Posted on 16 Oct 2021 by Ray Heffer
The use of VPNs is a hot topic right now. Edward Snowden recently warned people away from ExpressVPN (and rightly so). Just to be clear, I use a VPN all of the time. It’s always-on, running on my pfSense router. In fact I use multiple VPN providers for different reasons.
Recently I’ve also seen some poorly represented information about how VPNs do not provide any privacy. It appears to me that some of this information has good intentions, but doesn’t address the threat models VPNs are great for.
Making a statement like ‘VPNs do not provide privacy’ is too broad, without understanding your threat model.
Posted on 18 Nov 2020 by Ray Heffer
I cringe when I see a fellow IT professional use their web browser, only to see the screen is filled with ads. It’s not the content of the ads themselves that I dislike, well actually that too, but it’s the third-party tracking cookies that are part of the payload. Yes, I said payload. Much like the soldiers that hid inside of a wooden horse to enter the city of Troy, tracking cookies are also hiding inside of those ads, and sometimes they contain malware. But why should you care? After all, don’t they just serve up more relevant ads by tracking your interests?
Earlier this year (2020), The New York Times published a series of articles called The Privacy Project, and one such article highlighted this very issue, Why You Should Take a Close Look at What Tracks You. It happens in the physical world as well, with Bluetooth and WiFi beacons in stores and shopping centers, and automatic license-plate readers (ALPR) on our roads, parking lots, venues, and neighborhoods. Yes, you heard that right. Neighborhoods.
I don’t like being tracked, at all. The nothing to hide argument is also ridiculous so I won’t even entertain that here. The fact is that our data is being collected, and the organizations collecting it will invariably suffer a data breach or leak at some point in time, and I don’t want my personal information in the wrong hands. Not to mention that fact that health, home, and auto insurance companies want this data too, and depending on how they profile you, it can increase your insurance premium.
Posted on 06 Apr 2020 by Ray Heffer
AWS Secrets Manager allows you to protect critical information for your applications such as passwords, secret keys, and salts. Rather than storing these locally on an EC2 instance (or worse), including them in your code risking them getting leaked on public repositories, you can now use the AWS Secrets Manager API. In fact you can use it to store anything that you want to keep away from prying eyes. When learning more about AWS Secrets Manager, my first thought was how to use this with Wordpress.
wp-config.php file in Wordpress contains the keys to the kingdom. With most deployments, this file contains the database hostname, username, password, salts, and hashes. If a hacker gains access to this file, it’s game over. One best practice is to place the the Wordpress configuration file one level up, so it cannot be directly accessed using a browser. But that isn’t always going to keep the contents of the file secure. If for some reason, PHP fails on the web host, such as a botched patch or upgrade, there is a potential that PHP files are rendered as text.
The main concern are vulnerabilities with Wordpress plugins. For example, in 2015, an exploit was found in the Slider Revolution (revslider) plug-in, that allowed attackers to access
wp-config.php, among other critical files on the web server, by manipulating the URL (
action=revslider_show_image&img=../wp-config.php) to gain access. By the way, this is something you can also protect against with AWS Firewall Manager and AWS WAF rules. So despite the file being stored one level up, this vulnerability allowed attackers to simply access it by manipulating the URL.
Posted on 27 Mar 2020 by Ray Heffer
Without a doubt, Wordpress is the most popular and versatile blogging platform available today. It is used by both individual bloggers and large organizations alike. According to WordCamp, over 75 million sites are running on Wordpress around the world. One of the fundamental problems with this popular blogging platform, or more precisely, content management system (CMS), is keeping it secure. With over 50,000 plugins and the ease of installation, it is no wonder it has become the platform of choice by millions of websites. Unfortunately due to it’s popularity, it will continue to be pwned on a daily basis.
Wordpress can be a secure platform if deployed and managed properly. However, there will continue to be zero-day exploits that exist in many of the plug-ins used by the millions of Wordpress sites around the world. Whether Wordpress itself is secure is only part of the story. If you run a Wordpress blog, how often is the underlying server OS patched? What about the plugins, and Wordpress itself? While an unpatched server or vulnerable plug-ins is one such attack vector, there are numerous others including brute forcing XML-RPC, and exposed
wp-config.php files on GitHub.
Poor implementations of the underlying server architecture is also to blame. Wordpress requires a database, and there is no way around that. Often MySQL is installed on the webserver along with everything else. This is a LAMP stack after all! But, one of the issues with this is how MySQL is managed, using add-ons like phpMyAdmin or cPanel. As I write this, cPanel has over 360 known vulnerabilities and phpMyAdmin has over 250. Don’t get me wrong, tools like this make it easy to deploy you own Linux server and build your website from scratch, but it is a wornderland for hackers.