Target Store Data Breach

Brian Krebs originally posted yesterday that Target was investigating a data breach. Today Target confirmed that 40 million credit and debit card accounts may have been impacted between Nov. 27 and Dec. 15, 2013! Ouch. Given how wide the impact is, it was likely either an inside job or a breach of Target's internal servers.

What should you do if you were one of those who shopped and bought something at Target recently?

  • Check your online statements for unknown charges. If you report a charge in a timely manner, the card company is unlikely to hold you liable for it. But do check, because the longer a charge goes unquestioned, the more likely you will be responsible for some dollar amount.
  • Replace the card. Call up the company and request new numbers.
  • Place a fraud alert with the credit reporting companies.
  • Create an Identity Theft Report with the Federal Trade Commission.

Even if you weren’t impacted, this is a good reminder to check your credit reports and make sure everything is accounted for. Annual Credit Report gets them to you free under Federal law.

How to Maintain WordPress Software Security

Just as with your desktop software, you should keep your WordPress software up to date as well. With WordPress running a majority of websites now, more attackers are looking for vulnerabilities in it, as a single flaw would have a high return rate for them. Various vulnerabilities have been identified in WordPress in the past, and the project has a good track record of addressing them in a timely manner.

If you have a recent WordPress installation (3.7 or above), then you likely have automatic updates for WordPress core already running. That is certainly good news, as it's one less thing to remember, but I generally don’t like automatic updates because they don’t give you the ability to test and make sure your site is fully working before the change goes live.

As for your plugins and themes, you will want to make a habit of logging into the WordPress admin panel and checking for updates at least monthly (just as you should be doing with your normal desktop updates). Or, if you want to take the automatic-updates approach for plugins and themes as well, there is a plugin called Advanced Automatic Updates which will do that for you.

Also note that some web providers / hosts already perform updates on your behalf, so you should understand the built-in options at the server and host level.

How to Know When New Security Patches Exist

While the built-in tools are meant to notify you of new security updates, you might not notice them in a timely manner for various reasons. One way to stay current on when security patches are released is to subscribe to security notifications from the vendors, or to use a service that aggregates all of the security information for you.
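The aggregation approach above can be done with a small script that reads a vendor's security RSS feed and reports only the advisories published since you last looked. The code below is an added example, not part of the original post; the feed it parses is a constructed RSS 2.0 sample with a made-up vendor and `example.invalid` links (a real aggregator would fetch the vendor's feed over HTTPS and persist the last-seen date between runs).

```python
"""Filter a security-advisory RSS feed for items newer than the last check."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
import xml.etree.ElementTree as ET

# Constructed sample feed (not a real vendor feed): three dated advisories,
# one older than the last check, plus one malformed item that must be skipped.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0">
  <channel>
    <title>Constructed security advisories</title>
    <item>
      <title>Example Vendor: Reader security update (constructed)</title>
      <link>https://example.invalid/advisories/1</link>
      <pubDate>Tue, 10 Dec 2013 17:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Example Vendor: Flash Player security update (constructed)</title>
      <link>https://example.invalid/advisories/2</link>
      <pubDate>Tue, 10 Dec 2013 18:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Example Vendor: Java SE Critical Patch Update (constructed)</title>
      <link>https://example.invalid/advisories/3</link>
      <pubDate>Tue, 15 Oct 2013 20:00:00 GMT</pubDate>
    </item>
    <item>
      <title>Example Vendor: item with no usable date (constructed)</title>
      <link>https://example.invalid/advisories/4</link>
      <pubDate>not a date</pubDate>
    </item>
  </channel>
</rss>
"""


def parse_feed(xml_text):
    """Return (published_utc, title, link) tuples for every RSS item with a valid pubDate.

    Items whose pubDate is missing or unparseable are skipped rather than guessed at,
    so a malformed entry never masquerades as a brand-new advisory.
    """
    root = ET.fromstring(xml_text)
    entries = []
    for item in root.iter("item"):
        title = (item.findtext("title") or "").strip()
        link = (item.findtext("link") or "").strip()
        raw_date = item.findtext("pubDate")
        if not raw_date:
            continue
        try:
            published = parsedate_to_datetime(raw_date.strip())
        except (TypeError, ValueError):
            continue
        if published.tzinfo is None:  # RFC 2822 "-0000" means unknown zone; treat as UTC
            published = published.replace(tzinfo=timezone.utc)
        entries.append((published.astimezone(timezone.utc), title, link))
    return entries


def new_advisories(xml_text, last_seen_iso, products):
    """Advisories published after `last_seen_iso` (YYYY-MM-DD) that mention a watched product."""
    last_seen = datetime.fromisoformat(last_seen_iso).replace(tzinfo=timezone.utc)
    watched = [p.lower() for p in products]
    hits = [
        entry for entry in parse_feed(xml_text)
        if entry[0] > last_seen and any(p in entry[1].lower() for p in watched)
    ]
    return sorted(hits, key=lambda entry: entry[0])


if __name__ == "__main__":
    # Report what appeared since the start of December for the products the post names.
    for published, title, link in new_advisories(SAMPLE_FEED, "2013-12-01", ["Reader", "Flash", "Java"]):
        print(published.date(), title, link)
```

Run against a stored last-seen date, the script prints only the Reader and Flash advisories from December; the October Java entry and the undated item are left out.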

This is not a complete list, but simply a list of the top vendors you should be aware of, because the attack surface of those products is incredibly high.

Email or RSS based security notifications:

Where to Find Software Patches?

This will vary depending on what operating system and applications you are running. Based on the most common software products in use on Microsoft Windows machines, Adobe Reader, Adobe Flash and Oracle Java are the top products that have frequent security updates.

Microsoft releases its security updates on the second Tuesday of every month. This well-known release schedule helps you plan your update deployment accordingly. On occasion, Microsoft will release a fix outside the standard schedule when a critical vulnerability has been identified and is likely being exploited in the wild. The Windows Update control panel will take you through that process.

Adobe has adopted Microsoft’s “Patch Tuesday” model for releasing its security updates. This originated from customers wanting a single patch cycle to make it a bit easier to maintain a fully patched system. Adobe has a built-in update tool in its Flash and Reader software. The Adobe Flash Player Distribution page and Adobe Reader page have direct download links.

Oracle releases Java updates three times per year in February, June and October. As the updates are concentrated in batches, they likely include a large number of security fixes. On occasion, Oracle will release an out-of-band security fix for high impact vulnerabilities. Using the Java control panel will take you through the update process.
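Knowing the vendors' release cadence lets you check an inventory for machines that missed a scheduled release. The following is an added example, not code from the original post: it encodes only the cadences stated above (Microsoft and Adobe on the second Tuesday of each month; Oracle Java in February, June and October, for which the post gives months rather than exact days) and runs the check over a constructed host inventory. Dates are passed and returned as ISO strings (YYYY-MM-DD).

```python
"""Find the most recent scheduled patch release and flag hosts that are behind it."""
from datetime import date, timedelta

JAVA_UPDATE_MONTHS = (2, 6, 10)  # February, June, October, as stated in the post


def second_tuesday(year, month):
    """ISO date of the second Tuesday of the given month (Microsoft/Adobe Patch Tuesday)."""
    first = date(year, month, 1)
    # date.weekday(): Monday == 0, so Tuesday == 1
    days_to_first_tuesday = (1 - first.weekday()) % 7
    return (first + timedelta(days=days_to_first_tuesday + 7)).isoformat()


def latest_patch_tuesday(today_iso):
    """Most recent Patch Tuesday on or before `today_iso`."""
    today = date.fromisoformat(today_iso)
    candidate = second_tuesday(today.year, today.month)
    if candidate > today_iso:  # this month's release has not happened yet; use last month's
        year, month = (today.year - 1, 12) if today.month == 1 else (today.year, today.month - 1)
        candidate = second_tuesday(year, month)
    return candidate


def latest_java_update_month(today_iso):
    """(year, month) of the most recent scheduled Java release month on or before today."""
    today = date.fromisoformat(today_iso)
    past_months = [m for m in JAVA_UPDATE_MONTHS if m <= today.month]
    if past_months:
        return (today.year, max(past_months))
    return (today.year - 1, JAVA_UPDATE_MONTHS[-1])


# Constructed inventory (sample data): host name -> date Windows updates were last applied.
SAMPLE_HOSTS = {
    "ws-01": "2013-12-11",
    "ws-02": "2013-11-13",
    "ws-03": "2013-12-10",
}


def hosts_behind_patch_tuesday(hosts, today_iso):
    """Names of hosts whose last Windows patch date is earlier than the latest Patch Tuesday."""
    cutoff = latest_patch_tuesday(today_iso)
    return sorted(name for name, last_patched in hosts.items() if last_patched < cutoff)


if __name__ == "__main__":
    today = "2013-12-20"
    print("Latest Patch Tuesday:", latest_patch_tuesday(today))
    print("Latest Java release month:", latest_java_update_month(today))
    print("Hosts behind:", hosts_behind_patch_tuesday(SAMPLE_HOSTS, today))
```

The check deliberately compares against the scheduled date rather than "today minus 30 days", so a host patched on the 11th is not flagged while one last patched before the 10th is. Out-of-band releases are not on a schedule and still need the notification approach from the previous section.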

As a good practice, I would make sure your computer is running the latest software every month.

Why Should I Apply Software Patches?

One major factor in your computer’s security is what software you are running. The more software in use, the more potential issues could be leveraged by an attacker. The top cause of a computer being exploited is running older versions of software that have known vulnerabilities in them. This is why it is incredibly important to keep your devices up to date. From operating systems, to applications, to browser plugins, you should maintain your computing environment with the latest security updates. Vulnerabilities are identified in products frequently, which is why vendors put out patches to address them.

How to Setup Strong WordPress Passwords

WordPress 3.7 updated its password meter to recognize common mistakes that weaken a password, such as dates, names, keyboard patterns (123456789), and even pop culture references. While this is a good start, we recently learned how to create a strong password by using one of the password management tools or an online tool like http://passwordsgenerator.net/.

Remember to use unique strong passwords for all your accounts in WordPress such as your admin account, user account, and WordPress database user account. And of course you want to use WordPress’s secret key generator tool for the core configuration.
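The same mistakes the WordPress 3.7 meter looks for (dates, keyboard patterns, common words) can be checked for locally before a password is set, and a generator can be made to reject any candidate that trips those checks. The code below is an added example, not WordPress’s own meter or the secret-key tool mentioned above; the common-word list is a tiny constructed sample rather than a real wordlist, and `generate_wp_salts` is an offline stand-in (my assumption, not the official tool) that emits the eight `define()` lines WordPress expects in `wp-config.php`.

```python
"""Flag weak password patterns and generate passwords and WordPress salts that avoid them."""
import re
import secrets
import string

# Constructed short list; a real checker would load a large wordlist.
COMMON_WORDS = ("password", "wordpress", "admin", "letmein", "welcome", "qwerty")
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
YEAR_RE = re.compile(r"(?:19|20)\d{2}")
DATE_RE = re.compile(r"\b\d{1,2}[/.-]\d{1,2}(?:[/.-]\d{2,4})?\b")
WP_KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
                "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")


def _has_keyboard_run(lowered, min_len=4):
    """True if any min_len-character slice of a keyboard row (either direction) appears."""
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - min_len + 1):
                if seq[i:i + min_len] in lowered:
                    return True
    return False


def password_problems(password):
    """Return a list of human-readable weaknesses; an empty list means none were found."""
    problems = []
    lowered = password.lower()
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if YEAR_RE.search(password) or DATE_RE.search(password):
        problems.append("contains a year or date")
    if _has_keyboard_run(lowered):
        problems.append("contains a keyboard pattern")
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a common word")
    if re.search(r"(.)\1{2,}", password):
        problems.append("repeats a character three or more times")
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("uses fewer than three character classes")
    return problems


def generate_password(length=20):
    """Random password from the OS CSPRNG, regenerated until it passes password_problems()."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_problems(candidate):
            return candidate


def generate_wp_salts(length=64):
    """Eight define() lines for wp-config.php (offline stand-in for the WordPress generator).

    Quote and backslash characters are excluded so the values are safe inside PHP
    single-quoted strings without escaping.
    """
    alphabet = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                       if c not in "'\"\\")
    return [
        "define('%s', '%s');" % (name, "".join(secrets.choice(alphabet) for _ in range(length)))
        for name in WP_KEY_NAMES
    ]


if __name__ == "__main__":
    for sample in ("Summer2013!", "qwerty123456", "Tr0ub4dor&3xample-Key"):
        print(repr(sample), "->", password_problems(sample) or "no problems found")
    print("generated:", generate_password())
    print("\n".join(generate_wp_salts()))
```

The checks are deliberately coarse on purpose: a year anywhere in the string is flagged even if the rest is strong, because dates are exactly the kind of predictable component an attacker’s wordlist rules append to a base word.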