Tags: hacking

Router assimilated into the Borg, sends 3TB in 24 hours [↗]

Now, two experiences don’t provide us with any statistics to rely on. But if my experience is common, then maybe manufacturers need to start producing a more extensive range of tools to recover hacked routers.

Or they could just provide more secure routers to begin with. Either way, having your router hacked sounds like a proper PITA.

WordPress REST API Vulnerability Exploits Continue [↗]

Over the weekend the attacks increased and WordPress security firms have seen more attempts blocked by their firewalls. Sucuri, the website security firm that reported the vulnerability to WordPress, was tracking the “Hacked by w4l3XzY3” campaign last week and estimated 66,000 defacements. That particular campaign has now passed 260,000 pages indexed by Google. It is one of nearly two dozen defacement campaigns targeting the vulnerability.

Ouch! The WordPress REST API has certainly gotten off to a rocky start. Personally, I love the REST API, but I’m thinking this hasn’t helped convince its detractors that it should remain as part of the WordPress core.

Ignorance is Bliss? An Enormous WordPress Zero-Day has Been Secretly Fixed [↗]

WordPress 4.7.2 fixed the issue, but it was a “silent patch”. The fix was hidden within other issues in order to give everyone time to patch their systems.

At the time of 4.7.2’s release, details of the flaw were kept secret, as the security community raced to ensure that as many sites were protected as possible, as Aaron Campbell explained in a WordPress blog post.

Sounds like a rather nasty flaw, so it’s understandable that a “silent patch” was applied.

UPDATE: More detailed information available here.

The State of WordPress Security [↗]

WordPress is not as insecure as its reputation would suggest. Rather, it is a top target due to its incredible prevalence. Yes, there are a lot of vulnerabilities in the WordPress ecosystem, but most of them are in a small percentage of the plugins. While many plugins do not contain vulnerabilities at all because of their small size, the ones that do have issues have a lot of them. The more lines of code a plugin has, the more vulnerabilities it has on average.

I would have thought that would be pretty obvious. Still, it’s an interesting read, if only to get a list of plugins you’d probably want to avoid.

WordPress Security: This wp-config.php Protects Your Website [↗]

There are many ways to protect your WordPress-based website from getting hacked. The optimization of the wp-config.php can be considered to be an important part of a proper security strategy. Of course, the site won’t turn into the Bank of England, but you’ve made it a little harder for the hackers.

Some good tips for hardening your WordPress installation.

Internet of Stranger Things [↗]

Seb Lee-Delisle lights up our 2016 advent series with an illuminating guide to making your own Stranger Things style fairy lights to pick up messages from the upside-down (also known as the Internet).

Very cool.

hacker-scripts: Based on a true story [↗]

xxx: hangover.sh – another cron-job that is set to specific dates. Sends automated emails like “not feeling well/gonna work from home” etc. Adds a random “reason” from another predefined array of strings. Fires if there are no interactive sessions on the server at 8:45am.

Haha, I love these.

DEF CON 24 – Chris Rock – How to Overthrow a Government [↗]

Are you sick and tired of your government? Can’t wait another 4 years for an election? Or do you want to be like the CIA and overthrow a government overseas for profit or fun? If you answered yes to one or more of these questions then this talk is for you! Why not create your own cyber mercenary unit and invoke a regime change to get the government you want installed? After all, if you want the job done right, sometimes you have to do it yourself.

Thoroughly entertaining, if not a little scary.

Red Alert – Work in progress [↗]

My love of Star Trek is well known and so when I got the chance to play around with Pimoroni’s new Mote lights, well there was only one thing to do. Simulate alert statuses!

My friend @biglesp is always making cool things. I love his latest project and I’m tempted to have a go at it myself, it looks like a lot of fun.

Of Course I’ll Let You Execute Arbitrary Javascript Code in My Users’ Browsers [↗]

All about the dangers of including externally hosted JavaScript in your websites. I would have thought that most of this would be common knowledge for professional developers, but the web being the web, there are plenty of hobbyists and amateurs out there who are probably very clueless about this stuff, so I thought it was worth sharing.

Also, I found this slightly amusing:

I’ll admit it, I used this vector for some grey-hat purposes back in my college days. In college, I wrote a terrible Javascript animation library that inexplicably became very popular among Spanish-speaking web developers. In order to facilitate onboarding, I offered the library over a public CDN that anybody could use.

At its peak, the script was being loaded from a few hundred websites and receiving about 100k loads per day. Some of my friends were in a band and they were participating in a local battle-of-the-bands competition for a radio station that featured weekly online votes to move to the next round. Their voting system did nothing to defend against XSRF attacks, but did limit votes to 1 per IP address.

So naturally, my friends won by a landslide of votes, most of which originated in Latin America.

** chuckles **
