PSA: December Zero Days Announced – MySQL, FreeSSH, Free FTPD

So it looks like we’re closing out 2012 in style. This weekend a number of new and very serious zero-day vulnerabilities were published for several very popular applications: MySQL, FreeSSH and Free FTPD.

Of the three, the most concerning is obviously MySQL. If you have listened to any of our security presentations you know that your application is but one piece of the puzzle, and that your environment is a critical component of that puzzle too.

MySQL is integral to any LAMP-based application (LAMP = Linux, Apache, MySQL, PHP), which includes many open source content management systems (CMS) such as WordPress, Joomla, Drupal, Magento, osCommerce and many more. The exposure is most serious in environments where MySQL is published to the world, i.e. not bound to the loopback interface, or with its port reachable from the internet, and that applies to VPS and shared hosting environments alike.
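The quickest way to know which side of that line your server is on is to check two things: what `bind-address` says in `my.cnf`, and what address the daemon is actually listening on. The following is an added example written for this page, not code from the original post or from MySQL itself; the `my.cnf` contents and the `ss -ltn`-style socket listing it inspects are constructed inline so it runs offline.

```shell
#!/bin/sh
# Added example, not code from the original post: audit whether a MySQL server
# is reachable from beyond localhost. Two checks are shown: the bind-address
# directive in my.cnf, and the address the daemon actually listens on, read
# from `ss -ltn`-style output. All sample inputs are constructed here.

# classify_bind ADDR: print "local" when ADDR restricts MySQL to the loopback
# interface, "exposed" for anything else. An empty ADDR (directive absent)
# also counts as exposed: on the MySQL versions current in 2012 the default
# was to listen on all interfaces.
classify_bind() {
  case "$1" in
    127.0.0.1|::1|localhost) echo local ;;
    *)                       echo exposed ;;
  esac
}

# bind_from_cnf FILE: value of the last bind-address line, or empty if absent.
# Trailing whitespace and inline comments after the value are stripped.
bind_from_cnf() {
  sed -n 's/^[[:space:]]*bind-address[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p' "$1" | tail -n 1
}

# exposed_listeners: read `ss -ltn` lines on stdin and print every local
# address that listens on port 3306 on something other than loopback.
exposed_listeners() {
  awk '$1 == "LISTEN" && $4 ~ /:3306$/ && $4 !~ /^(127\.|\[::1\]|localhost)/ { print $4 }'
}

# Constructed sample my.cnf: the weak setting that publishes MySQL to the world.
write_sample_cnf() {
  cat > "$1" <<'EOF'
[mysqld]
user = mysql
bind-address = 0.0.0.0   # reachable on every interface
EOF
}

# Constructed sample `ss -ltn` output: MySQL on all interfaces, Redis on loopback.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:3306        0.0.0.0:*
LISTEN 0      128    127.0.0.1:6379      0.0.0.0:*'

# audit_sample: run both checks against the constructed inputs.
audit_sample() {
  tmp=$(mktemp)
  write_sample_cnf "$tmp"
  addr=$(bind_from_cnf "$tmp")
  rm -f "$tmp"
  echo "my.cnf bind-address=${addr:-<unset>} -> $(classify_bind "$addr")"
  printf '%s\n' "$SAMPLE_SS" | exposed_listeners | sed 's/^/listening beyond loopback: /'
}

audit_sample
```

On a real host, replace the constructed inputs with your actual `my.cnf` and the output of `ss -ltn` (or `netstat -ltn`). If either check reports the server as exposed, the fix is `bind-address = 127.0.0.1` (or `skip-networking` when the application and database share a host) together with a host firewall rule that drops inbound 3306 from anywhere but trusted application servers. On shared hosting you usually cannot change this yourself, so ask the provider how their MySQL is bound.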

Is SPAM Campaign Due to Compromise?

*****Updated – 20121019*****

Both Matt Mullenweg and Barry Abrahamson, System Wrangler with Automattic, have confirmed that there was no environment-level compromise and that everything was isolated to individual user accounts.

Per their incident handling process they identified a brute-force-style attack that replayed a list of compromised email / password combinations obtained from third-party application[s].

People often use the same username and password on different sites, even though we all know we shouldn’t. If a password on a smaller site is compromised bad guys try it against the big ones like Twitter, Facebook, and If anything bad happens to a user we get in touch with them as soon as possible to assist them. –

At this point the severity is unclear, as nothing public has been released yet, but I would say the odds are not in their favor.

The Hacker News (THN) put out an article this morning titled: 15000 WordPress Blogs Hacked For Making Money From Survey Spam

Naturally my first reaction was, meh, it’s likely a fluke of some kind, but as I read it I became more suspicious. It all started with this email:


The Mission of Security Awareness

This article was written by Christopher Vera, CISSP, HISP, GCFA, GLEG for Sucuri.

Of all the elements of a successful cyber security program, security awareness is probably one of the least understood. Some cyber security professionals have even gone as far as to claim that security awareness doesn’t work, and their observations are not entirely unfounded. The key is that successful awareness programs must provide value to their audiences; when they don’t, they are ignored and therefore ineffective, plain and simple. Further, a security awareness program cannot protect a user from everything. With new platform-agnostic attacks bypassing even fully patched systems running host-based firewalls and the most recent anti-virus signatures, it’s easy to throw one’s arms up in frustration. But defense in depth is one of our most trusted principles: we understand that no single security control can protect us from every threat, otherwise we’d have tossed out our network firewalls years ago. The advantage of a successful security awareness program is that, compared with most technical controls, it is much less expensive to implement and maintain.
