Archive | Security

Security is not a feature; it’s a process. Notes on issues, patches and essays on security.

New Version: WordPress 2.1

Development Blog › WordPress 2.1 Ella: “On behalf of the WordPress.org community of committers, contributors, and volunteers, I’m very proud to announce the immediate availability of WordPress 2.1 “Ella”, named for jazz vocalist Ella Fitzgerald. Here’s a sampling of what’s in the new version:”

Attempting to update to version 2.0.7, I noted that the links go to the brand-new (16 hours old as I write this) version 2.1, and there may be significant issues with less-well-known plugins. If plugins are an important part of your blog, check their list of compatible plugins first, then consider whether now is a good time to upgrade. The downside I fear, though, is that the security flaws originally fixed in 2.0.7 may be getting exploited out in the wild. Darned if you do and darned if you don’t.

UPDATE: All looks fine here. My plugins appear to be working. Upgrade instructions (with lots of backups) worked just fine. If anyone notices problems, please don’t hesitate to add a comment below.

New Version: WordPress 2.0.7

Development Blog › WordPress 2.0.7. I missed this the first time it came around: a security fix for WordPress, upgrading to version 2.0.7: “Recently a bug in certain versions of PHP came to our attention that could cause a security vulnerability in your blog. We’re able to work around it fairly easily, so we’ve decided to release 2.0.7 to fix the PHP security problem and the Feedburner issue that was in 2.0.6. It is recommended that everyone running WordPress 2.0.6 or lower upgrade to this new version.”

CentraLUG, 5-Feb-2007: Matt Brodeur and GnuPG, OpenPGP, keysigning

The monthly meeting of CentraLUG, the Concord/Central NH GNHLUG chapter, happens the first Monday of most months on the New Hampshire Institute Campus starting at 7 PM. Next month’s meeting is on February 5th at 7 PM.

Directions and maps are available at http://www.centralug.org and on the NHTI site at http://www.nhti.edu/welcome/directions.htm. This month, we’ll be meeting at our usual location in the Library/Learning Center/Bookstore, room 146, marked as “I” on that map. The main meeting starts at 7 PM, and we finish by 9 PM. Open to the public. Free admission. Tell your friends.

At this month’s meeting, Matt Brodeur will present an introduction to e-mail and file security using Pretty Good Privacy (PGP). The talk will cover basic concepts of encryption and digital signatures. Examples and demos will use GNU Privacy Guard (GnuPG), a free (GPL) implementation of the OpenPGP standard available for most modern operating systems. Following the presentation, a PGP keysigning event will be held. Anyone interested in exchanging key signatures with other local PGP users can find details on our website,… as soon as we’ve set it up. Stay tuned.

Matt Brodeur is a Quality Assurance Engineer at Red Hat in Westford, MA and volunteer in local LUGs. He has previously presented OpenPGP talks at the Boston Linux & Unix User Group.

More details on the group and directions to the meeting can be found at http://www.centralug.org and at http://www.gnhlug.org.

Microsoft leaves Word zero-day holes unpatched

CNET News.com is reporting that Microsoft leaves Word zero-day holes unpatched. Hmmm… is it still a zero-day hole if it has been around for a while? I’m afraid the term has lost its punch. Nonetheless, CNET goes on to say,

Microsoft on Tuesday released fixes for vulnerabilities in its Windows and Office software, but left several known Word zero-day flaws without a patch.

As part of its monthly patch cycle, Microsoft published four security bulletins with fixes for 10 vulnerabilities. Three of the bulletins are deemed “critical,” the company’s most serious rating; the fourth is tagged “important,” a notch lower. All bulletins, however, address flaws that could allow an attacker to commandeer a PC.

Nasty stuff. It’s the second week of 2007, and Microsoft patches are already up to MS07-08, although four of the patches were pulled from this release. I wonder if they’ll still be “zero-day” next month?

Hit the Microsoft site at http://www.microsoft.com/security if you need more information on these patches. Get patching!

SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System

In the SANS Internet Storm Center Handler’s Diary for December 29th, 2006, the handlers describe the troubles that can occur when a user innocently chooses a likely search result from a popular search engine, in “Pain reliever with serious side effects.” A chilling story. The moral of the story: anti-virus, anti-malware and firewalls aren’t sufficient. You must also stay up to date on all the latest patches. What if the patch isn’t out yet?

In related news, Microsoft will unprotect millions of Windows 2000 users tonight as their version of “Windows Defender” expires, with no update planned for the “unsupported” operating system. If you’ve been a depender on defender, it’s time to be a decider and a finder and find another product. Good luck, and happy new year!

esr plans World Domination, sophomore edition

Eric S. Raymond posts World Domination 201, the second part (here’s the first) of the Free/Open Source Software/GNU/Linux cabal’s plan to take over the world. I don’t find this anywhere near as scary as the Halloween Documents. I would like a set of codecs to legitimately play my legitimately owned/viewed Quicktime, MP3, and DVD collections. I think everyone would. It’s disturbing to consider that this might be the only thing hampering Linux acceptance as a desktop, and that the copyright and patent licenses intended to foster free trade and promote the Arts & Sciences are in fact doing the opposite.

Firefox and Thunderbird security updates…

Security is a process and not a feature. One of the easier tasks is keeping up with updates. Firefox (2.0 and 1.5) and Thunderbird each have security updates coming. They should automatically notice the new versions and offer to update, but you may need to force the update manually if you’ve somehow disabled updates, or you are working with an older (pre-auto-update) version.

Skype worm: click here if you're foolish…

SANS Internet Storm Center, InfoCON: green reports “Skype 'worm' whinnies…, (Tue, Dec 19th). It appears that the possible Skype “worm” that we reported on yesterday is actually more of a Trojan Horse…”

One more time: an attachment, whether it shows up in email, IM, Skype, a floppy disk, a USB tab or in the transporter room, is from an untrusted source until you can confirm what it is, where it comes from, why it’s here and whether you should click on it. There are no trusted sources. “Click here for something really cool” is not an offer you should be taking up!

Spam surging in volume again; what's behind it?

Perhaps it's not your imagination. Over at eWeek, Larry Seltzer asks “Who's Behind the Spam Surge?”: “As I discussed several weeks ago, everyone's seen that there has been a massive surge in spam over the last couple of months. More researchers are weighing in on what's behind it.”

This work by Ted Roche is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 United States.