CompuSkills Blog
Accessible Web Design, IT and Information Security
Nov 27
ISACA - CGEIT Grandfathering Deadline
Filed under: security; Tagged as: Audit, Certifications, CGEIT, Governance, Information Systems, ISACA, IT Governance, Management | 1 Comment
For people with significant experience in the governance (management) of enterprise information technology systems, the chance to get an ISACA certification without an exam is running out.
A few months ago, ISACA extended the grandfathering deadline for the Certified in the Governance of Enterprise IT (CGEIT) qualification until 31 December 2008. This means you only have just over four weeks to get your paperwork signed off and sent in for accreditation.
You can read more on the ISACA site.
Nov 25
WordPress Upgrade
Filed under: Software, Technology; Tagged as: Admin, Blog, Blog-Software, Blogging, Internet, Software, Technology, wordpress, WordPress-Upgrade | No Comments
Just to let you know, in case you haven't already seen it on the dashboard: WordPress has been upgraded to 2.6.5.
This upgrade fixes a security problem, so unless you have an overwhelming reason not to, it is advised that you upgrade as soon as possible. From the WP Blog:
The security issue is an XSS exploit discovered by Jeremias Reith that fortunately only affects IP-based virtual servers running on Apache 2.x. If you are interested only in the security fix, copy wp-includes/feed.php and wp-includes/version.php from the 2.6.5 release package.
Also, as a result of the faked 2.6.4 version that was passed around, WP decided to skip this release number (which is why you should be upgrading from 2.6.3 to 2.6.5). WordPress have stated there will never be a version 2.6.4 release.
Nov 16
Clickjacking
Filed under: Software, Technology, security; Tagged as: clickjacking, computer-security, Hacking, malware, security, Wikipedia | No Comments
Clickjacking has been a hot topic for the past couple of months. It is an issue that might affect pretty well any browser platform except Lynx.
Wikipedia defines clickjacking as:
a malicious technique of tricking web users into revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. A vulnerability across a variety of browsers and platforms, a clickjacking takes the form of embedded code or script that can execute without the user’s knowledge, such as clicking on a button that appears to perform another function.
Robert Hansen and Jeremiah Grossman have released a few items of information about what it is and how to prevent it, but the presentation will be deferred until later this month, when there should be a solution to the Adobe issue at least.
According to a story in the Register, among the most disturbing reported aspects of clickjacking is the capacity to turn the PC user's microphone and webcam into snooping devices. This was supposedly achieved by a proof-of-concept game which used Flash (although it is claimed that JavaScript and DHTML could achieve the same results).
The proof of concept is a powerful demonstration of the spooky implications behind clickjacking. The vulnerability allows malicious webmasters to control the links visitors click on. Once lured to a booby-trapped page, a user may think he’s clicking on a link that leads to Google - when in fact it takes him to a money transfer page, a banner ad that’s part of a click-fraud scheme, or any other destination the attacker chooses.
If it’s any reassurance, the Register didn’t initially have much success at getting clickjacked in Firefox, although Internet Explorer worked immediately. Disabling your webcam when you aren’t actively using it is a very good start to prevention, although it won’t guarantee you will be protected against other intrusions.
Adobe have published instructions for a Flash Player workaround until they have dealt with the issue.
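The server-side defence against clickjacking is to tell the browser which origins, if any, may render a page inside a frame, which later arrived as the X-Frame-Options header and the CSP frame-ancestors directive. As an added example (not code from this post, the Register or Adobe), the following Python classifies the anti-framing policy a current browser would apply to a set of response headers; the header sets are constructed, not captured from any real site.

```python
"""Classify the anti-framing policy a page gets from its response headers.

Added example, not from the blog post. Input is a dict of response headers
(constructed below); the verdict says whether a browser would refuse to
render the page inside another site's frame.
"""
from typing import Dict, List, Optional, Tuple


def parse_csp(csp: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    directives: Dict[str, List[str]] = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            # keyword sources such as 'self' and 'none' are case-insensitive
            directives[tokens[0].lower()] = [
                t.lower() if t.startswith("'") else t for t in tokens[1:]]
    return directives


def framing_policy(headers: Dict[str, str]) -> Tuple[str, str]:
    """Return (verdict, reason). Verdict is deny, same-origin, allow-list,
    invalid or unprotected. CSP frame-ancestors overrides X-Frame-Options."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    csp = h.get("content-security-policy", "")
    ancestors: Optional[List[str]] = parse_csp(csp).get("frame-ancestors")
    if ancestors is not None:
        if ancestors in (["'none'"], []):  # an empty source list matches nothing
            return "deny", "CSP frame-ancestors 'none'"
        if ancestors == ["'self'"]:
            return "same-origin", "CSP frame-ancestors 'self'"
        return "allow-list", "CSP frame-ancestors " + " ".join(ancestors)
    xfo = h.get("x-frame-options")
    if xfo is None:
        return "unprotected", "no frame-ancestors or X-Frame-Options header"
    value = xfo.upper()
    if value == "DENY":
        return "deny", "X-Frame-Options: DENY"
    if value == "SAMEORIGIN":
        return "same-origin", "X-Frame-Options: SAMEORIGIN"
    if value.startswith("ALLOW-FROM"):
        # never standardised; current browsers ignore it, so it protects nothing
        return "unprotected", "X-Frame-Options ALLOW-FROM is obsolete and ignored"
    return "invalid", f"unrecognised X-Frame-Options value {xfo!r}"


# Constructed sample responses (hypothetical hosts, not real sites)
SAMPLES = {
    "hardened": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "legacy": {"X-Frame-Options": "sameorigin"},
    "csp-wins": {"X-Frame-Options": "DENY",
                 "Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
    "bare": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:9} -> {framing_policy(hdrs)}")
```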