WordPress Hacked

WordPress.com has reported a breach of their site — root access was obtained but the exposure was contained.

While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited.

Some ask in the WordPress.com blog comments whether “sensitive bits” could be API keys and tokens for partner sites like Twitter. So far WordPress has downplayed this risk.

WordPress.com also notes their password hashes are stronger than just unsalted MD5 thanks to Solar Designer’s phpass. They incorporated the stronger hash algorithms with salt since the beginning of 2008 (version 2.5).

It might be worth noting that Solar Designer is also known for developing John the Ripper, a password cracking tool, and he has warned of potentially weak implementations of phpass.

The openness of WordPress.com and the details of their password security practices should be seen as a sliver of good news, at least compared with the Barracuda and HB Gary incidents that brought unsalted MD5 hashes to light. The risk may be lower with salted, strong hashes, but even those can be recovered, so WordPress responded by giving its users the following usual advice:

  • Use a strong password, meaning something random with numbers and punctuation.
  • Use different passwords for different sites.
  • If you have used the same password on different sites, switch it to something more secure.

The breach does not affect independent and self-hosted WordPress sites.

The Poison of Sugar

Gary Taubes gives an extremely thorough and supportive review in the NYT of Robert Lustig’s argument that sugar should be evaluated as poisonous. It’s a sticky issue (pun intended) as illustrated with feats of acrobatic marketing by the junk food industry.

In the early 1980s, high-fructose corn syrup replaced sugar in sodas and other products in part because refined sugar then had the reputation as a generally noxious nutrient. (“Villain in Disguise?” asked a headline in this paper in 1977, before answering in the affirmative.) High-fructose corn syrup was portrayed by the food industry as a healthful alternative, and that’s how the public perceived it. It was also cheaper than sugar, which didn’t hurt its commercial prospects. Now the tide is rolling the other way, and refined sugar is making a commercial comeback as the supposedly healthful alternative to this noxious corn-syrup stuff. “Industry after industry is replacing their product with sucrose and advertising it as such — ‘No High-Fructose Corn Syrup,’ ” Nestle notes.

But marketing aside, the two sweeteners are effectively identical in their biological effects. “High-fructose corn syrup, sugar — no difference,” is how Lustig put it in a lecture that I attended in San Francisco last December. “The point is they’re each bad — equally bad, equally poisonous.”

As much as I hate both sugar and high-fructose corn syrup, I disagree. Here’s how he tries to drive the point home.

Because each of these sugars ends up as glucose and fructose in our guts, our bodies react the same way to both, and the physiological effects are identical.

I disagree because there is weak evidence that our bodies are the same, let alone that each body will “react the same” to different sugars. This difference in effect is no great secret if you look at the study and evolution of sports nutrition.

A related example is how some are affected differently by the lactose of various milks. Some people digest all forms of milk without noticing any differences. Those more sensitive to lactose, however, typically reject cow milk yet have few issues with camel or goat milk.

Along these lines, since I was a child I have run numerous tests (granted, not always very scientific or blind) that consistently demonstrate to me that high-fructose corn syrup has a very different effect on me than other forms of sugar.

The culmination of my research was in 2000 when I would eat two to three “health bars” during the day. I noticed right away that the days when I ate bars with high-fructose corn syrup I was less productive, less focused in my writing. I then started to isolate the bars by ingredients.

After just three weeks I found that Luna bars, sweetened without any high-fructose corn syrup gave me a boost of energy yet any bar that had high-fructose corn syrup would slow me down and sometimes even prevent me from thinking clearly.

Like removing caffeine or alcohol from a diet, after I had eliminated all high-fructose corn syrup from my diet its effect became even more pronounced. Now, very soon after high-fructose corn syrup, I notice a significant negative effect on mental acuity. Taubes points out a difference between “chronic toxins” and “acute toxins”. With that in mind it seems I treat high-fructose corn syrup as acute and other forms of sugar as chronic.

At the same time, despite all the non-fat marketing and advice, I have not found any link from the fat in nuts, vegetables and meat to obesity. I never accepted skim or low-fat milk as a step to health. It simply does not make sense to me and I have never noticed that effect. This is raised by Taubes as well.

…many of the key observations cited to argue that dietary fat caused heart disease actually support the sugar theory as well. During the Korean War, pathologists doing autopsies on American soldiers killed in battle noticed that many had significant plaques in their arteries, even those who were still teenagers, while the Koreans killed in battle did not. The atherosclerotic plaques in the Americans were attributed to the fact that they ate high-fat diets and the Koreans ate low-fat. But the Americans were also eating high-sugar diets, while the Koreans, like the Japanese, were not.

Strange that it is taking so long for nutritionists to move ahead and advance their research and understanding of risks. Apparently there is very little work done in America on clinical trials that would help understand sugar and high-fructose corn syrup. That makes risk management far more difficult for consumers than necessary or safe. It is like being told to run a network without the means to look at the logs for breaches or inspect any traffic for malicious code.

The Art of Remembering Everything

The New York Times, in a book review of Moonwalking with Einstein by Joshua Foer, makes some interesting points related to information security and metaphysics.

…memory is intricately tied to identity; we are a product of our own experiences. What we perceive is shaped by what we have perceived before; what we learn is bootstrapped on past learning. Amnesia seems to many so horrifying because it robs us of our own autobiography, and thus, it seems, ourselves. If on no other ground, most Americans are joined in our shared desire to improve the curious, elusive faculty we call “memory.”

[…]

This seeming sleight of hand — memorize X in order to remember Y — takes advantage of a simple fact of human cognition: we naturally remember visual images.

Barracuda Networks Breached via SQL Injection

HMSec claims a Barracuda Networks “customer_verticals.php” page has led to a breach of the company’s sensitive data. A list of databases, usernames, and password hashes has been posted as proof of the exploit.

Barracuda Networks is perhaps best recognized for developing a fleet of tired old fuel guzzling vehicles they drag around for marketing campaigns to promote “email and web security” products.

Barracuda Gas Burner

At RSA 2011 in San Francisco the company publicized that they were sparing no expense to rent a strip club for an invitation-only “VIP” party. Although they did their best to promote the event as exclusive and posh, little could be done to hide the fact that the club is known locally for its $5 buffet including peep show.

The company may be asking itself now whether the cost spent appealing to desires of a certain demographic was balanced versus the cost of securing sensitive customer data against the much larger and greater diversity of attackers…. Could this be a good candidate for a MasterCard “priceless” commercial?

Back to the point, the evidence posted shows not only the continued risk of remote SQL injection, including blind attacks, but yet another database of unsalted MD5 hashes (note the duplicate hash values: root has the same hash as another user, which with unsalted hashing means the same password) has been exposed within a security product company.
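To make the contrast between the WordPress post (salted, stretched phpass hashes) and the Barracuda dump (unsalted MD5 with duplicates) concrete, here is an added example that is not code from either company or from phpass itself: it reimplements phpass's portable $P$ hash in Python and shows why an unsalted MD5 dump exposes shared passwords while salted hashes do not. The test vector is phpass's own and the cost character 'B' is WordPress's default; the user names and passwords in the dump are constructed.

```python
import hashlib
import os

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _encode64(data: bytes, count: int) -> str:
    """phpass's own base-64 variant (not RFC 4648): little-endian, 3 bytes -> 4 chars."""
    out = []
    for j in range(0, count, 3):
        chunk = data[j:min(j + 3, count)]
        value = int.from_bytes(chunk, "little")
        for k in range(len(chunk) + 1):  # a 1- or 2-byte tail yields 2 or 3 chars
            out.append(ITOA64[(value >> (6 * k)) & 0x3F])
    return "".join(out)

def phpass_crypt(password: str, setting: str) -> str:
    """Portable phpass hash: '$P$' + cost char + 8-char salt + 22 chars of encoded MD5 chain."""
    count_log2 = ITOA64.index(setting[3])  # the cost character encodes log2(iterations)
    if setting[:3] not in ("$P$", "$H$") or not 7 <= count_log2 <= 30:
        raise ValueError("not a portable phpass setting")
    salt, pw = setting[4:12].encode(), password.encode()
    h = hashlib.md5(salt + pw).digest()  # the salt makes equal passwords hash differently
    for _ in range(1 << count_log2):  # stretching: 2**count_log2 further MD5 rounds
        h = hashlib.md5(h + pw).digest()
    return setting[:12] + _encode64(h, 16)

def hash_password(password: str, count_log2: int = 13) -> str:
    """New random salt per call; WordPress's default cost char 'B' means 2**13 rounds."""
    setting = "$P$" + ITOA64[count_log2] + _encode64(os.urandom(6), 6)
    return phpass_crypt(password, setting)

def check_password(password: str, stored: str) -> bool:
    return phpass_crypt(password, stored) == stored

# Constructed dump in the shape of the Barracuda leak: unsalted MD5, root sharing a hash.
CONSTRUCTED_DUMP = {
    "root": hashlib.md5(b"summer2011").hexdigest(),
    "webadmin": hashlib.md5(b"summer2011").hexdigest(),
    "support": hashlib.md5(b"correct horse").hexdigest(),
}

def duplicate_md5_users(dump: dict) -> list:
    """Unsalted MD5 leaks equal passwords as equal hashes: list user groups sharing one."""
    by_hash = {}
    for user, digest in dump.items():
        by_hash.setdefault(digest, []).append(user)
    return [sorted(users) for users in by_hash.values() if len(users) > 1]
```

Hashing the same password twice with hash_password gives two different strings, so a dump of phpass hashes does not reveal which accounts share a password the way the unsalted dump does.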