Upgrading WordPress could not be simpler
WordPress users have been encouraged to update to the latest version of WordPress, currently at 2.8.4. It appears there is a nasty worm going around attacking WordPress sites.
It's not too often that you see notices from the TYPO3 group on security issues related to their CMS framework. That's why their notice last week about various security issues with several third party TYPO3 extensions caught my attention.
Several vulnerabilities have been found in the following third party TYPO3 extensions:
I found a great list on the blog/news section for the ocPortal CMS, 10 IE compatibility problems that you might not have realized. While the post is related to ocPortal, the Internet Explorer compatibility issues likely will apply to any CMS viewed by the browser.
Yesterday, PHP-Fusion announced that someone had hacked into their site and changed the download link for PHP-Fusion Version 7.
Hello all,
We had an issue a few days ago where a malicious person gained access to our site as a super administrator via a weak account/gained password. They apparently changed the download link of PHP-Fusion version 7 to spendspace and it was packaged as a .rar file. If you downloaded one of these files, please reinstall your entire site using a fresh copy from SourceForge.
While this isn't a good thing, it is a positive that PHP-Fusion disclosed the possibility that the link led to a version of PHP-Fusion that may have been maliciously changed. I can recall a number of other projects (open source and proprietary) that have found their source code made vulnerable by someone intruding into their servers. What is always important to customers in these cases is disclosure and transparency. So far, PHP-Fusion seems to be doing the right thing.
However, as of this Thursday morning, it looks like PHP-Fusion's hosting company has suspended their account. At the time of this writing, no word has been given as to the reasons for the suspension. I suspect the suspension is likely to be security related. Perhaps we'll see an announcement at SourceForge on the status of PHP-Fusion if their home site doesn't come back online soon.
Ironic how the world can change so quickly. Yesterday, the CIO of my organization began enforcing the use of anti-virus software on all of our Linux clients and servers. Today, I read that Apple is telling its Mac users to purchase anti-virus software. Something nasty is brewing out there.
Apple encourages the widespread use of multiple antivirus utilities so that virus programmers have more than one application to circumvent, thus making the whole virus writing process more difficult.
Tim Wilson, the site editor for Dark Reading, recently posted an article about recent at the AARP.org website. In the colorfully titled article, "Porn Operators Hijack Pages on AARP Website", Wilson interviews Jeremy Yoder of MX Logic about why AARP.org's site was vulnerable. In brief, the explanation given is that the site deployed a number of Web 2.0 features, including user profile submissions, from which the site didn't properly filter out JavaScript redirect code. Yoder then
Serendipity 1.3 has been released. This new version of the blogging application introduces 41 changes. It brings not only enhancements and additional features, but also changes to address a nasty cross-site scripting issue (security exploit).
Some of the more significant features and enhancements for Serendipity 1.3 include:
This is why I'm very cautious in using any type of search engine toolbar (Google, Yahoo, etc).
Google is working to fix a bug in the Google Toolbar that could allow criminals to steal data or install malicious software on a system, a security researcher warned Tuesday.
The flaw lies in the mechanism Google Toolbar uses to add new buttons on the browser. Because the toolbar does not perform adequate checks when new buttons are being installed, a hacker could make his button appear as though it was being downloaded from a legitimate site when in fact it came from somewhere else.
I felt fear, awe, and even some admiration when I read at CNET about the latest social engineering attack dreamed up by those ingenious Russian hackers.
Those entering online dating forums risk having more than their hearts stolen.
A program that can mimic online flirtation and then extract personal
information from its unsuspecting conversation partners is making the
rounds in Russian chat forums, according to security software firm PC Tools.