't be such a bad idea after all ....

High profile websites are always going to attract attention and Microsoft Ireland is no different.

The main page of the Irish branch of Microsoft was defaced earlier this morning.

See screenshot below (courtesy of CJB):

The guys at XKCD have done it again!

I took delivery of some of their tshirts this morning, as well as my Top Gun tshirt

Either there's an upsurge in Amazon phishing emails or the phishers only got my email address recently.

I've had about half a dozen phishing emails today purporting to be from Amazon regarding my "seller" account.

To start with I don't have a seller account.

The other giveaway sign is that although the links are similar to Amazon domains, they aren't Amazon domains.

They all seem to be subdomains of by.ru, which appears to be some sort of free hosting solution based in Russia (I don't speak Russian, so I'm only making an educated guess)

Unfortunately, while Amazon do have a facility for reporting phishing emails it is clearly not aimed at the "casual" end user or anyone who is short of time. It consists of a rather convoluted series of web forms instead of a simple email address.

While the likes of Paypal, Ebay and most of the major financial institutions make it relatively easy for even a novice to report phishing emails Amazon dare to be different.

While they may be getting the reports in from honeypots etc., surely it would make more sense to facilitate end user reports?
Am I missing something?

UPDATE: Over 24 hours later I got a reply from Amazon with the email address to use for reporting phishing emails.
In case anyone else needs it the email address is: stop-spoofing@amazon.com
If you forward phishing emails to that address as an attachment they get sent to their security team.

The Irish media must have been really bored this morning or just looking for a big headline. I guess its all an anticlimax now that Bertie Ahern is gone and thew new cabinet are in place.

According to RTE there was a "security breach", while Morning Ireland used the term "hacker".

What were they talking about?

Was a major ecommerce site hacked?

Did private and confidential information leak into the public domain?

No. All that happened is that Damien Mulley worked out where a file was on the Data Privacy Commissioner's site before they announced it to the public.

Hardly newsworthy and hardly a "security breach".

The report itself is a totally different matter, however.

 

I feel sorry for the Wordpress developers, but I feel even more sorry for their users.

Over the past year WP users who have been keeping track of updates etc., have had to update and upgrade their installs so many times that it's not funny.

The way I see it Wordpress users fall, broadly speaking, into two main categories:

• Casual users
• Geeks

Casual users want a CMS to use for their website or blog. They like the way it's easy to install and they've heard good things about it. Lots of webhosts offer easy installers for Wordpress.
Lots of designers like working with the Wordpress templates.

Neither the casual user or the designer is going to be signed up for security alerts from Secunia or Security Focus  or any of the other security sites.

Geek users are probably more likely to play with stuff and are probably going to install lots of plugins.

Now a hardcore geek might check into the source of a plugin to see if the code is "sane", but the average blog jockey probably isn't that concerned with security.
They're not going to worry about the security holes that CMS with php code in its templates could actually cause.

Why would they?

So Wordpress has had security issues in the past.
Surely the latest version resolves all of these?
Surely a major update would bring more than just eye candy?

Seemingly not.
According to Security Focus WP 2.5 is open to SQL injections.
What does that mean in English?
It means, simply, that an evil person could inject data into your blog's database ie. content

There's a longer article discussing some of the implications over here with some back and forth between the author and Mr Wordpress - Matt Mullenweg.

In typical fashion Mullenweg tries to attack the author instead of addressing user concerns.

A simple "we aren't aware of any issues" or something along those lines would have been so much more graceful, but no, that was not the case.

I'm no longer a Wordpress user, so I can't tell first hand, but is there a glaring big flashing light going off on WP installs if the software is out of date and needs to be upgraded to address security issues? Is there?

Open X has had that for ages. It practically forces you to upgrade as soon as you login to an out of date install. They also don't mind telling users about security holes, instead of adding them as an afterthought.

Now whether or not the latest security hole is a real danger or not is irrelevant. It doesn't matter. Seriously.

What does matter is that people trusted Wordpress, but are now being embarrassed when their sites are defaced or hijacked

Transparency and honesty nearly always win out and taking a proactive stance on webapp security should be part and parcel of any developer's modus operandi. Shiny interfaces may help the bubble 2.0 crowd, but when the bubble bursts it would be nice to see things with a proper foundation.

(And WP isn't the only webapp with a dire security history - I'm looking at you Joomla and you PhpBB)

Nice to see this nice BIG warning on the login page for AIB personal banking:

Apple users used to love mocking Windows users when it came to security issues, however the upsurge in the popularity of the Mac platform, combined with an ever expanding range of products is not without its downfalls.

Earlier this morning Secunia reported a serious issue that affected users of both the iPhone and the iPod touch.

The solution? Simply run an update.

But is it that simple?

Well it might not be if you are running a cracked Apple iPhone. Due to Apple's rather odd marketing / sales strategy, which favours the creation of monopolies, a lot of people have been buying Apple iPhones to use with their "normal" SIMs...

And there I was toying with the idea of picking up an iPhone this week ...

Maybe I'll just get some nice games for my Apple MacBook Pro :)

Age of Empires anyone?