Interested In Security And Running WordPress?

WordPress is currently (and has been for a long time) 1 of the most popular tools for creating blogs and web sites on the internet. Due to the level of popularity that WordPress has gained it has been a target for hackers looking to deface the website, send spam or make the site a part of a bot net (and of course many other things).

The attackers use vulnerabilities that are found in the core code, plugins and yes even themes.

There are many plugins that try to help mitigate the risks but they are fighting a lost cause and really cannot combat all vulnerabilities. Continue reading “Interested In Security And Running WordPress?”

Java Revocated SSL Certificate?

Recently there have been many SSL certificates revocated due to the heartbleed issue. Yesterday, for the first time, I came across a warning advising the information for a certificate was not available. Once reading and accepting the revocation I continued on my merry way.

Today however I received another revocation notice when using the java updater.

Revocated Java Certificate

Has Java forgotten to remove a revocated certificate from their servers?

Interestingly I had carried out a search simply for sjremetrics.java.com (the certificate was created for this URL) and lo and behold the very first response was for a post on the Oracle Forum which detailed Java having exactly the same issue back in 2010.

Side note. On looking at the details of the SSL certificate I see that it was issues on 17th September 2013 and was due to expire on the 17th November 2014. A 14 month certificate? I did not know that was possible. Or was it revoked in 2013 as well?

P.S.

I have tried to submit a bug for this issue however Oracle’s bug reporting process is atrocious.

I have received an email stating that the report “will be evaluated”.  Don’t think I will bother next time.

The Danger Of Expired Domains

When thinking about domain name security I have always tended to think about ensuring that a domain name is not stolen. On reflection this really is not our only concern. Yahoo have recently announced that they are opening up email accounts that are no longer used (wired article). As you can imagine this has caused a bit of furore about the potential of emails these accounts may still be receiving.

So how does this relate to domain names? Continue reading “The Danger Of Expired Domains”

WordPress Full Path Disclosure issue.

PLEASE NOTE THIS FINALLY APPEARS TO HAVE BEEN FIXED UNCLEAR WHICH VERSION RESOLVED THE ISSUE.

I am quite interested in security so I recently installed BackTrack on 1 of my spare pc’s so that I could have a proper play about. 1 of the tools that I have played with is WPScan which is a tool for scanning WordPress blogs to try to find security holes.

Continue reading “WordPress Full Path Disclosure issue.”

Free IPv6 Magazine 27th July 2012 ONLY

I am always a fan of freebies and of course I am always eager to learn new things so when I saw a post by Admin Magazine on Facebook to advise that to celebrate Sysadmin day  2012 they have partnered with Splunk to offer a free IPv6 download special.

The special covers numerous subjects covering what IPv6 is and how it works through too how to programme using IPv6. Be aware however the download is only available today.

You can download the special here.

On a related note those interested in the free download may also be interested in a guide that Burst.net have provided regarding IPv6 as well which you can download from here.

You never know, one day the world might be ready for IPv6 and we will need to know this stuff.

Potential Security Issue With iPhone App

I recently decided to purchase an app from the iPhone app store. I do not do this often but I believe that this app would be extremely useful.

The app I decided to download was SSH Term Pro. As the name suggests this is a SSH terminal app for the iPhone and iPad. Of course this makes it extremely easy to manage your server on the move. The application allows you to add unlimited amount of servers details so you can quickly and easily connect up to a server that you manage. The application also allows you to lock it down so that you can only access the application fully once you have entered a password that you had set up.

Unfortunately on investigation everything is not as good as I had hoped: Continue reading “Potential Security Issue With iPhone App”

Are Twitter Psychic

The obvious answer to this is course  no however I did wonder for a while.

I recently signed up to Twitter (begrudgingly) and after a while I started to find people I really knew being suggested as people in my “Who To Follow” list.

This got me thinking, I have been very specific with the information that I have posted on Twitter. I have also been very specific with who I follow. None of my posts relate or are similar subjects to tweets by other people I know, nor do any of the people I follow (or follow me) have any relation to the people I know out in the real world. This of course got me somewhat confused as to how Twitter knew I had a link to these people. Continue reading “Are Twitter Psychic”

Secrets and Lies: Digital Security in a Networked World (Bruce Schneier)

While doing my usual browsing of Amazon I came across Secrets and Lies by Bruce Schneier. I of course added this to my wish list and decided I would take another look at a later date. Some time later I decided to do a cull of my wish list. Unlike most people thou when I do a cull I tend to buy the item to remove it from my wish list.

When I bought the book I though that it was a bit of a gamble but looked ok so worth the risk. How more wrong could I be, this was certainly not a gamble at all.

Bruce starts the book by requesting that you read it numerous times so that the information sinks in and so that information obtained later in the book can be better understood.

The main part and bulk of the book explains many security concerns and explains why traditional thinking of security is incorrect (such as using a 256 bit encryption key is pointless and contains little security if the key was generated from for example the word password). Many aspects of security are covered within this ranging from network security to standard O/S security. At this point the book appears very negative and seems to suggest that there is little you can do to actually stop the impending security breaches.

Luckily as the book goes on the mood changes slightly and prepares you for methods to help combat the security implications that any system will have. These methods range from creating attack tree’s and how you can best decide on the viability of any attack vector and how to start bringing things into your favor instead of the intruders.

Since this book was written there have been many security breaches that have cost the companies involved large amounts of money both from lost revenue and the cost of picking up the pieces. For example this year Sony had a succession of attacks and the cost of the clean up was estimated to be around $140,000,000, this estimate could quite easily increase substantially as Sony’s insurer is also seeking methods for removing their own liability over the issue meaning that any law suits will come out of Sony’s pocket instead of the insurer.

A short while after this Lockheed Martin were found to have been compromised. On investigation it became clear that RSA had been compromised allowing someone to obtain information on the systems which aided in the Lockheed Martin compromise. As a result of this RSA were essentially forced to replace 40,000,000 secure ID devices.

It is not only the financial cost that these companies have suffered there is also the untold damages to their company profile with which the cost can never really be calculated.

Now you may be wondering my point at this stage, well the point is that if only the security of these companies read this book they may have been better prepared. The frightening thing however is that too many companies take security as an after thought. If the price is too high they decide to disregard the advice or not bother.

Conclusion

Although this is a 10 year old book this is certainly worth a read. You can learn so much from this book and it will completely change your perception of security. This book is highly recommended.

Title: Secrets and Lies: Digital Security in a Networked World
Author: Bruce Schneier
Publisher: John Wiley & Sons
ISBN 10: 0471453803
ISBN 13: 978-0471453802
Official Site – Buy On Amazon