Mack-the-Auditor Gets Audited! Part 3

This is the third of 3 posts; this post describes how I audited the auditors and my perspective on the whole thing.

Read the first post (background) and the second post (audit results).

Continue reading →

WordPress Hacked, Attackers Gain Root

On 4/13/11, WordPress announced it suffered a root-level hack of their servers and that “anything on those servers could have been revealed.”

Nothing is said about WHEN the hack occurred. From experience, I can tell you that you generally don’t announce a security incident until you’ve investigated it thoroughly, and that can take at least a day, sometimes more, depending on whether you have experts in-house or can get them in a hurry.

This attack directly affects only blogs or accounts hosted by WordPress (in other words, your blog URL ends with “wordpress.com”. If you host your own WordPress blog, you are indirectly affected. How? Since WordPress source code may have been compromised, attackers may be combing through it to find vulnerabilities that will allow them to attack any blog running WordPress, regardless of where it’s hosted.

If you have a blog or account that is hosted at wordpress.com, at least do the following immediately:

Continue reading →

Free Firewall Password (Just Ask)

A couple of weeks into a new job, I was told that I was now in charge of the Internet firewall. I suddenly realized I had two major problems:

1. I did not know squat about firewalls.
2. I did not know the firewall password.

Continue reading →

System Down + Humor – Calls = :)

Having a system go down is no laughing matter. But if you’re going to notify your users, why not do it with a little humor? It will work as long as you don’t flash the message too often.

I received the following pop-up message below from Yahoo today.

Continue reading →