• 27Feb
    Author: ned Categories: Security Comments: 0

(Figure: WordPress versions)

    We run WordPress for our blog and like it.  I have been debating whether to upgrade the barkingseal.com WordPress installation – we were at version 2.6.5 and it didn’t look like there were any important security issues fixed in 2.7 and 2.7.1.  Patching is all about balance – the risk of security vulnerabilities versus the risk and effort of applying the upgrade.  Plus, in this case, I sure don’t want to be too far behind the Web 2.0 curve (a little bit of sarcasm).

For a little guidance, I looked to the “big dogs” – how up-to-date are the most well-known WordPress sites?  Yesterday, I ran a quick scan of all 354 sites listed in the WordPress Showcase to see how we compared.  Sadly, not only are many sites not running WordPress 2.7+, but almost half (44%) are running a version older than 2.6.5.  2.6.5 was released in November 2008 and did fix important security problems.  Wow… four months later and 44% of these leading WordPress sites still haven’t updated!

    Read more »

  • 26Feb
    Author: ben Categories: Infrastructure, Security Comments: 0

    I was surprised to see a lack of usable documentation for installing SSL certificates on a BEA Weblogic server. Most of the big Certificate Authorities have some instructions, but they’re certainly not complete and some are outdated. BEA’s documentation is literally written in pseudo code with If-Else statements. Hopefully these instructions will help somebody out there. Read on for specific directions on generating a request and installing the certificate.

    Read more »

  • 16Feb
    Author: admin Categories: Infrastructure, Security Comments: 1

I just finished reading the most recent issue of the Barking Seal Newsletter (read it here).  A particular section that caught my interest talked about using DNS to thwart spammers and specifically touched on the importance of using DNS to aid mail servers in performing sanity checks.  I think the mail server is an easily overlooked component when attempting to secure an infrastructure, and in this series of posts I’ll talk about what steps you can take to secure it.

Oftentimes you’ll hear about worms or spammers that exploit open mail relay servers in order to spoof email.  I’ve never really understood the purpose of bothering to find an open relay server when 90% of mail servers allow anonymous requests and do no form of reverse lookup validation (OK! 83% of facts are made up on the spot, but seriously, it’s a large percent).

That’s where SPF records come into play.  It is very easy to send spoofed email to any domain whose mail server does not perform SPF record validation, that is, compare the connecting sender’s IP address to the list of IP addresses that the apparent sending domain has published as authorized to send mail on its behalf.

    What does an SPF record look like?  Let’s take a look at Applied Trust’s…

    Read more »
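The check described in the post, comparing the connecting client’s IP address against the addresses a domain publishes in its SPF record, is simple enough to show in full. The following is an added example, not code from the original post or from Applied Trust; the record and IP addresses are constructed from documentation ranges (192.0.2.0/24, 198.51.100.0/24, 2001:db8::/32) rather than any real domain’s record. It handles the ip4, ip6 and all mechanisms with their qualifiers (+ - ~ ?) and deliberately stops at mechanisms that would need a DNS lookup (a, mx, include, exists), so it runs offline.

```python
import ipaddress

# Constructed sample record for a hypothetical domain (not a real domain's published record).
SAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ~all"

# Qualifier prefix -> SPF result when the mechanism matches; "+" is the default.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Mechanisms whose evaluation requires DNS queries; excluded here to stay offline.
DNS_MECHANISMS = {"a", "mx", "include", "exists", "ptr"}


def parse_spf(record):
    """Split a TXT record into (result_if_matched, mechanism, argument) directives."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    directives = []
    for term in terms[1:]:
        if "=" in term:
            # Modifiers such as redirect= or exp= are not handled in this example.
            continue
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        directives.append((QUALIFIERS[qualifier], name.lower(), arg))
    return directives


def check_sender(sender_ip, record):
    """Evaluate the connecting IP against the record; returns pass/fail/softfail/neutral."""
    ip = ipaddress.ip_address(sender_ip)
    for result, mechanism, arg in parse_spf(record):
        if mechanism == "all":
            # "all" always matches, so whatever qualifier it carries is the final answer.
            return result
        if mechanism in ("ip4", "ip6"):
            network = ipaddress.ip_network(arg, strict=False)
            if ip.version == network.version and ip in network:
                return result
            continue
        if mechanism in DNS_MECHANISMS:
            raise NotImplementedError(f"mechanism {mechanism!r} needs DNS resolution")
        raise ValueError(f"unknown mechanism {mechanism!r}")
    # No directive matched and no "all" was present: the default result is neutral.
    return "neutral"


def should_reject(sender_ip, record):
    """A conservative policy: refuse the message only on a hard fail."""
    return check_sender(sender_ip, record) == "fail"


if __name__ == "__main__":
    for candidate in ("192.0.2.10", "2001:db8:1::5", "198.51.100.7"):
        print(candidate, "->", check_sender(candidate, SAMPLE_SPF))
```

With the sample record, a connection from 192.0.2.10 or 2001:db8:1::5 passes, while 198.51.100.7 falls through to the trailing ~all and gets softfail, which most sites log or tag rather than reject; changing the record to end in -all turns that into a hard fail that should_reject acts on.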

  • 02Feb
    Author: ned Categories: IT Management, Ramblings Comments: 1

I recently passed my ITIL v3 Foundation Certification Exam, having studied both the best and worst study guides I could find.  After my last bitter rant, I figured I would share a positive review.  If you’re already familiar with ITIL concepts and processes, The Art of Service’s “Exam Prep Study Guide: ITIL v3 Foundation” is the golden ticket.  It provides concise, 2-page summaries of each Service Design and Service Delivery process, including the process’s business goals, basic concepts, and key terms.  It covers in 90 pages (with nice, fat 14-point text) what the official ITIL books cover in hundreds.

If you are new to IT operations processes (such as change/incident/problem/configuration/capacity management), you should probably attend an ITIL Foundations training course.  However, if you have some hands-on ITIL experience, or experience with other comparable IT operations models (like MOF), you should buy this book today and pass your ITIL v3 Foundations test tomorrow!
