WordPress updates

Auto-update convenience: WordPress upgrades itself to fix critical vulnerability

After yesterday’s upgrades of key WordPress plugins to fix a cross-site scripting vulnerability, the WordPress team released version 4.1.2, which it described as a critical security release.

“WordPress versions 4.1.1 and earlier are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site,” the WordPress team said in a blog post announcing the release. The release also fixed 3 other security issues including an SQL injection vulnerability in some plugins.

I got the notification of the new release past midnight. Years back, that would have meant that I’d need to stay up very late, download the latest release, upload the files to the server and perform the upgrade for each of the sites I’m running.

Wi-Fi piggybacking widespread, anti-virus firm warns

While setting up a Wi-Fi network for the PLDT myDSL connection at home earlier this week, I got a timely warning from a press release. Anti-virus company Sophos said many people now use someone else’s wireless Internet connection without their permission.

Sophos said 54 percent of 560 respondents who took their online survey admitted to using other people’s Wi-Fi connections without their permission. The survey is not scientific and I don’t see how you can see a “widespread” trend from it. But it does provide a timely warning to home users who have gone wireless.

Sophos said “many Internet-enabled homes fail to properly secure their wireless connection with passwords and encryption, allowing freeloading passers-by and neighbors to steal Internet access rather than paying an internet service provider (ISP) for their own.”

I don’t know how common Wi-Fi piggybacking is in Cebu or in the Philippines, save for anecdotal feedback from geeks I know. I’ve heard of maybe three persons who said they were able to use an unsecured wireless network.

Still, the absence of reports should not be a reason to be complacent and just leave your home Wi-Fi network unsecured. This absence of reports may be because none have been caught.

And with more mobile devices like phones having the capability to use Wi-Fi, the risk will only get higher.


Usernames, passwords of IT employment site revealed

ISAW, or Internet Security and Warfare, alerts users to a page on ITpros.ph that contains a listing of its members’ account details, including passwords, in plain text. ITpros.ph is designed to be “the Philippines’ key employment facilitator for the ICT industry.”

The page is searchable through Google and when I went over its listings, I spotted the account of someone that I know.

ITpros.ph EXPOSED PASSWORDS. A screengrab of account details listed in a page in ITpros.ph. The page lists the details, including passwords, in plain text.

I informed the person of it and he confirmed it was indeed his old account and the password listed there was indeed the one he used. I think this is potentially dangerous as most people use the same passwords for multiple accounts. I also spotted several accounts using “password” as password.

The availability of the page shows the potential risks of signing up to websites, what with the multitude of web 2.0 services cropping up all over the Web and the urge to immediately sign up for accounts. Most people I know use the same password for their e-mail and other web-based services. If one of these services is compromised and your account details are exposed, your other accounts are also at risk.

This is scary, don’t you think? I’m reorganizing my passwords. I’ll be using a different password for my blogs, GMail, AdSense and web server panel accounts. I’ll be using shorter ones for less important services. I’ll be using a new combination for signing up to websites–you know the type, the latest free web 2.0 service to be featured in Techcrunch.