I just upgraded to WordPress version 3.0.2, being billed as a mandatory update for all versions (including those still running WordPress 2.x) to solve an issue that allows an author to elevate to an administrative user. Even if you have a single-author blog (like this one), there are other security enhancements and fixes that make this upgrade worthwhile. I completed it in about 30 seconds, and everything still seems to be working. If you are running a 2.x version of WordPress still, I think it’s time to upgrade — 3.0 has been very stable, and most plugins are now working with it.
We can’t trust social media anymore.
How is it that the most-followed Twitter account, @cnnbrk, wasn’t even run by CNN until a recent acquisition? Seriously — how many of you out there thought CNN ran it? I know I did. Some folks have claimed to have known the truth behind @cnnbrk for a while, but I consider myself up on social media news and this comes as a saddening shock to me.
Why saddening? Because the trust factor that endears us to social media has been shattered.
Twitter needs a mechanism to authenticate a true identity now. Not in six months, not in a year, but post-haste. Otherwise, how can we truly know that accounts performing customer service over Twitter, such as Zappos or Comcast, are legitimate? When we DM account information to a representative of a company, can we really be sure they are a representative? Are we giving our information to Comcast, or are we giving it to a phisher? It’s well-documented that the Comcast representatives on Twitter are indeed authorized agents of the company, but how can someone new to Twitter know this for sure just by looking at the Twitter site? This CNN thing really hurts any company that wants to perform customer service online, because it underscores the fact that tomorrow, I or anybody else could start an account like “@AcmeCares” and phish Wile E. Coyote for his credit card information over DM after responding to his reports on Twitter that his shipment of dynamite didn’t catch the Roadrunner.
We are very fortunate that @cnnbrk was not abused, and that’s likely why James Cox, the person who started the account, is not on the other end of a landmark trademark infringement lawsuit. (Because this is, in every sense of the word, a textbook case of trademark infringement. Also, I’m willing to bet that CNN’s failure to act on this sooner could be interpreted as failure to defend their trademark in a reasonable time, which could have serious legal repercussions down the road.) But this whole ordeal underscores the critically urgent need for an authentication system to be implemented. Otherwise, I will now have serious concerns over any company wishing to engage over Twitter, because there is no way to be sure that they are who they say they are — and that’s sad, because as Comcast has proven, Twitter is phenomenal for customer outreach.
So I’ll set the scene for you:
Disgruntled College of Charleston fan, home after witnessing a loss to Elon of all teams, wants to sit down, sip on some Gatorade, and work on his Facebook “25 Random Things” meme post because seven of his friends have now tagged him and he just wants to END IT (and terrorize additional people with said meme).
So, he sits down and begins writing his post, when he wants to refer to a post on his blog for some of the answers. He finds a strange white space in his layout that makes zero sense whatsoever. He goes and checks the source code…and OMG. Keywords. Lots and lots of keywords. Viagra, tablets, medicine — you name it, it was there. Site: Compromised.
Oh, and that guy? That was me. Continue reading Anatomy of a WordPress Hack
I just threw WordPress 2.3.2 on the server. It fixes a few potentially nasty security bugs, so if you run your own WordPress installation, it’d be smart to upgrade to this new one. It’s a quicker upgrade than most WordPress upgrades, particularly if you were using 2.3.1 — no database changes appear to be needed.
The BBC reports that Internet security firm Sophos is recommending that users switch to Macs to avoid malware installed over the Internet.
Does this make some sense? Absolutely — there’s very little malware currently available for Mac OS X. However, security through obscurity is only a temporary condition, and any mass exodus to Macintosh, however unlikely that may be, will ultimately bring with it a torrent of malware. Granted, the Mac OS X architecture does make it much more difficult to bundle malware applications. Not having its browser totally integrated into the OS is a good start. However, a little social engineering goes a long way. That’s how most malware is installed these days, and there isn’t — and there may never be — any effective software solution for overcoming that. Education is the key.
Personally, I think Windows Vista will improve this situation quite well for Windows users — it’s so secure, you can’t even delete a shortcut without confirming it three times. :P In all seriousness, decoupling IE from the operating system — something Microsoft once said was “impossible” (ha!) — will make a big difference on Vista. I’ve also noticed that Windows XP Service Pack 2 has had a lot to do with alleviating this problem. There’s still that lousy social engineering aspect, though, and it all comes back to user education, because no operating system is 100% secure. I’ll leave how to tackle user education to another post or 40…LOL. Time to go to bed.
Windows Defender, the anti-spyware software formerly known as Microsoft AntiSpyware, has reached Beta 2 and is now available to the public. It requires that awful Microsoft Genuine Advantage check, but it’s worth it. The interface has been completely redesigned and streamlined. Versions are available for Windows XP, 2000, 2003, and x64.
See Paul Thurrott’s review of the product for an in-depth look at the product. So far, so very, very good. I really like what they’ve done.