Original ExistDifferently.com Weblog of David, a Christian Network and Systems Manager, with topics ranging from Apologetics to Worldview, and some crypto, open source, programming, opinion, and daily life thrown in between.

Sun, 2007-03-04 (Mar 04)

WordPress 2.1.1 Dangerous, upgrade!

The official WordPress development blog is reporting that WordPress version 2.1.1 was compromised by a malicious hacker and anyone who downloaded that version in the past several days needs to upgrade immediately to version 2.1.2. Many more details at that link; I checked the two files they mentioned (feed.php and theme.php in the wp-includes folder) and I got one of the infected versions! If you do a “diff” and compare an infected file with one from the 2.1.2 download the infected line becomes obvious. The vulnerability, as far as I can tell, allows an attacker to easily execute any command on the system that’s allowed by the user PHP is running as by using a specially (but easily) crafted query string.
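One way to do that comparison across a whole install rather than two files at a time, as an added example (not from the original post or from the WordPress project): a POSIX shell function that walks a clean, freshly downloaded copy of the release and reports every file that is modified, missing or extra in the installed tree. The directory names and file contents in the demo are constructed placeholders, not real WordPress files.

```shell
#!/bin/sh
# Added example (not from the original post or the WordPress project):
# compare an installed WordPress tree against a clean, freshly downloaded
# copy of the same release and report every file that differs.
# A tampered release file shows up as MODIFIED; a file dropped into the
# install that the release never shipped shows up as EXTRA.

# list_modified REF_DIR INSTALL_DIR
#   prints one line per finding: "MODIFIED <path>", "MISSING <path>" or
#   "EXTRA <path>", with paths relative to the two tree roots.
list_modified() {
    ref="$1"
    inst="$2"

    # Pass 1: every file in the clean reference must exist unchanged in the install.
    (cd "$ref" && find . -type f | LC_ALL=C sort) | while IFS= read -r f; do
        rel="${f#./}"
        if [ ! -f "$inst/$f" ]; then
            printf 'MISSING %s\n' "$rel"
        elif ! cmp -s "$ref/$f" "$inst/$f"; then
            printf 'MODIFIED %s\n' "$rel"
        fi
    done

    # Pass 2: files present in the install but absent from the reference.
    (cd "$inst" && find . -type f | LC_ALL=C sort) | while IFS= read -r f; do
        if [ ! -f "$ref/$f" ]; then
            printf 'EXTRA %s\n' "${f#./}"
        fi
    done
}

# Demo on constructed directories (placeholder contents, not real WordPress files).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/ref/wp-includes" "$tmp/inst/wp-includes" "$tmp/inst/wp-content"
    printf '<?php // constructed stand-in for feed.php\n'    > "$tmp/ref/wp-includes/feed.php"
    printf '<?php // constructed stand-in for theme.php\n'   > "$tmp/ref/wp-includes/theme.php"
    printf '<?php // constructed stand-in for version.php\n' > "$tmp/ref/wp-includes/version.php"
    # untouched copy
    cp "$tmp/ref/wp-includes/theme.php" "$tmp/inst/wp-includes/theme.php"
    # tampered copy: one constructed extra line appended
    { cat "$tmp/ref/wp-includes/feed.php"; printf '// constructed extra line\n'; } \
        > "$tmp/inst/wp-includes/feed.php"
    # file the release never shipped
    printf '<?php // constructed unexpected file\n' > "$tmp/inst/wp-content/dropped.php"
    # version.php is deliberately left out of the install to show MISSING
    list_modified "$tmp/ref" "$tmp/inst"
    rm -rf "$tmp"
}

demo
```

Run it from any directory; the reference copy should come from a fresh download of the exact same version that is installed, since comparing 2.1.1 against a 2.1.2 tarball also flags every legitimate change between the two releases. Files reported as MODIFIED or EXTRA are the ones to open in `diff` as the post describes.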

I’m still running 2.0.3 here as I write this, but I’m going to upgrade to 2.0.9 soon; I can’t run the 2.1.* series yet because I don’t have MySQL 4+ installed on my server yet.

Thanks to security blogger Martin McKeay, whose post was my first warning!

Tue, 2007-02-13 (Feb 13)

VA loses doctor and patient data – again!

Filed under: Blog,General,In The News,Security,Tech (General) — David @ 00:30

You’d think they’d have learned by now, but nope: 1.8 million records from patients, and doctors too this time, have been lost or stolen from a VA research facility. They aren’t sure yet whether the data was lost or stolen, but, according to that article from GovExec.com, “A VA research assistant was using the physician data to analyze VA health care providers and compare them to non-VA providers, according to a statement from the department. The research assistant used the hard drive to back up information contained on an office computer, and the data is not believed to have been encrypted.”

This is the VA’s third data breach in less than a year, and I can only imagine the negative press and blog coverage this one’s going to get! At least the VA should be the most secure organization for data by the time they’re done cleaning up (again) after this mess! (Maybe that last sentence would drip with less sarcasm if this wasn’t their third breach.)

This seems to be a pretty new story; one of the earliest ones I see in Google News after a quick scan is only 19 hours old, but most places have only written about it in the last 6 hours or less. I do see a couple of stories like this one from yesterday (Feb. 11th), but they just now appear to be getting widespread. Should see some comments from security bloggers like Martin McKeay and Bruce Schneier pretty soon, I would imagine.
