My Security Planet » Items by DK

Feeds

13620 items (0 unread) in 75 feeds

• Jeremy Zawodny's blog
• Mozilla Webdev
• Transcendental Technical Travails
• Ian Bicking: a blog
• Hackosis

WebSecurity

• Watchfire Application Security Insider
• BlogSecurity
• sirdarckcat
• Google Online Security Blog
• CGISecurity.com: Your Web Site and Application Security Resource
• Switch/Twitch
• mybeNi websecurity
• cat slave diary
• SecuriTeam Blogs
• Curiouser and Curiouser
• Alex's Corner
• Billy (BK) Rios
• Chris Shiflett
• christian's weblog
• funkatron.com
• GNUCITIZEN
• The Spanner
• hackademix.net
• Ruby on Rails Security Project
• It's a shampoo world anyway
• Web Security Blog
• ha.ckers.org web application security lab
• Yet Another Infosec Blog
• PHP Security Blog
• Security Thoughts
• Sunnet Beskerming Security Advisories
• Disenchant's Blog
• Sylvan von Stuppe
• Larholm.com
• The Turkey Curse
• Jeremiah Grossman
• Anurag Agarwal - Application Security Evangelist
• Ivan Ristic
• deep inside | security & tools
• omg.wtf.bbq.
• BlueHat Security Briefings
• Tactical Web Application Security
• .:Computer Defense:.

Security

• tssci security
• Plynt Penetration Testing Blog
• Michael Howard's Web Log
• Security Retentive
• BindShell.Net
• Dominic White's .tHE pRODUCT
• SecurityFocus News
• Justice League
• Schneier on Security
• Rational Survivability
• terminal23
• 1 Raindrop
• hiredhacker.com
• Matasano Chargen
• Security Vulnerability Research & Defense
• Michael on Security - Musings on Information Security
• Fortify blog
• The Art of Software Security Assessment
• GDS Security Blog
• Vodun.org
• Robert Penz Blog
• Mark Curphey - SecurityBuddha.com
• Liminal states
• Security Ripcord
• ModSecurity Blog
• IBM Internet Security Systems Frequency X Blog
• Suspekt...
• extern blog SensePost;
• Zero in a bit

SEO

• SEO BlackHat: Black Hat SEO Blog
• busin3ss.name

Tools

• Opensourcetesting.org News

Items by DK

BlogSecurity

• 

  WordPress Trackback < 2.8.5 Denial of Service

  Posted: January 12th, 2010, 4:00pm CST by DK

  Tags:  Advisories   [edit]

  If you are running WordPress < 2.8.5 and finding your blog inaccessible at times this post may be for you. A denial of vulnerability was released back in Oct 2009 that affects < WordPress 2.8.5. The exploit sends a continuous stream of POST requests with overly large blog titles to wp-trackback.php. This could result in the [...]
• 

  Distributed WordPress Password Guessing

  Posted: December 8th, 2009, 5:00pm CST by DK

  Tags:  Advisories   [edit]

  One of The Internet Storm Center readers recently discovered a malicious WordPress hacking script. The script is nothing more then a password guessing tool. However, what makes it unique — as pointed out by ISC, is the fact that it uses a MySQL database backend to store password attempts. This means the script could be executed [...]
• 

  BlogSecurity Upgrade and Move

  Posted: December 8th, 2009, 4:32pm CST by DK

  Tags:  News   [edit]

  Hey guys, we had loads of emails recently regarding wp-scanner just not working. Unfortunately, our old hosting company performed an upgrade which broke our DNS and configurations. To add insult to injury we were also in the process of moving to a new server at a new provider so things have been an utter a [...]
• 

  BlogSecurity Move Planned

  Posted: December 8th, 2009, 1:27pm CST by DK

  Tags:  News   [edit]

  Hey guys, unfortunately, my hosting provider recently made some changes and its broken stuff. I’ve had loads of emails from people letting me know that wp-scanner is not working. Thanks for these! Most of the emails go something like this: wp-scanner keeps telling me [DNS] enter correct URL (something like that). This is a result of the [...]
• 

  WordPress

  Posted: August 11th, 2009, 10:02am CDT by DK

  Tags:  Advisories   [edit]

  An exploit has been released for all current versions of WordPress including WordPress
• 

  Critical IPhone SMS Vulnerability

  Posted: August 11th, 2009, 9:48am CDT by DK

  Tags:  Alerts   [edit]

  Apple is releasing a critical patch on Saturday to address a recent vulnerability that was demonstrated at the infamous Blackhat hacking conference. Charlie Miller, a consultant with Independent Security Evaluators, and Collin Mulliner, a PhD student at the Technical University of Berlin, presented the details of the vulnerability at the Black Hat Security Conference in Las [...]
• 

  WordPress 2.8.3 Fixes Security Holes

  Posted: August 4th, 2009, 4:43pm CDT by DK

  Tags:  Advisories   [edit]

  If you haven’t already done so, we’d stongly recommend upgrading to WordPress 2.8.3. Also, the WordPress 2.0.x branches are now deprecated (a bit earlier then expected) and will therefore no longer be maintained. [Link] Unfortunately, I missed some places when fixing the privilege escalation issues for 2.8.1. Luckily, the entire WordPress community has our backs. [...]
• 

  WordPress Plugin DM Albums 1.9.2 vulnerabilities

  Posted: July 1st, 2009, 8:33am CDT by DK

  Tags:  Advisories   [edit]

  DM Albums™ is an inline photo album/gallery plugin that displays high quality images and thumbnails perfectly sized to your blog. Two vulnerabilities have been made public: 1. Stack released  a “remote file disclosure vulnerability” (Low-Medium Risk Level) 2. Septemb0x released a “remote file include vulnerability” (Critical Risk Level) An attacker could use these vulnerabilities to potentially gain full access [...]
• 

  WordPress Plugin Related Sites 2.1 Blind SQL Injection Vulnerability

  Posted: July 1st, 2009, 8:26am CDT by DK

  Tags:  Advisories   [edit]

  A critical vulnerability has been discovered in the WordPress Plugin Related Sites plugin. An exploit is available in the wild and available on Milw0rm, making this attack easier to exploit. Although, the vulnerability says that version 2.1 is vulnerable. You should assume previous versions are vulnerable as well. BlogSec have confirmed that the current version (at the [...]
• 

  Critical phpMyAdmin Vulnerabilities Discovered

  Posted: June 10th, 2009, 3:49pm CDT by DK

  Tags:  News   [edit]

  A number of bloggers and web site owners use phpMyAdmin for easy database administration. Two critical vulnerabilities have been discovered that could be used to gain full access to the affected server. Exploits have already been made publicly available, see GNUCITIZEN for an example: http://172.16.211.10/phpMyAdmin-3.0.1.1//config/ config.inc.php?p=phpinfo(); Description Setup script used to generate configuration can be fooled using a crafted POST [...]
• 

  Blogs and tweets in a moving business trend part1

  Posted: June 10th, 2009, 8:13am CDT by DK

  Tags:  News   [edit]

  Avoid popularity if you would have peace – Abraham Lincoln Mozilla started a blog back in 2008, after breaking the  guiness world records for the most downloads in 24 hours. Can anyone guess what blogging platform they are using? Yes you probably guessed it if you read the title of this post. Mozilla stands out with a few [...]
• 

  Tiananmen Square continues to bleed hope for freedom of speech

  Posted: June 5th, 2009, 3:13pm CDT by DK

  Tags:  Articles   [edit]

  “internet interprets censorship as damage and routes around it.” – EFF co-founder John Gilmore 2005, Yahoo provides information that helped Chinese officials convict a journalist accused of leaking state secrets. Apparently, Shi Tao, a 37-year-old writer for the Dangdai Shang Bao, released a “state secret” which contained a message to Shi’s newspaper warning journalists of the [...]
• 

  WordPress Install Files Security Risk

  Posted: May 8th, 2009, 8:35am CDT by DK

  Tags:  News   [edit]

  Jeff Starr over at Perishable Press has discovered a way to hack a WordPress blog in rare cases where the installation files have been left behind and the database is in accessible: The other day, my server crashed and Perishable Press was unable to connect to the MySQL database. Normally, when WordPress encounters a database error… The [...]
• 

  Twitter Web Worm Causes Havoc

  Posted: April 14th, 2009, 10:33am CDT by DK

  Tags:  News   [edit]

  Update: Apparently a bunch of variant worms are doing the rounds that circumvent Twitter’s recent patch to fix the problem. I’d be cautious using Twitter over the next couple weeks, see protection guidelines below or at this link. Teen exploits Twitter A 17 year-old has claimed credit for releasing a Cross Site Scripting worm that infected hundreds [...]
• 

  Facebook Faces Big Brother Monitoring

  Posted: March 25th, 2009, 4:02am CDT by DK

  Tags:  News   [edit]

  Millions of Britons who use social networking sites could be  having their accounts “secretly” monitored in the near future. Kelly was responding to a speech made by Home Office security minister Vernon Coaker on 18 March at a meeting of the House of Commons Fourth Delegated Legislation Committee. Coaker said the EU Data Retention Directive, which [...]
• 

  WordPress MU < 2.7 Cross Site Scripting Vulnerability

  Posted: March 19th, 2009, 3:32am CDT by DK

  Tags:  Advisories   [edit]

  Cross Site Scripting Vulnerability Juan Galiana Lara has released details regarding a vulnerability that affects WordPress MU versions < 2.7. Version 2.7 is NOT affected according to the advisory. So if you have upgraded to 2.7 you can ignore this advisory. Vulnerability Details WordPress MU prior to version 2.7 fails to sanitize the Host header correctly in choose_primary_blog function [...]
• 

  How to Firewall Your WordPress Blog

  Posted: March 5th, 2009, 4:22am CST by DK

  Tags:  Articles   [edit]

  You already know to use a decent password for your blog, but brute-force or dictionary attacks aren’t the only attacks used against bloggers. It’s much cheaper and faster to exploit software flaws, and that the hackers do. A programmer’s oversight may allow a hacker to gain access to your blog to insert spyware, [...]
• 

  Guvnr 10 Steps to Secure WordPress Video

  Posted: March 2nd, 2009, 6:29pm CST by DK

  Tags:  News   [edit]

  Guvnr has released a really detailed article securing a blog using our WordPress Security Whitepaper (which is due for an update soon). The article is titled, "10 tips to make wordpress hack proof". Has a nice ring to it. In addition to this, Guvnr has put together a very cool video which takes one through the [...]
• 

  Twitter Vulnerability History

  Posted: February 17th, 2009, 7:45am CST by DK

  Tags:    [edit]

  More and more bloggers are using Twitter as a micro-blog service. In Twitter’s words: Twitter is a service for friends, family, and co–workers to communicate and stay connected through the exchange of quick, frequent answers to one simple question: What are you doing? Its interesting to me to compare vulnerabilities discovered in different web 2.0 frameworks. Can [...]
• 

  3 Tips to Avoid Dangerous Themes and Plugins

  Posted: February 9th, 2009, 8:10pm CST by DK

  Tags:  Articles   [edit]

  We all love how easy it is to install plugins and themes but how do we know there is no hidden jack in the box waiting to pop out? Viruses, worms and backdoors could be embedded into any theme or plugin and uploaded to the Internet for public consumption. Here are three easy to use ideas [...]
• 

  WordPress Developer Notes

  Posted: February 5th, 2009, 4:44pm CST by DK

  Tags:  Articles   [edit]

  Introduction WordPress scanner is a free online resource that blog administrators can use to provide a measure of their wordpress security level. It is BETA software and is continually being developed. If you have landed here directly we suggest starting at the wp-scanner launch page. This page is part of a group of pages discussing various aspects of [...]
• 

  WordPress Scanner FAQ

  Posted: February 5th, 2009, 4:12pm CST by DK

  Tags:  Articles   [edit]

  Introduction WordPress scanner is a free online resource that blog administrators can use to provide a measure of their wordpress security level. It is BETA software and is continually being developed. If you have landed here directly we suggest starting at the wp-scanner launch page. This page is part of a group of pages discussing various aspects of [...]
• 

  WordPress Scanner Next-Gen Released

  Posted: February 2nd, 2009, 6:23pm CST by DK

  Tags:  News   [edit]

  Here it is!!! Its been a long and exciting week. Not only are we experiencing the most severe snow in Kent but I’ve finally managed to role out the massively improved WordPress vulnerability scanner. It can also be accessed using the menu link above, “WordPress Scanner”. It is a complete re-write of the old scanner. I’ve not [...]
• 

  Are Political Blogs More Likely to Get Hacked?

  Posted: January 26th, 2009, 6:14pm CST by DK

  Tags:  Reflections   [edit]

  A website defacement is an attack on a website that changes the visual appearance of the site. These are typically the work of system crackers, who break into a web server and replace the hosted website with one of their own. - wikipedia Web site defacements stretch back to the birth of the Internet and continue [...]
• 

  Old WP-Forum Vulnerability Gets Disclosed

  Posted: January 26th, 2009, 6:14pm CST by DK

  Tags:  Advisories   [edit]

  An vulnerability for Fredrik Fahlstad’s WP-Forum Plugin has been made public on milw0rm. The exploit appears to affect an older version (1.7.8) of the popular WordPress plugin. The plugins homepage is already on version 2.2. This means this vulnerability was probably discovered shortly after the initial version 1.7.4 vulnerability reported by BlogSecurity in early 2008. As [...]
• 

  Twitter gets hacked with poor passwords

  Posted: January 20th, 2009, 5:30am CST by DK

  Tags:  Articles   [edit]

  Last week wired reported Twitter users falling prey to a password brute force attack. Yes you read correctly, a password brute force attack. Wired: An 18-year-old hacker with a history of celebrity pranks has admitted to Monday’s hijacking of multiple high-profile Twitter accounts, including President-Elect Barack Obama’s, and the official feed for Fox News. The hacker, who goes [...]
• 

  DNS dot DDoS Attack targetting the Internet

  Posted: January 20th, 2009, 4:47am CST by DK

  Tags:  Reflections   [edit]

  I was running tcpdump earlier this week when I noticed some odd entries queries to BlogSecurity’s DNS servers: $ sudo tcpdump port 53 10:35:29.560870 IP 69.50.142.110.50928 > blogsecurity.domain: 43135+ NS? . (17) 10:35:29.561302 IP blogsecurity.domain > 69.50.142.110.50928: 43135- 13/0/14 NS C.ROOT-SERVERS.NET.,[|domain] 10:35:31.037729 IP 76.9.16.171.10435 > blogsecurity.domain: 58781+ NS? . (17) 10:35:31.038201 IP blogsecurity.domain > 76.9.16.171.10435: 58781- [...]
• 

  Server updates currently underway

  Posted: January 18th, 2009, 10:17am CST by DK

  Tags:  News   [edit]

  Please note we are currently doing admin work on the server and DNS records. If you are unable to access the site at one point or another, please try again later. Thanks, BlogSec Team
• 

  WordPress Security Predictions in 2009

  Posted: January 15th, 2009, 4:36am CST by DK

  Tags:  News   [edit]

  Okay, deep breath, in 2008, we saw Cross-Site Scripting, SQL injection, SQL truncation, Cookie generation weaknesses, Directory Traversal, Arbitrary File Uploads and Cross Site Request Forgery attacks, to name a few? A mouth full but it made for a very interesting 2008 case study of security developments in a popular open source PHP application. The WordPress core [...]
• 

  WordPress

  Posted: January 8th, 2009, 8:35am CST by DK

  Tags:  Advisories   [edit]

  Jeremias Reith has published the advisory to Bugtraq which includes a proof of concept exploit that may allow an unauthenticated attacker access to your blog. Product affected: WordPress Version(s):
• 

  WordPress 2.6.2 Snoopy Vulnerability

  Posted: November 1st, 2008, 10:56am CDT by DK

  Tags:  Advisories   [edit]

  WordPress announced the following vulnerability in WordPress 2.6.2: A vulnerability in the Snoopy library was announced today.  WordPress uses Snoopy to fetch the feeds shown in the Dashboard. Although this seems to be a low risk vulnerability for WordPress users, we wanted to get an update out immediately. 2.6.3 is available for download right now. If [...]
• 

  WordPress 2.6.1 Weak Entropy Vulnerability

  Posted: September 11th, 2008, 5:08am CDT by DK

  Tags:  Advisories   [edit]

  iso^kpsbr has discovered a vulnerability that may allow an external attacker to gain admin access to WordPress 2.6.1.

  WordPress is prone to a weakness in the entropy of generated passwords. Successfully exploiting this issue may allow an attacker to guess randomly generated passwords. WordPress 2.6.1 is vulnerable; other versions may also be affected.

  The original advisory and proof of concept exploit is available on securityfocus.

  

  
• 

  Acunetix Advanced Web Vulnerability Scanner Review

  Posted: August 18th, 2008, 6:27pm CDT by DK

  Tags:  Reflections   [edit]

  As some of you may know, our wp-scanner project looks for common WordPress XSS issues but what about testing more advanced web sites and/or CMS (content management systems)?

  Acunetix is one of the leading commercial web applicaton vulnerability scanners on the market. The reason I mention it (other then the fact that they are one of our sponsors) is that they provide a free XSS scanner - which my work collegue describes as "awesome". So if you have enjoyed wp-scanner or have a site you’d like testing for Cross-Site Scripting vulnerabilities I’d strongly recommend giving it a go.

  For those of you looking for the full monty, Acunetix provides a reasonably priced full-featured web vulnerability scanner which I have used on a number of occasions and found extremely useful. I especially like the WSDL enumeration and testing (web services), SQL Injection fuzzer and the fact that version 5 is built around helping sites achieve the PCI standard. The interface is also very neat and extremely easy to use.

  Check out some of the screen shots:

  
  

  If you interested in more information go check out the latest version 5 features and tools.

  

  
• 

  WordPress Pwnie Awards

  Posted: August 13th, 2008, 10:08am CDT by DK

  Tags:  News   [edit]

  The Pwnie Awards, an ‘annual awards ceremony celebrating and making fun of the achievements and failures of security researchers and the wider security community’.

  It seems like hardly a week goes by without a new vulnerability in WordPress or one of its many plugins. Many of them are actively being exploited to own popular WordPress blogs and use them to serve spam or client-side exploits to unsuspecting visitors. The popularity of WordPress combined with the abysmal security practices of WordPress plugin developers places the entire Internet at risk and is worthy of a nomination.

  More info at pwnie-aware.org.

  

  
• 

  WP Contact-Form Vulnerabilities

  Posted: August 13th, 2008, 10:03am CDT by DK

  Tags:  Advisories   [edit]

  WP Contact Form is a very popular WordPress plugin.

  Mustlive has reported a number of vulnerabilities which you can view at his web page here.

  According to the plugin authors page, the latest version is 3.1.8. We went ahead and downloaded a copy to have a look. The actual contact form page that your users see is not vulnerable to these attacks. However, the "/wp-admin/admin.php?page=wp-contact-form
  /options-contactform.php" is vulnerable.

  Please note at the time of writing this article all versions appear affected (<=3.1.8). We recommend disabling this plugin until a fix can be provided.

  

  
• 

  AskApache WordPress Hardening Plugin

  Posted: August 7th, 2008, 4:48pm CDT by DK

  Tags:  Plugin Reviews   [edit]

  BlogSecurity released a popular article last year titled "Hardening WordPress with htaccess". It provided basic, yet effective techniques to harden a WordPress blog install.

  Using Apache’s mod_rewrite allows us to perform basic filtering and application firewalling. AskApache is pushing mod_rewrite boundaries to the limits with a cool plugin that will allow automated anti-hack/spam htaccess rules.

  The plugin looks like a great tool for the more tech-savvy blog user. I say tech-savvy because the plugin requires tweaking on upgrades and may require adjustments specific to your needs, however an interesting project to keep an eye on nonetheless. My personal approach would be to utilise ModSecurity which is much more powerful then mod_rewrite and which can be applied at the web server layer rather then having to have custom rules for each WordPress install.

  

  
• 

  WP Downloads Manager 0.2 Remote File Upload

  Posted: August 7th, 2008, 4:21pm CDT by DK

  Tags:  Advisories   [edit]

  The Wp Downloads Manager module is a plugin for WordPress.

  Wp Downloads Manager is prone to a vulnerability that lets attackers upload and execute arbitrary code. This issue occurs because the application fails to sufficiently sanitize user-supplied file extensions before uploading files onto the webserver via the ‘upload.php’ script.

  Successfully exploiting this issue will allow attackers to upload and execute arbitrary PHP code within the context of the webserver process. This may allow an attacker to compromise the application and the underlying system; other attacks are also possible.

  Wp Downloads Manager 0.2 is vulnerable; other versions may also be affected.

  Affected Products:

  Giulio Ganci Wp Downloads Manager 0.2

  References:

  Giulio Ganci: Wp Downloads Manager Homepage

  An exploit has been made available on Milw0rm and is publically available.

  Credits:

  Thanks to MustLive for informing us of this issue.

  More information is available at [www.juniper.net]

  

  
• 

  BlogSecurify Service Launched!

  Posted: June 23rd, 2008, 9:23am CDT by DK

  Tags:  News   [edit]

  Well the time has finally arrived! We are psyched to notify our readers, that the day has finally arrived! The initial version of the BlogSecurify project designed by GNUCITIZEN and BlogSecurity teams is now ready for testing.

  This is only the initial release but knock yourselves out! We hope this new framework will allow us to expand the service to new heights, testing multiple blog types and versions. Its modular, its fast and its powerful and supports caching!

  >>Launch BlogSecurify Next Generation!

  Note: The old wp-scanner project will still remain active until we feel that BlogSecurify has reached a level that we are happy with, but for now, enjoy!

  

  
• 

  BlogSecurify Demo Video!

  Posted: June 9th, 2008, 4:05am CDT by DK

  Tags:  News   [edit]

  You guys are going to love our new wp-scanner and blog security testing service! We’ll be adding loads more tests and support multiple blog types not just WordPress.

  Hint: Wear your earphones when watching this video to get the full vibe.

  

  
• 

  Comprehensive Vulnerability Scanner

  Posted: May 17th, 2008, 1:02pm CDT by DK

  Tags:  News   [edit]

  BlogSecurity have been discussing merging the wp-scanner project with GNUCITIZEN to provide a more comprehensive vulnerability scanning solution.

  At the moment, the WordPress vulnerability scanning will be free, however, premium services will be available to scan your entire web server for known vulnerabilities. The premium service as it stands will allow you to scan mail services, web services and much more. This means we’ll be able to provide you with a more comprehensive vulnerability scanner then just your WordPress installation. We may have to charge a small fee for the premium service to cover bandwidth costs, but wp-scanner will remain free.

  Nothing is set in stone at this time but we wanted to give you guys a chance to provide your ideas and feedback before finalising any plans. Aren’t we thoughtful? Speak now or forever hold your peace.

  

  
• 

  Vulnerability Hidden in Blog

  Posted: May 12th, 2008, 3:34am CDT by DK

  Tags:  News   [edit]

  Aviv Raff, an Israeli security researcher has made an unpatched Internet Explorer 7 & 8 vulnerability public by hiding it on his blog.

  Creating a vulnerability treasure hunt on your blog is one technique you wont find in any SEO book. We assume this is a publicity stunt, especially as an exploit of this caliber could potentially earn thousands if sold to ZDI or others.

  

  
• 

  Identity Theft 101

  Posted: May 6th, 2008, 4:56pm CDT by DK

  Tags:  Reflections   [edit]

  I phoned my bank to activate my card the other day. The automated voice required a date of birth and the number of digits in my Mother’s maiden name. Lets assume an attacker can get this information, lets be realistic, what could really happen?

  Lets explore some ideas of what an attacker could do with enough information about you:

  • apply for a credit card in your name;
  • open a bank or building society account in your name;
  • apply for other financial services in your name;
  • run up debts (e.g. use your credit/debit card details to make purchase) or obtain a loan in your name;
  • apply for any benefits in your name (e.g. housing benefit, new tax credits, income support, job seeker’s allowance, child benefit);
  • apply for a driving licence in your name;
  • register a vehicle in your name;
  • apply for a passport in your name; or
  • apply for a mobile phone contract in your name.

  The latest estimate is that identity fraud costs the UK economy £1.7 billion. Thats billion NOT million.

  More information is available at Home Office Identity Theft web site.

  

  
• 

  Facebook Top 8 Security Tips

  Posted: May 5th, 2008, 2:09am CDT by DK

  Tags:  Articles   [edit]

  This article discusses some simple, easy to follow steps to increase your personal security on Facebook.

  1. Golden Rule - Assume that the personal information and photos you display are publicly available and now just available to specific friends.
  2. Strong Passwords - It may seem obvious but make sure you use a strong password for your account. Also, I’d suggest not using that password you use for everything else, you know what I’m talking about.
  3. Secure your birth date - Birth dates are often required to validate our identity. Under Profile, you can choose to not display your birthday or alternatively you can choose not to display your year of birth.
  4. Privacy Profile Settings - We suggest setting the Profile Privacy > Basic to "only me" for items: Education Info, Work Info and Profile Privacy > Contact Information to "no one" for items: Mobile Phone, Land Phone, Current Address, Email. You may want to display your website address for advertising.
  5. Privacy Application Settings - Each Facebook application has similar settings to those of the Privacy settings. New applications are being added everyday. Its difficult to define a set policy. However, we suggest you remove any unwanted applications and/or limit there settings as required.
  6. Privacy Search Settings - Depending on your use of Facebook, you may not want to be publicly visible or you may want to limit what information is available to all users (i.e. your picture, friend list etc). We recommend changing the search settings from "everyone" to "friends of friends". You may also want to untick "view your friends list".
  7. Privacy News Feed and Mini-Feed Settings - Control what stories about you get published to your profile and to your friends’ News Feeds. You may not want to display information such as joined groups etc. Although, I don’t know how much privacy this offers as friends can view your groups anyway.
  8. Joining Groups & Networks - be cautious when joining groups. All users of a group will be permitted to see your profile data. Although, there may be a setting somewhere that restricts this as I did find some accounts that I could not access.

  

  
• 

  Feedburner Awareness API

  Posted: May 1st, 2008, 8:47am CDT by DK

  Tags:  Reflections   [edit]

  Having fun with FeedBurner Awareness API.

  The FeedBurner Awareness API (AwAPI) allows publishers of FeedBurner feeds to reuse the detailed traffic statistics we capture for any of their feeds. Third-party applications and web services that consume feeds can leverage this data to provide useful feed awareness statistics to potential subscribers… - awarenessapi

  In October 07, BlogSecurity released an article titled, "Feedburner: Show me the money". Knowing your way around Feedburner can be really useful when looking for blog partners or blogs to place ads. Awareness API makes this a peice of cake!

  What I also find interesting, is that these statistics could be used by attackers during the target profiling stage to find and sort high traffic sites with accuracy. In addition to this, a more subtle attacker may only want to deface or propogate an attack further by infecting a specific page. How would the attacker easily determine the page with the most traffic?

  Enough chit-chat, lets see Awareness API in action by viewing Problogger’s stats:

  http://api.feedburner.com/awareness/1.0/GetFeedData?uri=
  ProbloggerHelpingBloggersEarnMoney&dates=2008-01-01,2008-04-02
  

  
  <feed id="40080" uri="ProbloggerHelpingBloggersEarnMoney">
  <entry date="2008-01-01" circulation="36533" hits="61608"
  downloads="1" reach="4918"/>
  <entry date="2008-01-02" circulation="37465" hits="73923"
  downloads="5" reach="6356"/>
  <entry date="2008-01-03" circulation="37161" hits="73702"
  downloads="1" reach="6525"/>
  <entry date="2008-01-04" circulation="36983" hits="71214"
  downloads="0" reach="5976"/>
  <entry date="2008-01-05" circulation="36559" hits="60201"
  downloads="0" reach="4338"/>
  ...
  

  The boy is definately getting hits!

  Specific posts can also be queried (although this didn’t work when I was playing the second time round):

  http://api.feedburner.com/awareness/1.0/GetFeedData?uri=
  ProbloggerHelpingBloggersEarnMoney&itemurl=
  http://www.problogger.net/archives/2008/05/01/
  what-you-say-is-what-you-are-the-problem-of-blogger-inferiority-complex/
  

  <entry date="2008-04-30" circulation="47441" hits="87226"
  downloads="0" reach="7632"/>
  

  We found that Feedburner enables this service when the feedCount service is enabled. The Awareness API service does not need to be activated for your site to be displaying this information. We had mixed results when testing. If this is the case, I think this is a bad configuration on Feedburner’s part.

  Check out the Awareness API documentation for more uses.

  

  
• 

  Gravatar Secure to Use?

  Posted: April 29th, 2008, 4:33am CDT by DK

  Tags:  Reflections   [edit]

  I really love the Gravatar concept. Its simple, useful, powerful and centrally managed, but how secure is it to use on a blog or service?

  Regular users may have already seen that we have implemented Gravatars onto BlogSecurity; so its safe to use then, right?

  I made a point on our new BlogSec-News service a couple days ago when implementing Gravatars onto BlogSec. This article expands these points.

  My first thought was, creating a malicious image link and posting this on Gravatar. Imagine placing a malicious peice of code as your profile picture. Every site that has approved your previous comments are all of a sudden vulnerable! However, this thought was quickly exhausted, as Gravatar does not permit third party links. All images are uploaded to Gravatar and centrally managed. Good move!

  So what are the risks then?

  Without looking at the service in great detail, there are two obvious risks with using this service, both of which you should understand and accept before using it.

  Firstly and less likely: If the Gravatar servers are hacked, attackers could embed malicious code into links, which could be used in a variety of attacks including Denial of Service and may, although unlikely, lead to your blog being compromised. However, for this to happen, your site would have to be vulnerable to other attacks.

  Second and more likely: Users control what rating their images receive. By accepting Gravatars, you accept the possibility that some users may use inappropriate images or images of a sensitive nature. Its also difficult to detect these images, unless you were monitoring every post comment on every post (impossible). The end result may be an unhappy user or visitor who blames your site, especially when they fail to understand how the Gravatar service work.

  It is important that these risks are understood and accepted before using the service. As a community, hopefully we’ll look out for these images. When spotted, we could always inform Gravatar, who hopefully have a procedure in place to manage abuse.

  

  
• 

  Wordpress 2.5 Cookie Integrity Protection Vulnerability

  Posted: April 27th, 2008, 2:12pm CDT by DK

  Tags:  Advisories   [edit]

  Steven J. Murdoch has discovered a vulnerability in WordPress 2.5 that may allow a registered user to gain admin level access on the blog. Only WP 2.5 blogs that permit users to register user accounts are vulnerable.

  According to Steven:

  This vulnerability exists because it is possible to modify
  authentication cookies without invalidating the cryptographic
  integrity protection.

  If a Wordpress blog is configured to freely permit account creation,
  a remote attacker can gain Wordpress-administrator access and then
  elevate this to arbitrary code execution as the web server user.

  The fix is fairly straight forward and WordPress have released a fix in WordPress 2.5.1.

  
  Please note this vulnerability is different to [blogsecurity.net]

  Steven’s Advisory is available here.

  

  
• 

  BlogSecurity News Portal Launched

  Posted: April 23rd, 2008, 11:44am CDT by DK

  Tags:  News   [edit]

  We often have people emailing us to discuss a new plugin, an advisory, general news etc.

  Blogsec now offers our users the chance to submit their hot gossip via our new News portal. Check it out, sign-up for email updates, give us your feedback, knock yourselves out :)

  LAUNCH BLOG-SEC NEWS

  

  
• 

  Facebook: What they really have on you

  Posted: April 21st, 2008, 10:31am CDT by DK

  Tags:  News   [edit]

  Old clip, but its a classic, enjoy!

  
  Find more how to and instructional Web videos on 5min.com

  Check out more of our Social Networking articles here.

  

  
• 

  WordPress 2.5 Secret_Key Vulnerability

  Posted: April 16th, 2008, 4:20am CDT by DK

  Tags:  Advisories   [edit]

  José Carlos Nieto Jarquín has found a vulnerability affecting WordPress 2.5 ONLY. His advisory was released on SecurityFocus yesterday.

  Our recent "Secure WordPress Whitepaper Revision" shows the new WordPress SECRET_KEY variable in the ‘wp-config.php’ file. This SECRET_KEY must be set to something random, as specified in the WordPress documentation. If not, it may be possible for an attacker to brute force the default WordPress SALT generation process to gain access to your blog.

  The vulnerability has been reported as a Medium risk as it only affects WordPress installations matching a certain criteria. See advisory for more details.

  A proof of concept exploit is publicly available. Please ensure that you set your SECRET_KEY in your ‘wp-config.php’ file to something random.

  From wp-config.php:

  Change SECRET_KEY to a unique phrase.  You won't have to remember
  it later, so make it long and complicated.  You can visit
  https://www.grc.com/passwords.htm to get a phrase generated for you,
  or just make something up.
  define('SECRET_KEY', 'put your unique phrase here');
  

  

  
• 

  WordPress Whitepaper rev-1.2: New Release

  Posted: April 14th, 2008, 5:23am CDT by DK

  Tags:  News   [edit]

  Great news! We are pleased to announce, to our translators dismay, that we have revised our popular "How to Secure WordPress" whitepaper.

  The new revision takes a more hands-on approach making it easier to follow and implement. New sections have been added to cover important topics like Spam and Blog Encryption.

  Check out more information at the WordPress Whitepaper HomePage.