Symantec measures identity value at $18

People used to ask for it for free, but now, thanks to Symantec, you can tell everyone that they must pay you $18 first. Based on some amazing analysis of “its offices in more than 180 countries and from some of the 120 million users of its security products”, Symantec has revealed the market value:

All of your personal banking and credit card information, your birth date and your social insurance data are worth about $18 US on the Internet, according to a study released today.

But wait, there’s more. Symantec also has announced that China is now part of Europe, and that these Sino-Europeans are to blame for a “surge” in hijacked computers world-wide. Why? Because they are so uneducated, of course. See for yourself:

Ollie Whitehouse, senior consulting services director at Symantec, said: “This rise in the number of infected computers can certainly be attributed to the rise in the online population of countries like China and Spain, in Europe [emphasis added].

“There is almost an educational curve that the users and service providers have to go through. Unfortunately when certain countries go through rapid increases in connectivity and availability of technology that curve is not always kept up.

Typo? I could not make this stuff up if I tried. Someone should tell the BBC there’s a mistake, or perhaps even whisper to Symantec that China is not in Europe. More importantly, bad software and improper default configuration, or perhaps even culture, probably have a lot more to do with the “spread” of hijacked operating systems than some measure of user “educational curve”. Even more interesting might be the fact that the curve is reversed, that the more educated the user population the more they try to hijack computers! I might just have to do the analysis on this to figure out what’s really going on.

In the meantime, here’s the icing on the Symantec cake. Warning! Warning! They warn you that hijacked PCs are on a sharp rise in the world. They say a plague of targeted attacks is coming. Oh, thank you Symantec for sounding the clarion horn in such a distressed sea of information…all of which brings me to their clever Threat-O-Meter:

Grassy Green

Green? We’re at code green?

Yahoo! has defined this as “Recommended action: None”

y!lertcon

Big difference, no?

Disclaimer: I was partly responsible for oversight of the new Yahoo! security site and argued extensively with the marketing folks. I would not allow the Threat-O-Meter to be on the page unless meaning was also provided (per the true intent of declaring an “alert condition” or LERTCON). I specifically fought to prohibit its use until some kind of specific action like “scan for virus x” was included for each color/number. Glad to see that this was taken to heart and is still there so I now can point to it when executive management (or anyone else, really) comes running and says “oh my goodness, have you seen the Symantec report…what do we need to do?”

WordPress XSS

An input validation flaw in WordPress has me wondering about switching platforms. It’s not the flaw itself, but the lack of notification that’s getting me.

The variable handling XSS vulnerability was reported over the weekend.

PHP_SELF variable is not properly sanitized before output and it can be used to conduct an XSS attack over WordPress’s CSRF protection.

[…]

A successful attack would require that the logged-in user has write capabilities over theme files; also, the attacker must know the current theme of the target site.
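To make the advisory concrete, here is the generic shape of a PHP_SELF reflection bug as an added illustration. This is not WordPress’s code and not the exploit from the discussion thread; the page path, form and token field name are constructed for the example. PHP_SELF is built from the request URI and keeps any trailing PATH_INFO the client supplies, so echoing it raw into an attribute lets a crafted path close the attribute and inject markup. Because the injected script then runs same-origin on a page that carries the anti-CSRF token, it can read that token, which is why the advisory says the XSS works “over” the CSRF protection.

```php
<?php
// Added example: generic PHP_SELF reflection, not WordPress code.
// PHP_SELF is derived from the request URI and includes client-supplied
// PATH_INFO, so a request for /page.php/"><script>... arrives with that
// tail verbatim in $_SERVER['PHP_SELF'].

function vulnerable_form(string $php_self): string {
    // Raw interpolation into an attribute: a double quote inside the
    // path closes action="..." and the rest becomes live markup.
    return '<form action="' . $php_self . '" method="post">'
         . '<input type="hidden" name="token" value="t0k3n">'  // illustrative CSRF token
         . '</form>';
}

function hardened_form(string $php_self): string {
    // Encode for the HTML attribute context. ENT_QUOTES also encodes the
    // single quote, so the same helper is safe in single-quoted attributes.
    $safe = htmlspecialchars($php_self, ENT_QUOTES, 'UTF-8');
    return '<form action="' . $safe . '" method="post">'
         . '<input type="hidden" name="token" value="t0k3n">'  // illustrative CSRF token
         . '</form>';
}

// Constructed hostile value, equivalent to what a browser request for
// /page.php/"><script>alert(document.cookie)</script> would produce.
$hostile = '/page.php/"><script>alert(document.cookie)</script>';

// Normal value for comparison; both functions render it identically.
$benign = '/page.php';

echo vulnerable_form($hostile), PHP_EOL;  // attribute closed, script tag live
echo hardened_form($hostile), PHP_EOL;    // quotes and angle brackets entity-encoded
echo hardened_form($benign), PHP_EOL;
```

Encoding fixes the symptom; the better design is to not reflect PHP_SELF at all. A form that posts back to itself can use a fixed, server-side path (or omit the action attribute entirely), and anything that does come from the request still gets encoded for the context it lands in.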

Here’s the supposed timeline:

03/08/2007 – Bug found
03/15/2007 – Vendor contact
03/16/2007 – WordPress 2.0.10-RC2 and 2.1.3-RC2 releases

But if you look at the current upgrade page, there’s no mention of the flaw or release candidates.

The latest version, WordPress Version 2.1.2 (http://wordpress.org/development/2007/03/upgrade-212/), was released to the public on March 2, 2007.

I can certainly understand if they are hesitant to pre-announce a stable build, but a little acknowledgment/warning of the problem would be nice for those of us who would like to see an authoritative response rather than just the chatter.

UPDATE (20 Mar 2007): The attack discussion thread continues and some clever ducky has just posted a fine XSS exploit. I tested it a minute ago and it definitely works on the stable release. I still do not see any alert on the official WordPress site. Hello? Hello?

Critical vulnerabilities on Cisco, Sun, Apple

I had this scheduled for later today, but the severity is high enough I thought I should just go ahead and let it post.

  • Mac OS X arbitrary code execution details and patches (Security Update 2007-003) are available here.
  • Sun Solaris 10’s alert on code execution due to Adobe Reader can be found here.

    Multiple security vulnerabilities in the Adobe Reader may allow remote unprivileged users to execute arbitrary code. This includes a cross-site scripting (XSS) vulnerability that may allow a remote unprivileged user to inject arbitrary JavaScript into a browser session.

  • And Cisco has just updated their critical warning on certain switches.

    Cisco Catalyst 6000, 6500 series and Cisco 7600 series that have a Network Analysis Module installed are vulnerable to an attack, which could allow an attacker to gain complete control of the system. Only Cisco Catalyst systems that have a NAM on them are affected.

All that in addition to Microsoft’s cleverly disguised security patch for March.

Busy days with long hours…or as Wong Phui Nam once wrote:

against the margin of encroaching sleep
where I anticipate only, a waking
to vague remembrance of a harrowing in my dream.

Don’t forget the proposed laws of vulnerabilities, including that “80% of exploits are available within the first half-life period of critical vulnerabilities” (the half-life being 19 days for external systems and 48 days for internal ones).

Eight Bells of Homer

A Whistler etching caught my eye the other day. It was sitting perched in a store window and after a moment I went inside to get a closer look. A simple, small and beautiful work, it showed the talent in Whistler’s hand for subtle and small details as well as his awkward disinterest or dabbling in the foreground.

whistler-billingsgate

Then the gallery directed me towards some other etchings, as well as the odd Ernst “Sign for a School for Pirates”, and I wandered a bit until I noticed an original and giant Winslow Homer etching titled “Eight Bells”.

Wow.

I could go on about the history of this work, and how hard it must have been to transfer to an etching, but it’s well documented on the web already. I just wanted to say I was completely blown away by the amazing detail he managed to capture in the water and clouds, and that I was really surprised to see how he supposedly hid the image of his father in a small section. Can you find it?

The effect in this work is so dramatic, steganography or not, it really has to be seen in person to be believed.

8bells-painting

8bells-etching