User and sysadmin mistakes allow intruder access in most cases

Recent studies from Verizon and Symantec show that malicious hackers almost always gain unauthorized access to computer systems because of misconfigured software and user errors. You don’t have to be a genius hacker to get into a supposedly secure system if a sysadmin left the door wide open, or if you can fool a gullible user into revealing their password.

As a user, you’re probably getting tired of being told to be careful when clicking links on the web and in email. But it’s good advice. If you receive an email message that includes a link, and tells you to click the link, think before you click. If someone asks you for your password, do not give it to them.

Chrome and Internet Explorer add security features

A new extension for Chrome called Password Alert helps users recognize when they’ve unknowingly entered their Google/GMail password on a phishing web page. The extension does this without itself compromising security. If you use Chrome, this extension is highly recommended. You can find the extension in the Chrome web store. Bruce Schneier has more.

Meanwhile, Microsoft is adding a feature to Internet Explorer that will warn users when they visit a site with ads that contain malware. The feature is expected to start working on June 1.

Update 2015May01: And just like that, Google’s Password Alert extension is shown to be extremely easy to bypass. Google issues an update, which is also shown to be seriously flawed.

Jeff Atwood on passwords

Noted technology blogger Jeff Atwood discusses passwords in a recent post on his entertaining and informative site Coding Horror.

Jeff wants web-based services to get better at both insisting on strong passwords, and helping users to choose those passwords; or to switch to authentication technologies provided by Facebook, Google, and others. Based on his testing, he also observes that passwords shorter than twelve characters are easy to crack using brute force methods.

WordPress 4.2 and 4.1.3

WordPress 4.2 was released yesterday. This version adds some new features and improves others. This is not a security-related update.

Updating to version 4.2 also seems to trigger several theme updates. On one of my sites, which uses a Twenty Eleven child theme, an update to the parent Twenty Eleven theme caused the site to stop working completely. I was able to resurrect the site by installing the Twenty Eleven theme again manually. Update: apparently one of the download servers had an incomplete copy of the theme. This problem has been resolved.

Confusingly, WordPress 4.1.3 was also released yesterday. Because it was released so soon after 4.1.2, it’s safe to assume that it contains more security fixes. However, details are sketchy at this point. There was no formal announcement of the release. The WordPress Codex entry for version 4.1.3 says ‘Fix database writes for esoteric character sets, broken in the WordPress 4.1.2 security release.’

WordPress sites configured for auto-updates will update themselves to version 4.1.3 over the next few days. Depending on the auto-update settings, WordPress sites may also update themselves to version 4.2, bypassing 4.1.3. This shouldn’t be a problem, since it’s safe to assume that any fixes in 4.1.3 are also in 4.2.

Your best bet at this point is to update your WordPress sites manually to version 4.1.3. Then start testing version 4.2; once you’re sure it’s not going to break anything, upgrade your production sites.

Critical security updates for WordPress and plugins

WordPress 4.1.2 was released on Tuesday to address a critical security vulnerability. Sites configured for auto-updates will be updated over the next day or so, but you might want to consider installing the update via the dashboard right now.

In related news, security researchers at Sucuri just published a list of popular WordPress plugins that contain serious XSS vulnerabilities. Most of these plugins already have updates addressing the issue. Check your WordPress sites for these plugins, and either update or disable them.

Google extends Chrome support for Windows XP

Recognizing that millions of people are still using Windows XP, Google has extended support for that O/S in their web browser. That means they will continue to develop fixes for security issues in Chrome running on Windows XP. Anyone still using Windows XP is strongly encouraged to stop using Internet Explorer, which is no longer supported by Microsoft, and use Google Chrome instead.

Malvertising shows no sign of slowing down

Nasty malware, hidden inside a phony ad that appeared on the Huffington Post web site, was exposed to thousands of users earlier this week. The Flash-based ad was delivered via Google’s DoubleClick advertising network. And this wasn’t even the largest malvertising exposure this week.

Google had better get to work on fixing this, or it will start eating into their primary revenue source.
