INFOSEC 101: Breaking Down Scary Terms and What They Mean


I am not a hacker. But I understand the information security world. It’s a scary place, unfortunately, to people who have no exposure to it. Yesterday, WordPress 3.0.4 was released as a critical release… and it was. Matt explained the reason for the release in this way:

Version 3.0.4 of WordPress…is a very important update to apply to your sites as soon as possible because it fixes a core security bug in our HTML sanitation library, called KSES. I would rate this release as “critical.”

Simple enough. He goes on to refer to the vulnerability as an XSS vulnerability which caused a bit of angst on Twitter about what that means and if non-technical users should be given more information due to the terminology.

So, as a public service, I give you some basic definitions and concepts of web security and what we mean. These concepts are rightly scary, but the names tend to be scarier to those who don’t understand them.

XSS

XSS means cross-site scripting. Cross-site scripting attacks generally occur because something is injected into a URL or “event” on a site to make the site do something else. “Something else” can mean “hijacking” a site so that all visitors are sent somewhere else, or injecting special HTML into the site (often in the form of hidden links that diminish the site’s Google search results, etc.). This was the nature of the vulnerability fixed in WordPress yesterday.

XSS attacks are almost always carried out through JavaScript injection. WordPress does have a security API that neutralizes dangerous characters (that is, the special characters that let injected JavaScript run), and all plugin and theme developers are encouraged to use these APIs. [Docs]
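To make the escaping point concrete, here is an added example (not code from the original post or from WordPress itself) of a page fragment that reflects a search term. It uses plain PHP so it runs without WordPress; the htmlspecialchars() calls stand in for esc_html() and esc_attr(), which are WordPress’s wrappers for the same job. The search term is a constructed input standing in for an untrusted request value such as $_GET['s'].

```php
<?php
// Added example (not code from the original post or from WordPress itself):
// why reflecting a request value without escaping is an XSS bug, and what
// the escaping APIs the post points to actually do to the output.

// Constructed input, standing in for an untrusted request value such as $_GET['s'].
const UNTRUSTED_SEARCH = '<script>alert("xss")</script>';

// Vulnerable: the value is concatenated straight into the page, so a browser
// would execute the injected <script> element as part of the site.
function render_vulnerable(string $term): string
{
    return '<p>You searched for: ' . $term . '</p>';
}

// Hardened for an HTML text context: every character that can open a tag or
// end a quoted string is turned into an entity. In WordPress the equivalent
// calls are esc_html() for text and esc_attr() for attribute values.
function render_escaped(string $term): string
{
    return '<p>You searched for: '
        . htmlspecialchars($term, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '</p>';
}

// Same rule for an attribute context: quote the attribute and escape the value,
// otherwise a value containing a quote can close the attribute early.
function render_input_value(string $term): string
{
    return '<input type="text" name="s" value="'
        . htmlspecialchars($term, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '">';
}

// Check used below: after escaping, the untrusted text must not have left a
// raw tag opener behind in the output.
function leaks_raw_tag(string $html): bool
{
    return strpos($html, '<script') !== false;
}

echo "vulnerable: ", render_vulnerable(UNTRUSTED_SEARCH), PHP_EOL;
echo "escaped:    ", render_escaped(UNTRUSTED_SEARCH), PHP_EOL;
echo "attribute:  ", render_input_value('Jane "Doc" Smith'), PHP_EOL;
echo "raw <script> survives escaping? ",
    leaks_raw_tag(render_escaped(UNTRUSTED_SEARCH)) ? 'yes' : 'no', PHP_EOL;
```

Run it with php-cli and compare the first two lines: the escaped version shows the literal text of the tag to the reader instead of handing it to the browser as markup. The context matters as much as the call itself; text, attribute, URL and JavaScript contexts each need their own escaping function, which is why WordPress ships several esc_*() helpers rather than one.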

CSRF

CSRF means Cross-Site Request Forgery. In CSRF attacks, browsers (and sometimes other things) are hijacked to “do” things to a website without the user knowing. It’s the proverbial Trojan horse: a site inherently trusts that the user/browser is doing something legitimate, so an attack riding on the coattails of that trust is given the same trust the user would get.

A simple example (which does not actually exist) would be an authenticated WordPress user with admin privileges being tricked into clicking a link (as the authenticated user), after which admin privileges are transferred to the attacker. We’ve seen this kind of attack on Facebook and Twitter before, where DMs or messages are spread across Facebook walls or via Twitter DM.
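The standard defence against the trust problem described above is a per-session token that only a page rendered by the site itself could contain. The following is an added example, not code from the original post or from WordPress; WordPress ships the same pattern as wp_nonce_field() in the form and check_admin_referer() / wp_verify_nonce() in the handler. The $session array is a constructed stand-in for PHP session state, and handle_promote_request() is a hypothetical privileged action modelled on the post’s “admin privileges are transferred” scenario.

```php
<?php
// Added example (not code from the original post or from WordPress itself):
// the anti-CSRF token pattern. WordPress ships this as wp_nonce_field() in the
// form and check_admin_referer() / wp_verify_nonce() in the handler; the
// stand-alone version below uses a plain array in place of the PHP session.

// Constructed stand-in for server-side session state tied to the login cookie.
$session = [];

// Issue one unguessable token per session and remember it server-side.
function issue_csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// The token is embedded in forms rendered by this site. A page on another
// origin can make the victim's browser send the login cookie, but it cannot
// read this value, so a forged request cannot include it.
function hidden_token_field(array &$session): string
{
    $token = issue_csrf_token($session);
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Constant-time comparison of the submitted token against the stored one.
function csrf_token_is_valid(array $session, array $post): bool
{
    if (empty($session['csrf_token']) || empty($post['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], (string) $post['csrf_token']);
}

// Hypothetical privileged action (the post's "transfer admin rights" scenario).
// It runs only after the token check; everything else is refused.
function handle_promote_request(array $session, array $post): string
{
    if (!csrf_token_is_valid($session, $post)) {
        return 'refused: missing or invalid CSRF token';
    }
    return 'promoted user ' . $post['user'];
}

$token = issue_csrf_token($session);
echo hidden_token_field($session), PHP_EOL;

// Submission from a form this site rendered (constructed).
$legit = ['user' => 'mallory', 'csrf_token' => $token];
// Submission forged from another origin: the cookie rides along, the token does not (constructed).
$forged = ['user' => 'mallory'];

echo handle_promote_request($session, $legit), PHP_EOL;
echo handle_promote_request($session, $forged), PHP_EOL;
```

The check only helps for actions that change state; reads do not need it. The other half of the defence is never letting a GET request (the kind a link click or an image tag triggers) perform a privileged action in the first place.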

SQL Injection

SQL injection is an attack that, without going into the technical details, allows an attacker to send special queries to the database that can alter, modify or even delete a database altogether. You don’t see many of these anymore because most apps are built on frameworks or platforms (like WordPress or Drupal) that have built-in routines and APIs that prevent this. In WordPress, there is a prepare() function in the database class which ensures that no SQL injection is possible.
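What prepare() actually changes is easier to see side by side. The script below is an added example, not code from the original post or from WordPress: it uses plain PDO with an in-memory SQLite database so it runs without WordPress, whereas $wpdb->prepare() does the same job with sprintf-style placeholders (%s, %d). The user table and the three inputs are constructed. The third function shows the one caveat a practitioner should know: prepare() only protects values that are actually bound through it, so a value interpolated into the SQL string before the call gets no protection at all.

```php
<?php
// Added example (not code from the original post or from WordPress itself):
// what a prepared query changes. WordPress's $wpdb->prepare() does the same
// job with sprintf-style placeholders (%s, %d); plain PDO with an in-memory
// SQLite database is used here so the script runs without WordPress.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, role TEXT)');
$db->exec("INSERT INTO users (login, role) VALUES ('alice', 'administrator'), ('bob', 'subscriber')");

// Vulnerable: the value becomes part of the SQL text, so quote characters in
// it change what the statement means.
function find_user_vulnerable(PDO $db, string $login): array
{
    $sql = "SELECT login, role FROM users WHERE login = '" . $login . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the statement text is fixed and the value is bound as a parameter,
// so it can only ever be compared as data.
function find_user_prepared(PDO $db, string $login): array
{
    $stmt = $db->prepare('SELECT login, role FROM users WHERE login = ?');
    $stmt->execute([$login]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Common mistake: calling prepare() on SQL that already has the value
// interpolated into it. The API is present, but nothing is bound, so this is
// exactly as exploitable as the vulnerable version.
function find_user_prepare_misused(PDO $db, string $login): array
{
    $stmt = $db->prepare("SELECT login, role FROM users WHERE login = '$login'");
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a normal login, a login containing a quote, and the
// textbook tautology that turns the concatenated WHERE clause into "always true".
$inputs = ['alice', "o'brien", "' OR '1'='1"];

foreach ($inputs as $login) {
    printf("input %-16s ", json_encode($login));
    try {
        printf("vulnerable=%d rows  ", count(find_user_vulnerable($db, $login)));
    } catch (PDOException $e) {
        printf("vulnerable=SQL error  ");
    }
    try {
        printf("misused=%d rows  ", count(find_user_prepare_misused($db, $login)));
    } catch (PDOException $e) {
        printf("misused=SQL error  ");
    }
    printf("prepared=%d rows\n", count(find_user_prepared($db, $login)));
}
```

The second input is the everyday case rather than an attack: a perfectly legitimate name with an apostrophe breaks the concatenated query outright, which is also how these bugs usually get noticed in logs. The prepared version returns exactly one row for the real login and none for the other two, because the bound value is never interpreted as SQL.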

0Day Vulnerabilities

0Day (that is Zero, not “Oh”) is a vulnerability that is exploited before it has been disclosed. Many security researchers work closely with web application developers to alert them to newly discovered vulnerabilities before they are publicly disclosed. They then work with the developers to close the hole before disclosing the vulnerability. The term 0Day comes from the idea that the web app developer knows about the exploit on the 0th day after public disclosure (it hasn’t been disclosed yet).

Denial of Service/(D)DoS

(D)DoS is a (Distributed) Denial of Service attack. These attacks are carried out by flooding a site with traffic/requests to the point where the site can no longer handle the traffic and collapses. If the attack comes from a single source, it’s a DoS but if it comes from more than one, it is a DDoS.

Obviously, there are many aspects of security. We could go way complicated on terminology and concepts, but these are some of the basics you should know when you see something about a vulnerability.

Photo Credit: heathbrandon

WordCamp Mid-Atlantic: Where It’s Been, Where It’s Going


Late in 2008, while I was transitioning from life in Baltimore to life outside of Washington, D.C., I was contemplating organizing the first WordCamp event in that area. Baltimore had begun to show signs of a healthy tech community and Washington had continued to flourish as a healthy communications scene. Philadelphia, just up I-95, had a healthy design and development community and I had become somewhat familiar with that city as well.

I made a point of making my event one that would set trends and challenge the status quo.

Mid-Atlantic

One thing I did think of early on was that I detested the trend that identified an event with a singular city, especially when there were multiple cities, all offering different, yet complementary modus operandi. I bucked the trend of identifying the event by a city, eschewing names like WordCamp DC or WordCamp Baltimore. These names, while celebratory of the city that hosts them, inherently bear the problem of inferred exclusivity.

From the very first WordCamp in the region, I challenged that designation and attempted to bring the cities together. It was called WordCamp Mid-Atlantic.

Three Cities, then Two

The original plan was to bring the three cities together in Baltimore for a WordPress event. Ideally, the result would be more collaboration and resources shared between the various communities. Ultimately, Philadelphia never bought into Mid-Atlantic (and in fact ended up with their own successful WordCamp Philly). However, Mid-Atlantic was wildly supported by both Baltimore and DC, even garnering coverage in the Baltimore Sun business publication Maryland Daily Record.

For WordCamp Mid-Atlantic 2010, the event was geared mainly to the Washington Metro and Baltimore.

Keynotes That Challenge

In both events, I wanted to bring in someone from the WordPress leadership hierarchy as a keynote as well as someone from outside of WordPress entirely to challenge the gathered attendees. This was quite controversial, actually. In 2009, I brought in Anil Dash, founder and former SVP at SixApart. Anil was known historically as somewhat of an antagonist, but did a wonderful job in sharing and illustrating the similarities between WordPress and SixApart, who provided a competing platform. His message was one of learning from each other.

This past year, I opted to bring in Marco Tabini, who has also been a frequent antagonist of WordPress. His message was one from the perspective of the PHP community and reconciling how the PHP core people could learn from and help the WordPress core people, and vice versa. My inbox became a little tense in the weeks leading up to the event due to other incidents involving dissenting views about the GPL license and WordPress’ interpretation of it. Needless to say, Marco did an amazing job.

It’s Not My Baby

As most of you know, I have left the Baltimore/Washington region. As a result, this past WordCamp Mid-Atlantic was my last. People have asked me quite a lot about who I would pass the baton to. This is a tricky question because the event is not mine. It’s yours.

That said, this is not for just anyone to run. I cannot put any strings on who will run the next event but I do have the platform to voice my sentiments:

  • I want to see Mid-Atlantic stay in the event. I do not want to see a fractured event where there becomes a WordCamp Baltimore and a WordCamp DC. Both cities have user groups that meet frequently. I want to see the WordCamp Mid-Atlantic event retain its place as a regional/local event.
  • I want to see the idea of challenging (and even dissenting) opinions welcomed to the stage, like Marco… and Anil. We should not be scared of being shaken up. We should embrace it and learn from it. That said, future organizers should be sensitive as to who you have come and speak.
  • Retain the unconference. One of the amazing success stories of WordCamp Mid-Atlantic 2010 was the unconference, organized by Steve Fisher. Besides the pre-scheduled and organized tracks that are familiar to conference goers, we provided a separate, yet equal unconference for ad-hoc discussion and talks. The only thing I’d change is to make it true barcamp style and make a no-powerpoint rule.
  • No one organizer. I became the de facto organizer for both events. While I had varying degrees of help for both, I really became the guy for the event. This was not wise on my part. There should be an organizer in each city.

This is Baltimore’s event. This is Washington’s event. This event brilliantly integrated both communities. It really, really did. I want to see it continue (obviously with new leadership), but I want it to be with people who take it seriously and can make it better than it ever was. Put your own spin on it. Make it your own, not mine.