Website 1: Updated WordPress Version
This website owner updated their version of WordPress. A minor error in the administrative settings allowed a hacker to register as a user. Because the software was up to date, the hacker got no farther than joining as a subscriber. No damage was done, no reinstalling of files was needed, and no major overhauls were warranted.

Website 2: WordPress Was Not Updated
The WordPress admin for the second website did not upgrade their WordPress platform. The same minor error mentioned above allowed the hacker to register as a user. However, since the software was out of date the hacker was then able to change themselves to an administrator. They then added other fake users, hid new admins they created, and changed various settings. They also changed the permalink structure to redirect users to potentially harmful websites. An afternoon’s worth of work was required to completely sanitize the website to make it safe once again.

The Importance
Weeks ago, the WordPress community found a hole in the security and the issue was promptly fixed. Once it was resolved, an update was distributed. In fact, the past two software updates included this security patch. People who had not updated their software recently were exposed to the worm and a lot of website owners have been affected. They felt the affect of not staying on top of their updates. The rest of the community was more protected from the attack.

If you want to read more about the importance of updating your WordPress software, Matt Mullenweg wrote a good article on the WordPress blog.

Please let me know if you have any questions concerning your current version of WordPress or if you are confused about updating your version of WordPress.

Stay safe out there!

Jeff’s Advice To Me… And You
Jeff, who provided excellent customer service, and I spoke about our situation. To help you with your website, here is the rundown I received.

• Stay on top of your blog and its members. Try to catch possible issues early before users have a chance to do harm to your website.
• If you can do it, turn off the “anyone can register” option under general settings of your WordPress blog.
• Change your password frequently and use something alphanumeric with lowercase letters, capital letters, and typographical symbols.
• Check out Google Webmaster Tools. In general they provide good information for your website. An added benefit, is that if you have any red flags from being hacked they will let you know here.
• Run virus scans on your computer to make sure you do not have any viruses or spyware. This is a “just-in-case” measure for extra protection for you, your computer, and your website.

We Are Not Just About Security
I know a lot of the past few blog posts have been about personal, blog, and online security. Please know this is just a temporary subject given all of the things that have been happening around Triune Designs and the web in general. We should be resuming our “normal programming” quite soon.

In case you have not been following along on TechCrunch (TC) lately, let me fill you in. The online tech publication recently received over 300 documents from a hacker who retrieved sensitive business information from the executives at Twitter. These documents included Twitter’s financial details, executive-level meeting notes, and various documents outlining Twitter strategies, goals, and processes. Using this information, TC wrote a series of behind-the-scenes articles about Twitter and their plans for the present and future.

Security Holes
The Anatomy article reveals exactly how the hacker gained access to Twitter’s sensitive information. Hacker Croll (HC), as he wanted to be called, gained access through a Twitter employee’s Gmail account.

1. HC accessed Gmail for a Twitter employee by using the password recovery feature that sends a reset link to a secondary email. In this case the secondary email was an expired Hotmail account, he simply registered it, clicked the link and reset the password. Gmail was then owned.
2. HC then read emails to guess what the original Gmail password was successfully and reset the password so the Twitter employee would not notice the account had changed.
3. HC then used the same password to access the employee’s Twitter email on Google Apps for your domain, getting access to a gold mine of sensitive company information from emails and, particularly, email attachments.
4. HC then used this information along with additional password guesses and resets to take control of other Twitter employee personal and work emails.
5. HC then used the same username/password combinations and password reset features to access AT&T, MobileMe, Amazon and iTunes, among other services. A security hole in iTunes gave HC access to full credit card information in clear text. HC now also had control of Twitter’s domain names at GoDaddy.
6. Even at this point, Twitter had absolutely no idea they had been compromised.

Your Security
In terms of online security and privacy, this is a horror story at its finest. Jason, Freddy, and all the others would be jealous.

Web developers are always a little paranoid of security and (hopefully) try to minimize the number of security holes on a given website. This mindset should apply to everyone, though. As more of our (and our companies’) information heads on-line we need to stay mindful of keeping our data more secure.

Quick Security Tips
Here are a few quick tips for increasing your security.

• Have a different password for every on-line account.
• Change your passwords regularly
• Keep your password retrieval options up to date.
• Consider changing your security questions to things that are not true, but that you will remember.
• Keep all of your on-line apps and computer software up-to-date. (i.e. make sure you are running the latest WordPress version available. Make sure you are running the latest version of Internet Explorer, Safari, or Firefox.)
• Always be careful with email and any attachments. This is especially true if the email comes from an unknown sender or from your bank, credit card company, etc.

If you have any other online security suggestions please throw them down in the comments.

Many Thanks
Thanks to TechCrunch, Twitter (reluctantly I am sure) and H. Croll for providing us with this great example our fragile online security.

The bank vault image is courtesy of Anonymous Account and can be found on Flickr.