Mostly Harmless » Security

Why displaying your friends list on social networking sites is a bad idea

Rowan — Sun, 12 Apr 2009 11:57:17 +0000

This is obvious, but also clever in the way of many clever things in that the attack is only obvious after it’s been explained to you. In short, if an attacker sucessfully impersonates someone you know, or gives you the impression you may / should know them, they may be able to exploit you.

Like [...]

How long can a vulnerable web script last online before it is compromised?

Rowan — Sat, 13 Dec 2008 14:10:21 +0000

Remember some years ago now all the (justifiable) furore around how long you could connect a vulnerable Windows PC to the net for before it got hacked / infected? The statistic ended up being 20 minutes, i.e not long at all.

I’ve not seen any similar research (at least as widely publicised) for popular web [...]

Hacked WordPress Recovery

Rowan — Tue, 17 Jun 2008 16:53:37 +0000

Interesting to see this post from WP developer Donnacha, on removing various popular nasties from a wordpress install after it has been hacked or compromised.

At work we often see instances where it is not possible to simply return a user’s CMS install to a pre-hack backup and then upgrade (the safest course of action) [...]

Anonym.OS alternatives? – xB Machine

Rowan — Wed, 23 Jan 2008 17:54:08 +0000

A couple of weeks ago I was wondering on what happened to Anonym.OS. After a little searching around I came across xB Machine.

Xerobank appear to be one of those “secure browsing for a fee” organisations offering browser plugins and networks in order to protect your privacy while on the web in exchange for a [...]

Read Crypto-gram and feel better?

Rowan — Mon, 18 Jun 2007 22:50:29 +0000

I’ve been a reader of Bruce Schneier’s CRYPTO-GRAM newsletter for some years now and it always inspires mixed feelings. Schneier writes with authority on security, terrorism and the psychology of both. At the danger of being misrepresentative, here’s a quote

“We worry about airplane crashes and rampaging shooters instead of automobile crashes and domestic [...]

Tracking down vulnerable web apps on a hosting service

Rowan — Sat, 03 Mar 2007 15:23:38 +0000

Looks like one of the worst things that can happen to a web app project has happened to wordpress – one of their releases was compromised by a “cracker”

http://wordpress.org/development/2007/03/upgrade-212/

I was in the “at risk” group of recent installs so have upgraded as soon as I saw the news post. The difficulty for server [...]