Security

WordPress 3.0.4 Security Update

A WordPress security update was issued last December 29. It fixes what Matt Mullenweg referred to as a critical security bug in the HTML sanitation library. All versions of WordPress are affected by the bug, including the 2.x editions.

I recommend that you update your WordPress site as soon as possible to prevent security breaches by hackers. The update can be done through the Dashboard in WordPress, or you can download it here.

Bringing Social Networking Back Home With Diaspora

Facebook’s new privacy policies are confusing people just as much as the old ones did, and many users are closing their accounts. Two days ago, on June 1, 35 978 Facebook users fulfilled their commitment on QuitFaceBookDay to close their accounts. The reasons for them leaving are not just concerns over privacy, but also a belief that Facebook doesn’t bring anything positive to the Internet.

The QuitFaceBookDay group isn’t alone in leaving Facebook. Many high profile Internet leaders have also left (More Web Industry Leaders Quit Facebook, Call For Open Alternative). Facebook is fighting an uphill battle in keeping their users satisfied. Many people will stay on because there simply isn’t an alternative and equal site to use instead.

The Return of BBS’s

Hardly any of today’s new computer users know what a BBS is. In the 1980’s and mid 1990’s, they were doing what the Internet does today, but mainly on a local scale. People set up computers at home (or in a business), attached a modem and phone line, and ran BBS software which allowed other people to phone their computer and run applications, which included e-mail, playing games, and downloading applications.

BBS’s connected to each other which allowed them to send e-mail between them and run newsgroups. Many BBS’s were on networks which allowed them to send mail to other systems, but this was costly because you had to pay long distance phone charges to connect to a computer in another city.

The Internet changed all of this and did everything that a BBS could do at a lower cost. There were BBS’s that charged annual fees for usage and I never subscribed to them because I thought that they were too expensive and not worth it. Today I spend more on Internet access than they charged, but with all of the activity that I do, paying for the same services on a BBS would have cost me more than what I get from the Internet.

There are very few BBS’s running on phone lines today. Most of them can be accessed only through Telnet. The Internet has replaced the old BBS technology, but BBS’s will be returning soon in a different way.

Diaspora: Social Networking for the Masses

Wikipedia defines a diaspora as “any movement of a population sharing common national and/or ethnic identity”. Diaspora is the latest threat to modern social networks and likely the one to make the most impact on the Internet. Its developers define it as “the privacy aware, personally controlled, do-it-all distributed open source social network”.

Diaspora is an application that turns your computer into a node on part of a larger, connected social network. Your computer stores all of your private or public information and you have control over it, as opposed to handing that control to another organization like Facebook. Your data is secure and you decide whether you want to share it with other nodes on the Diaspora network. In other words, your computer becomes a BBS, or more accurately, a web server.

Project Diaspora’s goal was to raise $10 000 by June 1, 2010 to continue their software development. They raised $200 642 from 6479 supporters. Clearly, there is a great demand for an alternate, secure social networking application. The software hasn’t been released yet and their target date is the end of summer, or some time in September.

This is an interesting project and I’m curious what kind of web server they will use for running on Windows, Macs, and Linux computers. I would guess that it’s Apache since this software is open source and free, but hopefully it will also run on IIS in Windows.

Diaspora may start BBS-like activity which the Internet eliminated. It all depends on how easy the setup will be for it. Most computer users have very limited knowledge in computing so it will be a real challenge getting them to create and administer a web server.

WordPress 2.8.4: Security Release

An update for WordPress was released today after a minor security issue was discovered yesterday. A bug in the code allowed a blog user to reset the administrator’s password and cause a new password to be e-mailed to the admin. The attacker would not get access to the account, but the administrator would be inconvenienced by having to change their password.

The bug isn’t critical and it’s unlikely that most blogs would have problems with it, but it’s always a good idea to patch security holes as they are found.

I updated this blog through the automated update feature in WordPress. This is the best way to update software and more CMSs should have similar functionality. It’s always a good idea to back up your blog before performing an update. There is a possibility that a plugin or theme being used could fail in a new version of WordPress, so you should always have a way to go back to a previous version in case anything goes wrong.

Please Set My Password As Shoes

It never ceases to amaze me how little knowledge people have outside their area of expertise. While I do think that it’s important to stay focused on your core abilities in your career, it wouldn’t hurt to learn a few things outside your comfort zone. One area that affects people’s daily lives, and that they should be somewhat familiar with, is computer security and social engineering.

I recently had a request from a client to set his password for an account on our server to “shoes”. This is a very insecure password because hackers cycle through dictionary words in their cracking attempts, and it would only take a few minutes to break into this account.

A better password would have the following characteristics:

  • More Characters: the longer the password is, the longer it will take to guess by brute-force techniques.
  • Multiple Words: with each word separated by a number.
  • Unrelated Words: choose words that have nothing to do with you, e.g. if you like pizza, don’t choose pizzaman. Social engineering experts can guess your password by learning a few things about you.
  • Don’t Show Off: resist the temptation to tell your password to your friends to show how clever you are in thinking of it.

These basic techniques would prevent most hackers from logging into your account.
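As an added illustration (my own example, not part of the original post), the following Python script turns the first three guidelines into an automated check and adds a rough estimate of the brute-force search space a password presents. The word list `COMMON_WORDS` is a tiny constructed stand-in for the dictionaries that cracking tools cycle through, and `check_password` and `search_space_bits` are hypothetical helper names, not part of any real tool.

```python
import math
import re

# Constructed stand-in for the dictionary word lists that cracking tools cycle through.
COMMON_WORDS = {"shoes", "pizza", "password", "dragon", "football", "letmein", "pizzaman"}


def split_words(password):
    """Split a passphrase into its alphabetic parts; digits and symbols act as separators."""
    return [w for w in re.split(r"[^a-zA-Z]+", password) if w]


def search_space_bits(password):
    """Rough log2 of the keyspace a brute-force attacker must cover, based on
    the character classes actually present and the password's length.
    This is an upper bound: a dictionary word is far cheaper to guess than this implies."""
    alphabet = 0
    if re.search(r"[a-z]", password):
        alphabet += 26
    if re.search(r"[A-Z]", password):
        alphabet += 26
    if re.search(r"[0-9]", password):
        alphabet += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        alphabet += 33  # printable ASCII punctuation
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def check_password(password, personal_terms=(), min_length=12):
    """Return a list of guideline violations; an empty list means the password passes.

    personal_terms: words an attacker could learn about the user (hobbies, pets, employer),
    checked because social engineers build guesses from exactly that information.
    """
    problems = []
    lower = password.lower()
    words = split_words(password)

    # More characters: longer passwords take longer to brute-force.
    if len(password) < min_length:
        problems.append(f"too short ({len(password)} chars, want at least {min_length})")

    # A single dictionary word falls to a wordlist attack in minutes.
    if lower in COMMON_WORDS:
        problems.append("single dictionary word: cracked in minutes")

    # Multiple words, each separated by a number.
    if len(words) < 2:
        problems.append("use several words separated by numbers")
    elif not re.search(r"[a-zA-Z][0-9]+[a-zA-Z]", password):
        problems.append("separate the words with a number")

    # Unrelated words: nothing an attacker could learn about you.
    for term in personal_terms:
        if term.lower() in lower:
            problems.append(f"contains personal detail '{term}'")

    return problems


if __name__ == "__main__":
    for candidate, known in [("shoes", []), ("pizzaman", ["pizza"]), ("maple7lantern3river", [])]:
        verdict = check_password(candidate, personal_terms=known) or ["ok"]
        print(f"{candidate!r}: {search_space_bits(candidate):.1f} bits; {'; '.join(verdict)}")
```

The bit estimate only counts characters, so "shoes" scores about 23 bits while a three-word phrase with numeric separators scores close to 100; the separate dictionary and personal-detail checks exist precisely because a long password built from guessable words is weaker than its length suggests.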

Testing WordPress with WP Security Scan

In today’s world, attacks on web sites by hackers are common. We need to take precautions to prevent the security in our web sites from being compromised. There isn’t any built-in utility for WordPress to test security, but there is a plugin by Michael Torbert that can be installed for this purpose.

WP Security Scan examines a WordPress installation for security problems and if it finds them, recommends a course of action to correct them.

Some of the functions that it performs are:

  • tests the strength of passwords
  • examines file permissions to prevent unauthorized usage
  • checks the security of the database
  • hides the version number of WordPress
  • protects the WordPress admin account
  • removes the WP Generator META tag from the core code

The plugin is easy to install and it found several problems on my blog, which were also easy to fix. I strongly recommend all WordPress users install this extension and properly secure their web site.

You can download WP Security Scan at wordpress.org/extend/plugins/wp-security-scan/.
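To show what two of the checks in the list above amount to in practice (the file-permission review and the generator META tag), here is an added Python example of my own; it is not code from WP Security Scan or from WordPress. `permission_findings` walks an install directory and flags anything other users could write, plus a `wp-config.php` that everyone can read (it holds the database credentials), and `find_generator_tag` looks for the version-leaking `<meta name="generator">` tag in a rendered page. `build_sample_install` creates a constructed temporary tree with deliberately bad modes so the script runs offline; the function names are my own.

```python
import os
import re
import shutil
import stat
import tempfile

# The tag WordPress emits in <head> unless a plugin or theme removes it; it advertises
# the exact version, which lets an attacker match the site against known bugs.
GENERATOR_TAG = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress[^"\']*["\']', re.I
)


def find_generator_tag(html):
    """Return the WordPress generator meta tag if the page leaks one, else None."""
    match = GENERATOR_TAG.search(html)
    return match.group(0) if match else None


def permission_findings(root):
    """Walk a WordPress install and report (relative path, problem, mode) tuples for
    files or directories writable by 'other' and for a world-readable wp-config.php."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable", oct(mode)))
            if name == "wp-config.php" and mode & stat.S_IROTH:
                findings.append((rel, "wp-config.php world-readable", oct(mode)))
    return sorted(findings)


def build_sample_install():
    """Constructed sample tree (not a real WordPress install) with deliberately bad
    modes, so the checks have something to find. Caller removes it afterwards."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    os.chmod(os.path.join(root, "wp-content"), 0o755)  # fix the mode regardless of umask
    for rel, mode in [
        ("index.php", 0o644),                                   # fine
        ("wp-config.php", 0o644),                               # readable by everyone: bad
        (os.path.join("wp-content", "uploads", "photo.jpg"), 0o666),  # world-writable: bad
    ]:
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("<?php // constructed placeholder\n")
        os.chmod(path, mode)
    os.chmod(uploads, 0o777)  # a common shortcut to make uploads work; world-writable
    return root


if __name__ == "__main__":
    root = build_sample_install()
    try:
        for rel, problem, mode in permission_findings(root):
            print(f"{mode} {rel}: {problem}")
    finally:
        shutil.rmtree(root)

    # Constructed page fragment standing in for a rendered WordPress <head>.
    page = '<head><meta name="generator" content="WordPress 3.0.4" /></head>'
    print("generator tag:", find_generator_tag(page))
```

On the constructed tree the script reports the world-readable `wp-config.php`, the 0777 `uploads` directory and the 0666 upload inside it; a real review would run it against the document root as the web server's user, since the modes that matter are the ones that user sees.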