Posts Tagged ‘Security’

Is Nothing Sacred!!!

AddThis Social Bookmark Button

As with any ol’ political campaign, there always has to be some cracker/script kiddie advocacy/special interest group breaking the law to push their agenda.

Sarah Palin Yahoo! e-mail account cracked.

Counter-Phish, The Anti-Phishing Strategy Game

AddThis Social Bookmark Button

Apparently, sometimes corporate Risk Bulletins are useful!

Tips to protect yourself from phishing schemes:

  1. Never provide your personal information when responding to an unsolicited email request, no matter how legitimate the communication may look. Whether by phone, email or internet site, data created by phishers may look like the real thing. If you didn’t initiate the communication, you shouldn’t provide any information.
  2. Never provide a password over the telephone in response to an unsolicited request. Financial institutions should never ask you to verify your account information online.
  3. Contact the financial institution yourself, if you believe the contact may be legitimate. Phone number and websites can be found on your monthly statements from your financial institutions. You can also look up companies on the internet or in phone books.
  4. Regularly review your account statements to confirm there are no fraudulent charges. If your account statement is ever late, immediately contact the financial institution to determine why.
  5. Visit the anti-phishing working group website to obtain a list of the most recent incidents of phishing and find the latest news in the fight against phishing, www.antiphishing.orgBecoming Proactive

When you encounter a potential fraud, especially if you believe you’ve lost money, act immediately:

  • If you receive phishing emails, you can report the fraud to the FBI’s Internet Fraud Complaint Center at, and forward the email to, to pass the tip to the SEC’s Enforcement Division.
  • If you think your personal information has been compromised, visit the Identity Theft Resource Center of the Federal Trade Commission for more information on how to proceed with protecting yourself and minimizing the damage.

Yet Another Firefox Bug (YAFB)

AddThis Social Bookmark Button

Mozilla ups unpatched Firefox flaw to ‘high severity’; Preps fix by ZDNet‘s Larry Dignan — Mozilla has given a proof of concept Firefox vulnerability a “high severity” rating because an attacker can collect session information such as cookies and history, according to Mozilla security chief Window Snyder. Snyder said the vulnerability will be patched with Firefox, which will be pushed out “shortly.” On Jan. 22, Snyder confirmed a proof of concept […]

AOL’s Web Site and XSS

AddThis Social Bookmark Button

Today I received a phished e-mail to one of my many (many) free Yahoo! e-mail accounts that somehow cleared all of their SPAM algorithms. Interestingly enough, the link inside the message was to a legitimate AOL landing page. However, it was a redirect page that sent me to a phishing site site removed. I have run into this various times on a couple of client projects and it is just interesting (and worrisome) to see it happen so blatantly on other, high trafficked web sites. Here is the redirect link (notice I am appending my URL to the end of the query string.)

I attempted to locate the appropriate abuse contact at AOL, but unfortunately I do not have the time, nor patience to rummage through their site to locate their security advisers. So I will just have to notify another security expert as soon as I have time to actually figure out who that would be.

Index of /wp-content/uploads

AddThis Social Bookmark Button

Tonight, whilst experimenting with the various advanced Google search techniques (hacks) to locate web content, I had an epiphany. Any web directory/folder that has indexes enabled (show an index of the contents of the folder of no directory index file exists) will list the contents of said directory with the phrase “Index of” followed by the actual root-relative path to available list of assets. This is due to the fact that the directory/folder does not have an index document/file present, so the web server spits out the entire list of the folder’s content. But I digress.

I have been using WordPress as my blogging platform for a few years now. Before that was a hybrid of PHPBB and custom PHP application I wrote. WordPress works great and has robust features that make blogging a snap for the more technical (such as myself, ehem) and also for the less technical netizens out there. Now, one of these great features is the ability to upload pictures and files (content) through a web interface. What a great concept (this is where the epiphany came in) except if you weren’t planning on listing up the contents of your entire uploads folder to the world. which happens to be the case with some (okay a lot of) default installations of WordPress.

Lets say you “Google” the “Index of” any WordPress uploads folders (/wp-content/uploads). You don’t have to be a rock scientist (yes, that was a joke) to realize the possible implications. Let me give you an idea of the figure as of tonight: 4,143,000 indexes. That’s 4,143,000 WordPress installations that have directory indexes enabled and are completely wide open to crawlers and spiders that can pilfer (argh) their content.

Try it yourself: