Category Archives: Security

Former Hostgator employee charged with rooting 2,700 servers

As my years of IT security experience taught me, the insider is the most dangerous threat.

I guess I know what I’ll be doing this weekend…making sure none of the Hostgator servers under my control were rooted. At least it sounds like the situation was mitigated.

You all might want to check your servers, if you have any with Hostgator.

Category: Internet, Security, Tech

Leaving Evernote

Yesterday I got the email that millions of other people got, about Evernote resetting my password because someone had hacked into their user data system.

The investigation has shown… that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts, and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted.)

After following the very geeky discussion about it in /r/netsec I was left wondering if I was placing too much faith in Evernote to protect all the brain dumps, notes, files, and private information I like to store in it.

Cloudy with a chance of security breach

After stumbling across this blog post entitled “Evernote doesn’t really care about security” I became convinced that it was time to leave Evernote. The security breach was actually the last straw in a number of things that have been bugging me more often than not — frequent crashes being the chief one.

Sometime around when Evernote added Skitch, the whole shebang started crashing on me frequently. I’m a premium Evernote user, and dealing with the app crashing multiple times a day quickly became aggravating. It has been almost unusable at times. That does not bode well for something you need to access frequently throughout a given day.

Then there were the issues where my notes were not synching between my laptop and my desktop, which I don’t really need to go into. You’ve probably had them too, if you are an Evernote user on more than one computer.

Lastly, I mentioned I was a paid Evernote user, but I never found myself using the paid features. The other big issue for me was tagging – I would add tags to notes but then forget about them and never use them to find things. Being able to organize notes hierarchically is a necessity for me, as someone who thinks that way after years as a sysadmin and developer, and I couldn’t get used to everything having to be arranged with tags.

Faith In The Cloud?

So my question yesterday became: “Where do I put all this info I have in Evernote that is more secure and can be synced and accessed between my phone, laptop, and desktop?”

Security experts mostly agree that putting sensitive information in the cloud is not a very good idea. But I want to have faith that it can be, and there are companies making an effort in that regard. I turned to a solution that was right under my nose: Google Drive.

Why Google Drive over Dropbox or some other service? Because it integrates easily with everything I already use, and more and more features and interactions with it are becoming available. I, for one, welcome our new Google overlords.

I’m still working on moving everything over from Evernote to Google Drive, and it’s not a simple process, but I think I will be able to live with it. I’ll also be able to rest a little better knowing that, while my data is still in the cloud, Google seems to value it more than Evernote.

Other fed up users are coming up with their own solutions for replacing their faith in Evernote.

What will be yours?

WordPress Pingback Vulnerability

An older vulnerability that got ignored in 2007 is showing up again.

According to Acunetix’s Bogdan Calin, this particular vulnerability is exploitable through the platform’s XMLRPC API (through XMLRPC.PHP). Attackers could try and guess hosts inside each network they target, port scan those hosts, reconfigure internal routers and launch large scale DDoS attacks.

More here.

From the details it doesn’t sound extremely dangerous, but something that should be fixed sooner rather than later. You can bet that we will see WordPress 3.5.1 pretty darned soon!
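The abuse described above works because the XML-RPC server fetches whatever sourceURI a pingback.ping call names, so a hardened endpoint should refuse sourceURIs that point at internal hosts or non-web ports before fetching anything. The following is an added example (not WordPress code and not from the original post) that parses a pingback.ping request and applies that check; the sample request body and the host names in it are constructed for illustration.

```python
import ipaddress
import socket
import xmlrpc.client
from urllib.parse import urlsplit

# Constructed sample pingback.ping request body (not from the page): the
# sourceURI names an internal host and a non-web port, which is exactly
# the pattern that turns a pingback into an internal port probe.
SAMPLE_PINGBACK = """<?xml version="1.0"?>
<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
    <param><value><string>http://10.0.0.5:22/</string></value></param>
    <param><value><string>http://blog.example/2013/02/hello-world/</string></value></param>
  </params>
</methodCall>
"""


def parse_pingback(body):
    """Decode an XML-RPC request body and return (sourceURI, targetURI)."""
    params, method = xmlrpc.client.loads(body)
    if method != "pingback.ping" or len(params) != 2:
        raise ValueError("not a pingback.ping call")
    return params


def is_public_http_url(url, resolve=socket.gethostbyname):
    """True only if url is http(s) on a web port and its host is globally
    routable. Hostnames are resolved with `resolve` (default: DNS) and the
    resolved address is what gets checked, so a name that points at a
    10.x / 192.168.x / 127.x host is rejected just like an IP literal."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if parts.port not in (None, 80, 443):
        return False  # a pingback has no reason to reach SSH, SMTP, admin ports
    try:
        addr = ipaddress.ip_address(parts.hostname)
    except ValueError:
        try:
            addr = ipaddress.ip_address(resolve(parts.hostname))
        except (OSError, ValueError):
            return False  # unresolvable name: refuse rather than guess
    return addr.is_global


def pingback_allowed(body, resolve=socket.gethostbyname):
    """Gate to apply before the server fetches sourceURI to verify the link."""
    source, _target = parse_pingback(body)
    return is_public_http_url(source, resolve)
```

The fetch that follows a successful check should connect to the address that was checked, not resolve the name a second time, otherwise a DNS answer that changes between check and fetch reopens the hole.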

Category: Security, WordPress

That square QR barcode on the poster? Check it’s not a sticker

A pretty ingenious, but evil, hack: make your own QR codes, print them out on sticker paper, then slap them on a well-known company/movie/band/product poster or billboard. Point them at an exploit website and you’ve got yourself a bunch of trusting visitors on mobile phones.

Kinda scary, really.

Category: Security

Better WP Security

I have been cleaning up a lot of hacked websites/malware and doing security updates and hardening for WordPress websites lately. Ideally I’d be able to lock down a client’s server more thoroughly, implement a good firewall, and run some intrusion detection software, but since many people can’t afford this sort of thing and are on shared hosting environments, I have to lock down what I can.

For hardening WordPress I have traditionally been a fan of Secure WordPress, but lately it has seemed a little too simplistic and not proactive enough. Malware infestation on websites has been spreading like wildfire lately for whatever reason, so staying on top of things is a must.

WordPress Firewall 2 seemed to work pretty well in the past, but it would often kick back false positives which caused issues with plugins and prevented things from working that should otherwise not have a problem. Not to mention it hasn’t been updated in a while.

I was happy to see that Sucuri made their premium plugin free recently. It is pretty slick and has some cool features, and I really like what Sucuri does for web security. But with this plugin they are trying to walk the line between simplicity for the end user and comprehensiveness for being secure. It’s kinda weird to use for that reason, as you don’t really get a good understanding of what is being done behind the scenes.

I tried this a few weeks ago and originally gave it up, but I have since returned to Better WP Security, especially now that I can specify an email address to send notifications to and can disable warnings in the WP admin area. These are things that mattered a lot to me, as they would inevitably lead to clients or bosses emailing me asking what all these warnings were. The recent update to the plugin fixed all that, and I’m a happy camper.

I really like that the plugin shows you what needs to be done, makes it easy to do it, and keeps you well informed about what is going on behind the scenes. There is intrusion detection, there are logs, there are password strength policies, there are database tweaks, there are database backups, and there are many other ways to tighten up security. You don’t find so many useful tools in one place with any other plugin.

You should try it – Better WP Security (website) – Plugin Download


Massive Credit Card Security Breach

Well, this doesn’t look good. Perhaps most disturbing is all the secrecy surrounding the issue on behalf of MasterCard and Visa. Security breaches require transparency, not secrecy.

Warning over ‘massive’ MasterCard, Visa security breach

Category: Security, Tech