Tag Archives: Vulnerability

WordPress Password Fiasco

Fair or not, “You don’t know what you don’t know” is a throwaway phrase, often used to describe a typical Internet user’s range of knowledge as it applies to security risks. What’s worrisome about relying on the truth of this statement is that it applies much more broadly; it doesn’t just apply to casual computer users. It applies equally to you, and to me.

Virtually every day, “security researchers” disclose another previously unknown (or undisclosed) vulnerability in an application, operating system, website, cloud service, or Internet protocol. Here’s today’s, from my Daily Net News column.

Improper SSL Implementations Leave Sites Wide Open to Attack – Security researchers are buzzing about the flaws in the Secure Sockets Layer system and the fact that a significant portion of the Internet is vulnerable to attack.

I’ll venture a guess and suggest – you didn’t know about this. Nor, did I. More to the point perhaps, what needs to be asked is – did cyber criminals know?

What about this one from two days ago?

Kaspersky: 12 different vulnerabilities detected on every PC – Researchers from Kaspersky have sampled their customer base, and found out that on average, every PC has 12 different vulnerabilities.

The vulnerabilities described are not self-inflicted; they are specified, or unspecified, vulnerabilities in Flash, Adobe Reader, Java, and Adobe Shockwave. There’s no need to wonder whether cyber criminals are aware of these vulnerabilities: they most assuredly are.

WordPress Password – I didn’t know, that I didn’t know.

More than once, I’ve made the point here, there are certain companies which put forward unrealistic assertions that their Web operations are inviolate – they can’t be hacked. One of those companies is WordPress.com.

So, I was hardly taken by surprise when I received the following email from WordPress, yesterday. Not surprised – but, pretty pissed at the approach taken by WordPress to describe a potentially devastating circumstance for WordPress bloggers who run popular sites.

Hello Bill Mullins,

We recently found and fixed a mistake that we’d like to tell you about. Passwords on WordPress.com are saved in a way that makes them extremely secure, such that even our own employees are unable to see your actual password – the one you enter to log in to your WordPress.com account.

However, between July 2007 and April 2008, and September 2010 and July 2011, a mistake in one of our systems used to find and correct bugs on WordPress.com accidentally logged some users’ passwords in a less secure format during registration.

We’ve updated our systems to prevent passwords from being logged this way in the future, so this will not happen again. We don’t have any evidence that this data has been accessed maliciously or misused, but to be on the safe side we are resetting your password since your account is among those affected.

Please change your password using this link or copy and paste the URL below into your web browser:

https://wordpress.com/wp-login (I have removed certain parameters here)

If the password you used when you registered on WordPress.com was one you use elsewhere, you should change it there, too. In the future, remember that it’s good practice to always use unique passwords for different services.

We are terribly sorry about this mistake. No one likes having to create new passwords and we’d like to include a 15% off coupon to say we’re sorry. The coupon can be used for a custom domain, a design upgrade, VideoPress, or a storage space increase. Just use the code below on any of the upgrades on the WordPress.com Store:

pc21d064ae

If you have any questions, please reply to this email and one of our Happiness Engineers will get back to you as soon as possible.

Thank you,
The WordPress.com Team

Some salient points:

Why on earth would WordPress send an email that has all the hallmarks of a phishing scam – quote: “to be on the safe side we are resetting your password since your account is among those affected”. Huh – you’re going to reset my password? So there was zero chance of me clicking on the password reset link. The only secure method was a password reset from this blog’s Dashboard.

“A mistake in one of our systems” – At the desk I’m sitting at, I tend to call this type of “mistake” a vulnerability.
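What that “mistake” looks like in code, as an added example for this page rather than anything WordPress.com has published: a debugging hook that dumps the whole registration request into a log, beside the same hook with a logging filter that scrubs credential fields before any handler sees them. The field names, the sample form and the key pattern are assumptions.

```python
"""Debug dump of a registration request: the leaky version beside a
redacting logging filter. Added example for this page; not WordPress.com
code. Field names, the sample form and the key pattern are assumptions."""
import io
import logging
import re

# Keys whose values must never reach a log. Matching a substring ("pass"
# also hits "passport") errs on the side of over-redaction on purpose.
SENSITIVE_KEY = re.compile(r"pass|pwd|secret|token", re.IGNORECASE)


def redact(value):
    """Return a copy of value with the values of sensitive keys replaced.
    Works recursively through dicts, lists and tuples; never mutates input."""
    if isinstance(value, dict):
        return {k: ("[REDACTED]" if SENSITIVE_KEY.search(str(k)) else redact(v))
                for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return type(value)(redact(v) for v in value)
    return value


class RedactingFilter(logging.Filter):
    """Scrub the record's arguments before any handler formats them.
    Because logger-level filters run ahead of every handler, a file,
    syslog or bug-tracker handler all receive the scrubbed record."""

    def filter(self, record):
        # logging stores a lone non-empty mapping argument as the mapping
        # itself, otherwise a tuple of positional arguments; redact handles
        # both shapes.
        if record.args:
            record.args = redact(record.args)
        return True


def debug_dump(form, redacting):
    """Emulate a bug-finding hook that logs the whole registration form.
    Returns the text that would land in the log file."""
    buf = io.StringIO()
    logger = logging.getLogger("regdump.safe" if redacting else "regdump.leaky")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    if redacting:
        logger.addFilter(RedactingFilter())
    # The bug: the submitted form, password included, goes into the log as-is.
    logger.debug("registration form: %s", form)
    handler.flush()
    return buf.getvalue()


# Constructed sample registration request (hypothetical field names).
SAMPLE_FORM = {
    "user_login": "bill",
    "user_email": "bill@example.com",
    "user_pass": "hunter2",
    "pass2": "hunter2",
    "tos": "1",
}

if __name__ == "__main__":
    print("leaky:", debug_dump(SAMPLE_FORM, redacting=False), end="")
    print("safe: ", debug_dump(SAMPLE_FORM, redacting=True), end="")
```

Redacting at the filter stage, rather than in one handler’s formatter, is the point: the scrubbed record is what every destination on that logger receives, so a second handler added later for bug reports cannot reintroduce the leak. The key match is deliberately broad; missing a credential field is a breach, while over-redacting a harmless one is a nuisance.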

“In the future, remember that it’s good practice to always use unique passwords for different services.” Yeah, sure; WordPress is just about the last organization I’d take advice from in terms of password control!

Offering a 15% discount on WordPress products “to say we’re sorry”, is ill advised and inappropriate. This “bad news” – “good news” approach, is out of bounds.

Finally, referring to support staff as “Happiness Engineers”, makes me wonder what these people smoke after breakfast. It’s a little late for ‘60s terminology, it seems to me.

I titled this article “WordPress Password Fiasco”, not because WordPress found itself in an unknown vulnerable position, which by extension applies to me as well – but because the manner in which a serious situation was handled, is appalling. At a minimum, WordPress has an obligation to disseminate news of this potential breach widely on the Internet. This is not business as usual.

Consider the number of serious breaches that occurred in the last year, which initially were classified by the victimized organization as inconsequential. Until, that is, information slowly leaked, that in many cases, the penetrations were disastrous. Think Sony.

I’m hopeful, that months from now, I won’t have to replace “Think Sony” with -“Think WordPress”. But, then again – “I don’t know what I don’t know”.

If you found this article useful, why not subscribe to this Blog via RSS, or email? It’s easy; just click on this link and you’ll never miss another Tech Thoughts article.


Filed under Email, Internet Security Alerts, Opinion, Password Control, Point of View, Tech Net News, WordPress

Test Your Browser’s Security With Free Qualys BrowserCheck

Data released this week by Qualys, a security industry leader in vulnerability assessment and management, at the RSA Conference in San Francisco, continues to indicate that Browser plug-ins are frequently outdated and easily attackable.

Analysis of scanned data captured from 200,000+ Qualys BrowserCheck users worldwide indicates that approximately 70% had at least one plug-in vulnerability.

No great surprise that Sun Java, and Adobe Flash and Reader, led the pack.

This research suggests that you can load up your Internet Browser with every security add-on you like, but if there’s even one security hole, you’re still at risk.

Regular readers will remember that we’ve previously reviewed and recommended Qualys BrowserCheck, which will check your Web Browser for selected security holes in both the browser, and browser plug-ins.

BrowserCheck is itself a plug-in, and like most plug-ins, it’s very easy to install. Simply visit the Qualys site, install the plug-in, revisit the Qualys site (if necessary), and you’re all set to launch the test.

My first test run was on Internet Explorer 8, as the following screen captures show.


As the scan results indicate – my Internet Explorer 8 is in terrible shape. I should point out however, that I never use any version of Internet Explorer.


With Firefox running, the results looked like this.


It seems I’ve been bad, and not kept my Java Runtime updated – the very plug-in which is most likely to be hacked! The only defense I have (and it’s a poor one at that) is that this is a test machine which is rarely connected to the Internet. As well, my PDF reader has an update available.


Continuing with the test, I clicked on the “Fix it” button which immediately took me to the Java update site so that I could download the latest version of Java Runtime.


Following the installation of the Java update, I reran the test to ensure the vulnerable condition had been closed.


Fast facts: The following items are detected:

Windows OS support expiration

Browser version (IE 6.0+, Firefox 3.0+, Chrome 4.0+)

Adobe Flash Player

Adobe Reader 5.x and above

Adobe Shockwave Player

Apple Quicktime

BEA JRockit

Microsoft Silverlight

Microsoft Windows Media Player

Real Player

Sun Java

Windows Presentation Foundation (WPF) plug-in for Mozilla browsers

Additionally, you can test your currently installed Browser for security holes by taking the free Browser Security test offered by Scanit, a technology company whose services range from penetration testing and application source code review, through risk assessments and management-level security audits, to security courses.

The test is fairly comprehensive and supports Internet Explorer, Mozilla Browsers (Firefox), and Opera. Additional components check for vulnerabilities in selected plug-ins, including Flash and QuickTime.

To test your Browser go to Browser Security test, and follow the simple instructions.

Note: This morning, I had some difficulty loading the Scanit site. Hopefully, this is not permanent.



Filed under Application Vulnerabilities, Browser Plug-ins, Browsers, cybercrime, Don't Get Hacked, downloads, Freeware, Interconnectivity, Internet Safety Tools, Malware Protection, Online Safety, Safe Surfing, Software, Windows Tips and Tools

Firefox Update (3.6.12) Fixes Zero Day Vulnerability


Yesterday, we reported on a critical zero day vulnerability in both Firefox 3.5 and Firefox 3.6, which could have allowed remote code execution in the Browser.

Mozilla jumped on this issue immediately, and has provided a fix by releasing Firefox version 3.6.12. Firefox 3.5 users, can ensure protection is in place against this vulnerability by updating to version 3.5.15.

If you haven’t updated your version of Firefox yet, then go to Help – Check for updates. Not all users allow automatic updates and installation – I’m one, as the following graphic illustrates. However, I do allow the update to download.


For an overview of Browser security add-ons you should consider installing, read – An IT Professional’s Must Have Firefox and Chrome Add-ons, here on this site.



Filed under Application Vulnerabilities, Browsers, cybercrime, Don't Get Hacked, downloads, Firefox, Freeware, Malware Advisories, Online Safety, Software, Windows Tips and Tools

Free Qualys BrowserCheck – Spot Plug-in Security Flaws In Your Browser

Yesterday, I wrote on the Secunia Personal Software Inspector (PSI), and I mentioned in the article that each week I receive the Qualys Vulnerability Report from Qualys, a security industry leader in vulnerability assessment and vulnerability management.

Although Qualys is a major player in the enterprise market, at the personal consumer level, most users will not be familiar with this company. I found it interesting then, that Qualys recently released a free consumer level security tool, BrowserCheck, which will check your web browser for selected security holes in both the browser, and browser plug-ins. Not add-ons, but plug-ins.

Take a look at what Qualys CEO Philippe Courtot has to say on Browser plug-ins and security:

Almost 100 percent of all browsers we have surveyed have plug-ins installed that enable the user to play music, watch video, visualize PDF files and play games.

Frequently these plug-ins are overlooked by the users and are not updated, representing a significant security exposure – both for end-users and corporate clients.

I must admit, I find nothing to disagree with in that statement.

BrowserCheck is itself a plug-in, and like most plug-ins, it’s very easy to install. Simply visit the Qualys site, install the plug-in, and you’re all set.

My first test run was on Internet Explorer 8, as the following screen captures show.



As the scan results indicate – my Internet Explorer 8 is in good shape.


With Firefox running, the results looked like this. It seems I’ve been bad, and not kept my Firefox updated. There’s good reason for this: FF 3.6.6 is slower than molasses (at least on my test machine), and I chose to roll back to FF 3.6.4.



Nevertheless, to complete the test, I clicked on the “Fix it” button which immediately took me to the Firefox update site, so that I could download the latest version of Firefox.


Fast facts: The following items are detected:

Windows OS support expiration

Browser version (IE 6.0+, Firefox 3.0+, Chrome 4.0+)

Adobe Flash Player

Adobe Reader 5.x and above

Adobe Shockwave Player

Apple Quicktime

BEA JRockit

Microsoft Silverlight

Microsoft Windows Media Player

Real Player

Sun Java

Windows Presentation Foundation (WPF) plug-in for Mozilla browsers

As an added security measure, take BrowserCheck for a test drive. According to available information, all major Windows web browsers are supported.
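The core of what BrowserCheck does in the two posts above, and what the Firefox 3.6.12 update post relies on, is comparing an installed component version against a required minimum. Here is that check as an added example, not Qualys code: an inventory of installed components is run against a table of minimums and everything behind is flagged. The Firefox minimums are the versions the posts give (3.6.12 and 3.5.15); the Java and Adobe Reader minimums and the sample inventory are constructed placeholders, not vendor data.

```python
"""Plug-in inventory check of the kind BrowserCheck performs: compare each
installed component against a required minimum and flag what is behind.
Added illustration, not Qualys code. Versions are compared segment by
segment as integers, because as strings "3.6.12" sorts before "3.6.4"."""
import re


def parse_version(text):
    """'3.6.12' -> (3, 6, 12); '1.6.0_22' -> (1, 6, 0, 22).
    Stops at the first segment that does not start with a digit."""
    nums = []
    for part in re.split(r"[._-]", text.strip()):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    return tuple(nums)


def is_outdated(installed, minimum):
    """True when installed is strictly below minimum."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    # right-pad with zeros so that 3.6 and 3.6.0 compare equal
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


# Required minimums. The Firefox entries are the versions the posts give as
# closing the zero-day (3.6.12 for the 3.6 branch, 3.5.15 for 3.5). The Java
# and Reader values are HYPOTHETICAL placeholders, not vendor data.
MINIMUM = {
    "Firefox": {(3, 6): "3.6.12", (3, 5): "3.5.15"},  # keyed by branch
    "Java Runtime": "1.6.0_22",
    "Adobe Reader": "9.4.0",
}


def required_minimum(name, installed):
    """Minimum for a component; per-branch entries pick the branch of the
    installed version (major.minor). None when the component is untracked."""
    entry = MINIMUM.get(name)
    if isinstance(entry, dict):
        return entry.get(parse_version(installed)[:2])
    return entry


def check_inventory(inventory):
    """inventory: iterable of (name, installed version) pairs.
    Returns [(name, installed, minimum)] for every outdated component."""
    findings = []
    for name, installed in inventory:
        minimum = required_minimum(name, installed)
        if minimum is not None and is_outdated(installed, minimum):
            findings.append((name, installed, minimum))
    return findings


# Constructed sample inventory. The Firefox 3.6.4 entry is the rolled-back
# version mentioned in the post; the rest are placeholders.
SAMPLE_INVENTORY = [
    ("Firefox", "3.6.4"),
    ("Java Runtime", "1.6.0_20"),
    ("Adobe Reader", "9.4.0"),
    ("Flash Player", "10.1.85.3"),  # not in the table, so skipped
]

if __name__ == "__main__":
    for name, installed, minimum in check_inventory(SAMPLE_INVENTORY):
        print(f"OUTDATED {name}: installed {installed}, need {minimum}")
```

The pitfall the numeric comparison avoids is real on this very page: the rolled-back 3.6.4 sorts after the patched 3.6.12 under string comparison, so a naive checker would report the vulnerable build as newer than the fix.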



Filed under Browser Plug-ins, Browsers, cybercrime, Don't Get Hacked, downloads, Firefox, Freeware, internet explorer 8, Internet Explorer Add-ons, Windows Tips and Tools

Smart Meters Make Us Dumb

So what did Shakespeare mean when he wrote “A rose by any other name would smell as sweet”? Simply this: what something is matters, not what it is called.

I can’t recall that electric meters were ever referred to as “dumb meters”, nevertheless, we now have a new breed of meters that the industry is calling “smart meters”. But are they really?

More to the point, are we being smart in adopting this new technology without a complete and probing review of the security implications posed by the rush to implement this technology? (I was forced to accept the installation of a smart meter earlier this year).

Smart Meters, on the face of it, sound ultra cool. A Smart Meter, by definition, monitors electricity usage and communicates with your electricity supplier, who then bills you on factors that include your consumption, with the rate adjusted by the time of day and the season. Use during high demand, or peak periods, costs more money.

The stated objective is – billing consumers by how much electricity is consumed, and at what time of day, will force us to adjust our consumption habits to be more responsive to perceived savings, or additional costs. Hopefully, according to energy gurus, this will delay or eliminate the construction of additional generating facilities, and the associated environmental costs.

So what could be the downside to getting on board the speeding locomotive called the “green movement”, which is designed (we’re told), to make all of us more environmentally conscious?

Well here’s the rub with smart meters – according to industry sources, communication technologies being considered, or already in use for smart meters, include cell and pager networks, licensed radio or unlicensed radio, power line communication, and others.

So here’s my question – haven’t we learned anything when it comes to cost benefit and risk association?

The one indisputable commonality of communication technologies is this: each and every one can be intercepted, or hacked – and hacked easily.


Should we worry, should we be concerned, that the major lifeline (try living without electricity), to our way of life can, or will, be compromised? You bet!

In a recent article, “Building the Smart Grid: Proven Methods to Secure the Future”, Joshua Pennell and Michael Davis of security firm IOActive wrote:

“IOActive researchers were able to identify multiple programming errors on a series of smart meter platforms ranging from the inappropriate use of banned functions to protocol implementation issues.

The research team was able to “weaponize” these attack vectors, and create an in-flash rootkit, which allowed them to assume full system control of all exposed smart meter capabilities, including remote power on, power off, usage reporting, and communication configurations.

The initial attack vector could also be leveraged to deploy a worm, much like the Blaster worm that wreaked havoc on computer systems in 2003. The consequences of such threats are potentially widespread and devastating”.

Still not convinced? Then read the CNN report by Jeanne Meserve, CNN Homeland Security Correspondent, “Smart Grid may be vulnerable to hackers”.

Excerpt:

… cyber security experts said some types of meters can be hacked, as can other points in the Smart Grid’s communications systems. IOActive, a professional security services firm, determined that an attacker with $500 of equipment and materials and a background in electronics and software engineering could “take command and control of the (advanced meter infrastructure) allowing for the en-masse manipulation of service to homes and businesses.”

Experts said that once in the system, a hacker could gain control of thousands, even millions, of meters and shut them off simultaneously.

A hacker also might be able to dramatically increase or decrease the demand for power, disrupting the load balance on the local power grid and causing a blackout. These experts said such a localized power outage would cascade to other parts of the grid, expanding the blackout. No one knows how big it could get.


Not worried yet? Then you should be. If you’re unfamiliar with the prevalence of hacking and cybercrime, let me offer you this quote from my good friend TechPaul, “The Internet shadow economy is worth over $105 billion/year.  No country, no person, no business and no government is immune from Cybercrime”.

I find it impossible to believe that cyber criminals will not take advantage of the enormous attack surface that smart meters will present. These are the same cyber criminals, who frequently hold individual Internet connected computers for ransom using a vicious form of malware.

I don’t know about you, but I’m very tired of being held as a “hostage to fortune” in a present, and a future, created, by and large, by the same illogical thinking patterns and by the same careless people (I’m being kind here), who in many cases are responsible for the economic meltdown we are now forced to deal with.

Whatever happened to the application of logic? We need to stop listening to these morons – right now. They certainly don’t have your best interest at heart.



Filed under Application Vulnerabilities, Don't Get Hacked, Green Living, Interconnectivity, Networking, Personal Perspective, Ransomware, Smart Meters, System Security

Smart Meters – How Dumb Are They?

Several weeks ago, while writing a report for a client, I was interrupted by my local electricity company, who asked that I shut down my machines so that they could install a “Smart Meter” on my electricity service.

Smart Meters to monitor electricity usage are just one of the latest technology advances to ensure we take the “green movement” seriously. A Smart Meter, by definition, can communicate with your electricity supplier, who will then bill you on factors that include your electrical consumption and the time of day and season in which it occurred.

The stated objective is – billing consumers by how much electricity is consumed, and at what time of day, will force us to adjust our consumption habits to be more responsive to perceived savings, or additional costs. Hopefully, according to energy gurus, this will delay the construction of additional generation facilities.

Pretty cool – right? So what could be the downside to getting on board the speeding locomotive called the “green movement”, which is designed to make all of us more environmentally conscious? Or so we’re told.

Well here’s the rub – according to industry sources, communication technologies being considered, or already in use, include cell and pager networks, licensed radio or unlicensed radio, power line communication, and in my view, the most startling of all – the use of TCP/IP technology as a widespread communication method for Smart Meter applications.

TCP/IP technology has been with us since the 1970s, and it was designed without authentication or confidentiality built in, so traffic that rides on it can be intercepted or spoofed unless a protocol layered on top supplies those protections. The same holds for all of the other technologies either in use, or being considered, as a communication platform for Smart Meters.


Should we worry, should we be concerned, that the major lifeline (try living without electricity), to our way of life can, or will, be compromised? You bet!

In a recent article, “Building the Smart Grid: Proven Methods to Secure the Future”, Joshua Pennell and Michael Davis of security firm IOActive wrote:

“IOActive researchers were able to identify multiple programming errors on a series of smart meter platforms ranging from the inappropriate use of banned functions to protocol implementation issues.

The research team was able to “weaponize” these attack vectors, and create an in-flash rootkit, which allowed them to assume full system control of all exposed smart meter capabilities, including remote power on, power off, usage reporting, and communication configurations.

The initial attack vector could also be leveraged to deploy a worm, much like the Blaster worm that wreaked havoc on computer systems in 2003. The consequences of such threats are potentially widespread and devastating”.

Scary stuff to say the least!

Now I don’t know about you, but I’m very tired of being held as a hostage to fortune in a present, and a future, created, by and large, by the same illogical thinking patterns and by the same idiots who, in many cases, are responsible for the economic meltdown we are now facing.

Whatever happened to the application of logic?

I’ll leave it up to you as to what you see as the solution to this untenable situation.


Filed under Communication, Interconnectivity, Living Life, Networking, Personal Perspective, Smart Meters

Microsoft Pulls the Plug on Office 2000. How Will This Affect Your System Security?

Guest writer Rick Robinette, one of my favorite Blogging buddies, explains why MS Office 2000 is poised to become a security risk.

You have heard it here, and on other blogs associated with “What’s On My PC…”: “Keep your software up-to-date!” (to protect yourself from potential security vulnerabilities, or weaknesses).

But what do you do when the software maker stops supporting a specific product version? The common sense approach is to upgrade; however, where economics (the cost to upgrade) becomes a factor, users will stick with the version that has worked for them. A good example of this scenario is the people still using Microsoft Office 2000.


I really do not know how many users (or businesses) are still on it, but if you are a Microsoft Office 2000 user, be warned that the lifecycle for Microsoft Office 2000 comes to an end on July 14, 2009.

Microsoft retired “Mainstream Support” for Office 2000 in mid-2004; however, extended support (for critical updates, patches, and fixes) continues to be available until July 14, 2009.

To put this in perspective:

Office 2000 has been patched 15 times so far this year alone, 12 of which were labeled “critical,” Microsoft’s most serious threat ranking.

Just last week, Microsoft patched 10 bugs in PowerPoint 2000, the presentation maker in Office 2000.

[ Source: Computerworld ]

If you are connected to the internet (or any network, for that matter) and are still using Office 2000 after July 14, 2009, then you are exposed to any security vulnerability found in it from then on, because no fix will be issued (a hijacked document reader is the obvious example).

In a sense, Microsoft Office 2000 will become a security vulnerability in itself and a potential avenue for bot infections, etc. It is advisable that you upgrade to a newer version of Microsoft Office, prior to July 14, 2009, to protect yourself and other users.

Free alternatives exist to replace Microsoft Office; perhaps the most popular is the outstanding open source application Open Office 3.1. Many software application reviewers consider Open Office to be the equal of MS Office in most respects.

For information on this excellent free suite of office tools, checkout OpenOffice.org for information and download links.

This is a guest post by Rick Robinette, who brings a background as a security/police officer professional, and as an information technology specialist to the Blogging world.

Why not pay a visit to Rick’s site at What’s On My PC. Like me, you’re sure to become a frequent visitor.


Filed under Application Vulnerabilities, Don't Get Hacked, Free Full Versions, Free Office Suites, Freeware, MS Word Alternatives, Online Safety, Open Office, Open Source, Productivity Software, Software, System Security, Windows Tips and Tools

Taking A Byte Out of Malware

This is a guest post by Rick Robinette, who brings a background as a security/police officer professional, and as an information technology specialist to the Blogging world.

Why not pay a visit to Rick’s site at What’s On My PC.


When I mention the term “malware” around my friends and family, I get some really strange looks. Most people are not absorbed into the tech side of protecting their PCs and really do not care what the name of the current disease is.

It is an attitude and approach similar to the government; “wait till it happens, then fix it”. Fixing a PC after a malware infection can be like the government trying to fix the economy. You try to fix it and the problem does not go away, resurfaces, and in turn progressively worsens.

When you own a computer, you must develop the attitude of prevention and protection. If you do not heed this advice, trust me, you will be in a position where you will be trying to fix your own economy…

It is important to educate yourself about the threats, before the threats educate you. Malware today has developed into a threat with such magnitude that it is predominantly the preferred avenue of attack against everyday computer users.

What is malware?

In short it is “malicious software” that installs on your PC without your consent. It is designed to compromise your privacy, steal your money & identity, AND contaminate your PC. Basically, it just shows up in one form or another. (Obvious signs can be: as a popup, a browser redirect, suspicious security software, fake security warnings, your PC consistently runs slow, etc…).

How is it delivered?

Usually through misrepresentation or trickery… You click on a link in an email or a link on a web page that misrepresents what it really is and you’ve been had. Peer-to-Peer (P2P) file sharing, software pirating sites, porn sites are also favorite launching points for malware.

How to take the byte out of malware?

Layers of protection… What this refers to is multiple layers of protection, such as your firewall and various types of security software (e.g. anti-virus, anti-spyware, anti-malware, browser protection, Windows updates, software updates, etc.). It is important to maintain and keep these layers of protection in place.

One layer of protection that I currently use, and highly recommend to all of my friends and family, to combat the threat of malware, is a program called “Malwarebytes’ Anti-Malware”. Malwarebytes’ Anti-Malware is an anti-malware application that can thoroughly remove even the most advanced malware.


I use this program to manually scan my PC on a regular basis. There is a “FREE” and “PAID” version. The difference is that the real-time protection, scheduled scanning, and scheduled updating features are not activated in the “FREE” version.

Performing manual routine updates and scanning is sufficient in most cases. Just the fact that you have it installed and ready to go on your PC, in the event of a malware threat, is a big plus.

Most tech people, without software such as this, will look you in the eye and tell you, formatting the hard drive and doing a complete operating system rebuild is the only way they will touch your PC. Due to the complexity of malware and today’s operating systems, no one can guarantee that your PC will be completely cleaned after a malware infection.

I highly recommend that you download and install this software today.


Filed under Anti-Malware Tools, Don't Get Hacked, Free Security Programs, Freeware, Interconnectivity, Internet Safety, Malware Advisories, Online Safety, Rogue Software, Software, Spyware - Adware Protection, System Security, trojans, Viruses, worms