Tips, Tricks, Tools & Techniques

for Internet Business, Life, the Universe and Everything

Month: November, 2007

More On WordPress Security Issues (a.k.a. The Al Gore Hack)

28 November, 2007 (12:05) | Security, WordPress | By: Nick Dalton

The Symantec Security Response Weblog has a good writeup about the climatecrisis.net hack and the elaborate network scheme behind it. Their conclusions mostly match those in my post yesterday.

I still haven’t been able to track down the exact exploit used to compromise all these WordPress blogs. All the compromised blogs that I’ve examined run older versions of WordPress (<= 2.0.6). There are several older vulnerabilities that allow an attacker to assume admin privileges.
With admin privileges the attacker can use the Theme Editor to add their spam links to the footer template. Using the Theme Editor gets around the problem of knowing which file to edit, since each theme is installed in a separate directory. If the attacker only had access to the file system (e.g. via FTP), there would be no easy way to know which WordPress theme is the active one.

On a most likely unrelated note, GigaOM has a post about security issues in WordPress Themes. It turns out that some bad guys are taking free WordPress themes and modifying them slightly so that they can run arbitrary code on each web server running that WordPress theme. This is a huge security risk!

Follow the basic security rule: Don’t download files from untrusted sources. Just because someone is advertising their free WordPress template site on AdWords doesn’t mean that the site is legitimate.
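As an added illustration of how a site owner can catch a modified theme (this is example code written for this page, not a tool from the post or from the WordPress project): it hashes every file in a theme directory against a baseline taken from a clean copy of the theme, and flags PHP templates that decode and execute hidden payloads, which is the usual shape of a tampered "free" theme. The theme name, file contents and the PLACEHOLDER_BLOB strings are constructed for the demo.

```python
"""Heuristic scan of a WordPress theme directory for tampering.

Added example, not the project's own tooling. Two checks:
  1. hash every file and compare with a baseline taken from a clean copy
     of the theme (e.g. the archive as downloaded from the theme author);
  2. flag PHP source that decodes and executes hidden payloads.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Heuristics only: each of these calls has legitimate uses, but a theme
# template that decodes a blob and executes it deserves a manual look.
SUSPICIOUS_PATTERNS = (
    (re.compile(r"\beval\s*\(", re.I), "eval()"),
    (re.compile(r"\bbase64_decode\s*\(", re.I), "base64_decode()"),
    (re.compile(r"\b(?:gzinflate|gzuncompress|str_rot13)\s*\(", re.I), "decode/inflate call"),
    (re.compile(r"\b(?:system|shell_exec|passthru|exec)\s*\(", re.I), "shell command execution"),
)


def scan_php_source(source: str) -> list[str]:
    """Return the labels of every suspicious construct found in one PHP file."""
    return [label for pattern, label in SUSPICIOUS_PATTERNS if pattern.search(source)]


def file_hashes(theme_dir: Path) -> dict[str, str]:
    """SHA-256 of every file under theme_dir, keyed by path relative to it."""
    hashes = {}
    for path in sorted(p for p in theme_dir.rglob("*") if p.is_file()):
        hashes[path.relative_to(theme_dir).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return hashes


def diff_against_baseline(current: dict[str, str], baseline: dict[str, str]) -> dict[str, list[str]]:
    """Files that were added, removed or changed since the clean baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(f for f in current.keys() & baseline.keys() if current[f] != baseline[f]),
    }


def scan_theme(theme_dir: Path) -> dict[str, list[str]]:
    """Map each PHP file containing suspicious constructs to the labels found."""
    findings = {}
    for path in sorted(theme_dir.rglob("*.php")):
        hits = scan_php_source(path.read_text(errors="replace"))
        if hits:
            findings[path.relative_to(theme_dir).as_posix()] = hits
    return findings


# Constructed sample theme: a clean footer and the same footer after tampering.
CLEAN_FOOTER = "<?php wp_footer(); ?>\n</body></html>\n"
TAMPERED_FOOTER = CLEAN_FOOTER + "<?php eval(base64_decode('PLACEHOLDER_BLOB')); ?>\n"
DROPPED_FILE = "<?php eval(gzinflate(base64_decode('PLACEHOLDER_BLOB'))); ?>\n"


def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Build a clean theme, baseline it, tamper with it, and report both checks."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp) / "my-theme"          # hypothetical theme name
        theme.mkdir()
        (theme / "style.css").write_text("/* Theme Name: Example */\n")
        (theme / "footer.php").write_text(CLEAN_FOOTER)
        baseline = file_hashes(theme)           # taken from the pristine copy

        # Tampering: a modified template plus a file dropped into a subdirectory.
        (theme / "footer.php").write_text(TAMPERED_FOOTER)
        (theme / "images").mkdir()
        (theme / "images" / "thumb.php").write_text(DROPPED_FILE)

        return diff_against_baseline(file_hashes(theme), baseline), scan_theme(theme)


if __name__ == "__main__":
    changes, findings = demo()
    print("changes since baseline:", changes)
    print("suspicious constructs:", findings)
```

The hash comparison is the reliable check: it needs no knowledge of what a backdoor looks like, only a clean copy to compare against. The pattern scan is a second opinion for themes you never baselined; treat its hits as a reason to read the file, not as proof.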

The reason I say that the two security issues are unrelated is that the compromised blogs do not share a common WordPress theme.
If anyone who has been compromised would be willing to share their web access logs, I would be very interested in examining them.

Update:
When looking at the HTML source of web pages that have been compromised I noticed that not only did the attacker add their spam links, they also added an AdSense block. First I thought that each blog just happened to have their AdSense JavaScript in the same position at the bottom of the page. But when I saw the AdSense code on climatecrisis.net I figured that something was wrong. Why would climatecrisis.net have AdSense on their site?

After closer examination I realized that all compromised sites had the exact same AdSense code:
getme('http://pagead2.googlesyndication.com/pagead/show_ads.js? 636D6071685F676C255D5A68385E565D545C612E64334D100E4D5 45652090A0E5252564840083D414A4641354C0FF83E3E3C32F306');

Someone at Google should be able to find out who is benefiting financially from that AdSense code. Money always leaves a trail.

Don’t Get Hacked Like Al Gore – Keep An Eye On WordPress

27 November, 2007 (22:10) | Security, WordPress | By: Nick Dalton

A story has been making the news today about Al Gore’s web site being hacked. (Original story broken by Stuart @ Earners Blog.) Actually it was a blog on climatecrisis.net that appears to have been forgotten – the last post is from September 2006. Nevertheless, the blog has a PageRank of 5, which makes it an attractive target for link hackers.

The site has been cleaned up now, but you can view a cached version of the compromised page courtesy of Yahoo. (In IE you need to view source to see the links. In my Firefox they show up as grey text links at the bottom of the page.)

The attack has at least three steps:

  1. A blog at westmont.edu was compromised and several pages were added promoting Viagra and other related pills.
  2. Several other blogs were compromised and links to the first site were added at the bottom of each page. The latter is what happened to climatecrisis.net/blog. Al Gore’s site is probably the best known of the compromised sites, but there are many more: The Cynical Traveller, Mickipedia, Astroport Le chant du pain, The Next New Networks, Librarian Activist. Just to list a few. Hopefully the site owners will see these backlinks and be able to clean up their blogs.
  3. In order to not leave a trail to their own doorstep, there appear to be no outbound links on the westmont.edu blog that go to any web site where you can actually order the drugs. Instead there are links to google.ru with queries like “Purchase Prilosec”. Presumably the perpetrator of this attack is among the first search results for these queries. The indirect link through Google makes it very hard to find and prosecute the guilty party. Using Google to cover your tracks is getting increasingly popular.

All the compromised sites are blogs that use WordPress 1.5 – 2.0.6. If you are running these very old versions of WordPress be sure to upgrade to the latest secure release. And regardless of which software you’re using for your web site, you should regularly view the HTML source of your site to make sure that you’re not serving up spam links.
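The advice above about reviewing your page’s HTML source, and the footer-template edits described in the other post on this page, can be automated. The script below is an added example (not from the post): given the hosts your site legitimately links to, it reports anchors pointing at any other host, anchors hidden by inline styling (the grey text links mentioned above), and script tags or inline script text that load code from elsewhere. The sample page, the host names and the `getme` loader call are constructed for the demo.

```python
"""Audit a page's HTML for injected links and script loaders.

Added example, not code from the post. Everything outside ALLOWED_HOSTS
is treated as suspect; tune the allowlist to the hosts your site really
links to (your own domain, WordPress, your ad or analytics provider).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_IN_SCRIPT = re.compile(r"https?://[^\s'\"()<>]+", re.I)
# Inline styles commonly used to keep injected links out of sight.
HIDDEN_STYLE_HINTS = ("display:none", "visibility:hidden", "font-size:0",
                      "color:#fff", "color:#ffffff", "color:#eee")


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def _is_hidden(style: str) -> bool:
    compact = style.replace(" ", "").lower()
    return any(hint in compact for hint in HIDDEN_STYLE_HINTS)


class LinkAudit(HTMLParser):
    """Collects (finding, host, line) triples while parsing a page."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []
        self._in_script = False

    def _unknown(self, host: str) -> bool:
        return bool(host) and host not in self.allowed

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        line = self.getpos()[0]
        if tag == "a":
            host = _host(attrs.get("href") or "")
            if self._unknown(host):
                self.findings.append(("link to unknown host", host, line))
            if _is_hidden(attrs.get("style") or ""):
                self.findings.append(("hidden link", host, line))
        elif tag == "script":
            self._in_script = True
            host = _host(attrs.get("src") or "")
            if self._unknown(host):
                self.findings.append(("external script", host, line))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here as raw text; look for URLs they load.
        if self._in_script:
            line = self.getpos()[0]
            for url in URL_IN_SCRIPT.findall(data):
                host = _host(url)
                if self._unknown(host):
                    self.findings.append(("inline script references unknown host", host, line))


def audit_html(html: str, allowed_hosts) -> list[tuple[str, str, int]]:
    """Return every suspicious link or script load found in the page."""
    parser = LinkAudit(allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a normal blog page whose footer has been tampered with.
ALLOWED_HOSTS = {"blog.example.org", "wordpress.org"}
SAMPLE_PAGE = """<html><body>
<h1><a href="http://blog.example.org/">My Blog</a></h1>
<p>Powered by <a href="http://wordpress.org/">WordPress</a></p>
<div id="footer">
<a href="http://pills.example.net/buy" style="color: #eee; font-size: 1px">cheap pills</a>
<script type="text/javascript">
getme('http://ads.example.com/show_ads.js?CONSTRUCTED_ID');
</script>
</div>
</body></html>"""


if __name__ == "__main__":
    for finding, host, line in audit_html(SAMPLE_PAGE, ALLOWED_HOSTS):
        print(f"line {line}: {finding} ({host})")
```

Run it against your own front page (fetched with any HTTP client, or saved from the browser) on a schedule and diff the output against the previous run; a new unknown host in the footer is exactly the signal the post describes.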

Review – Life’s Golden Ticket

21 November, 2007 (12:28) | Life, Reviews | By: Nick Dalton

Have you ever met someone whose personality is so exuberant with the joy of life that you can’t help but wonder what their secret is? I had the pleasure of meeting Brendon Burchard recently at jvAlert Live in Long Beach. He gave the most amazing presentation of the entire conference.

Brendon used to work for Accenture where he was on a fast-track to becoming a partner. (I used to work for a big consulting company so I can tell you that becoming a partner is a *big* deal.) But he left his career at Accenture to write an inspirational novel: Life’s Golden Ticket.

The premise of the book is:

If you were given a ticket that could magically start your life anew, would you use it?

Stop and really think about that for a moment. Would you? Why or why not?

If there are aspects of your life that you are not entirely happy with, how much pain do you need to experience to change? Do you have to be attacked by lions like the main character in the book?

On the surface the book is an entertaining read about a young man’s visit to an amusement park. But each adventure in the park is a not-so-subtle metaphor for things that have gone wrong in his life. In the bumper boats ride kids self-select into two different groups: the explorers who set out to reach the other end of the pool as quickly as possible to explore new areas and new experiences, and then there are the spinners who spin their boats around and around in one place. Are you an explorer or a spinner?

Life is a wonderful gift; you must not waste it! Brendon was given a second chance after surviving a car accident ten years ago. Since then he has made it his mission to not waste a single moment, live life to the fullest and return the gift by giving to others.

Tomorrow the Thanksgiving holiday is celebrated in the U.S. But you should not limit giving thanks to one day per year. Every day is an opportunity to give thanks for the fortunate life that you’re living. Every day is an opportunity to give back to others.

Do You Reuse Your Passwords? Are They Being Recorded As You Type?

16 November, 2007 (19:16) | Security | By: Nick Dalton

My favorite tech columnist Bob Cringely has an interesting post this week about reusing passwords across multiple sites. Conceptually we all agree that using the same username and password to log in to your bank as you do for your email account is a bad idea. But in reality we are all lazy and we don’t want to memorize dozens or hundreds of passwords for all the sites we need to log in to.

But Bob really drives home the point with the scenario of identity thieves launching a sweepstakes website for a cruise. All you need to do to enter the sweepstakes is to register on the site. A lot of people will use the same login credentials when they register at this site as they do for their bank. And of course registration requires your full name and address, which adds up to a rather complete identity profile. Even if you don’t sign up with suspicious looking websites, one of the sites that you are already registered with may have lax security and your registration data may become exposed.

So heed Cringely’s recommendation: change your passwords NOW.

A few years ago a friend of mine was building his own house. During the construction he had a large amount of money sitting in an account waiting to be portioned out to various contractors and suppliers. To earn maximum interest on the money, he had signed up for an account that could only be managed online. With this setup he was very concerned about a keystroke logger being surreptitiously installed on his computer and capturing his username and password for the bank account.

He was even considering purchasing a brand new computer that he would only use for managing that bank account. No programs would be allowed to be installed on that computer and no web surfing beyond the bank’s website.

I told him he was being overly paranoid.

My sentiments may have been accurate back then, but that is certainly not true today. Read this article series from CIO Magazine about how sophisticated online identity theft is today. Very scary.

In my Digital Security Report I talk about how you should set up your website to avoid having your digital products indexed by search engines. Losing future sales to free downloads is bad. Having your identity stolen and your bank account looted is a lot worse. Make sure that you follow good password practices and have up-to-date anti-virus and anti-malware software installed on your computer. And sign up for a credit monitoring service. Do it today.

Swipe Attention Grabbing Phrases

14 November, 2007 (10:09) | Copywriting | By: Nick Dalton

Swipe files are collections of headlines, phrases, paragraphs and whole sales letters that are known to work well. Copywriters use them for inspiration whenever they write new copy. They painstakingly build their personal swipe file over their career. Not unlike programmers who maintain libraries of well-working code for jump-starting the next project. Top copywriters half-jokingly say that they’d rather share their wife than their swipe file…

Rich Schefren is always sharing good information for free. You can get his latest “Phrases That Keep Attention” from his blog. No cost and no registration required.

If you’re looking for a swipe file with complete sales letter templates you should check out Yanik Silver’s classic Instant Sales Letters.

Can You Learn (But Not Master) Any Programming Language in 1 Hour?

7 November, 2007 (11:51) | Life | By: Nick Dalton

Tim Ferriss has a fascinating post today about how he deconstructs any language to determine if it’s feasible to reach fluency in that language within 3 months. Being the technology geek that I am, I wondered if the same principles can be applied to programming languages.

The foundation of Tim’s process is that you already know at least one language and what you’re really trying to discover is how different the language you’re investigating is from the languages you already know. If you are able to read Tim’s post it is safe to say that you already know at least one language (English). The same does not apply to people reading this post and programming languages. Going from 0 to 1 is always the most difficult. For this post let’s assume that you already know at least one programming language and you’re interested in picking up a new one.

Who’s in your family?

Is your target language on the same major branch of the computer languages family tree as a language that you already know? Learning Lisp from Basic is going to be much more difficult than going from C++ to Java.

Looking at the evolution of a language is much more useful for programming languages than for spoken languages, since the former typically have a very logical evolution. After all, programming languages have to be understood by computers.

Functional or Procedural?

Most programming languages are procedural, i.e. code is roughly executed one line at a time in an order that resembles the order of the lines in the code. Some languages, e.g. ML, simply evaluate mathematical functions. At my university we had to learn ML as our first programming language. The theory was that going from a functional language to a “regular” programming language would be easy. I can’t vouch for that theory, but I know that the opposite was true: all of us in the class who already knew how to program were really struggling with ML.

Maybe the notation and language of higher mathematics compared to English is an equivalent analogy in the non-programming world.

Symbols and Tokens

Most programming languages use the Western character set to write the tokens (reserved words) that make up the language. The notable exception is APL, the Chinese equivalent in the programming world.

In a programming language you also need to pay special attention to the use of symbols. In many cases a semicolon is required to terminate a statement, or brackets are used to surround blocks of code. But some programming languages have an over-reliance on special symbols: parentheses in Lisp come to mind.

In a spoken language punctuation and diacritical symbols do not nearly carry the same weight as special symbols do in programming.

Side Effects

Unintended side effects are the hidden land mines of programming languages. For example, changing the value of a global variable in one place could have an unintended effect on another piece of code. As programming languages have evolved, the goal for each new language is often to minimize the possibility of shooting yourself in the foot by limiting the side effects.

One of the few ways to really learn the side effects of a programming language is through painful hands-on experience.
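To make the two points above concrete (the procedural versus functional contrast, and the hidden land mine of a shared global), here is an added example written for this page rather than taken from the post. The same small bookkeeping task is written twice: once against a module-level dictionary that several functions touch, and once as pure functions that receive the state and return a new value. The order amounts and the function names are made up.

```python
"""Side effects made visible: shared global state versus pure functions.

Added example, not from the post; the scenario and names are invented.
"""
from functools import reduce

# --- procedural style: one module-level tally that several functions touch ---
totals = {"orders": 0}


def record_order(amount: int) -> int:
    """Add an order to the shared tally and return the new tally."""
    totals["orders"] += amount
    return totals["orders"]


def preview_discount(percent: int) -> int:
    """Meant as a read-only preview, but it rewrites the shared tally as well."""
    totals["orders"] = totals["orders"] * (100 - percent) // 100   # hidden side effect
    return totals["orders"]


def procedural_run() -> int:
    """Record two orders, 'preview' a discount, then read the real total."""
    totals["orders"] = 0
    record_order(100)
    record_order(50)
    preview_discount(10)      # the caller believes nothing changed here...
    return record_order(0)    # ...but the tally is now 135 instead of 150


# --- functional style: state is passed in and a new value is returned ---------
def record_order_pure(total: int, amount: int) -> int:
    return total + amount


def preview_discount_pure(total: int, percent: int) -> int:
    return total * (100 - percent) // 100


def functional_run() -> tuple[int, int]:
    """Same computation; the preview cannot touch the total because it never sees it by reference."""
    total = reduce(record_order_pure, [100, 50], 0)
    preview = preview_discount_pure(total, 10)
    return total, preview     # (150, 135): the total survives the preview


if __name__ == "__main__":
    print("procedural total after preview:", procedural_run())
    print("functional (total, preview):", functional_run())
```

Nothing in `preview_discount`’s name or signature warns that it mutates `totals`; you only find out by reading its body or by being bitten, which is the painful hands-on experience the post refers to. In the pure version the only way to change a value is to return a new one, so the effect of each call is visible at the call site.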

Vocabulary

A larger vocabulary comes with practice in both spoken and programming languages. The size of the dictionary or available libraries of a language is not a major factor in the initial learning of the language. Unknown words or functions are easy to look up.

Attitude

Finally there is one more crucial difference between learning a spoken language and a programming language: people who you interact with are often likely to go out of their way to try to understand what you’re saying when they realize that you’re trying really hard to learn their language. Computers are not so forgiving. Even the smallest error, for example a missing semicolon, will cause the computer to discard your entire program, even when it’s obvious to the computer where it should be placed,