- Offensive Tech: Systems Admins: We Need To Talk.
Mostly things that Better WP Security protects you from.
October 24, 2013
These techniques can be used to attack and break into WordPress-based websites. By providing details on these types of attacks, the aim is to raise awareness about the need for hardening and security monitoring of WordPress.
If an Android device (phone or tablet) has ever logged on to a particular Wi-Fi network, then Google probably knows the Wi-Fi password. Considering how many Android devices there are, it is likely that Google can access most Wi-Fi passwords worldwide.
No Facebook, No Service?
The Idaho Statesman, my sort-of-local newspaper, just announced that it will follow the lead of the Miami Herald and no longer allow readers to post anonymous comments to online stories. Starting September 15, readers who want to make comments will have to log in through Facebook.
100% Private Online Backup, Sync & Sharing Instantly retrieve files from any device, anywhere. 2GB Free – for life
and they used an emdash in their button!
This was once just a page that contained my public encryption key. It has now grown to become an introduction to how and why to use the GNU Privacy Guard encryption software (GPG) to protect your privacy. It is continually growing. If you have questions, corrections, suggestions, locations for tools or servers, or GPG-related interesting stuff, please contact Alan Eliasen. Thanks!
Server security doesn’t need to be complicated. My security philosophy is simple: adopt principles that will protect you from the most frequent attack vectors, while keeping administration efficient enough that you won’t develop “security cruft”. If you use your first 5 minutes on a server wisely, I believe you can do that.
Any seasoned sysadmin can tell you that as you grow and add more servers & developers, user administration inevitably becomes a burden. Maintaining conventional access grants in the environment of a fast growing startup is an uphill battle – you’re bound to end up with stale passwords, abandoned intern accounts, and a myriad of “I have sudo access to Server A, but not Server B” issues. There are account sync tools to help mitigate this pain, but IMHO the incremental benefit isn’t worth the time nor the security downsides. Simplicity is the heart of good security.
Back when our team was dealing with operations, optimization and scalability at our previous company, we had our fair share of troubleshooting poorly performing applications and infrastructures of various sizes, often large (think CNN or the World Bank). Tight deadlines, “exotic” technical stacks and lack of information usually made for memorable experiences.
The cause of the issues was rarely obvious: here are a few things we usually got started with.
There is a Java exploit out in the wild right now, and only 9 of 22 virus scanners block the Java exploit.
Oracle released an emergency update (java version 7 update 7) yesterday evening (Aug 30, 2012).
This is how I manually updated my Java runtime on a Windows 7 64-bit machine:
- run C:\Program Files\Java\jre7\bin\javacpl.exe (note: use the control panel for the latest version you have installed on your system — on my Windows 7 32-bit system it’s in C:\Program Files\Java\jre7\bin\javacpl.exe)
- click on the “Update” tab (second from the left)
- click on the “Update Now” button (bottom right)
- wait for the installer to load / click on the obvious next buttons / make sure to uncheck whatever junk they want to install on your system (e.g. Ask toolbar, McAfee Security Scan Plus, etc.)
- wait while it installs, click on the “Close” button and Bob’s your uncle.