I recommend that you update your WordPress site as soon as possible to prevent security breaches by hackers. The update can be through the Dashboard in WordPress or you can download it here.

The QuitFaceBookDay group isn’t alone in leaving Facebook. Many high profile Internet leaders have also left (More Web Industry Leaders Quit Facebook, Call For Open Alternative). Facebook is fighting an uphill battle in keeping their users satisfied. Many people will stay on because there simply isn’t an alternative and equal site to use instead.

The Return of BBS’s

Hardly any of the new computer users today knows what a BBS is. In the 1980’s and mid 1990’s, they were doing what the Internet does today, but mainly on a local scale. People set up computers at home (or in a business) and attached a modem, phone line, and ran BBS software which allowed other people to phone their computer and run applications, which included e-mail, playing games, and downloading applications.

BBS’s connected to each other which allowed them to send e-mail between them and run newsgroups. Many BBS’s were on networks which allowed them to send mail to other systems, but this was costly because you had to pay long distance phone charges to connect to a computer in another city.

The Internet changed all of this and did everything that a BBS could do at a lower cost. There were BBS’s that charged annual fees for usage and I never subscribed to them because I thought that they were too expensive and not worth it. Today, I spend more than what they charged on Internet access, but with all of the activity that I do it would have cost me more paying for services on a BBS than what I would get from the Internet.

There are very few BBS’s running on phone lines today. Most of them can be accessed only through Telnet. The Internet has replaced the old BBS technology, but BBS’s will be returning soon in a different way.

Diaspora: Social Networking for the Masses

Wikipedia defines a diaspora as “any movement of a population sharing common national and/or ethnic identity”. Diaspora is the latest threat to modern social networks and likely the one to make the most impact on the Internet. Its developers define it as "the privacy aware, personally controlled, do-it-all distributed open source social network”.

Diaspora is an application that turns your computer into a node on part of a larger, connected social network. Your computer stores all of your private or public information and you have control over it, as opposed to giving control to it by another organization like Facebook. Your data is secure and you decide whether you want to share with other nodes on the Diaspora network. In other words, your computer becomes a BBS, or more accurately, a web server.

Project Diaspora’s goal was to raise $10 000 by June 1, 2010 to continue their software development. They raised $200 642 from 6479 supporters. Clearly, there is a great demand for an alternate, secure social networking application. The software hasn’t been released yet and their target date is the end of summer, or some time in September.

This is an interesting project and I’m curious what kind of web server they will use for running on Windows, Macs, and Linux computers. I would guess that its Apache since this software is open source and free, but hopefully it will also run on IIS in Windows.

Diaspora may start BBS-like activity which the Internet eliminated. It all depends on how easy the setup will be for it. Most computer users have very limited knowledge in computing so it will be a real challenge getting them to create and administer a web server.

The bug isn’t critical and its unlikely that most blogs would have problems with it, but its always a good idea to patch security holes as they are found.

I updated this blog through the automated update feature in WordPress. This is the best way to update software and more CMS’ should have similar functionality. Its always a good idea to backup your blog before performing an update. There is a possibility that a plugin or theme being used could fail in a new version of WordPress, so you should always have a way to go back to a previous version in case anything goes wrong.

I recently had a request from a client to set his password for an account on our server to shoes. This is a very insecure password because hackers cycle through dictionary words in their cracking attempts and it would only take a few minutes to break into this account.

A better password would have the follow characteristics:

• More Characters: the longer the password is, the longer it will take to guess by brute-force techniques.
• Multiple Words: with each word separated by a number.
• Unrelated Word: choose words that have nothing to do with you, e.g. if you like pizza, don’t choose pizzaman. Social engineering experts can guess your password by learning a few things about you.
• Don’t Show Off: resist the temptation to tell your password to your friends to show how clever you are in thinking of it.

These basic techniques would prevent most hackers from logging into your account.

WP Security Scan examines a WordPress installation for security problems and if it finds them, recommends a course of action to correct them.

Some of the functions that it performs are:

• test the strength of passwords
• examine file permissions to prevent unauthorized usage
• checks the security of the database
• hides the version number of WordPress
• protect the WordPress admin account
• remove the WP Generator META tag from the core code

The plugin is easy to install and it found several problems on my blog, which were also easy to fix. I strongly recommend all WordPress users install this extension and properly security their web site.

You can download WP Security Scan at wordpress.org/extend/plugins/wp-security-scan/.

• Sony VAIO VGN-TZ37CN running Ubuntu 7.10
• Fujitsu U810 running Vista Ultimate SP1
• MacBook Air running OSX 10.5.2

The purpose of this contest was to reveal possible vulnerabilities in the system so that the vendor can secure them. A $20,000 cash prize was also added as an incentive by the sponsors. All that you had to do is hack into the computer and execute some code to retrieve the claim ticket file. Then the machine is yours plus you get some cash on top of it.

It took Charlie Miller about 2 minutes to get into the Mac. With all of the bragging from Apple on the superiority of the operating system, its very surprising how easy it was to exploit flaws in it. Miller won the Mac and received $10,000 from 3Com’s TippingPoint division.

Shane Macaulay hacked into the Windows machine after 2 days of work. He used a cross platform Java bug to compromise Vista’s security.

No one managed to win the Sony VAIO computer. Hacking into Linux proved itself to be a formidable task. The attackers claimed they found bugs in the operating system, but there weren’t any willing to write the code to exploit it. The likely reason was that it would take too long to complete it.

The contest was interesting. OS X was by far the easiest to hack. Apple is very good at convincing people that Macs are better than Windows in their ads, but they were unable to produce an operating system that can give moderate security against attackers. Its not surprising that the Linux machine was the most secure. With its large community of developers and users, the end result is very secure and stable operating system.

While this is not the recommended way of managing users in phpBB, it’s highly effective and easy to use. You just have to make sure that a user has no posts when you delete them or you’ll have records in your databases that don’t link anywhere. Another risk to directly modify tables in the database is that you might corrupt it in other ways making it unusable. If your not familiar with the phpBB database structure, avoid playing with it.

I recently found a utility called PHPBB Admin Toolkit. This is a utility for controlling all of the settings for a user, including deleting users and all of their messages. Before this, when spammers posted their messages, I had to delete each message one a time. After this was done, the spam user was also deleted. I used to spend about a half hour each day cleansing my forums. I think there are better things to do with my time.

The toolkit allows the deletion of multiple users along with their e-mails. If a spammer manages to post a message, I can quickly and easily wipe out their account and messages.

Also, if a hacker manages to login with the admin account and demotes it or changes the password, the toolkit will allow you to access your forum and regain control over it.

A bonus feature that it includes is a security scan which will show if there are any issues that can compromise your forum’s security.

Overall, the PHPBB Admin Toolkit should be a part of every forum webmaster’s utilities. You can download it at starfoxtj.no-ip.com/phpbb/toolkit/.

The problem with the ease of learning PHP is that its also easy to write code that is not secure and can be exploited by hackers. This isn’t just a challenge for novices, experienced programmers also can inadvertently write dangerous code.

Apart from coding mistakes, bugs are discovered over time in PHP itself. One would think that once they are found, its developers would move quickly to fix them. According to Stefan Esser, this is not the case. Esser runs the PHP Security Blog and also the Hardened-PHP Project Forum.

He made a post to his blog last month which angered many in the PHP community. In it, Esser announced that he resigned from the PHP Security Response Team which was originally his idea to create several years ago. The main reason he quit was that PHP Group constantly blocked his attempts to improve the security of PHP. The Group preferred blaming the developer for any security issues that occur with PHP.

Esser, while still having faith in the potential of PHP, developed Suhosin. You can find it on the Hardened-PHP Project site. Briefly, to plagiarize his site,

Suhosin is an advanced protection system for PHP installations. It was designed to protect your servers on the one hand against a number of well known problems in PHP applications and on the other hand against potential unknown vulnerabilities within these applications or the PHP core itself.

Its highly recommended that you use Suhosin for any web site that is exposed to the Internet. You probably don’t have to worry much if your site is just an intranet. The National Institute of Standards and Technology (NIST) reported that PHP applications were involved in 43% of security problems in 2006. In 2005, PHP accounted for 29% of the security issues. With the growing numbers of users and applications in PHP, I expect the numbers to be even higher in 2007. All the more reason to take a closer at Suhosin.

“You could spend a fortune purchasing technology and services … and your network infrastructure could still remain vulnerable to old fashioned manipulation. … If your goal is to protect your network, you can not rely on technology alone.”

Kevin Mitnick, “My First RSA Conference”

A common perception of a hacker is that of an individual who spends countless hours trying to break into computer systems by guessing passwords or having unsuspecting users install software which will give them a back door into their computer systems. Modern technology may prevent most of these types of attacks, but even the most advanced technology will not prevent a fellow co-worker from unknowingly giving out a password to a hacker over the phone. This is known as social engineering.

Briefly, social engineering is a psychological attack. Its purpose is to obtain confidential information by manipulating legitimate users. The goal of a hacker is to gain unauthorized access to systems or information in order to commit fraud, network intrusion, industrial espionage, identity theft, or disrupt these systems. Various techniques are used to extract sensitive information from staff members. People have a natural tendency to trust others and feel good about being helpful, which are traits that social engineers exploit to their advantage.

The most common medium for social engineering are telephones. A hacker will impersonate someone of authority or importance to retrieve information. They may even pretend to be a network administrator when requesting a password. In his interview with the BBC News Online, Kevin Mitnick explains, “how armed with a little knowledge, a hacker can sound like an employee of a firm and get other workers to inadvertently supply them with enormously useful information”.

When a call is received and information is requested, find out who is calling and what company they are with. Unless the individual is recognized and they have authorization, take their name and phone number and tell them they will be contacted shortly. Inform management. Passwords and user names should never be given over the phone.

Hackers can also retrieve useful information by going through garbage. The LAN Times listed the following items as potential security leaks in our trash: “company phone books, organizational charts, memos, company policy manuals, calendars of meetings, events and vacations, system manuals, printouts of sensitive data or login names and passwords, printouts of source code, disks and tapes, company letterhead and memo forms, and outdated hardware.”

To prevent security problems, all sensitive data should be shredded when thrown away. Magnetic media such as hard disk and floppy disks should be low-level formatted before disposal. If you are not sure how to dispose of these things, send them to your IT department.

Care needs to be made with e-mail as well. E-mail attachments can contain viruses, worms, and Trojan horses. A good example of this was an AOL hack, documented by VIGILANTe: “In that case, the hacker called AOL’s tech support and spoke with the support person for an hour. During the conversation, the hacker mentioned that his car was for sale cheaply. The tech supporter was interested, so the hacker sent an e-mail attachment “with a picture of the car”. Instead of a car photo, the mail executed a backdoor exploit that opened a connection out from AOL through the firewall.”

Below is an excerpt from a hacker web site instructing how to break into a system. This is useful because it gives an insight in what a hacker tries to do retrieve information.

• Be Professional: You don’t want someone to not buy what you’re doing. You’re trying to create an illusion. You’re trying to be believable.

• Be Calm: Make them believe you belong there.

• Know your mark: Know your enemy. Know exactly how they will react before they do.

• Do not fool a superior scammer: trying to out scam an observant or smarter person will end in disaster.

• Plan your escape from your scam: Don’t burn your bridges. Save the source.

• Be a Woman. It is proven that women are more trusted than men over the phone. Use that to an advantage.

• Watermarks: Learn to make them. They are invaluable in a mail scam.

• Business cards and fake names: Use them for professional things.

• Manipulate the less fortunate.

• Use a team if you have to: Don’t be arrogant and overly proud. If you need help, get it.

Individuals may try to get sensitive information by entering a facility and wandering around. People tend to leave user accounts and passwords around their work area because they don’t want to make the trouble of remembering them. The best places to look for passwords are areas beside the monitor (or stuck on it) or taped under a keyboard. If passwords need to be stored somewhere, create a password protected file on your computer and give it a name that is meaningful only to you, or store the password on a Java enabled cell phone (there is free software for this).

Unknown people should not be permitted to walk around unescorted. The identities of repairmen should be verified before they are granted access in a building. Also, server rooms wiring closets should be securely locked at all times.

If at any time you are not sure about someone who is on the phone or is on the premises, contact management. It is better to take a few moments to verify a legitimate individual user than permit a security breach.