Replied to Proposal: Treat FLoC as a security concern (Make WordPress Core)

Google is rolling out Federated Learning of Cohorts (FLoC) for the Chrome browser. TL;DR: FLoC places people in groups based on their browsing habits to target advertising. Why is this bad? As the …

I’m responding to this on my own site because I can’t get the interface on the Make blog to do the click right when attempting to reply over there.

I 100% agree with this proposal. Users can only choose to opt in or out if they’re able to make an informed decision about this, and for better or worse, they can’t do that. I’m pretty sure Google will market this as some sort of user-beneficial feature, assuming they tell non-technical users anything at all about this. WordPress, according to its own “bragging” (I’m using that loosely), powers something like 40% of the web. We can’t continue as a project to pretend we have no impact on it.

Read WordPress 5.2: Mitigating Supply-Chain Attacks Against 33% of the Internet by Scott Arciszewski

WordPress 3.7 was released on October 24, 2013 and introduced an automatic update mechanism to ensure security fixes would be automatically deployed on all WordPress sites, in an effort to prevent recently-patched vulnerabilities from being massively exploited in the wild. This is widely regarded by security experts as a good idea.
However, the WordPress automatic update feature had one glaring Achilles’ heel: If a criminal or nation state were to hack into the WordPress update server, they could trigger a fake automatic update to infect WordPress sites with malware.
This isn’t just a theoretical concern; it could have happened if not for WordFence’s security researchers finding and disclosing an easy attack vector into their infrastructure.
WordPress 5.2 was released on May 7, 2019 and provides the first real layer of defense against a compromised update infrastructure: offline digital signatures.

Read VPN – a Very Precarious Narrative by Dennis Schubert

A very long article about commercial VPNs, their marketing strategies, and the truth behind their privacy and security claims.

[…] another worrying aspect of today’s market of VPN services is the large amount of misinformation end users are exposed to, which makes it hard for them to properly tell apart vague and bold claims typical of product advertisement campaigns with actual facts.

That quote is four years old, and just as relevant today as it was when it was written. The article I’m linking here does a really good job explaining what a VPN (virtual private network) is and what it is not, and it makes sure to use as few technical terms as possible. It also goes into detail about what a VPN is good for, not just what they’re not good for.

Read Grep for forensic log parsing and analysis on Windows Server IIS by JAN REILINK

How to use GnuWin32 ported tools like grep.exe and find.exe for forensic log file analysis in Windows Server. In this article I’ll give some real-life examples of using these ported GnuWin tools like grep.exe for logfile analysis on Windows servers. The article provides three examples, as an alternative to LogParser, because finding spam scripts fast is often very important.
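The grep-based hunt for spam scripts, written out as an added example (not from Jan Reilink's article): a small parser for the W3C format IIS writes, followed by the filter and the per-IP count you would otherwise build from grep, sort and uniq. The log lines are constructed, and the "successful POST to a .php file under the uploads directory" heuristic is my assumption about what a spam script looks like in the log.

```javascript
// Added example (not from the linked article): IIS W3C log parsing plus the
// spam-script filter. The log below is constructed to look like IIS output.
const SAMPLE_LOG = `#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2020-03-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2020-03-01 00:00:01 10.0.0.5 GET /index.php - 80 - 198.51.100.7 Mozilla/5.0 200 0 0 12
2020-03-01 00:00:02 10.0.0.5 POST /wp-content/uploads/2020/02/wp-conf.php - 80 - 203.0.113.9 curl/7.64.0 200 0 0 310
2020-03-01 00:00:03 10.0.0.5 POST /wp-content/uploads/2020/02/wp-conf.php cmd=mail 80 - 203.0.113.9 curl/7.64.0 200 0 0 295
2020-03-01 00:00:04 10.0.0.5 GET /wp-content/uploads/2020/02/logo.png - 80 - 198.51.100.7 Mozilla/5.0 200 0 0 3
2020-03-01 00:00:05 10.0.0.5 POST /wp-login.php - 80 - 192.0.2.44 Mozilla/5.0 302 0 0 40
2020-03-01 00:00:06 10.0.0.5 POST /wp-content/uploads/2020/02/wp-conf.php cmd=mail 80 - 203.0.113.9 curl/7.64.0 200 0 0 301
2020-03-01 00:00:07 10.0.0.5 GET /wp-content/uploads/x.php - 80 - 192.0.2.44 Mozilla/5.0 404 0 2 5
`;

// W3C extended format: the "#Fields:" directive names the columns, other "#"
// lines are metadata, values are space-separated and "-" means empty.
function parseIisLog(text) {
  let fields = null;
  const entries = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (line === '') continue;
    if (line.startsWith('#')) {
      if (line.startsWith('#Fields:')) fields = line.slice('#Fields:'.length).trim().split(/\s+/);
      continue;
    }
    if (!fields) throw new Error('log data before #Fields directive');
    const cols = line.split(' ');
    if (cols.length !== fields.length) continue; // malformed line: skip rather than misalign columns
    const entry = {};
    fields.forEach((name, i) => { entry[name] = cols[i] === '-' ? '' : cols[i]; });
    entries.push(entry);
  }
  return entries;
}

// The spam-script signature (assumption): a successful POST to a PHP file under
// the uploads directory, where only static files should ever be served from.
const SPAM_SCRIPT = /^\/wp-content\/uploads\/.*\.php$/i;

function findSpamScriptHits(entries) {
  return entries.filter(e => e['cs-method'] === 'POST'
    && SPAM_SCRIPT.test(e['cs-uri-stem'])
    && e['sc-status'] === '200');
}

// Group by any combination of columns, like `grep ... | sort | uniq -c`.
function countBy(entries, ...keys) {
  const counts = {};
  for (const e of entries) {
    const k = keys.map(key => e[key]).join(' ');
    counts[k] = (counts[k] || 0) + 1;
  }
  return counts;
}

function report() {
  return countBy(findSpamScriptHits(parseIisLog(SAMPLE_LOG)), 'cs-uri-stem', 'c-ip');
}

console.log(report());
// { '/wp-content/uploads/2020/02/wp-conf.php 203.0.113.9': 3 }
```

With the GnuWin32 tools the first cut is the one-liner `grep.exe -E "POST /wp-content/uploads/.*\.php" *.log`; what the parser adds is the column mapping, so the follow-up questions (which IP, how often, what status) key on named fields instead of counted spaces.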

Read XSS in hidden input fields

At PortSwigger, we regularly run pre-release builds of Burp Suite against an internal testbed of popular web applications to make sure it’s behaving properly. Whilst doing this recently, Liam found a

I can absolutely see a case where users would interact, and therefore become vulnerable to this exploit: keyboard-only users, screen reader users, and speech recognition users. So this might be worth looking into, especially if you’re adding a ton of keyboard shortcuts to your app and calling it an accessibility improvement.
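An added example (not from the PortSwigger post or from this blog's author) of the attribute-injection case the post is about: the same untrusted value rendered into a hidden field unsafely and with attribute encoding, plus a small constructed tokenizer that shows which attributes the resulting tag actually carries. The `returnUrl` field name and the payload are assumptions made for the example.

```javascript
// Added example (not from the PortSwigger post or this blog's author).

// Vulnerable: raw interpolation into a double-quoted attribute value. A quote
// in the input closes the attribute and lets the attacker add new ones.
function renderHiddenUnsafe(value) {
  return `<input type="hidden" name="returnUrl" value="${value}">`;
}

// Attribute-context encoding: these five characters are the ones that can
// change the meaning of a double-quoted attribute value.
const ATTR_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function encodeAttr(value) {
  return String(value).replace(/[&<>"']/g, ch => ATTR_ESCAPES[ch]);
}

function renderHiddenSafe(value) {
  return `<input type="hidden" name="returnUrl" value="${encodeAttr(value)}">`;
}

// Constructed helper, not a real HTML parser: list the attribute names of one
// start tag with double-quoted values, the way a browser would see them.
function attributeNames(tag) {
  const inner = tag.replace(/^<[a-z]+\s*/i, '').replace(/>$/, '');
  const names = [];
  const re = /([\w-]+)(?:="[^"]*")?/g;
  let m;
  while ((m = re.exec(inner)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// A hidden input is never painted or focused, so an injected onmouseover or
// onfocus handler would be dead. accesskey gives the handler a keyboard trigger,
// which is exactly why keyboard-driven users are the ones who end up firing it.
const DEMO_PAYLOAD = '" accesskey="X" onclick="alert(document.domain)';

function demo() {
  return {
    unsafe: attributeNames(renderHiddenUnsafe(DEMO_PAYLOAD)),
    safe: attributeNames(renderHiddenSafe(DEMO_PAYLOAD)),
  };
}

console.log(demo());
// unsafe: [ 'type', 'name', 'value', 'accesskey', 'onclick' ]
// safe:   [ 'type', 'name', 'value' ]
```

The encoded version keeps the whole payload inside the `value` attribute as inert text. The thing to check in your own templates is that the encoder matches the context: HTML-body escaping that leaves `"` alone is not enough inside an attribute, and no escaping at all is enough once the value is interpolated into an event handler or a URL attribute.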

A critical bug that can leak secret cryptographic keys has just been fixed in OpenSSH, one of the more widely used implementations of the secure shell (SSH) protocol.
The vulnerability resides only in the version end users use to connect to servers and not in versions used by servers. A maliciously configured server could exploit it to obtain the contents of the connecting computer’s memory, including the private encryption key used for SSH connections. The bug is the result of code that enables an experimental roaming feature in OpenSSH versions 5.4 to 7.1.
“The matching server code has never been shipped, but the client code was enabled by default and could be tricked by a malicious server into leaking client memory to the server, including private client user keys,” OpenSSH officials wrote in an advisory published Thursday. “The authentication of the server host key prevents exploitation by a man-in-the-middle, so this information leak is restricted to connections to malicious or compromised servers.”

Source: Bug that can leak crypto keys just fixed in widely used OpenSSH

The OpenSSH maintainers have released a patch that fixes this, so if you’re using OpenSSH, update. It’s always important to make sure you’re running the latest versions of the things you depend on, especially when security fixes are involved.
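For clients that cannot be updated right away, the same OpenSSH advisory gives a workaround: turn the roaming client code off in the client configuration. Added here as a config fragment (not from the Ars article or this blog's author); put it in `~/.ssh/config` for one user or in the system-wide `ssh_config` for everyone, and drop it again once the client is on a patched release.

```text
# ~/.ssh/config (or the system-wide ssh_config)
# Workaround from the OpenSSH advisory for the roaming information leak:
# disables the experimental client-side roaming code on every connection.
Host *
    UseRoaming no
```

The same setting can be passed for a single connection as `ssh -oUseRoaming=no host`. It is a stopgap, not a substitute for the fixed release: the advice above to update still stands.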

And if you haven’t done so already, please consider contributing to free software like this. Free (as in freedom) software is everyone’s responsibility, and even if you’re not a coder, you can still contribute. All of the widely used security software, server-side software, and client-side software used to interact with the server is free software. In order for that to remain the case, the upkeep of said software/tools cannot be left to “other people,” so if you haven’t done so already, consider giving something back to the communities whose software you freely use to get your work done or your daily tasks completed. Your contributions, whether in time and talent or in monetary form, make a difference.