WordPress weaknesses requires vigilence

As Forbes article discusses:


Update your plugins and widgets when they are vulnerable, use complex passwords, and otherwise use good security methodologies.

It is the basics that people are not doing. What is easy to use makes it less secure, thus requiring more effort by the user or administrator to make sure it is secure and safe.

I know this is an old attack (from April 13th, 2013) but the basic principles apply, as security methods never go out of style, and old attacks come around again and again.

Contact Us to discuss.

WordPress DDOS potential overplayed?

That is what Jason Cohen (CTO of WP engine) is saying at blogs.csoonline.com

He also said: (what the pingback function does, calling it “an altruistic, friendly, social system.”)

What can happen is a lot of pingbacks with the links in the comments.  If done  on many pages with a lot of effort it can happen. I recommend everyone use moderated comments to prevent automated bots if you must turn on pingbacks.

And remember – you can always turn off pingbacks.  In Settings–> Discussion Settings

we have no pingbacks in our WordPress sites.

Wifi “wardriving” with a raspberry Pi: is the size of a cellphone

Raspberry pi is a cellphone sized wafer board with circuits running a basic Linux  Operating system (Raspberry Pi).

Blog .spiderlabs.com  

Has a good article explaining how to use USB GPS, and battery to connect to a wifi antenna and a 8GB – 16GB SD Card.

But interesting to note this is the kind of article a “unethical” hacker will use to find vulnerable wifi routers and access points to attack networks.

Protect yourself scan your network using Omega(Ω) scan. We will find out if you have a vulnerable wifi system.

Microsoft Sysinternals have been updated.

Windows Sysinternals  is updating PsExec, ProcessExplorer, and PsPing

Psexec runs on port 445 and 139 which means it runs with other Microsoft programs and can hide itself within the normal funcitons of the computer.

The problem with this? hackers look for tools like this to see how they can develop a next generation malware attacks.

In the coming months we will see new and novel methods. So as a security professional one must make sure that unless your systems need this process it is wiser not to have it on your servers especially (maybe a test platform is ok).

Microsoft is always making more and easier methods to use their software, but do not give enough thought of the security implications.

This sentence is interesting:

“Specify a valid user name in the Domain\User syntax if the remote process requires access to network resources or to run in a different account. Note that the password is transmitted in clear text to the remote system.”

so basically if you want to run some commands remotely then the password will be transmitted in clear text and easily captured.

My recommendation: do not use this useful tool until you test it for security it’s implications.