The Dangers of ChatRouletting

March 16th, 2010 webmaster 1 comment

Ok -- not really serious -- however if you have seen Chatroulette on the news recently but are still wondering what it’s all about (because you’re averse to trying it for yourself)… watch this guy on the piano having a go:

This made me laugh!


The next Apple iPhone – the “iPhone HD”

March 16th, 2010 webmaster No comments

I think lots of pinches of salt need to be consumed whilst watching this so-called leaked ad for the new iPhone HD! Nice work, whoever put this together and posted it on YouTube!

Personally I think the video ad is a definite fake -- but the name could be a winner -- especially as the camera will be higher res.

It does make sense to have an improved camera, and one for video use…. however one thing’s for sure: the Apple rumours will continue to grow over the next few months. Roll on later this year when the updated Apple iPhone is released!


Google – Trying very hard NOT to be EVIL!?

March 11th, 2010 webmaster No comments

In case you missed it when this aired on free-to-air Australian TV, below is the YouTube cut…

Not sure how much is fact or fiction, but it makes you pause for thought. I know lots of Google lovers out there, so it will be interesting to see what everyone thinks of this!?


The future of malware on smartphones

February 25th, 2010 webmaster No comments

As smartphones such as the iPhone, the Google Android, Nexus One etc become more and more popular (and bigger malware targets) it’s worth considering what lies ahead as far as new security threats in the next few years.

Here’s a recent video discussing what’s on the horizon (yes, a bit geeky), but you get the idea…


Keeping the baddies informed of your whereabouts – geotagging & location services

February 23rd, 2010 webmaster No comments

For those of you who love new web technology – you may already be using location services on your iPhone or Blackberry, or using geotagging with your social online tools such as Twitter.

It’s an awesome new way to keep track of where you and your friends are, however have you considered the potential dangers?  What if someone you didn’t know or trust could see your current location, and essentially know that you are NOT at home?

This week there have been a few reports of new websites which aggregate Twitter location posts and list potential targets based on their location. Take a look at PleaseRobMe.com or robmenow.com, which offer such a service.

The founders of PleaseRobMe.com claim to have built the site in order to raise awareness of the dangers of posting your location online.

“The danger is publicly telling people where you are,” a message on the site reads.  “This is because it leaves one place you’re definitely not … home.”

“The goal of this website is to raise some awareness on this issue and have people think about how they use services like Foursquare, Brightkite, Google Buzz etc,” the site explains. 

“Our intention is not, and never has been, to have people burglarised.”


Other Location Service Considerations

There are other new GPS technology offerings out there, such as Google Latitude and Apple MobileMe’s Find My iPhone service; however, these currently appear to have effective controls in place to ensure that only people you know, trust and invite can see your location.


However, we’ll have to keep an eye on these solutions to see if any cracks appear.

Apple’s Mobileme Naughtiness…

I have seen people having fun by covertly configuring someone else’s iPhone without their knowledge so that the location services for me.com are enabled. Currently you can track multiple iPhone devices using a single me.com account and view the location of all iPhones configured with the account using the Apple “Find My iPhone” service! Useful if you want to know if your colleagues are in the office or have already gone home, but also scary if someone else you don’t trust does this. The easy way to fix this is to remove the me.com account details from your phone, but you have to go looking for this.

So now you are aware of the risks of geotagging and location services – you have been warned!


Distributed WordPress Password Cracking

December 1st, 2009 webmaster No comments

Hackers have developed a new distributed WordPress admin account cracking tool which poses a severe risk for the security of blogs whose owners select insecure passwords.


In a nutshell, a new PHP script has been developed which runs brute force attacks on random WordPress sites – hosted on virtual servers. Many sites can be attacked at the same time by the system, with results written into an associated database.

The SANS Institute’s Internet Storm Centre notes that brute force attacks against WordPress are commonplace. The distributed nature of the latest attack, however, marks an evolution towards blog hacking as a web service, setting it apart from the crowd.

The interesting thing about the new script is that it allows distributed cracking. Information is saved in a MySQL database and the script actually connects directly to the main database. This allows the attacker to run many simultaneous scripts – each of them will take 200 new URLs and mark them with the brute forcer’s ID ($colo).

The script then takes every password from a password list and tries it on each site. The script can even be stopped, and when executed next time it will continue where it stopped.

“While this particular version is relatively simple, the power behind the script and the MySQL database allows the attacker to distribute the attacks not only by sites, but also by passwords tried as well,” ISC security watcher Bojan Zdrnja writes.

Blog owners and administrators are advised to use strong passwords, and to limit access by IP address as a security precaution to prevent getting pwned.
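One thing a blog owner can do on the detection side is watch the web server’s access log for bursts of login attempts. The script below is an added example written for this post; it is not the cracking script described above and not WordPress project code. It assumes the host writes the common Apache/nginx “combined” log format and that WordPress answers a failed login with HTTP 200 (the form re-rendered with an error) and a successful one with a 302 redirect. Because the attack is distributed across many source hosts, it also counts failures across all addresses in a sliding window, so a campaign that stays under the per-IP threshold can still be noticed. The log lines are constructed samples.

```python
"""Detect WordPress login brute-forcing in web-server access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format (assumption: that is what the host emits).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: two sources hammering wp-login.php (203.0.113.10 and
# 198.51.100.7) plus one legitimate user (192.0.2.33) who logs in normally.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Dec/2009:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Dec/2009:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Dec/2009:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Dec/2009:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Dec/2009:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Dec/2009:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Dec/2009:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Dec/2009:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Dec/2009:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Dec/2009:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Dec/2009:10:00:12 +0000] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
192.0.2.33 - - [01/Dec/2009:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3400 "-" "Mozilla/5.0"
192.0.2.33 - - [01/Dec/2009:10:05:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def failed_logins(lines):
    """Yield (ip, datetime) for each POST to wp-login.php that did not redirect.

    Assumption: a bad password re-renders the form with HTTP 200, while a
    successful login answers with a 302 redirect into wp-admin.
    """
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        if m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        if m["status"] != "200":
            continue
        yield m["ip"], datetime.strptime(m["ts"], TS_FMT)


def max_in_window(timestamps, window_seconds):
    """Largest number of events that fall inside any window of window_seconds."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end, t in enumerate(ts):
        while (t - ts[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_bruteforce(lines, window_seconds=60, per_ip_threshold=5, total_threshold=8):
    """Return (flagged_ips, peak_total, distributed_alert).

    flagged_ips maps an address to its peak failures per window when that peak
    reaches per_ip_threshold; peak_total is the peak across *all* addresses,
    which is what catches a distributed run that spreads guesses over many hosts.
    """
    per_ip = defaultdict(list)
    for ip, t in failed_logins(lines):
        per_ip[ip].append(t)
    flagged = {}
    for ip, ts in per_ip.items():
        peak = max_in_window(ts, window_seconds)
        if peak >= per_ip_threshold:
            flagged[ip] = peak
    all_ts = [t for ts in per_ip.values() for t in ts]
    peak_total = max_in_window(all_ts, window_seconds)
    return flagged, peak_total, peak_total >= total_threshold


if __name__ == "__main__":
    flagged, peak_total, distributed = detect_bruteforce(SAMPLE_LOG.splitlines())
    for ip, n in flagged.items():
        print(f"{ip}: {n} failed logins in one window -> candidate for IP block")
    print(f"peak failures across all sources: {peak_total}, distributed alert: {distributed}")
```

Run against a real log with `detect_bruteforce(open("access.log"))`; the addresses it flags are the natural input for the IP-based blocking the post recommends, and the total-peak alert is the cue to tighten the per-IP threshold or put wp-login.php behind an allow-list.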


Cisco Release Security Intelligence Operations (SIO) iPhone App

November 25th, 2009 webmaster No comments

Cisco have recently released a free iPhone app that allows users to view customised alerts relating to new security threats and other information for safe web browsing.

The iPhone app, which is now available in the Apple iTunes store, provides information about new malware signatures, bulletins for how to mitigate against threats, ways to see if particular web sites are compromised, as well as links to podcasts and videos.


The Cisco SIO To Go iPhone app gets its information from the company’s Security Intelligence Operations (SIO) system which gathers information in real time from 700,000 sensors located at customer sites, ISPs, and other sites around the world.

The data from the disparate sources allows Cisco engineers to do threat correlation to detect Internet attacks and spam campaigns.

The app is designed for professionals and security geeks, not the average consumer, said Michael Weir, Cisco security marketing director.

Download by searching the iPhone app store for “Cisco SIO”.


Microsoft confirms first Windows 7 Zero Day

November 17th, 2009 webmaster No comments

On Friday, Microsoft confirmed that an unpatched vulnerability exists in Windows 7, but is keeping the issue low key, saying most users may be protected from attack by blocking two ports at the firewall.


The vulnerability was initially reported by researcher Laurent Gaffie last Wednesday, when he disclosed details of the bug and posted proof-of-concept attack code on his blog. According to Gaffie, exploiting the flaw completely grinds Windows 7 and Server 2008 R2 to a halt, and the only way to recover is to manually power off the impacted computer. Anyone else tried this yet to confirm?

When this was first publicised, Microsoft only indicated that it was looking into the issue. It has since been confirmed: in a recent security advisory, Microsoft acknowledged that a bug in Server Message Block (SMB), a network file and print sharing protocol, could be used by attackers to cripple Windows 7 and Windows Server 2008 R2 machines.

Microsoft said it will patch the issue, but has not provided details of the timeframe or any commitment to an out-of-cycle update.

The next scheduled patch Tuesday is December 8th 2009.

For now, Microsoft has suggested users block TCP ports 139 and 445. Doing so may cause further problems for critical services, including network file sharing and IT group policies.

In Microsoft’s defence, although this is not good news, it is worth noting that far fewer issues are being discovered compared to the initial days of XP.

Let’s hope that the Windows 7 product remains as secure as Microsoft have advertised.


Securing Your WordPress Website

November 9th, 2009 webmaster No comments

If, like me, you are hosting your own installation of WordPress for your online blog site, you may have some concerns about keeping your install up-to-date and as secure as possible.

Unfortunately the reality is that there have been a number of serious security vulnerabilities found with WordPress recently, and as a result a number of people have had their web sites hacked, and defaced. I personally know of a number of people who have been directly impacted over the past few months.

As social online media becomes more and more popular, celebs and high profile company executives are often looking to host their own blogs or sites. Additionally, the functionality that WordPress and its plug-ins can provide has become a very attractive and popular solution, especially when most web hosting companies provide WordPress as a standard offering as part of their hosting service. Hence there are all sorts of WordPress hosted websites which are considered easy pickings and potential targets for hackers intent on breaking into and defacing them, mainly because they are not managed or maintained from a maintenance / security perspective.


For anyone who is currently hosting their website on WordPress, or anyone with a corporate or high profile presence, when it comes to security you just need to ask yourself two simple questions:

1. Would you be embarrassed if your web site was hacked and / or defaced?

2. If your site was hacked, would it impact your personal brand / reputation or your company’s brand / reputation?

Some people may not care, however the majority respond with a firm “YES”, so obviously security is a major consideration for most people out there.

It’s not that hard to protect a WordPress site. It comes back to the process of regularly reviewing and plugging any holes, to minimise the potential for a person of malicious intent finding vulnerabilities to exploit.

WordPress Updates

WordPress have released a number of updates over the last few months to fix the vulnerabilities found; however, like any platform or product with a large following or user base, its popularity means there are a lot of bad guys focused on finding more holes.

Check the WordPress web site for further details.

Security Recommendations:

Below are a few key points and recommended plug ins which I’d suggest you follow if you want to protect your WordPress installation:

1. Make sure your WordPress installation is up-to-date, and when a new fix is made available, update as soon as possible, obviously making sure you perform a full backup prior to doing so. Vulnerabilities are often found that enable the bad guys to create and use exploits in order to gain access to your web site. By ensuring your version of WordPress is up-to-date, you are minimising the potential vulnerability exposure.

2. Ensure that any WordPress plug-ins are up-to-date also. Same logic as per the point above.

3. I’d recommend that you give some thought to the WordPress plugins you use, in order to further minimise the potential exposure. Only use plugins that provide additional features if you really, really need them. e.g. you might have a requirement to remotely administer your site via an iPhone using an additional plug-in. How secure is this functionality and its related plug-in? Would it be better to just use the more secure browser based functionality?

4. For any functionality or plug-ins accepting user input, ensure you use plug-ins that provide full input validation, blacklisting, IP blocking etc. Actively block iFrames, which helps minimise the usual techniques applied to input fields to prevent misuse. Also ensure you use a spam filter (see plug-ins below) so you can review and authorise feedback / comments prior to them appearing on your site… useful if you have friends or colleagues who are security professionals trying to fun-deface your web site!!

5. There are several security related plug-ins which help to minimise the potential security exposure. I’d highly recommend the following plugins. Note to my colleagues and friends who often try to hack my site: this is not a “complete” list of the plug-ins I personally use, but some of the core ones that I know, use and recommend to others:

reCAPTCHA Form

Secure WordPress

WordPress Exploit Scanner

WP_reCAPTCHA

WP_SpamFree

WP_Security Scan

There are a few more things you can do to fully protect your WordPress install, including the hosting operating system and database it sits on. I don’t want to bore you with these details, but for those who are serious about security, you are hopefully aware that there’s a bit more that can be done.
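Points 1 to 3 above boil down to a check you can script: is the core at or above the version you want, is every installed plug-in one you actually approved, and is each approved plug-in at or above the version you last vetted? The script below is an added example for this post, not WordPress project code. It relies on two things WordPress really does keep on disk: the `$wp_version` string in `wp-includes/version.php` and the `Plugin Name:` / `Version:` lines in each plug-in’s file header. The file contents, plug-in names and minimum versions below are constructed samples (the 2.8.5 core minimum is the release discussed elsewhere on this site); on a real install you would read the files from `wp-includes/` and `wp-content/plugins/` and keep the approved list yourself.

```python
"""Audit a self-hosted WordPress install's core and plug-in versions (added example)."""
import re

# $wp_version = '2.8.5';  -- the line WordPress keeps in wp-includes/version.php
CORE_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")
# "Plugin Name:" and "Version:" lines of the standard plug-in file header
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Version):\s*(.+?)\s*$", re.M)

# Constructed sample inputs: a slightly stale core and three plug-in headers.
VERSION_PHP = "<?php\n$wp_version = '2.8.4';\n"
PLUGIN_FILES = {
    "example-contact-form/example-contact-form.php":
        "<?php\n/*\nPlugin Name: Example Contact Form\nVersion: 1.4.2\n*/\n",
    "old-gallery/old-gallery.php":
        "<?php\n/*\nPlugin Name: Old Gallery\nVersion: 0.9\n*/\n",
    "mobile-admin/mobile-admin.php":
        "<?php\n/*\nPlugin Name: Mobile Admin\nVersion: 2.0\n*/\n",
}
MIN_CORE = "2.8.5"
# Plug-ins you decided you really need, each with the lowest version you accept.
APPROVED = {"Example Contact Form": "1.4.2", "Old Gallery": "1.0"}


def parse_version(text):
    """'2.8.5' -> (2, 8, 5). Trailing non-numeric parts ('1.2-beta') are dropped,
    and tuple comparison keeps 2.10 above 2.8.5 where a string compare would not."""
    parts = []
    for piece in re.split(r"[.\-]", text.strip()):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def core_version(version_php):
    m = CORE_RE.search(version_php)
    if not m:
        raise ValueError("no $wp_version found in version.php")
    return m.group(1)


def plugin_header(plugin_php):
    """Return (plugin name, version) from a plug-in's header comment; None if absent."""
    fields = dict(HEADER_RE.findall(plugin_php))
    return fields.get("Plugin Name"), fields.get("Version")


def audit(version_php, plugin_files, min_core, approved):
    """Return a list of human-readable findings; an empty list means all clear."""
    findings = []
    core = core_version(version_php)
    if parse_version(core) < parse_version(min_core):
        findings.append(f"core {core} is older than {min_core}: upgrade (after a full backup)")
    for path, text in plugin_files.items():
        name, ver = plugin_header(text)
        if name not in approved:
            findings.append(f"{path}: plugin '{name}' is not on the approved list: remove it")
        elif ver is None or parse_version(ver) < parse_version(approved[name]):
            findings.append(f"{path}: '{name}' {ver} is older than {approved[name]}: update it")
    return findings


if __name__ == "__main__":
    for finding in audit(VERSION_PHP, PLUGIN_FILES, MIN_CORE, APPROVED) or ["all clear"]:
        print(finding)
```

Running it on the sample data reports the stale core, the out-of-date gallery plug-in and the unapproved remote-admin plug-in; cron it against the real directories and the output becomes the to-do list for points 1 to 3.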

Get in touch with me direct via my contact page if you need any further info or advice.


WordPress 2.8.5: Time to upgrade to the hardened release

October 27th, 2009 webmaster No comments

For all you bloggers out there using WordPress on your own hosted site… it’s time to upgrade to WordPress version 2.8.5 to ensure you are protected against a number of security vulnerabilities.


Many of you may be aware of a number of security issues with previous versions of WordPress, so it is increasingly important to ensure you are running the latest version.

Backup Backup Backup!

One piece of advice if you are upgrading your version of WordPress: ensure you back up your entire site, as occasionally there are problems with the upgrade process, especially if you are running untested plugins, tools or themes.

The autoupgrade seems to work very well for most plugins or WordPress upgrades, however it’s generally better to do it manually and include creating a full backup.
