Posted on 18 Nov 2020 by Ray Heffer
I cringe when I see a fellow IT professional use their web browser, only to see the screen is filled with ads. It’s not the content of the ads themselves that I dislike, well actually that too, but it’s the third-party tracking cookies that are part of the payload. Yes, I said payload. Much like the soldiers that hid inside of a wooden horse to enter the city of Troy, tracking cookies are hiding inside of those ads, and sometimes the ad payload itself carries malware (malvertising). But why should you care? After all, don’t they just serve up more relevant ads by tracking your interests?
Earlier this year (2020), The New York Times published a series of articles called The Privacy Project, and one such article highlighted this very issue, Why You Should Take a Close Look at What Tracks You. It happens in the physical world as well, with Bluetooth and WiFi beacons in stores and shopping centers, and automatic license-plate readers (ALPR) on our roads, parking lots, venues, and neighborhoods. Yes, you heard that right. Neighborhoods.
I don’t like being tracked, at all. The “nothing to hide” argument is also ridiculous so I won’t even entertain that here. The fact is that our data is being collected, and the organizations collecting it will invariably suffer a data breach or leak at some point in time, and I don’t want my personal information in the wrong hands. Not to mention the fact that health, home, and auto insurance companies want this data too, and depending on how they profile you, it can increase your insurance premium.
Posted on 06 Apr 2020 by Ray Heffer
AWS Secrets Manager allows you to protect critical information for your applications such as passwords, secret keys, and salts. Rather than storing these locally on an EC2 instance, or worse, embedding them in your code and risking a leak to a public repository, you can retrieve them at runtime through the AWS Secrets Manager API. In fact, you can use it to store anything you want to keep away from prying eyes. When learning more about AWS Secrets Manager, my first thought was how to use it with Wordpress.
The wp-config.php file in Wordpress contains the keys to the kingdom. In most deployments this file contains the database hostname, username, and password, plus the authentication keys and salts. If an attacker gains access to this file, it’s game over. One best practice is to place the Wordpress configuration file one directory above the web root, so it cannot be requested directly through a browser. But that will not always keep the contents of the file secure. If PHP fails on the web host for some reason, such as a botched patch or upgrade, there is a risk that PHP files are served to the browser as plain text.
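As an added example that is not part of the original post, the following Python shows the lookup-and-validate step behind a Secrets Manager backed wp-config.php: fetch the secret with `GetSecretValue`, accept either the string or binary form of the response, validate that it carries the four database settings, and render them as PHP `define()` lines with correct single-quote escaping. The secret name `prod/wordpress/db`, its JSON layout, and the offline stand-in client are assumptions for this illustration; in production the client is `boto3.client("secretsmanager")` (or the same call through the AWS SDK for PHP inside wp-config.php itself) and the instance role is granted `secretsmanager:GetSecretValue` on that one secret ARN.

```python
import base64
import json
from typing import Any, Dict

# Keys a WordPress wp-config.php needs for the database. The secret is
# assumed (hypothetical layout) to be a JSON object holding exactly these.
WP_DB_KEYS = ("DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST")


class SecretFormatError(ValueError):
    """The secret exists but does not carry a usable WordPress DB config."""


def secret_payload(resp: Dict[str, Any]) -> str:
    """GetSecretValue returns SecretString for text secrets and SecretBinary
    for binary ones (base64 text over the wire, raw bytes from boto3)."""
    if resp.get("SecretString") is not None:
        return resp["SecretString"]
    if resp.get("SecretBinary") is not None:
        raw = resp["SecretBinary"]
        if isinstance(raw, str):
            raw = base64.b64decode(raw)
        return bytes(raw).decode("utf-8")
    raise SecretFormatError("response carries neither SecretString nor SecretBinary")


def fetch_wp_db_secret(client: Any, secret_id: str) -> Dict[str, str]:
    """client is anything exposing get_secret_value(SecretId=...), such as
    boto3.client("secretsmanager"). Returns only the validated DB settings."""
    resp = client.get_secret_value(SecretId=secret_id)
    try:
        data = json.loads(secret_payload(resp))
    except json.JSONDecodeError as exc:
        raise SecretFormatError(f"secret {secret_id} is not JSON") from exc
    if not isinstance(data, dict):
        raise SecretFormatError(f"secret {secret_id} is not a JSON object")
    missing = [k for k in WP_DB_KEYS if not isinstance(data.get(k), str) or not data[k]]
    if missing:
        raise SecretFormatError(f"secret {secret_id} is missing {missing}")
    return {k: data[k] for k in WP_DB_KEYS}


def php_single_quoted(value: str) -> str:
    """Render a PHP single-quoted string literal. Only backslash and the quote
    itself are escape-significant in that form, so a password containing '$'
    or '"' is not interpolated by PHP."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def render_db_defines(settings: Dict[str, str]) -> str:
    """The define() lines a bootstrap step would write into wp-config.php in
    place of hard-coded credentials."""
    return "\n".join(
        f"define({php_single_quoted(k)}, {php_single_quoted(settings[k])});"
        for k in WP_DB_KEYS
    )


class _ConstructedClient:
    """Offline stand-in for the boto3 client; returns constructed responses."""

    def __init__(self, secrets: Dict[str, Dict[str, Any]]) -> None:
        self._secrets = secrets

    def get_secret_value(self, SecretId: str) -> Dict[str, Any]:
        if SecretId not in self._secrets:
            # boto3 raises client.exceptions.ResourceNotFoundException here
            raise KeyError(SecretId)
        return self._secrets[SecretId]


SAMPLE_SECRET_ID = "prod/wordpress/db"  # hypothetical secret name
SAMPLE_CLIENT = _ConstructedClient({
    SAMPLE_SECRET_ID: {"SecretString": json.dumps({
        "DB_NAME": "wp_prod",
        "DB_USER": "wp_app",
        "DB_PASSWORD": "p4$s'w0rd\\x",  # awkward characters on purpose
        "DB_HOST": "wp-prod.cluster-abc.us-east-1.rds.amazonaws.com",
    })},
    "prod/wordpress/broken": {"SecretString": "not json at all"},
    "prod/wordpress/binary": {"SecretBinary": base64.b64encode(
        b'{"DB_NAME":"wp","DB_USER":"u","DB_PASSWORD":"p","DB_HOST":"h"}').decode()},
})


if __name__ == "__main__":
    settings = fetch_wp_db_secret(SAMPLE_CLIENT, SAMPLE_SECRET_ID)
    print(render_db_defines(settings))
```

If the rendered lines are written to disk at boot, the file still holds the credentials, so restrict it (owned by root, group-readable by the PHP worker only, mode 0640) and rotate the secret through Secrets Manager rather than by editing the file. Calling the API from PHP at request time, with a short in-memory cache, avoids the on-disk copy entirely.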
The main concern is vulnerabilities in Wordpress plugins. For example, an exploit disclosed in 2014 and still being exploited widely in 2015 in the Slider Revolution (revslider) plugin allowed attackers to read wp-config.php, among other critical files on the web server, by manipulating the URL (action=revslider_show_image&img=../wp-config.php). By the way, this is something you can also protect against with AWS WAF rules, managed across accounts with AWS Firewall Manager. So despite the file being stored one level up, this vulnerability allowed attackers to read it simply by manipulating the URL.
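The flaw above is a classic path traversal: a request parameter is joined onto a directory and the `..` segments walk back out of it. As an added example (not the plugin's code and not from the original post), here is that pattern in Python beside a hardened version that decodes the parameter, resolves the real path, and checks that the result stays inside the uploads directory and has an image extension. The uploads directory and the request values are constructed for the illustration.

```python
import os
import posixpath
from urllib.parse import unquote

UPLOADS = "/var/www/html/wp-content/uploads"  # constructed base directory
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".webp"}


def vulnerable_image_path(base_dir: str, img: str) -> str:
    """The flawed pattern: the request parameter is joined straight onto the
    directory, so '..' segments escape it. Normalised only to show where the
    path actually lands."""
    return os.path.normpath(os.path.join(base_dir, img))


def safe_image_path(base_dir: str, img: str) -> str:
    """Return an absolute path only if it resolves to an image inside base_dir."""
    # Decode twice so both %2e%2e and %252e%252e are seen as '..'.
    raw = unquote(unquote(img))
    if "\x00" in raw:
        raise ValueError("NUL byte in path parameter")
    # A filename under uploads never needs an absolute path or a backslash.
    if posixpath.isabs(raw) or "\\" in raw:
        raise ValueError(f"absolute path or backslash rejected: {img!r}")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, raw))
    # realpath collapses '..' and follows symlinks, so containment is checked
    # on the final physical location rather than on the text of the request.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes {base_dir}: {img!r}")
    # Even inside uploads, only serve image types; this also stops a stray
    # wp-config.php or uploaded shell.php from being read back through us.
    if os.path.splitext(candidate)[1].lower() not in IMAGE_EXTENSIONS:
        raise ValueError(f"not an image file: {img!r}")
    return candidate


def is_allowed(base_dir: str, img: str) -> bool:
    """Convenience wrapper for the usage below: True if the request is served."""
    try:
        safe_image_path(base_dir, img)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for img in ("2020/03/slider.jpg", "../wp-config.php",
                "..%2F..%2Fwp-config.php", "%252e%252e/wp-config.php",
                "/etc/passwd", "shell.php"):
        print(f"{img!r:32} vulnerable -> {vulnerable_image_path(UPLOADS, img)}")
        print(f"{'':32} hardened   -> {'served' if is_allowed(UPLOADS, img) else 'blocked'}")
```

The containment check compares real paths, so a symlink planted inside uploads that points at the web root is also rejected; an extension allow-list is cheap extra insurance and is what lets the check fail closed for file types the handler was never meant to serve.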
Posted on 27 Mar 2020 by Ray Heffer
Without a doubt, Wordpress is the most popular and versatile blogging platform available today. It is used by both individual bloggers and large organizations alike. According to WordCamp, over 75 million sites are running on Wordpress around the world. One of the fundamental problems with this popular blogging platform, or more precisely, content management system (CMS), is keeping it secure. With over 50,000 plugins and the ease of installation, it is no wonder it has become the platform of choice for millions of websites. Unfortunately, due to its popularity, it will continue to be pwned on a daily basis.
Wordpress can be a secure platform if deployed and managed properly. However, there will continue to be zero-day exploits in many of the plugins used by the millions of Wordpress sites around the world. Whether Wordpress itself is secure is only part of the story. If you run a Wordpress blog, how often is the underlying server OS patched? What about the plugins, and Wordpress itself? While an unpatched server or vulnerable plugins are one such attack vector, there are numerous others, including brute forcing logins through XML-RPC, and wp-config.php files exposed on GitHub.
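Brute forcing through XML-RPC is worth detecting rather than only blocking, because the endpoint answers a failed login with HTTP 200 and a fault in the XML body, so status codes in the access log do not reveal failures. As an added example that is not part of the original post, the following Python parses Apache combined-format log lines and flags any client that POSTs to /xmlrpc.php more than a threshold number of times within a sliding one-minute window. The log lines, IP addresses, and the threshold are constructed for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Apache combined log format; fields beyond size are ignored here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> Optional[dict]:
    """Return the fields we need, or None for a line that is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop the query string
        "status": int(m["status"]),
    }


def find_xmlrpc_bruteforce(lines: List[str], threshold: int = 20,
                           window: timedelta = timedelta(minutes=1)) -> Dict[str, int]:
    """Map each IP whose POSTs to /xmlrpc.php reach `threshold` inside any
    `window` to its peak count in that window."""
    hits: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith("/xmlrpc.php"):
            hits[rec["ip"]].append(rec["ts"])
    flagged: Dict[str, int] = {}
    for ip, times in hits.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # Slide the window start forward until it covers at most `window`.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def _line(ip: str, ts: datetime, method: str, path: str, status: int, size: int) -> str:
    """Build one constructed combined-format log line."""
    return (f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" '
            f'{status} {size} "-" "Mozilla/5.0"')


_T0 = datetime(2020, 3, 27, 10, 0, 0, tzinfo=timezone.utc)
# Constructed sample: one ordinary visitor, one legitimate XML-RPC client with a
# few requests spread over ten minutes, one attacker firing 25 POSTs in 48 s,
# and one garbage line that should be skipped rather than crash the parser.
SAMPLE_LOG: List[str] = (
    [_line("198.51.100.7", _T0, "GET", "/", 200, 5123)]
    + [_line("192.0.2.10", _T0 + timedelta(minutes=2 * i), "POST",
             "/xmlrpc.php?for=jetpack", 200, 410) for i in range(5)]
    + [_line("203.0.113.45", _T0 + timedelta(seconds=2 * i), "POST",
             "/xmlrpc.php", 200, 403) for i in range(25)]
    + ["this line is not an access log entry"]
)


if __name__ == "__main__":
    for ip, peak in find_xmlrpc_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {peak} POSTs to /xmlrpc.php within one minute")
```

Two caveats when tuning this. A single XML-RPC request can carry many login attempts through `system.multicall`, so a request-rate threshold under-counts a patient attacker; pairing it with a response-size check or disabling `system.multicall` server side closes that gap. And if the site does not use XML-RPC at all (no Jetpack, no mobile app publishing), the simpler control is to deny `/xmlrpc.php` at the web server or WAF.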
Poor implementations of the underlying server architecture are also to blame. Wordpress requires a database, and there is no way around that. Often MySQL is installed on the web server along with everything else. This is a LAMP stack after all! But one of the issues with this is how MySQL is managed, using add-ons like phpMyAdmin or cPanel. As I write this, cPanel has over 360 known vulnerabilities and phpMyAdmin has over 250. Don’t get me wrong, tools like this make it easy to deploy your own Linux server and build your website from scratch, but they are a wonderland for hackers.
Posted on 25 Mar 2020 by Ray Heffer
In recent weeks we have all had to adapt to changes that the COVID-19 pandemic has inflicted on us. With the increase of people working from home, it is no surprise. With the influx of home workers, many organizations, schools, and communities are switching to video conferencing apps like Zoom, to bring their teams and students closer together. Even IT certification providers are allowing people to take exams from home, using dedicated testing software linked to a webcam and microphone.
The immediate need of home working solutions is overshadowing good privacy practices. Most of my colleagues in the IT industry think I take a very aggressive stance to privacy at the best of times. I admit that I am inclined to wear the tinfoil hat most days!
In just the last few days, I have seen several posts on Twitter of virtual happy hours and team meetings taking place at organizations around the world. As someone that has worked from home for the past 10 years, it is only in these recent circumstances that webcams are being enabled on almost every conference call. While I understand (and fully endorse) the importance of virtual meetings with webcams, we all need to be very careful about posting these on social media. I am sure my concerns are reflected at various IT security departments right now.
Note: If you are used to me posting about End-User Computing, Cloud Computing, AWS, and VMware, then don’t abandon my blog just yet! While I feel very strongly about good security and privacy practices, I’ll be blogging about these other topics again very soon! - with Privacy & Security included :)
I get it. It’s exciting to share your virtual happy hour and team get-togethers, but before posting screenshots on social media think of the consequences. I found the image above by searching Google. I also found dozens of others in my Twitter feed in just the past week alone. The problem is that every single one of these screenshots contains full names, faces, and often the phone numbers of anyone who dialed into the conference. These all get scraped by various services, many of which you have probably never heard of.
What is even worse is that many of these screenshots include the Zoom Meeting ID at the top of the screen. Unless the meeting is protected by a password, anyone who sees that ID can join future calls. The fact it has just been posted on Twitter also reveals which day and time the meeting takes place each week. Bad idea. Back in 2012, Anonymous hacked into an FBI WebEx conference call, then posted the entire call to YouTube. Next time you join a conference call, just be careful who else is listening in.