Tags: security

Improve your Nginx SSL configuration [↗]

Handy tips for improving your NGINX SSL configuration. I implemented some of these tips and my site went from a grade B to grade A when I tested it with the Qualys SSL Server Test.

How To Secure Your Web App With HTTP Headers [↗]

HTTP response headers can be leveraged to tighten up the security of web apps, typically just by adding a few lines of code. In this article, we’ll show how web developers can use HTTP headers to build secure apps.

Some good advice for securing your web apps.

Router assimilated into the Borg, sends 3TB in 24 hours [↗]

Now, two experiences don’t provide us with any statistics to rely on. But if my experience is common, then maybe manufacturers need to start producing a more extensive range of tools to recover hacked routers.

Or they could just provide more secure routers to begin with. Either way, having your router hacked sounds like a proper PITA.

WordPress REST API Vulnerability Exploits Continue [↗]

Over the weekend the attacks increased and WordPress security firms have seen more attempts blocked by their firewalls. Sucuri, the website security firm that reported the vulnerability to WordPress, was tracking the “Hacked by w4l3XzY3” campaign last week and estimated 66,000 defacements. That particular campaign has now passed 260,000 pages indexed by Google. It is one of nearly two dozen defacement campaigns targeting the vulnerability.

Ouch! The WordPress REST API has certainly gotten off to a rocky start. Personally, I love the REST API, but I’m thinking this hasn’t helped convince its detractors that it should remain as part of the WordPress core.

Dissecting an SSL certificate [↗]

Hello! In my networking zine (which everyone will be able to see soon), there is a page about TLS/SSL (basically this tweet). But as happens when you write 200 words about a thing on a page, there is a lot more interesting stuff to say. So in this post we will dissect an SSL certificate and try to understand it!

A good break down of TLS/SSL certificates and how they work.

Ignorance is Bliss? An Enormous WordPress Zero-Day has Been Secretly Fixed [↗]

WordPress 4.7.2 fixed the issue, but it was a “silent patch”. The fix was hidden within other issues in order to give everyone time to patch their systems.

At the time of 4.7.2’s release, details of the flaw were kept secret, as the security community raced to ensure that as many sites were protected as possible, as Aaron Campbell explained in a WordPress blog post.

Sounds like a rather nasty flaw, so it’s understandable that a “silent patch” was applied.

UPDATE: More detailed information available here.

Look before you paste from a website to terminal [↗]

Most of the time when we see a code snippet online to do something, we often blindly copy-paste it to the terminal. Even the tech-savvy ones just see it on the website before copy-pasting. Here is why you shouldn’t do this.

I’m well past the point of copying and pasting random commands; that said, I’d imagine this could be somewhat scary for new Linux users.

On a semi-related note, I’m sure I noticed that the default terminal app in elementary OS alerts the user whenever they paste a “sudo” command. Seems like a sensible idea.

Communicating the Dangers of Non-Secure HTTP [↗]

In order to clearly highlight risk to the user, starting this month in Firefox 51 web pages which collect passwords but don’t use HTTPS will display a grey lock icon with a red strike-through in the address bar.

This is a good move, but I wonder if the visual indicator should be stronger?

The State of WordPress Security [↗]

WordPress is not as insecure as its reputation would suggest. Rather, it is a top target due to its incredible prevalence. Yes, there are a lot of vulnerabilities in the WordPress ecosystem, but most of them are in a small percentage of the plugins. While many plugins do not contain vulnerabilities at all because of their small size, the ones that do have issues have a lot of them. The more lines of code a plugin has, the more vulnerabilities it has on average.

I would have thought that would be pretty obvious. Still, it’s an interesting read, if only to get a list of plugins you’d probably want to avoid.

About pwgenWEB Password Generator

Back in August, I created pwgenGUI, a little Python front-end to pwgen. Today, I had a day off work, so I created pwgenWEB, a little web front-end to pwgen.

To be honest, there isn’t anything special about this password generator, in fact, I’d probably recommend that you don’t use it. That said, it was fun to build and it has helped me test out a few things, including my newly designed WordPress theme.

For anyone who might be interested, the tool uses a custom WordPress REST API endpoint to call pwgen with the arguments passed via an AJAX call.
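As an added example (not the pwgenWEB source, which this post does not show), here is how such an endpoint can be registered so that only validated, fixed arguments ever reach pwgen; the route name, option names, nonce gate and function name are assumptions for illustration:

```php
<?php
// Added example, not pwgenWEB's own code: a custom WordPress REST endpoint
// that shells out to pwgen. Route, arg names and the helper are assumed.
add_action( 'rest_api_init', function () {
    register_rest_route( 'pwgenweb-example/v1', '/password', array(
        'methods'             => 'GET',
        'callback'            => 'pwgenweb_example_generate',
        // Assumed gate: only requests carrying a valid REST nonce are served.
        'permission_callback' => function ( WP_REST_Request $request ) {
            return (bool) wp_verify_nonce( $request->get_header( 'X-WP-Nonce' ), 'wp_rest' );
        },
        // Every argument is typed and bounded by the REST schema before use.
        'args' => array(
            'length' => array(
                'type'              => 'integer',
                'default'           => 16,
                'minimum'           => 8,
                'maximum'           => 64,
                'sanitize_callback' => 'absint',
            ),
            'capitals' => array( 'type' => 'boolean', 'default' => true ),
            'numerals' => array( 'type' => 'boolean', 'default' => true ),
            'symbols'  => array( 'type' => 'boolean', 'default' => false ),
        ),
    ) );
} );

function pwgenweb_example_generate( WP_REST_Request $request ) {
    // Booleans map to fixed pwgen flags; the client never supplies raw flags.
    $flags   = array( '-s', '-1' );                  // secure mode, one per line
    $flags[] = $request['capitals'] ? '-c' : '-A';
    $flags[] = $request['numerals'] ? '-n' : '-0';
    if ( $request['symbols'] ) {
        $flags[] = '-y';
    }
    // Length is already an integer; escapeshellarg guards every argv element.
    $argv = array_map( 'escapeshellarg', $flags );
    $argv[] = escapeshellarg( (string) (int) $request['length'] );
    $argv[] = '1';                                   // exactly one password
    exec( 'pwgen ' . implode( ' ', $argv ), $output, $status );
    if ( 0 !== $status || empty( $output ) ) {
        return new WP_Error( 'pwgen_failed', 'pwgen did not return a password', array( 'status' => 500 ) );
    }
    return rest_ensure_response( array( 'password' => trim( $output[0] ) ) );
}
```

The schema rejects out-of-range lengths and non-boolean toggles before the callback runs, so no request-controlled string is ever concatenated into the command line.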

I’ve tried to include feature parity with the desktop app, namely:

  • Configurable options, including character length and the inclusion of uppercase, numeric and special characters.
  • Saves settings across sessions, enabling you to use the same password policy (handled by js-cookie).
  • 1-click password generation — generates a password on application start (page load).
  • Easily copy passwords to clipboard (handled by clipboard.js).

Anyhow, feel free to use it, or not. Or, if you’re looking for something that’s a little more fun, try something like Passweird.
