Posted on 06 Apr 2020 by Ray Heffer
AWS Secrets Manager allows you to protect critical information for your applications such as passwords, secret keys, and salts. Rather than storing these locally on an EC2 instance or, worse, including them in your code and risking a leak on a public repository, you can now retrieve them at runtime through the AWS Secrets Manager API. In fact you can use it to store anything that you want to keep away from prying eyes. When learning more about AWS Secrets Manager, my first thought was how to use this with Wordpress.
The wp-config.php file in Wordpress contains the keys to the kingdom. With most deployments, this file contains the database hostname, username, password, salts, and hashes. If a hacker gains access to this file, it’s game over. One best practice is to place the Wordpress configuration file one level up, so it cannot be directly accessed using a browser. But that isn’t always going to keep the contents of the file secure. If, for some reason, PHP fails on the web host, such as after a botched patch or upgrade, there is a potential that PHP files are served to the browser as plain text.
The main concern is vulnerabilities in Wordpress plugins. For example, in 2015, an exploit was found in the Slider Revolution (revslider) plug-in that allowed attackers to read wp-config.php, among other critical files on the web server, by manipulating the URL (action=revslider_show_image&img=../wp-config.php). By the way, this is something you can also protect against with AWS Firewall Manager and AWS WAF rules. So despite the file being stored one level up, this vulnerability allowed attackers to simply access it by manipulating the URL.
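As an added example (not code from the original post), this is one way a wp-config.php can pull its database credentials from AWS Secrets Manager at runtime instead of hard-coding them. It assumes the AWS SDK for PHP is installed via Composer, that the instance role is allowed secretsmanager:GetSecretValue on the secret, and that the secret (name assumed: prod/wordpress/db) is a JSON string with the keys host, username, password and dbname.

```php
<?php
// Added example, not part of the original post. Loads WordPress database
// credentials from AWS Secrets Manager inside wp-config.php. Assumptions:
// AWS SDK for PHP via Composer, an instance role that grants
// secretsmanager:GetSecretValue, and a JSON secret named "prod/wordpress/db"
// with the keys host, username, password and dbname.
require_once __DIR__ . '/vendor/autoload.php';

use Aws\SecretsManager\SecretsManagerClient;
use Aws\Exception\AwsException;

function wp_load_db_secret(string $secretId, string $region): array
{
    $client = new SecretsManagerClient([
        'version' => 'latest',
        'region'  => $region,
        // No access keys here: the EC2 instance profile supplies credentials,
        // so there is nothing secret left in this file to leak.
    ]);

    try {
        $result = $client->getSecretValue(['SecretId' => $secretId]);
    } catch (AwsException $e) {
        // Fail closed: never fall back to a hard-coded password.
        error_log('Secrets Manager lookup failed: ' . $e->getAwsErrorCode());
        exit('Database configuration unavailable.');
    }

    $secret = json_decode($result['SecretString'] ?? '', true);
    foreach (['host', 'username', 'password', 'dbname'] as $key) {
        if (empty($secret[$key])) {
            exit("Secret is missing the '$key' field.");
        }
    }
    return $secret;
}

$db = wp_load_db_secret('prod/wordpress/db', 'us-east-1');

define('DB_NAME',     $db['dbname']);
define('DB_USER',     $db['username']);
define('DB_PASSWORD', $db['password']);
define('DB_HOST',     $db['host']);
define('DB_CHARSET',  'utf8mb4');
define('DB_COLLATE',  '');
```

With this layout a leaked or mis-served wp-config.php reveals only the secret's name, and the IAM policy on the instance role becomes the control that decides who can read the credentials. Each page load makes an API call, so in practice you would cache the result (for example with a short-lived file outside the web root or an opcode-level cache) rather than call Secrets Manager on every request.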
Posted on 27 Mar 2020 by Ray Heffer
Without a doubt, Wordpress is the most popular and versatile blogging platform available today. It is used by both individual bloggers and large organizations alike. According to WordCamp, over 75 million sites are running on Wordpress around the world. One of the fundamental problems with this popular blogging platform, or more precisely, content management system (CMS), is keeping it secure. With over 50,000 plugins and the ease of installation, it is no wonder it has become the platform of choice for millions of websites. Unfortunately, due to its popularity, it will continue to be pwned on a daily basis.
Wordpress can be a secure platform if deployed and managed properly. However, there will continue to be zero-day exploits in many of the plug-ins used by the millions of Wordpress sites around the world. Whether Wordpress itself is secure is only part of the story. If you run a Wordpress blog, how often is the underlying server OS patched? What about the plugins, and Wordpress itself? While an unpatched server or vulnerable plug-ins are one such attack vector, there are numerous others, including brute forcing XML-RPC and exposed wp-config.php files on GitHub.
Poor implementations of the underlying server architecture are also to blame. Wordpress requires a database, and there is no way around that. Often MySQL is installed on the web server along with everything else. This is a LAMP stack after all! But one of the issues with this is how MySQL is managed, using add-ons like phpMyAdmin or cPanel. As I write this, cPanel has over 360 known vulnerabilities and phpMyAdmin has over 250. Don’t get me wrong, tools like this make it easy to deploy your own Linux server and build your website from scratch, but they are a wonderland for hackers.
Posted on 25 Mar 2020 by Ray Heffer
In recent weeks we have all had to adapt to changes that the COVID-19 pandemic has inflicted on us. With the increase in people working from home, this is no surprise. With the influx of home workers, many organizations, schools, and communities are switching to video conferencing apps like Zoom to bring their teams and students closer together. Even IT certification providers are allowing people to take exams from home, using dedicated testing software linked to a webcam and microphone.
The immediate need for home working solutions is overshadowing good privacy practices. Most of my colleagues in the IT industry think I take a very aggressive stance on privacy at the best of times. I admit that I am inclined to wear the tinfoil hat most days!
In just the last few days, I have seen several posts on Twitter of virtual happy hours and team meetings taking place at organizations around the world. As someone who has worked from home for the past 10 years, it is only in these recent circumstances that webcams are being enabled on almost every conference call. While I understand (and fully endorse) the importance of virtual meetings with webcams, we all need to be very careful about posting these on social media. I am sure my concerns are reflected at various IT security departments right now.
Note: If you are used to me posting about End-User Computing, Cloud Computing, AWS, and VMware, then don’t abandon my blog just yet! While I feel very strongly about good security and privacy practices, I’ll be blogging about these other topics again very soon! - with Privacy & Security included :)
I get it. It’s exciting to share your virtual happy hour and team get-togethers, but before posting screenshots on social media, think of the consequences. I found the image above by searching Google. I also found dozens of others in my Twitter feed in just the past week alone. The problem is that every single one of these screenshots contains full names, faces, and often phone numbers for anyone that dialed into the conference. These all get scraped by various services, many of which you have probably never heard of.
What is even worse is that many of these screenshots include the Zoom Meeting ID at the top of the screen. Now anyone can listen in to future calls. The fact it has just been posted on Twitter also reveals which day and time the meeting takes place each week. Bad idea. Back in 2012, Anonymous hacked into an FBI WebEx conference call, then posted the entire call to YouTube. Next time you join a conference call, just be careful who else is listening in.
Posted on 23 Jun 2019 by Ray Heffer
Privacy and security are not one and the same. Without security, your privacy will be compromised. This is easy enough to understand if you think about your home, the place you sleep safe at night. The doors, windows, curtains, and shutters provide you with both privacy and security. Some people might even have locks on their doors and windows!
When it comes down to our digital privacy and security, people don’t always think of it in the same way. Unlike the physical world we live in, the digital world is abundant with malware, tracking cookies, identity theft, data collection, and an exploding number of data breaches. If you fail to take any measures to protect your personal data, then that next data breach could cost you dearly.
One way to illustrate my point is to try a little experiment. Head over to HaveIBeenPwned or DeHashed, and see if your email address is found in any of the data breaches. If not then congratulations. But give it time, and check back again someday.
Another example is at-home DNA testing kits, which are becoming very popular these days. They are cheap and easy to use. However, how would you feel if you were turned down for health insurance or had to pay a hefty premium based on your DNA? The video below, by Verge Science, shows how you could be identified via your DNA even if you’ve never taken a DNA test yourself. You may be thinking “I’m not a serial killer, so I don’t care”, but what would happen if these private DNA databases get shared with your insurance company? Worse still, your DNA profile gets leaked in a data breach.