corenominal

Full stack web developer, interested in all the things, but especially the web, code, design, Linux, OS X, PHP, WordPress, JavaScript & robots.

Tagged: security

WordPress REST API Vulnerability Exploits Continue

Over the weekend the attacks increased and WordPress security firms have seen more attempts blocked by their firewalls. Sucuri, the website security firm that reported the vulnerability to WordPress, was tracking the “Hacked by w4l3XzY3” campaign last week and estimated 66,000 defacements. That particular campaign has now passed 260,000 pages indexed by Google. It is one of nearly two dozen defacement campaigns targeting the vulnerability.

Ouch! The WordPress REST API has certainly gotten off to a rocky start. Personally, I love the REST API, but I’m thinking this hasn’t helped convince its detractors that it should remain as part of the WordPress core.

Dissecting an SSL certificate

Hello! In my networking zine (which everyone will be able to see soon), there is a page about TLS/SSL (basically this tweet). But as happens when you write 200 words about a thing on a page, there is a lot more interesting stuff to say. So in this post we will dissect an SSL certificate and try to understand it!

A good break down of TLS/SSL certificates and how they work.

Ignorance is Bliss? An Enormous WordPress Zero-Day has Been Secretly Fixed

WordPress 4.7.2 fixed the issue, but it was a “silent patch”. The fix was hidden within other issues in order to give everyone time to patch their systems.

At the time of 4.7.2’s release details of the flaw were kept secret, as the security community raced to ensure that as many sites were protected as possible as Aaron Campbell explained in a WordPress blog post.

Sounds like a rather nasty flaw, so it’s understandable that a “silent patch” was applied.

UPDATE: More detailed information available here.

Look before you paste from a website to terminal

Most of the time when we see a code snippet online to do something, we often blindly copy-paste it to the terminal. Even the tech-savvy ones just see it on the website before copy-pasting. Here is why you shouldn’t do this.

I’m well past the point of copying and pasting random commands, that said, I’d imagine this could be somewhat scary for new Linux users.

On a semi-related note, I’m sure I noticed that the default terminal app in elementary OS alerts the user whenever they paste a “sudo” command. Seems like a sensible idea.

The State of WordPress Security

WordPress is not as insecure as its reputation would suggest. Rather it is a top target due to its incredible prevalence. Yes, there are a lot of vulnerabilities in the WordPress ecosystem, but most of them are in a small percentage of the plugins. While many plugins do not contain vulnerabilities at all because of their small size, the ones that do have issues have a lot of them. The more lines of code a plugin has, the more vulnerabilities it has on average.

I would have thought that would be pretty obvious. Still, it’s an interesting read, if only to get a list of plugins you’d probably want to avoid.

About pwgenWEB Password Generator

Back in August, I created pwgenGUI, a little Python front-end to pwgen. Today, I had a day off work, so I created pwgenWEB, a little web front-end to pwgen.

To be honest, there isn’t anything special about this password generator, in fact, I’d probably recommend that you don’t use it. That said, it was fun to build and it has helped me test out a few things, including my newly designed WordPress theme.

For anyone who might be interested, the tool uses a custom WordPress REST API endpoint to call pwgen with the arguments passed via an AJAX call.
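To show what such an endpoint looks like, here is an added illustration (not the pwgenWEB source itself) of a custom WordPress REST API route that shells out to pwgen. The route namespace `pwgen-web/v1`, the parameter names and the `pwgen_web_*` function names are my assumptions; the pwgen flags (`-s`, `-1`, `-c`, `-A`, `-n`, `-0`, `-y`) and the WordPress functions used are real. The security-relevant point is that the client never supplies raw command-line text: it sends booleans and an integer, which are validated by the REST layer, mapped to a fixed set of flags, and passed through `escapeshellarg()` before reaching the shell.

```php
<?php
/**
 * Added illustration, not the pwgenWEB source: a WordPress REST API endpoint
 * that calls pwgen with caller-supplied options. Namespace, parameter names
 * and function names are assumptions; pwgen's flags are real.
 */

add_action( 'rest_api_init', 'pwgen_web_register_route' );

function pwgen_web_register_route() {
	register_rest_route( 'pwgen-web/v1', '/generate', array(
		'methods'             => WP_REST_Server::READABLE,
		'callback'            => 'pwgen_web_generate',
		'permission_callback' => '__return_true', // public tool; tighten if needed
		'args'                => array(
			'length' => array(
				'default'           => 16,
				// Reject anything outside a sane range before it gets near the shell.
				'validate_callback' => function ( $value ) {
					return is_numeric( $value ) && (int) $value >= 8 && (int) $value <= 64;
				},
				'sanitize_callback' => 'absint',
			),
			'uppercase' => array( 'default' => true,  'sanitize_callback' => 'rest_sanitize_boolean' ),
			'numbers'   => array( 'default' => true,  'sanitize_callback' => 'rest_sanitize_boolean' ),
			'symbols'   => array( 'default' => false, 'sanitize_callback' => 'rest_sanitize_boolean' ),
		),
	) );
}

/**
 * Translate the validated request into a fixed set of pwgen flags.
 * The caller only ever supplies booleans and an integer, never flag text.
 */
function pwgen_web_build_command( $length, $uppercase, $numbers, $symbols ) {
	$flags   = array( '-s', '-1' );          // fully random passwords, one per line
	$flags[] = $uppercase ? '-c' : '-A';     // include / exclude capital letters
	$flags[] = $numbers ? '-n' : '-0';       // include / exclude numerals
	if ( $symbols ) {
		$flags[] = '-y';                     // include special characters
	}

	$parts = array( 'pwgen' );
	foreach ( $flags as $flag ) {
		$parts[] = escapeshellarg( $flag );
	}
	$parts[] = escapeshellarg( (string) $length ); // pw_length
	$parts[] = '1';                                // num_pw
	return implode( ' ', $parts );
}

function pwgen_web_generate( WP_REST_Request $request ) {
	$command = pwgen_web_build_command(
		$request['length'],
		$request['uppercase'],
		$request['numbers'],
		$request['symbols']
	);

	$output = array();
	$status = 1;
	exec( $command, $output, $status );

	if ( 0 !== $status || empty( $output ) ) {
		return new WP_Error( 'pwgen_failed', 'pwgen did not return a password.', array( 'status' => 500 ) );
	}

	// Only the generated password is returned to the browser.
	return rest_ensure_response( array( 'password' => trim( $output[0] ) ) );
}
```

With this registered, the front end's AJAX call is a plain GET to `/wp-json/pwgen-web/v1/generate?length=20&symbols=1`. If you would rather not execute a binary from a web request at all, WordPress already ships `wp_generate_password()`, which removes the shell from the picture entirely.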

I’ve tried to include feature parity with the desktop app, namely:

  • Configurable options, including character length and the inclusion of uppercase, numeric and special characters.
  • Saves settings across sessions, enabling you to use the same password policy (handled by js-cookie).
  • 1-click password generation — a password is generated on page load, so one is ready as soon as the application starts.
  • Easily copy passwords to clipboard (handled by clipboard.js).

Anyhow, feel free to use it, or not. Or, if you’re looking for something that’s a little more fun, try something like Passweird.

WordPress Security: This wp-config.php Protects Your Website

There are many ways to protect your WordPress-based website from getting hacked. The optimization of the wp-config.php can be considered to be an important part of a proper security strategy. Of course, the site won’t turn into the Bank of England, but you’ve made it a little harder for the hackers.

Some good tips for hardening your WordPress installation.

Distrusting New WoSign and StartCom Certificates

Mozilla has discovered that a Certificate Authority (CA) called WoSign has had a number of technical and management failures. Most seriously, we discovered they were backdating SSL certificates in order to get around the deadline that CAs stop issuing SHA-1 SSL certificates by January 1, 2016. Additionally, Mozilla discovered that WoSign had acquired full ownership of another CA called StartCom and failed to disclose this, as required by Mozilla policy. The representatives of WoSign and StartCom denied and continued to deny both of these allegations until sufficient data was collected to demonstrate that both allegations were correct. The levels of deception demonstrated by representatives of the combined company have led to Mozilla’s decision to distrust future certificates chaining up to the currently-included WoSign and StartCom root certificates.

Oh, that’s not good. I use StartCom services for a number of domains and so this is a worry. I should probably look at completely switching to Let’s Encrypt.