WordPress Breach

April 15, 2011

The popular blog hosting site WordPress has been compromised – some source code and other proprietary information appears to have been copied. Apparently the intruders were not aware that most of the source code for the project is freely available under an Open Source license.

Trusted Identities

April 15, 2011

The National Strategy for Trusted Identities in Cyberspace, or NSTIC, will be publicly launched at an event at the Commerce Department this morning. The concept behind the initiative is simple: create a standardized authentication framework so that users don’t need to leave PII, or Personally Identifiable Information, in the hands of every web site where they need to handle personal matters.

There’s even an adorable little animation explaining the concept. A user can establish an account with any of a number of registrars, some of which are public and some of which are private. The registrar then issues an authentication token that can be used as proof of identity on sites that conform to the standard. Obviously, this depends heavily on maintenance of proper security at the registrar – but that’s still better than the current situation, where your doctor, your bank(s), your employer, etc. all have copies of your personal information, shielded only by a simple password.

It seems that the feds have really gone out of their way to make this vendor-neutral and decentralized; I hope it takes off. I’m sick of seeing headlines about massive data breaches harvesting tons of PII.


April 14, 2011

Another botnet, this one named Coreflood, has been taken down with the help of the courts. Court approval for the replacement of five US-based command and control servers enabled officials to dismantle the botnet, which was used for wire fraud and other illegal purposes.

Linksys WRT54G FTP Problem

April 12, 2011

An interesting post on Bugtraq this week: apparently the Linksys WRT54G home router allows for anonymous FTP. And, using that anonymous FTP connection, a file can be accessed that contains the authentication credentials for the rest of the router’s functionality.

This doesn’t look too difficult to weaponize.

Definition Monday: IPv6

April 11, 2011

Welcome to Definition Monday, where we define and explain a common technology or security concept for the benefit of our less experienced readers. This week: IPv6.

“I am a little embarrassed about that because I was the guy who decided that 32-bit was enough for the Internet experiment. My only defense is that that choice was made in 1977, and I thought it was an experiment. The probem is the experiment didn’t end, so here we are.

–Vint Cerf on IPv4 address space exhaustion

The Internet, as it has existed for a long time, is about to undergo a massive change. We are out of addresses.

The current addressing scheme for much of the Internet, especially here in the United States, is IPv4 (that is, Internet Protocol version 4). It is the “dotted quad” notation that you’ve no doubt seen before – four eight bit digits, from 0 to 254, separated by dots. Something like for the loopback address, or for your home broadband router.

Because these four digits are eight bits apiece, there is a maximum of 32 bits of address space available (actually, less than that due to various reservations and technical details, but ignore that for now). Thirty-two bits means 232, or roughly 4.2 billion addresses. Considering the world population is nearly seven billion, and that we also need addresses for servers and other network infrastructure, we clearly just don’t have enough to go around.

(I’ve mentioned in the past on this blog when exhaustion was imminent. Solutions like the Microsoft/Nortel buyout are, at best, extremely limited in the amount of time it buys.)

The solution to this, which has been available for years, is IPv6 (Internet Protocol version 6). Rather than being based around a 32 bit number for each node, IPv6 addresses are based around a 128 bit address. To the layman, this might look like a fourfold increase, but in fact, it’s much more than that. Moving from 232 to 2128 is an increase on the order of 296 times – that is, there are 7.92281625 × 1028 more addresses available in the new scheme. The assumption is that most home user Internet connections will be issued a “slash 64”, or a 64-bit address space; this is enough to host the entire current Internet, squared.


  • This should easily take care of any future scarcity issues. There are enough individual addresses in IPv6 to assign one to every molecule on planet Earth, with most of the pool left over. It’s a staggering amount of addresses.
  • IPv6 has many technical tools built into it from the ground up – things like autoconfiguration and IPsec encryption – that were clumsily grafted on to the IPv4 world.
  • This will restore the end-to-end nature of the Internet, where nodes can directly contact one another without hacks like NAT and PAT. Your home broadband router will no longer require “reserved” addresses in conjunction with port forwarding and other messy workarounds – instead, everything on your home network will have a unique, Internet-accessible address.
  • New sites, especially in China and the developing world, will be deployed on IPv6. If you want to communicate in the future with web sites that don’t exist right now, you need IPv6 connectivity.


  • Obviously, everything being directly connected to the Internet could require an increased emphasis on security. For too long, vendors have hawked NAT as a “firewall” solution, which it really isn’t – this will require some rethinking.
  • A lot of equipment will need to be replaced. Even now, in the year 2011, Cisco is selling Linksys branded network equipment that is not IPv6 compliant. And more than network equipment, everything on a network needs to be evaluated and possibly updated or replaced: firewalls, servers, SIEM systems, VPN concentrators, even simple appliances like NTP time sources.
  • The IPv6 way of doing many things is different; generally better, but different. There will be a significant learning curve, even for experienced network administrators.

All in all, the move to IPv6 will be a positive thing. But there’s a reason why the protocol has been available for a decade and we’re only now implementing it as a matter of necessity. It’s a huge, sprawling, complicated deployment, on the order of the Y2K fiasco, and it will require lots of careful thinking and analysis in your organization.


April 10, 2011

Sorry for the lack of posts last week – I was attending the EDUCAUSE Security Professionals Conference, so I wasn’t around to write anything. Things should be back to normal now that I’ve returned.

Fourth Amendment in the Cloud

April 10, 2011

According to the law currently on the books, email stored for more than 180 days in a hosting environment – including on so-called “cloud” servers like those of Hotmail or Gmail – is considered “abandoned” and can be obtained without a warrant. Efforts to rectify this mid-1980s legislative situation are being actively opposed by the Obama administration, who apparently feel that due process is a bit of a hassle and would rather not deal with the realities of how people now use email.

SQL Injection Attack

April 1, 2011

Nearly four hundred thousand URLs have been compromised by a massive spree of SQL injection attacks. The affected sites are being used to redirect visitors to fake antivirus software and other malicious content.

Happy Friday.