Comments on: Anonymous Security Specialist http://bavatuesdays.com/anonymous-security-specialist/ a "b" blog Thu, 18 Mar 2010 19:50:40 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Reverend http://bavatuesdays.com/anonymous-security-specialist/comment-page-1/#comment-69126 Reverend Tue, 08 Apr 2008 21:52:05 +0000 http://bavatuesdays.com/anonymous-security-specialist/#comment-69126 @Scott: Wow, thanks for all the amazing info. This is great stuff, and it is about time the education started in earnest about the holes in WP, for every app has them. @Andre: I'd love some more details on this issue. How does this XSS hack work? All this information is great, and sharing these issues of security are key for us. @Another Victim: Robin Hood strikes again. I fully support your suggestion that we reward the A.S.S. somehow, although I imagine his line o work requires a certain amount of anonymity, but more power to him. @Scott: Wow, thanks for all the amazing info. This is great stuff, and it is about time the education started in earnest about the holes in WP, for every app has them.

@Andre: I’d love some more details on this issue. How does this XSS hack work? All this information is great, and sharing these issues of security are key for us.

@Another Victim: Robin Hood strikes again. I fully support your suggestion that we reward the A.S.S. somehow, although I imagine his line o work requires a certain amount of anonymity, but more power to him.

]]> By: Another Victim http://bavatuesdays.com/anonymous-security-specialist/comment-page-1/#comment-69058 Another Victim Mon, 07 Apr 2008 21:48:04 +0000 http://bavatuesdays.com/anonymous-security-specialist/#comment-69058 He paid me a visit as well, and sure enough i had my links full of spam. I (hopefully) cleaned everything up and upgraded wordpress. Mister Anonymous, my offer for sending you some beer money stands. Just name your poison ;) He paid me a visit as well, and sure enough i had my links full of spam.
I (hopefully) cleaned everything up and upgraded wordpress.

Mister Anonymous, my offer for sending you some beer money stands. Just name your poison ;)

]]> By: Andre Malan http://bavatuesdays.com/anonymous-security-specialist/comment-page-1/#comment-69055 Andre Malan Mon, 07 Apr 2008 20:44:34 +0000 http://bavatuesdays.com/anonymous-security-specialist/#comment-69055 As far as XSS goes, one thing that you should ensure is never to click on any link on the front end of a multi-user blog while logged in as admin. Our "support" person on UBC blogs is going to only have "subscriber" privileges. That way if someone does hack them, they can't do something crazy like delete all the blogs. admin should only ever be logged in to administrate the back end of the blog and then quickly logged out again. As far as XSS goes, one thing that you should ensure is never to click on any link on the front end of a multi-user blog while logged in as admin. Our “support” person on UBC blogs is going to only have “subscriber” privileges. That way if someone does hack them, they can’t do something crazy like delete all the blogs. admin should only ever be logged in to administrate the back end of the blog and then quickly logged out again.
]]> By: Scott http://bavatuesdays.com/anonymous-security-specialist/comment-page-1/#comment-68969 Scott Mon, 07 Apr 2008 00:44:35 +0000 http://bavatuesdays.com/anonymous-security-specialist/#comment-68969 That sucks. If you don't upgrade it's not if but when you will be hacked. What the dude did is illegal (imagine if he broke into your office and latter emailed you to say your alarm system is faulty)... but I guess it is good that he got you to act. You might want to check out this video to see how easy it is to "hack" wordpress (or any app) if you are not careful (the examples in video could have been avoided). Part 1: http://ca.youtube.com/watch?v=WZCXIrW0xZ0 Part 2: http://ca.youtube.com/watch?v=JBpG2fie_aA I think WP is secure in general it is the plugins that scare me. Often coded by newbies with little or no knowledge of info sec. Good intro article on the topic of XSS to learn more: http://www.informit.com/articles/article.aspx?p=603037 Another on RSS injection... Zero Day Subscriptions: Using RSS and Atom Feeds As Attack Delivery Systems by: Bob Auger (Presented at Black Hat USA 2006): http://h71028.www7.hp.com/enterprise/downloads/BobAuger-RSS_Security.pdf That sucks.

If you don’t upgrade it’s not if but when you will be hacked. What the dude did is illegal (imagine if he broke into your office and latter emailed you to say your alarm system is faulty)… but I guess it is good that he got you to act.

You might want to check out this video to see how easy it is to “hack” wordpress (or any app) if you are not careful (the examples in video could have been avoided).
Part 1:
http://ca.youtube.com/watch?v=WZCXIrW0xZ0
Part 2:
http://ca.youtube.com/watch?v=JBpG2fie_aA

I think WP is secure in general it is the plugins that scare me. Often coded by newbies with little or no knowledge of info sec.

Good intro article on the topic of XSS to learn more:
http://www.informit.com/articles/article.aspx?p=603037

Another on RSS injection…
Zero Day Subscriptions: Using RSS and Atom Feeds As Attack Delivery Systems by: Bob Auger (Presented at Black Hat USA 2006):
http://h71028.www7.hp.com/enterprise/downloads/BobAuger-RSS_Security.pdf

]]> By: Reverend http://bavatuesdays.com/anonymous-security-specialist/comment-page-1/#comment-68813 Reverend Sun, 06 Apr 2008 08:46:38 +0000 http://bavatuesdays.com/anonymous-security-specialist/#comment-68813 Thanks Bill, It's nice to know people who know far more than me. And I think what you said about my focus on open source applications being vulnerable is important. I, of all people, would hate to be coming off as a pill when it comes to open source application vulnerability, so that is a much needed correction to my verbiage! I can't tell you how cool this anonymous security specialist seems to me, a much needed kick in the ass is always welcome, for as you suggest, the reverend must ride, always :) Thanks Bill,

It’s nice to know people who know far more than me. And I think what you said about my focus on open source applications being vulnerable is important. I, of all people, would hate to be coming off as a pill when it comes to open source application vulnerability, so that is a much needed correction to my verbiage!

I can’t tell you how cool this anonymous security specialist seems to me, a much needed kick in the ass is always welcome, for as you suggest, the reverend must ride, always :)

]]> By: Bill Fitzgerald http://bavatuesdays.com/anonymous-security-specialist/comment-page-1/#comment-68801 Bill Fitzgerald Sun, 06 Apr 2008 07:10:41 +0000 http://bavatuesdays.com/anonymous-security-specialist/#comment-68801 Hello, Jim, I would definitely have your ISP look at your server logs to see if anything looks out of place -- But my guess is that you got lucky with this one, and that your site was surveyed by someone who knew what they were doing and had no bad intentions -- The only danger you'd have from upgrading would be if the WP downloads were themselves compromised -- not likely at all, despite the fact that it happened last year: http://it.slashdot.org/article.pl?sid=07/03/03/0427211 RE: "how vulnerable an out-of-date open source applications" -- an out of date app is vulnerable, whether it's proprietary or Open Source -- however, when another ginormous security hole appears in Windows, we think nothing of it, because it's "normal." Yet, when an open source app patches a vulnerability, it's fodder for the FUD-sters looking to point out the insecurity of open source apps. Glad to hear you upgraded. I don't want the Reverend's digital presence going down into the hellfires, brought there by the purveyors of pill-powered tumescence. Hello, Jim,

I would definitely have your ISP look at your server logs to see if anything looks out of place —

But my guess is that you got lucky with this one, and that your site was surveyed by someone who knew what they were doing and had no bad intentions —

The only danger you’d have from upgrading would be if the WP downloads were themselves compromised — not likely at all, despite the fact that it happened last year: http://it.slashdot.org/article.pl?sid=07/03/03/0427211

RE: “how vulnerable an out-of-date open source applications” — an out of date app is vulnerable, whether it’s proprietary or Open Source — however, when another ginormous security hole appears in Windows, we think nothing of it, because it’s “normal.” Yet, when an open source app patches a vulnerability, it’s fodder for the FUD-sters looking to point out the insecurity of open source apps.

Glad to hear you upgraded. I don’t want the Reverend’s digital presence going down into the hellfires, brought there by the purveyors of pill-powered tumescence.

]]>