Wednesday, June 27, 2018

WordPress password change on hosted sites needs a little SQL knowledge

If you blog on WordPress on a hosted platform, the procedure for changing a user password is more complicated than with a free blog. It’s a good idea to do this at unpredictable intervals.
Generally, you go into phpMyAdmin, look for the database that corresponds to the blog (you need to look in the File Manager if you have more than one), look for the tables, look for the user table, then enter a new password and choose an encryption method (usually MD5, which is strictly a hash function) from a drop-down. BlueHost is pretty typical.
The password actually stored in the database is the encrypted (hashed) value, not what you enter on the WordPress login screen.
I don’t get why on this video you need to regenerate it on WordPress itself, but I’ll look into it.
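
The same procedure written as the SQL you could run from phpMyAdmin's SQL tab. This is an added example, not part of the original post; the `wp_` table prefix, the login name `editor_example` and the password string are constructed placeholders.

```sql
-- Assumptions (not from the original post): prefix wp_, login 'editor_example',
-- and the passphrase below are placeholders to replace with your own values.

-- 1. Find the users table. The prefix is whatever $table_prefix is set to in
--    wp-config.php, so it may not be wp_ on your install.
SHOW TABLES LIKE '%\_users';

-- 2. Confirm you have the right row before changing anything.
SELECT ID, user_login, user_email
FROM wp_users
WHERE user_login = 'editor_example';

-- 3. Store the MD5 of the new password (what the phpMyAdmin drop-down does).
--    LIMIT 1 guards against a WHERE clause that matches more than intended.
UPDATE wp_users
SET user_pass = MD5('REPLACE-with-a-long-random-passphrase')
WHERE user_login = 'editor_example'
LIMIT 1;

-- 4. Verify: a bare MD5 digest is exactly 32 hex characters.
SELECT ID, user_login, CHAR_LENGTH(user_pass) AS hash_len
FROM wp_users
WHERE user_login = 'editor_example';

-- 5. Drop that user's existing login sessions so a stolen cookie stops working.
DELETE FROM wp_usermeta
WHERE meta_key = 'session_tokens'
  AND user_id = (SELECT ID FROM wp_users WHERE user_login = 'editor_example');

-- WordPress accepts the bare MD5 value once and replaces it with its own
-- salted hash at the next successful login, so log in right away: unsalted
-- MD5 should not sit in the table any longer than necessary.
```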

Monday, June 25, 2018

Primers on WordPress and SQL Injection vulnerabilities

There are reports of potential vulnerabilities being found on WordPress sites for JavaScript statements with “1=1” parameters (always true) that seem to open the door for possible SQL Injection attacks later.

Here’s a typical story

The statement may occur in a theme, or in the wp-includes directory.

It is unclear how they are put there.
Here is a primer on how SQL injection attacks work.

Friday, June 15, 2018

Apple fixes lingering security flaw in iPhone that enables law enforcement investigations on locked phones

My own iPhone updated to iOS 11.4 a little while ago.

Apple has announced a security fix to prevent hackers from getting into a locked phone, but that would also preclude law enforcement from getting into one. The New York Times story by Jack Nicas is here.
Tim Cook has always said that allowing anyone but a phone owner to open it post-mortem would be a kind of “cancer”.

Thursday, June 14, 2018

Security companies need more transparency in how they report customer site risk, even to hosting providers

There has been some controversy (since mid 2017) over how security companies like SiteLock mark websites as “high risk” with apparently no transparency as to what the risk factors are.
This is also an issue because security companies usually work with hosting providers who do the billing and who might have some concerns over their own downstream liability for customers (as this climate has been changing rapidly, as with FOSTA, for example). 
Forbes had a piece in August 2017 by Kalev Leetaru, and Whitefirdesign has several articles from 2017, for example this one.
There are reports of hosting providers threatening to cut off customers who experience one malware hacking attack.  There are also reports of telemarketing calls selling site security services, which would dilute the credibility of the services if the calls weren’t legitimate.
It is not clear whether site risk is based on the technical components (use of specific Wordpress plugins, for example) or its content (whether it is controversial according to the “skin in the game” theory, which has percolated for years while getting very little media attention). 
One concern is that with network neutrality gone, telecoms could (with public pre-notice first) block sites rated as risky, either by anti-virus companies that they acquire through mergers, or even through content delivery security services like SiteLock, Cloudflare, and the like.  We already know that Cloudflare has blocked or closed accounts of some objectionable publishers (so far limited to white supremacy).
This is an evolving issue that may change with time and generate new incidents and controversies.

Friday, June 08, 2018

Should you change all your default privacy settings now?

Here is Geoffrey A Fowler’s moral lecture “Hands off my data: 15 default privacy settings you should change right now”, in the Washington Post.  A Facebook friend shared this piece early Friday, and said he accepted he has no privacy online.
Facebook is the worst offender, but even Microsoft and Apple have their sins.
For most of us, this sounds like paranoia.  But it really depends on how exposed you are to meddling by others, in your personal living situation and employment.
It also depends on whether you are in a circumstance where people connected to you can be affected – especially if your online reputation matters in the workplace because you sell somebody else’s ideas.
We all depend on surveillance capitalism.

Wednesday, June 06, 2018

Trend Micro loops updating Windows 10 computer with creators updates, after returning from vacation non-use

On one Windows 10 computer, which I did not use for 11 days while on the road, Trend Micro update keeps looping.

I find that if I restart the computer, it says it is active and will let me run a scan.  But the icon that says an update is being installed persists. Of course, until the problem is resolved it cannot keep up with updates.

The computer that I took with me and used every day (also Windows 10 with the same latest features update) does not now have this problem.

There are various links available on Trend Micro Community, dating back to early 2017,  but I believe this could also have something to do with a period of non-use or recent Microsoft updates.
I’ll contact Trend Micro if I can’t get this resolved soon.

Update: June 12

A 90-minute support session where Trend applied several hotfixes fixed the problem.  Going not logged on for 11 days was only part of the problem. and were used so that the technician could work remotely.

Sunday, June 03, 2018

New hacking group could threaten industrial control systems

A hacking group called XENOTIME has attracted attention for the capacity to hack and shut down industrial plants, after it did so in the Middle East last year.  The threat was written up by Shannon Varga in Axios here.

Dragos expanded with more details in a blog post here.

There could be dangers to water treatment plants, pipeline controls, and maybe some power plants. 
But it is not clear how they would get into a system off the public Internet.

The name of the group seems to be related to the Pokemon game.