Security Corner


March 15, 2014  4:21 PM

Is your site an unwitting participant in a DDoS attack?

Ken Harthun

In a normal DDoS attack, a botnet of hundreds or thousands of computers performs a coordinated attack against a particular website. But what if you don’t have access to a botnet? You trick WordPress sites into sending unwanted traffic to the site. Here’s how, according to a blog post by Sucuri:

Any WordPress site with Pingback enabled (which is on by default) can be used in DDOS attacks against other sites.

Just in the course of a few hours, over 162,000 different and legitimate WordPress sites tried to attack his site.

Can you see how powerful it can be? One attacker can use thousands of popular and clean WordPress sites to perform their DDOS attack, while being hidden in the shadows, and that all happens with a simple ping back request to the XML-RPC file:

$ curl -D - "www.anywordpresssite.com/xmlrpc.php" -d '<methodCall><methodName>pingback.ping</methodName><params><param><value><string>http://victim.com</string></value></param><param><value><string>www.anywordpresssite.com/postchosen</string></value></param></params></methodCall>'

How can you tell if your site is being used in an attack? You’ll have to check your web server logs. This is the type of entry you are looking for: pingbacks to random sites. If you see these, your site is being misused:

93.174.93.72 - - [09/Mar/2014:20:11:34 -0400] "POST /xmlrpc.php HTTP/1.0" 403 4034 "-" "-" 
"POSTREQUEST:<?xml version=\x221.0\x22 encoding=\x22iso-8859-1\x22?>\x0A<methodCall>\x0A
<methodName>pingback.ping</methodName>\x0A<params>\x0A <param>\x0A  <value>\x0A   
<string>http://fastbet99.com/?1698491=8940641</string>\x0A  </value>\x0A </param>\x0A 
<param>\x0A  <value>\x0A   <string>yoursite.com</string>\x0A  </value>\x0A </param>\x0A
</params>\x0A</methodCall>\x0A"
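A way to automate the log check described above, as an added example that is not part of this post or of Sucuri’s tooling. It assumes the entry format shown above (an Apache combined-log line followed by a quoted "POSTREQUEST:" field with the body escaped as \xNN sequences), decodes that body, parses the XML-RPC call, and counts pingback.ping requests per client and per source host. A request is flagged when its target is not a post on your own site or when the source URL carries a numeric cache-busting query like the ?1698491=8940641 in the entry above. The sample entries, the hostname yoursite.com and the .example hosts are constructed for the demonstration.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter
from urllib.parse import parse_qsl, urlparse

# Matches the entry format shown in the post: an Apache combined-log line followed by a
# quoted "POSTREQUEST:<body>" field whose body is escaped as \xNN sequences.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" "POSTREQUEST:(?P<body>.*)"$'
)


def unescape_body(body):
    """Undo Apache's \\xNN escaping (\\x22 is a double quote, \\x0A a newline)."""
    return re.sub(r'\\x([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), body)


def parse_xmlrpc(body):
    """Return (method_name, [string params]) for a <methodCall>, or None if it does not parse."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != 'methodCall':
        return None
    name = (root.findtext('methodName') or '').strip()
    params = [(v.text or '').strip() for v in root.findall('./params/param/value/string')]
    return name, params


def cache_busting(uri):
    """True when the query string is nothing but numeric key=value noise (the post's log shows
    ?1698491=8940641): each pingback then makes the site fetch a fresh, uncached page from the target."""
    pairs = parse_qsl(urlparse(uri).query, keep_blank_values=True)
    return bool(pairs) and all(k.isdigit() and v.isdigit() for k, v in pairs)


def analyze_log(lines, my_host):
    """Pick out pingback.ping calls to xmlrpc.php and summarise who sends them and which source
    URLs the site is being told to fetch. Returns counts rather than printing so it can be tested."""
    per_client, per_source = Counter(), Counter()
    suspicious = 0
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or not m.group('req').startswith('POST /xmlrpc.php'):
            continue
        parsed = parse_xmlrpc(unescape_body(m.group('body')))
        if not parsed or parsed[0] != 'pingback.ping' or len(parsed[1]) < 2:
            continue
        source_uri, target_uri = parsed[1][0], parsed[1][1]
        per_client[m.group('ip')] += 1
        per_source[urlparse(source_uri).hostname or source_uri] += 1
        # A genuine pingback names one of our posts as the target and carries no cache-busting
        # noise in the source; anything else is someone using the site as a reflector.
        if my_host not in target_uri or cache_busting(source_uri):
            suspicious += 1
    return {'pingbacks': sum(per_client.values()), 'suspicious': suspicious,
            'per_client': per_client, 'per_source_host': per_source}


def _escape(text):
    return text.replace('"', r'\x22').replace('\n', r'\x0A')


def _entry(ip, source, target, status):
    """Build one log entry in the post's format (used only for the constructed sample below)."""
    body = ('<?xml version="1.0"?>\n<methodCall>\n<methodName>pingback.ping</methodName>\n<params>\n'
            '<param><value><string>%s</string></value></param>\n'
            '<param><value><string>%s</string></value></param>\n</params>\n</methodCall>\n'
            % (source, target))
    return ('%s - - [09/Mar/2014:20:11:34 -0400] "POST /xmlrpc.php HTTP/1.0" %d 4034 "-" "-" '
            '"POSTREQUEST:%s"' % (ip, status, _escape(body)))


# Constructed sample (not real traffic): two reflected pingbacks driven from one client with
# cache-busting source URLs, and one ordinary pingback from another blog that linked to us.
SAMPLE_LOG = [
    _entry('198.51.100.7', 'http://victim.example/?1698491=8940641', 'yoursite.com', 403),
    _entry('198.51.100.7', 'http://victim.example/?5520183=1170466', 'yoursite.com', 403),
    _entry('203.0.113.9', 'http://blog.example/2014/03/linked-to-you/',
           'http://yoursite.com/2014/02/a-post/', 200),
]

if __name__ == '__main__':
    report = analyze_log(SAMPLE_LOG, 'yoursite.com')
    print('pingback.ping calls: %d, suspicious: %d' % (report['pingbacks'], report['suspicious']))
    for host, n in report['per_source_host'].most_common():
        print('  site would fetch %s: %d time(s)' % (host, n))
```

Run it against a real access log by replacing SAMPLE_LOG with the file’s lines; a single source host appearing many times with changing numeric queries is the pattern from the entry above. Note that a 403 in the status column means the request was refused, so the fetch never happened; a 200 means the site did go and fetch the source URL.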

You can also check out WordPress DDOS Scanner to check if your WordPress site is DDOS’ing other websites (I checked and mine isn’t).

Here’s how to stop your site from being used for DDoS, according to Sucuri: create a plugin that adds this filter:

<?php
/* Plugin Name: Disable pingback.ping (name is a placeholder) */
// Drop pingback.ping from the XML-RPC method table so the site can no longer be used as a reflector.
add_filter( 'xmlrpc_methods', function( $methods ) {
    unset( $methods['pingback.ping'] );
    return $methods;
} );


March 15, 2014  2:37 PM

PWN2OWN cracks Reader, IE, Flash, Firefox and Chrome, but not Java

Ken Harthun

The first day of the PWN2OWN 2014 competition, an elite hacking competition that runs each year alongside the CanSecWest security conference in Vancouver, Canada, was held on Wednesday, 12 March 2014. Right out of the box, Adobe Reader, IE 11, Adobe Flash and Mozilla Firefox were PWNed. An attack on Java was not attempted, presumably because it was considered too difficult a target. What a change that is!

Day two saw both Chrome and Safari PWNed.

You can get a full recap of the results of the competition here.

Since attackers must responsibly disclose how they accomplished their hacks as a condition of entry, we can expect patches for the vulnerabilities in the next round of security updates for the affected apps.


March 13, 2014  12:56 AM

iOS 7.1 released to patch bugs and fix the White Screen of Death

Ken Harthun

On Monday, Apple released iOS 7.1 for iPad and iPhone and recommended that users update as soon as possible. The update comes just a few weeks after Apple released an emergency update for iOS that fixed a critical security hole that could have allowed hackers to intercept secure communications between your iPhone and SSL-protected websites.

According to security expert Graham Cluley (GCHQ: Graham Cluley’s security newsletter), “If you didn’t install that update (and you really should have done if possible), don’t waste any time and leapfrog up to iOS 7.1 as soon as you can.”


February 28, 2014  10:28 PM

MasterCard uses geo-location to reduce card fraud

Ken Harthun

This is a great idea and one that may turn out to be the simplest way to implement two-factor authentication for credit card companies. In fact, this is similar to what Only Coin plans to implement as part of its security suite.

From nakedsecurity:

MasterCard announced on Tuesday that it has partnered with Syniverse, a mobile technology company, in order to minimise unauthorised purchases made with stolen plastic.

The two companies are currently running an opt-in pilot scheme which allows users to make a credit card transaction only when they have their mobile device switched on and to hand in a specific location.

The service providers then cross-check the locations of both the credit card and the mobile device at the time a transaction is made. If they match, bingo. Otherwise, if the card is in Toronto, for example, and the smartphone is in London, the transaction will be denied.

Go for it!
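The cross-check the pilot describes, as an added example that is not MasterCard’s or Syniverse’s code: it measures the great-circle distance between the card terminal and the phone’s last location fix and denies the transaction when the phone is off, its fix is stale, or it is too far from the terminal. The 25 km radius and the 15-minute maximum fix age are assumed thresholds, and the coordinates used in the demonstration are constructed.

```python
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two (latitude, longitude) points in degrees."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def location_check(card_pos, phone_pos, phone_on, fix_age_s, max_km=25.0, max_fix_age_s=900):
    """Return (allow, reason) for a card-present transaction.

    card_pos / phone_pos are (lat, lon) tuples; phone_pos may be None when no fix exists.
    The scheme only works while the phone is on and reporting, so a missing or stale fix
    is a denial, not a pass. max_km and max_fix_age_s are assumed thresholds (hypothetical).
    """
    if not phone_on or phone_pos is None:
        return False, 'phone off or no location available'
    if fix_age_s > max_fix_age_s:
        return False, 'phone location fix is too old'
    d = haversine_km(card_pos[0], card_pos[1], phone_pos[0], phone_pos[1])
    if d > max_km:
        return False, 'phone is %.0f km from the card' % d
    return True, 'phone within %.1f km of the card' % d


# Constructed coordinates for the post's own example: card in Toronto, phone in London.
TORONTO = (43.6532, -79.3832)
TORONTO_AIRPORT = (43.6777, -79.6248)
LONDON = (51.5074, -0.1278)

if __name__ == '__main__':
    for phone in (LONDON, TORONTO_AIRPORT, None):
        print(location_check(TORONTO, phone, phone_on=phone is not None, fix_age_s=60))
```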


February 28, 2014  10:21 PM

Two factor authentication becoming a necessity

Ken Harthun

With the password’s fading usefulness, we have to seriously consider two-factor authentication as the minimum level of security for any site dealing with sensitive information. I have been using the PayPal “football” for years as a second factor on both PayPal and eBay. I’ve implemented Yubikey and Google Authenticator on LastPass and Google Authenticator on Dropbox. But these aren’t the only ones out there. There is, of course, the well known RSA SecurID, but here are a few two-factor authentication providers you may want to look into.

  • Yubikey – a USB hardware token that is in essence a second authentication method based on a unique physical token which cannot be duplicated or recorded, providing a credential based on something only an authorized user possesses. Used with a standard username and password, the YubiKey provides a strong, two-factor authentication to any site, service or application.
  • Google Authenticator – provides a six digit one-time password users must provide in addition to their username and password to log into Google services. The Authenticator can also generate codes for third party applications, such as password managers or file hosting services.
  • PayPal Security Key – The PayPal Security Key creates random temporary security codes that help safeguard your PayPal account when you log in. There are two types: A credit-card sized device (the “football” is no longer available); and, security codes sent by text message to your mobile phone. (I actually use both.)
  • Duo Security – Uses a mobile phone similar to Google Authenticator. Duo’s solution is cloud-based.


February 27, 2014  2:33 AM

Mac OS X 10.9.2 released to fix critical SSL security hole

Ken Harthun

They promised “as soon as possible” and they delivered. Here are the details straight from the OS X App Store.

[Image: OS X 10.9.2 update notes as shown in the OS X App Store]


February 27, 2014  2:12 AM

Why passwords alone are no longer sufficient security

Ken Harthun

We have all seen this coming for a long time; in fact, I’m surprised it has taken this long to become obvious that passwords are no longer sufficient security. Sure, they’re OK for things that really don’t matter like news sites and entertainment sites — any site that doesn’t store sensitive information about you — but for all other things they’re just not enough anymore.

Passwords are the “something you know” part of security and therefore the easiest factor to guess or otherwise obtain. Beyond the fact that people tend to use passwords that are easily guessable, here are three other reasons why passwords alone are no longer sufficient security.

1. Duplicate passwords. People tend to use the same password in multiple locations, often using the same one for everything. I don’t know how many times I’ve had people tell me, “I always use xxxxx for my password” meaning, of course, that when asked to create a password for anything, that’s the one they use.

2. Keylogger infections. Every day, I see computers with bogus “system cleaners,” “system optimizers,” “pc boosters,” etc. infecting them. I can only assume that beyond these junky scams, there is more sinister stuff installed. People just don’t know any better and if it sounds good to them, they click OK. I envision that some sort of message like “Please click here to protect your bank account from unauthorized access” would be a quite effective technique.

3. Phishing scams. I’ve seen some of these in my own inbox that made me do a double take until I dug a bit deeper. If I almost got phished, I promise you someone else really did. Then, once the hacker had the password, he probably tried it on every site the person had, and was probably successful at gaining access to several of them.

Bottom line: Two-factor authentication is not only long overdue, it’s critical if we ever hope to prevent the huge data breaches like Target’s and others that have been in the news.


February 23, 2014  6:21 PM

Update your iOS to 7.06 on iPad and iPhone!

Ken Harthun

Apple has released a security update for iOS. (See http://support.apple.com/kb/HT6147 for details.) Here’s what Apple says about it:

Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS

Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.

Basically, this means you are open to a man-in-the-middle (MITM) attack. Engineers at CrowdStrike (see this post) describe the vulnerability and the attack method.

To pull off the attack an adversary has to be able to Man-in-The-Middle (MitM) network connections, which can be done if they are present on the same wired or wireless network as the victim. Due to a flaw in authentication logic on iOS and OS X platforms, an attacker can bypass SSL/TLS verification routines upon the initial connection handshake. This enables an adversary to masquerade as coming from a trusted remote endpoint, such as your favorite webmail provider and perform full interception of encrypted traffic between you and the destination server, as well as give them a capability to modify the data in flight (such as deliver exploits to take control of your system).

This has NOT been patched for OS X, which also has this vulnerability, so Mac users are still at risk until Apple issues a patch.

You can check gotofail.com to see if your device is vulnerable. I checked my MacBook Pro with both Safari and Google Chrome. Safari is vulnerable, Chrome is not, so I suggest you not use Safari on your Mac until after Apple issues the patch.


February 22, 2014  4:33 PM

C’mon Adobe, get your act together!

Ken Harthun

I’ve made no secret of my dislike for all things Adobe and their dismal security. Now this from nakedsecurity:

Adobe has just updated its Flash product for the second time this month, pushing out an emergency patch for an RCE exploit that has been seen in the wild.

This update covers vulnerabilities numbered CVE-2014-0498, CVE-2014-0499 and CVE-2014-0502 if you care to look them up. The last one is known to have been exploited in the wild and the other two are being patched as a precautionary measure. Adobe’s next update isn’t due until April.

In all fairness, it’s not just Adobe that frustrates me; any software company that puts out a product full of holes is responsible. The current production model:

  • Slap together a product
  • Run superficial testing
  • Release to the public (and hackers) for real-world testing
  • Fix the vulnerabilities they should have caught in the lab

This just doesn’t work anymore if, in fact, it ever did.

C’mon, people. ALL of you get your acts together.


January 31, 2014  7:24 PM

Hacking Skills Challenge – Realistic 1

Ken Harthun

My hacking skill challenges are still very popular posts, particularly Hacking Skills Challenge – Level 7, so I’m going to pick them back up. Since I have previously presented all 11 of the basic challenges from HackThisSite.org, let’s move on to some realistic ones. Here’s the description from the site for the first Realistic Challenge:

Uncle Arnold’s Local Band Review
Your friend is being cheated out of hundreds of dollars. Help him make things even again! Difficulty rating: Easy.

The challenge is for you to hack a band review site and move your friend’s band, Raging Inferno to the top of the list.

Hints: 1. You’re going to need some way to edit the page “live;” and, 2. There are some numerical values you will need to change.

Give it a try and post your results in the comments. I’ll present the solution in a future post.

Good luck!

