Well yea, wordpress known as one of the open source cms vendor with really really good care of their security, so if they release something new, it must’ve been a security fix, or features improvements. Version 2.8.6, is one of its release from their security fix outlet.

There are 2 Security Fixes:

From official wordpress blog regarding this WordPress 2.8.6 Security Release :

2.8.6 fixes two security problems that can be exploited by registered, logged in users who have posting privileges. If you have untrusted authors on your blog, upgrading to 2.8.6 is recommended.

Plain english would be read like this : There re 2 security problems which could be exploited by one of your registered user – with posting privileges and logged in. So actually, this security problem is an exploitable problem by someone who’s already in (logged in as a registered user), and has posting privilege (authors, editors, or other user with custom privileges with posting ability in it.) Long story short : Exploitable by inside man.

The 2 Security Problems Are

1. An XSS vulnerability in Press This discovered by Benjamin Flesch.
2. An issue with sanitizing uploaded file names that can be exploited in certain Apache configurations, discovered by Dawid Golunski.

Be advise, IF you guys have a blog with multiple authors, and there’s a possibility one of them has a possibility to go “bad”, this release is definitely recommended for you.
Alrite.. catch up with you later!

I ‘m not really an SEO expert, and never wanna be, though I can’t help if someday I ‘m becoming one. But this kind of text messages keep coming at my cell atleast once a month. It triggered me to start thinking, an SEO consultant would be one great income stream for me. Nah, I ‘ll keep that as a lending hand sake as usual. Well, SEO is a self doable thingy. It ‘s just took time, and lotsa efforts. I never believe if I met someone who always saying it out loud, SEO is a hard thing to do. Nope. It ‘s not. Keeping up the effort is the hard part.

Getting in to SEO

Okay so, getting into first page for certain keyword on search engine result position is always been the struggle of the century for most webmasters. Me, no exception. The real core of this are always 2 things.

First, On site – or some say – On page optimization. Last is Off page optimization. The first is the part when you ‘re optimizing your site ‘s composition from top to toe, to be optimized for certain keyword. There ‘re some parts of your site pages that need to be optimized. Title, meta keywords and descriptions, Headings, where to bold italized or underlined, how to play with alt attribute for image tag, and so on. I ‘ve mentioned this once, in my previous post, you ‘d find it in related resources just below this post.

Last, would be the Off site optimization. It ‘s all about the link building. How to get as much votes as possible for your site, or site ‘s pages. You should ‘ve heard link exchange, reciprocal link exchange, one way links, three way links, and such terms. Those are some link building practices all in all to get as much votes as possible from others.

Link Building and Quality Guidelines

Just for your real basic consideration, the volume war was over. Wake up buddy, It is 2009. The one who gets the most backlinks not always win. The one who got the most relevant does. You should always refer to G’s Quality Guidelines before you take it into an action.

Your site’s ranking in Google search results is partly based on analysis of those sites that link to you. The quantity, quality, and relevance of links count towards your rating. The sites that link to you can provide context about the subject matter of your site, and can indicate its quality and popularity. However, some webmasters engage in link exchange schemes and build partner pages exclusively for the sake of cross-linking, disregarding the quality of the links, the sources, and the long-term impact it will have on their sites. This is in violation of Google’s webmaster guidelines and can negatively impact your site’s ranking in search results.

Here ‘re the Link Schemes you should all avoid :

1. Links intended to manipulate PageRank
2. Links to web spammers or bad neighborhoods on the web
3. Excessive reciprocal links or excessive link exchanging (“Link to me and I’ll link to you.”)
4. Buying or selling links that pass PageRank

So, Which is Best?

The best link building practice would always be the natural way. Create some quality contents, created for the people and not search engines, and if it add values and people who read it find ‘em useful, you ‘ll get a link vote for your site.

The second best is, link exchange that avoid scheme #3. Reciprocal part and the most important, the excessive part. It ‘s the one way link building. It always is being considered as natural links, and won ‘t be counted as an attempt to manipulate search engine rankings. The why is, it works just exactly the natural way.

Not much I could say for y ‘all why one way links is best then reciprocal as it’s pretty obvious, straight forward and self explanatory, right after you read that quality guidelines. So what you should really take into an account is start to out your links off of some bad neighborhoods if it ‘s already out there by requesting a removal, and start to build your linking the natural way by writing great quality contents meant for this internet community, taking a look at free one way links services offer, and create your own related link neighborhood cleanly.

Lastly, but it always is not the least, it ‘s a self doable thingy. So why bother to pay somebody else to do so?

You guys know Wade Wilson, right? Which later becoming Deadpool – which is the Weapon XI, from X-men Origin – Wolverine 2009 big screen? This buddy of mine got the exact speedy tongue just like Wade. Sorta make me dizzy hearing ‘em mumbling around about everything and anything that just floated out of his mind. He ‘s even got this same answer as Wade every time ones got tired of it and shout to shut him up. “Not When I ‘m awake”.

But, this evening is a different story. I wont get tired of his speaky thingy he ‘d shoot. As I ‘d keep him busy with this some sorta challenge I got this morning in my mailbox. I ‘ve mentioned previously, I ‘m not really into Search engine optimization and such, not even an SEO analyst or make a living hourly by it. But these kind of emails keep coming in and yeah, I always try to do my best to respond ‘em. This email was asked my service – while I never really offer any SEO or SEM service – to optimize his Credit and debt consolidation site. I giggled a bit when this one coming in this morning. Not that this subject is my fave, no, it’s just.. it finally arrives, the real – like real real – moment to give this Weapon XI buddy of mine a real play. Well he ‘s always mumbling around about this mojo thingy he ‘s got to optimize any type of site quoted to his desk – while I never really see any live prove of ‘em. Ha, this is it.

He sit, grabbed my cig pack, I quickly grab my nescafe-original-can to avoid him grabbing it.
“So bud, what’s goin on with ya this evening with Vai’s Lotus Feet inside your head?” Hah, he shoot me first.
“You know, same old same old, code this code that, kinda sorta..” I shoot back,
“Hey, you know what, I got this exact cup-of-coffee of yours, thought you ‘d interested. SEO thingy, a Credit and debt consolidation site owner wanna make his site to the first page search engine position result for this debt consolidation keyword. Wanna take a look at it?”
He replied quickly, “Hell yea I wanna look at it.”

I shoot back perfectly, one bullet only, a head-shot.

I show him the email, he read it really-really carefully, while behind him, I can’t help my giggles. “Yup, this one definitely my daily cup.” He finally sat back to his chair.

“Wanna work on it? I ‘ll deal with the pricing and stuff with the client. Will make sure you get enough cut. I know your price.” I ‘m sitting back to my chair. “Sure thing, on it.” He replied.

“So what ‘s the plan? Wanna share your tipsy tricks? You know you ‘re way way above my ceiling in a matter of SEO thingy. Is it hard? Optimizing Credit and Debt Consolidation Site?.” I ‘m starting the spread of my spider web with his fave bait – flattery.

He bite, and here comes his secret to optimize credit and debt consolidation site.

1. SEO is Ain’t an Overnight Service.

“We ll, not really. First thing you need to definitely bold and underlined for this client is, there ‘re no such thing as instant in SEO. Everything should be done in a natural way. And that, took times and efforts. If he ain’t got both, that ‘s exactly why my service is around.

2. There ‘re Only 3 Search Engines in Planet Earth.

“Have you ever heard about some services that offer this auto submit to 1000 search engines and such?” He asked and light up another cig. “Uh huh, heard ‘em over and over again.” I replied lightly. “Alrite, mark this one”, he said, “In this planet there ‘re only 3 Search engines only. Which is Google, Yahoo and Live – some still mentioned it as its old name, MSN. While it’s common public miss-understand thing.” I ‘m a bit shocked with this one. Seriously, I do. He saying it out loud, plus, no paused. “So what about the others, such as askdotcom, answersdotcom, aol blah blah blah? Aren’t they also search engines.”

“Nope. They ‘re all using the same data center, which is either its Google’s, Yahoo’s, or Live’s. And do notice I always mentioned this big 3 on the same exact order. It ‘s the exact order or those 3 in a matter of how strong they are dominating this planet’s search queries.” He said it with a flat face. I was like, huh? And then completely numb. Well, he got the point. So he ‘s not making it up if in his ops search engine in this planet earth is Google, Yahoo and Live. Not really interested to ask him about what he call for the others.

3. On site / On Page Optimization is the Base

“Okay, the next buddy, would be your thing. The on-site codes. All things SEO should be started from the site. The site it self should be coded to optimize and maximized to help search engine’s crawlers to read and collect data from our site. I wont tell you the how on this, as in a matter of web coding, you ‘re the man – I ‘m not. Still see some websites being coded wrongly from the seo point of view, titles not maximized and static, headers being coded with no heading, and stuff. Really bad. So Not Bold. So I guess, the very first step for this credit card debt site is yours to re-code it.” He explained. “Gotcha,” I replied shortly. The whole onsite coding to optimize the seo thingy not really amazed me. I ‘m on this field for a long long time. I got it on my fingers already. What amazed me the most is, he tells me all those above with one single breath! Sorta reminds me how Ace Ventura do his thing when he concluded one case.

4. Unique Content, was and Still IS the King.

From this point I ‘ll cut the conversation style of writing to skip all of his real words and all of our activities while we ‘re on it to save the space. He then explaining what ‘s next after the site is done coded. It ‘s the content. He bold – highlite – and underline it. This credit and debt consolidation site should have unique contents, not copies from others, written for visitors and internet people around the globe, not for the search engine. Yup you might ‘ve heard this one also as in Google guidelines.

5. Link Building

This would be the closing part which is the part which conclude all the works. Included within are socializing, building social reputation, creating new link neighborhood, connecting to the same niche such debt consolidation loans, credit card debt relief solution, debt consolidation, loans, personal loans and other related niches, keeping this site linking within this safe and related neighborhood, and manage it for some certain time period to analyze how the link network created and grows.

My neighbors don’t.

When it comes to design stuff, it always has this need to be unique. Text, layout, graphics, shapes, colors, and such thing. It applies also to booklet printing cover design. Each type has each own uniqueness. It should. For booklets, cover always reveal its professionalism level. And this pretty much the part that would determine consumers interested to read all information carried inside or put it away.

No, I ‘m not gonna write about how to create high quality fancy graphics and some techniques on how to do that. It ‘s about how to create your Booklet printing cover that would catch the consumer ‘s eyes and interest. Which would lead them to un-cover the cover and get all things carried inside un-covered. Yeah, I mean to read it.

1. Spend the Time.

All things design need its own milestone. Regardless what type of design you ‘re working on. Each ideas, the seek of the perfect colors, the catchiest layouts, yet strongest typography possible. It needs time. So spend as much time as it needs. Don’t create things half perfect. Always work your best.

2. Typographical Thingy

Other than all the fancy graphic stuff, Typography still RULE. Choose letters with flags which joining the letter such Times New Roman, Georgia or serif fonts, for your cover. Less fancier, but for the goal of easier to read and eye catchy, this would be your first choose. Make it large, and stands out from other smaller texts.

3. Engaging Image

It would be useless creating a booklet cover with no image on it. You need to. Always add image element to your cover design which would be the accurate portrays of the booklet subject. SO it need to be engaging and accurately accurate. Feature items, for example. Some related animal photos if the booklet is all about protecting the almost extinct species. Include some tags for your images, that would encourage readers to found out more, look inside, and read the booklet.

4. Back Cover Matters

Yeah, I type it right, and you read it right. Back cover matters. Readers often glance it before they decide to read or not to read. So, never leave it blank! Don’t ever. What to put? Well, you know.. a lot. More photos of items or products, some other related images to the subjects, your photograph, your company bio, author ‘s bio, organization ‘s bio. You can also include contact point for more information, quotations from other supporters or customers, or synopsis of the written subject. See? A lot.

5. Professional Printing Service

Do consider to use professional booklet printing company. It always help to increase your booklet attractiveness. Why so? Well the why would be more into how a commercial printer can always produce smooth images and vivid color printing. Which would always make your booklet the more eye catchy than using a regular office printer. Strong binding, is another plus point of using printing company. The booklet need it strong to hold up some repeated page turning over and over and over again. Something you can’t find at regular office or home.
hing that a printing company offers.

So, you ‘re aiming the spot where clients or consumers would see for the very first sight. The exterior. Design it and design it good, to build the passion of the consumer to come inside and checking out the interior.

What do you think? Thoughts?

1. Speed and Reliability.

Web host should be fast, yet reliable. You ‘d notice this word “UPTIME” mentioned all over webhost provider. It refers to the time when this offered service is functional. Did you even know that you should go for the one with minimum uptime 99%? You heard me right, 99% is a minimum. Don’t go anything below it. In fact, 99% is too low. You should actually go with higher than 99.5% uptime. Guarantee always reflect to some amount of compensation. Be sure you got that in hand.

2. To Go or Not To Go With Unlimited

Point 2 here would be about traffic or sometimes called bandwidth which refer to the real state: Data Transfer. How much amount of bytes that your site transferred to your visitor when they ‘re on your site and browse around. To go or Not to go with Unlimited bandwidth offers, that ‘s the question. Never believe any “unlimited” terms advertised on some web host, as unlimited is ain’t really unlimited at all in the end. You ‘d never be able to use that oh-so-called-unlimited-amount, ‘coz it will always hit other limits – which sometimes specified somewhere else where you could find it being redefined to be “yeah-it-actually-is-limited” in some way. Always go for offers that stated clearly how much traffic of some offered packages allows.

Oh, if you still need me to say it out loud, the answer would always be, Not to Go. And buddy, this point is also applied for this popular term called Unlimited Disk Space. End of point 2.

3. A Real Functional Technical support

When I say functional, I mean functional. You know, when you need ‘em they around. When You ask things they answered. Do they offered a functional 24/7 support? Refers to 24 hours a day – 7 days a week. Refers to all year around? You ‘ll gonna need a webhost that have staff working on weekends and some national holidays. Things often went wrong at some of the most inconvenient times, and you ‘d be surprised that a web hosting provider that advertise 24/7 support doesn’t really have this kinda support on their end. I ‘ve got some worse moments of my own with this kind of provider. I got my self in to a webhost that run by bunch of salesmen, which have this smooth talky-talk, but not really how to fix problems. So tested it out first.

4. Some Fancy Thingy Called Software

I ‘m referring to these things : PHP, .htaccess, FTP, MySQL, Perl, SSI, telnet, crontabs, SSH, Email, POP3, Auto Responders, Mail Forwarding. Make sure, you have all that, and you can use each and every one of ‘em without asking for approval first. Yeah, there ‘re some web hosts don ‘t allow you install Perl or PHP scripts, not without their approval. You can’t really have some SEF (search engine friendly) url or customized Error pages if you don ‘t have access to .htaccess. You ‘ll gonna need MySQL to create database based kinda of websites. You ‘ll gonna need all email functions such your own email address (on your own domain name), auto responder, pop3, forwarding.

I ‘m also referring to Shopping Cart and SSL / secure server, if you ‘re planning on creating an e-commerce site that need to collect credit card for your payment. Stay clear of web hosting provider that don ‘t offer these facilities provided.

5. Your Own Administration Backend

This point here I ‘m talking about would be the Control Panel. You may find it being called with some other various names, such Control Panel, Admin Panel, Cpanel and such. A place where you could administer all things about your own hosting account on your own. You don’t wanna spend your money to a web hosting that whenever you need to create your email address, you should ask their support to do so, right? It ‘s one of the most common thing we webmaster do all the time over and over again, and it would be great great hassle if it should be a “should-wait-on-technical-support” kinda task.

6. Multiple Domain and Sub-Domains

You should definitely aim for this if, you ‘re planning on having multiple domains or multiple sub domains. Check out also, the extra amount – if there ‘re any – they would charge for this extra feature.

7. Operating System Types

Yeah, the type of server and operating system of it, is matter. Well, you can’t really go for others if you ‘d use asp programs, you would need to go with Windows server. In other flip side of it, is the more stable, feature-laden and often cheaper Unix-based systems, which runs Apache server. Me, Unix-based is my preferable and favorite choice. The why is, with the same goal of creating dynamically generated pages which access the database, writing it down on PHP is alot more MORE then tying down to ASP. I meant it. You could configure a lot of facilities with no requirement to ask your technical support to implement ‘em. Isn’ t it the coolest thing?

8. Payment Plans and Pricey Thingy

Price always is factor. And most go for the cheapest. But not in this post. It ‘s about things to help you to find the Best web hosting, and NOT the cheapest one. Based on my own personal experiences, go for the cheaper one is desirable, but the other flip side of it, is you would often get what you’ve paid for. Cheaper always means lack on something. In my experience, they always lack on support, uptime, and speed. It doesn’t necessarily always mean that the best is the most expensive one. Not always. So playing the period plans would help you a lot on testing out things. Buying a monthly package would allows you to switch quickly if your web host turned out to be dissatisfying.

9. Reseller Web Hosting

It ‘s a term of a web hosting who doesn’t really own their web servers. They ‘re a reseller of some other hosting company. It would be disadvantages, as you might be dealing with some people who don ‘t really know the what and the how the system they ‘re selling. But, not all resellers are disadvantages, as there ‘re some reliable and fast resellers which actually good and cheaper than their orig hosting company. Bottom line is, if you ‘re in this situation, your best shot is investigate both.

User Reviews

It always matters to hear things from users end. They ‘ve been there using the services, so hearing from them about their experiences on how certain web hosting services doing so far would always be great point of consideration for ya. For me it ‘s pretty much essential. Do some researches to some web hosting reviews, of some top 10 web hosting listing. Spend your time to read, you wont regret of the “found-out” you ‘d discover.

Okay so, I ‘m having this strange de-javu again by the time I read this writing. As all things above – you could find ‘em already out there. Well, atleast I write ‘em down on my own perspective. Somebody might thought my point of view is interesting, who knows? Hope it help you out in some sort of point.

Oh, maybe my first question should be.. Have you guys ever heard about Microsoft Exchange Server?

Well, some of us knew it, some don ‘t. So it ‘s always worth a defining moment, and when it comes to define stuff, where else better than wikipedia? Alrite, here ‘s what it is,

Microsoft Exchange Server is a messaging and collaborative software product developed by Microsoft. It is part of the Microsoft Servers line of server products and is widely used by enterprises using Microsoft infrastructure solutions. Exchange’s major features consist of electronic mail, calendaring, contacts and tasks; support for mobile and web-based access to information; and support for data storage.

What ‘s so Great About it?

When I started this discussion with some of web developer colleagues of mine – at some evening, sitting together having a cup of coffee at a coffee cafe around the corner – one of ‘em said,
“Well I ‘m just a web developer, we all are, how this Exchange Server would do me – or us – any good?”

To be truly honest, I ‘m having a blank moment of that very second. He got the point. Although, one part of his words still bothers me – as web developer is not just a “just” – but still, he got the point. Why would this Exchange Server do us any good, as the most busiest of us is having a dedicated server, and that’s more than enough.

Okay, blank moment is gone as in a sudden something shoot the silence – another dude sitting next to me,
“Well it may not be this time, but someday we ‘ll find it useful. That would be – you know – the time when a client come to us in need of a website, and a demand of a server that enables his site to offer comprehensive messaging services for small to medium-sized businesses (SMBs), small office/home office (SOHO) businesses, and individual information workers.”

..And this dude, totally got the core point.

Flexible Business Modeling

Based on Microsoft Exchange Server 2007 Service Pack 1 (SP1) and Windows Server 2003 or Windows Server 2008, this messaging solution provides tools for flexible business modeling. You can offer a broad range of services that go from basic e-mail up to higher value services, such as providing additional storage, hosting personal domains, and calendars. Exchange Server 2007 SP1 brings a rich set of new technologies, features, and services to this release of the solution. Exchange Server 2007 SP1 is built on the foundation of RTM, and added additional usability, performance, and scalability enhancements. That ‘s according Microsoft TechNet.

Okay so, our next discussion is all about, where you ‘d get the best exchange hosting, as there many providers offer some unbeatable features on their own terms? We who sit together that evening are bunch of web developers, so reading hosting reviews would be one of our main schedule of each day. Maybe not really each day, you know.. you ‘ll get the point. I ‘m not gonna discuss about tips to get the best exchange hosting, or what review site that have great info about any of sharepoint web hosting stuff. Herein, I ‘ll write you the real deal. Based on some researches on review sites and such. It’s SherWeb.

Competitive Advantage

The marketplace today is extremely competitive. New and innovative ways being seek and invented to stay ahead of the competition. A real constant battle for better tools, that help generate greater efficiency and productivity. If you or your company is a player in this jungle, you better boost up your employees performance with SherWeb’s hosted exchange and increase their productivity at work by improving their collaboration and communication skills.

Lowest price, Best Features, Best Support

They offers one full featured Hosted Exchange plan. Their price is pretty much competitive, $8.95/month per mailbox and there are no minimum number of users required. Each mailbox size is an incredible 3 GB and comes with the most advanced antispam solution eliminating at least 98% of junk messages. I must say it’s the most generous offer in the industry! It truly is. Seriously.

Free Sharepoint 2007

Using the combined collaboration features of Hosted Exchange and Hosted SharePoint, users in your organization can easily create, manage, and build their own collaborative Web sites and make them available throughout the organization. SherWeb ‘s Sharepoint hosting features:

• Free SharePoint for all Exchange users. All Exchange users will be able to log in using the same user name and password as their Outlook/Exchange account.
• 100 MB of disk space included. For larger SharePoint projects, you can purchase one of our Hosted SharePoint plans.
• Project collaboration. Give your teams access to password protected Web sites where they can upload and share documents, edit documents collaboratively, discuss between members etc.
• Meeting management. Manage meetings for a team all from one place.
• Discussion and Team Surveys. Members can easily create discussion groups and surveys on any subject pertinent to their work.

Peter Cassar, SherWeb CEO said,
SherWeb distinguishes itself apart by its commitment to excellence, its devotion to support and its competitive prices. We are proudly dedicated to providing a personalized service to all our customers and this is reflected in all our daily tasks.

They ‘re aiming to be a strategic business partner. Through ongoing relationship with customers, they ‘ve demonstrated their ability to build and protect their clients businesses. It ‘s personalized, reliable and responsive.

What more I can say? These dudes really are the real deal I ‘m speechless.

Stefan Esser of suspekt.org recently warned developers of the dangers of SQL Column Truncation and the weakness of mt_rand().

With his help, WordPress team worked around these problems and were releasing WordPress 2.6.2, last September 8, 2008. Yeah, I know, i ‘m a bit late to write this, but it’s always better be late then not knowing at all, right?

Should I upgrade?

If you allow open registration on your blog, you should definitely upgrade. With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it will allow resetting another user’s password to a randomly generated password. The randomly generated password is not disclosed to the attacker, so this problem by itself is annoying but not a security exploit. However, this attack coupled with a weakness in the random number seeding in mt_rand() could be used to predict the randomly generated password. Stefan Esser has already release details of the complete attack, both for SQL Column Truncation and the weakness of mt_rand(). The attack is difficult to accomplish, but its mere possibility means, upgrading to 2.6.2 is recommended.

Some bloggers and sys admin with open registration feature for their site or blog, has closed their registration temporarily until they got chances to upgrade to 2.6.2. Wiser choice I must say, couldn’t agree more.

Version 2.6.2 Bugs, Fixes and Security Patches

There ‘re some bugs found for 2.6.1 or previously 2.6, and the 2.6.2 have all the fixes and security patches. If you ‘re interested to take a look at the 2.6.2 bugs and fixes list, headed to this page of that contains a handful of bug fixes.

So, wait no more, upgrade now! For all of you who upgrade it already, congrats!

[ Indonesian version → ]

Alrite, let’s take a break for a while.. Put the whole search engine optimization tipsy tricks a side for a minute or two.. and take a look at our daily life a bit. It’s been a while since my last post about vulnerability, and it’s kinda answering my oldest call about how much I care to this security world years ago.
The subject above should tell us the idea of the topic I ‘m gonna write. Uh huh, you got it right buddy, Citibank ‘s Customers ATM PIN have been compromised! This subject is kinda spooky, but the real life situations are even more frightening!

I just finished this scary headline in yahoo, that hackers broke into Citibank’s network of ATMs inside 7-Eleven stores and stole customers’ PIN codes, according to recent court filings that revealed a disturbing security hole in the most sensitive part of a banking record.

The scam netted the alleged identity thieves millions of dollars. But more importantly for consumers, it indicates criminals were able to access PINs — the numeric passwords that theoretically, I repeat, theoretically, are among the most closely guarded elements of banking transactions — by attacking the back-end computers responsible for approving the cash withdrawals.

Is it even possible to do?

Well, from my experiences in the past when I still work on this “un-paid job not even a dime called being a freelance security adviser which most people not even know we were existed since we’re all writing security advisories using a cyber-nickname” group, there ‘re no such thing as “impossible” in hacker ‘s dictionary.
This group I used to work for ( for free ), our everyday activities is scanning for network vulnerabilities, and checking some software bugs, writing the advisories about it, and issued them in major security sites, contacting the vendors, and the best part of it, without getting paid. Whoa..
Yup, you heard me right, there still such people doing it, for some noble purposes. Me? I ‘m just a former, not anymore one of them now. As I built this tiny wonderful world we used to call “a family”, I should work my a55 out to monetize my expertize — ( is it even called an expertize? lol ) — to survive this rude world!

Back to the main issue, Yup it’s possible, nothing is impossible, the word impossible is not even existed in hacker ‘s glossary, not even in their vocabulary. You know most known hacker ‘s quote? “We did it because we can”. Whatta spirit!
From here, I ‘m gonna use the word “the bad guy” to replace the word hacker, coz I don’t agree to this public opinion that hackers always being referred to the bad guys.

How this Scary thing even possible from Happening?

Okay, we’re step into the mechanism, the how to, and the hole they’re into.

The bad guys are targeting the ATM system’s infrastructure, which is increasingly built on Microsoft Corp.’s Windows operating system and allows machines to be remotely diagnosed and repaired over the Internet. And despite industry standards that call for protecting PINs with strong encryption — which means encoding them to cloak them to outsiders — some ATM operators apparently aren’t properly doing that. The PINs seem to be leaking while in transit between the automated teller machines and the computers that process the transactions.

In plain english:

There ‘s a hole, which, it’s possible for us who know how to manage to get there, could take the advantages of the PIN data leaking.

This hole is created, from un-clean practices of some ATM operators who don’t properly doing the most basic known security practice called encryption.

Where’s the hole exactly? It’s between the automated teller machines and the computers that process the transactions, while in transit.

Avivah Litan, a security analyst with the Gartner research firm said:

“PINs were supposed be sacrosanct — what this (read: the hole and the PIN data leaking) shows is that PINs aren’t always encrypted like they’re supposed to be. The banks need much better fraud detection systems and much better authentication.”

The How to..

Woohoo.. The How to.. The best part of all advisories articles. Let’s conclude a bit. So.. There ‘s a hole, where the PIN data are leaking, and they’re leaking badly. How the bad guys (or should I say: we wannabe. lol) managed to get there?

Well.. It’s still a mystery.

Are you expecting some thing like: copy and paste the whole part of the script below, compile it to be a php executable file, execute it through a web interface using any favorite browser you used to use. Do you?

The most recent updates on this situation:

A critical issue in the investigation is how the bad guys infiltrated the system, a question that still hasn’t been answered publicly.

All that’s known is they broke into the ATM network through a server at a third-party processor, which means they probably didn’t have to touch the ATMs at all to pull off the heist.

They could have gained administrative access to the machines — which means they had carte blanche to grab information — through a flaw in the network or by figuring out those computers’ passwords. Or it’s possible they installed a piece of malicious software on a banking server to capture unencrypted PINs as they passed through.

All I can say is, in some hacker’s glossary meaning, it’s a direct attack.
If the bad guy finally found the leak, means the hole of this system has been there since the day its build, right? Actually it help us finally figured, that there ‘re something not right ( please notice: i don ‘t use the word “wrong”) from the first place.

Vendor ‘s Respond

Citibank, part of Citigroup Inc., has declined to comment on the technique or how many customers’ accounts were compromised. It said it notified affected customers and issued them new debit cards.
“We want our customers to know that, consistent with legal requirements, we do not hold them responsible for fraudulent activity in their accounts,” the bank said in a statement.

Oh well, we ‘re all agreed, the most interesting part of any vulnerability articles is the vendor responses.
The great part is It said it notified affected customers and issued them new debit cards… We do not hold them responsible for fraudulent activity in their accounts..
Refunded all the loss? Have no idea, hoping so..

Alrite guys… Be aware. Be safe.

[ Indonesian Version ]

This category was created based on that very idea, advisories, and mostly educational purposes. Some of the articles are taken from the security sites with full sincere and respects of its writer. It’s an advisories anyway. It originally found, written, and publish for its vendor and origin’s consideration. It’s an educational material for all people who have the same concern for security, and how to make this world belong to the securest system as humanly as possible.

Taking my part carrying the responsibility of spreading the knowledge to the people in this mother earth, this category was born.

So, enjoy the reading, hope you found it useful.