Multithread - MultiCall Mimic

Yet another reason to update your WordPress install

Today, I wanted to talk a bit about some false positives that I have been getting when testing the notorious XMLRPC brute force hack. Part of my security consulting is to attack a client's website and software for penetration testing. It has taken me almost 9 months to figure out why the number of successful XMLRPC brute force attempts has fallen to zero using my traditional means of testing. This is due to the multiCall method patch that was applied in WordPress version 4.4. You can find the patch by visiting https://core.trac.wordpress.org/attachment/ticket/34336/34336.diff. The patch effectively prevents the multiCall method from being used for brute force attempts by using a boolean variable "auth_failed". This patch works by setting "auth_failed" to true on the first login attempt that fails. The way the multiCall method in XMLRPC works is that you send multiple calls in one push to the XMLRPC server and then WordPress loops through these methods one by one. Even with multiCall the session for the call is the same, and thus the local variable is still set to true while running through the methods.
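To make the mechanism concrete, here is an added Python model of the "auth_failed" gate (constructed for this post, not WordPress's own PHP code; the server class, the credential store and the sample request are all assumed stand-ins). It counts how many real credential checks a single multicall request causes before and after the 4.4 patch, which is what a defender reviewing the fix wants to see.

```python
from dataclasses import dataclass


@dataclass
class MiniXmlrpcServer:
    """Constructed stand-in for wp_xmlrpc_server; one instance serves one HTTP request."""
    users: dict                  # constructed credential store, {username: password}
    patched: bool = True         # True = behaviour after the 4.4 fix, False = before it
    auth_failed: bool = False    # the flag the patch adds to the server object
    authenticate_calls: int = 0  # how many real credential checks ran in this request

    def login(self, username, password):
        # Patched behaviour: after the first failure in this request, every later
        # call is refused before the credential store (wp_authenticate) is consulted.
        if self.patched and self.auth_failed:
            return None
        self.authenticate_calls += 1
        if self.users.get(username) == password:
            return username
        self.auth_failed = True  # set on the first failure and never cleared in this request
        return None

    def get_users_blogs(self, username, password):
        # Stands in for any authenticated method, e.g. wp.getUsersBlogs.
        user = self.login(username, password)
        if user is None:
            return {"ok": False, "fault": "Incorrect username or password."}
        return {"ok": True, "user": user}

    def multicall(self, calls):
        # system.multicall loops over the sub-calls on the same server object,
        # so auth_failed set by one sub-call is still set for all the following ones.
        return [self.get_users_blogs(c["username"], c["password"]) for c in calls]


def run_multicall(users, calls, patched=True):
    """Serve one multicall request; return (per-call results, number of real credential checks)."""
    server = MiniXmlrpcServer(users=users, patched=patched)
    results = server.multicall(calls)
    return results, server.authenticate_calls


if __name__ == "__main__":
    # Constructed sample request: three sub-calls in one POST, the last one with the right password.
    sample_calls = [{"username": "admin", "password": "guess1"},
                    {"username": "admin", "password": "guess2"},
                    {"username": "admin", "password": "correct-horse"}]
    for patched in (False, True):
        results, checks = run_multicall({"admin": "correct-horse"}, sample_calls, patched)
        print(f"patched={patched}: {checks} credential checks, "
              f"{sum(r['ok'] for r in results)} successful sub-calls")
```

With the patch, a request of any length costs the server exactly one real credential check once a wrong password has been seen, and even a correct guess later in the same request is refused.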

There is no way to use the XMLRPC multiCall method for this anymore, which is great for the WP world but hurts my workflow. So if you provide penetration testing and are running tests against the XMLRPC multiCall method, you are wasting your time.

The patch was applied in 4.4, so that means that older versions may be exposed if auto updates were not turned on. I am not sure how far back the core team has patched this, but I would imagine that the patch goes way back.

If you want to be protected against the exploit, you MUST keep updated. Although there are other ways to get around the patch, they are not made public and I will soon be presenting a patch myself to prevent my new method.

Keep an eye out.

New Author of Velvet Blues URL Updater

Today I would like to mention that I have taken over the responsibilities of a great little tool. The plugin Velvet Blues URL Updater was developed by a company called Velvet Blues. The plugin has become popular for making it extremely easy to update WordPress URLs when migrating. The original developer has done some decent work but has failed to keep up on the plugin.

The plugin has roughly 200k active users (which can be kinda scary) and was last updated almost a year ago. The latest versions of WordPress brought issues for version 3.2.4 and caused the plugin to break and not work. I saw this and attempted to make contact directly with the author. After about 3 weeks, I contacted the plugins team and asked for the process to be reviewed for ownership. Their attempts to contact the developer were unsuccessful and I was greeted with access to take over the plugin.

Today I pushed version 3.2.5 to the WordPress repository which contained UX and bug fixes for the latest version of WordPress. If you are a user of the plugin like me, rest assured it is now working again :).

Installing LetsEncrypt Using Plesk

So today I was surprised to find that the whole process of installing LetsEncrypt on Blackbird Digital's dedicated server was so much simpler than it was a year ago.

Things you will need

Installing

Log into Plesk and navigate to the extensions page. For me, I am using Plesk 12.5.30 Update #30 and the Reseller View. The Power User view may look different. You can find the “Extension” page in the left navigation bar under the “Server Management” section.

Extensions Menu
Located in the Server Management section in the left navigation

You will see a list of installed extensions. You will either need to upload the LetsEncrypt package or you can browse the extension catalog. I suggest you choose to browse the extension catalog: simply click "Extension Catalog" at the top of your installed extensions. From there you can search for the Let's Encrypt extension. It will look something like the following.

Screen Shot 3

Find Let's Encrypt and click the "Install" button next to it. Follow the instructions and enjoy your free SSL/TLS certificates! Whenever you want to add a certificate to a domain, you will visit the Let's Encrypt extension and click on the desired domain to generate an SSL/TLS certificate. The extension will automatically assign the SSL certificate to the domain.

Combating Chip Cloning – Encrypted Cloud Storage

By now I am sure that you have heard about the fight between the FBI and Apple. The FBI finally got into the device and as of now, the FBI has not released what its findings have been. I am sure if they found anything, they would have released it in spite of Apple not folding when given the order to "help" break into the phone.

The technique used to break into the phone is still unknown. It is only a matter of time before it is leaked. Until that time, we can only speculate as to how the iPhone was unlocked without wiping the data. In my personal opinion, I do not think that software was the weak point. The software is pretty well ironed out (that I am aware of currently).

One possible and VERY LIKELY technique is cloning the NAND chip. This chip is the flash memory for the device. Once the NAND is pulled it can then be cloned using a very generic reader. How can you clone NAND with encrypted data? Well, easy! Cloning is simply making a copy of the encrypted data and other information about the flash storage. The data is copied in encrypted form, but it is there. At this point, anyone can simply take the cloned NAND, place it back into the phone and attempt to go through the passcodes. They would replace the NAND once all attempts have been made without entry (1-10). At this rate it would take weeks to crack the password, but it would be possible.

There are 10,000 possible combinations. Once the NAND was cloned, one could simply fire up an unlimited number of devices to break it in a few hours/days.

So how do you combat this?

Anyone who knows about encryption knows that encryption is only as good as the storage and key location. If the data is stored locally, then the data is not secure even in encrypted form. The idea is to keep the data out of the hands of exploiters / hackers as much as possible (even if the data is encrypted).

One idea to make cloning obsolete is to use "streaming/handshakes" of sorts. Instead of having your contacts on your phone, they would be stored on a cloud server of your choice. When you click the contacts app, it would stream your contacts. This technique can be used for just about everything including videos, photos, notes, contacts and other data that you want to encrypt and keep hidden. End-to-end encryption is the way to go. This makes "wire-tap" orders no longer effective. This forces super computers to break keys since they always change, and data is never stored in its entirety or in one location for long periods of time. Gaining entry into a device and data would be a multi-part process.

Although I am sure there are holes in this idea, there are many people smarter than I that could make it work. The government hates these apps that encrypt communication like WhatsApp because it makes invading privacy damn near impossible. End-to-end encryption is what WhatsApp calls its model. Data is encrypted at all levels and decrypted at the device level on demand. The data is removed once the user has no more use for it.

OAuth2 Alternative to WP OAuth Server

About 4 years ago, I embarked on a journey to develop an SSO solution for a client that was running WordPress. Instead of WordPress using social media to log users in, WordPress would be the provider. After looking for solutions in the form of plugins, I was confronted with having to develop something. Taking what I learned from the project, I decided to build a plugin that turned WordPress into an OAuth2 Server. The project turned into WP OAuth Server and soon became very popular with large companies.

For the past few months (well, since the WP REST API was merged into WP Core), I have monitored chatter and been approached multiple times about WP OAuth Server and its support for WP-REST API. About a year ago, I added support for WP-REST API into WP OAuth Server, which made the process of using OAuth2 possible with WP-REST API. There was and is an issue looming. WP OAuth Server is designed and intended to be used by businesses and comes with a license fee.

I have decided to develop a completely new OAuth2 Server from the ground up, designed for free and unrestricted use by the general public. The plugin will be developed in a way that it uses 100% native WP functionality with a simple to use UI. The plugin will also have WP CLI support for better administration. The idea is to provide a free consumer level alternative to WP OAuth Server altogether.

If you are interested in helping with the project, please shoot me an email or contact me on Slack @justingreerbbi.

6 Common Misconceptions About WordPress

All too often when the name WordPress is mentioned in a corporate environment, there is push back from an IT team or someone stuck using ColdFusion (yes, developers and companies still use this). Why is this? This is why I wanted to post my experience with 5 common misconceptions about WordPress.

  1. WordPress is insecure – This is the farthest thing from the truth. WordPress has been deemed by the public and experts as being one of the most secure CMSs. Server configuration, bad plugins and poor theme development are the leading causes of insecurity.
  2. WordPress is just for Blogs – Nope, no it is not. WordPress has evolved into a super flexible CMS that can be used for any kind of website that needs a CMS.
  3. WordPress is Free, Paid is better – WordPress is Free and being open source, it has the smartest people working on the system. Most all contributors are volunteers and are very good at what they do.
  4. It is Open Source and any Joe can add to it – True and false! Joe can write and contribute any code he sees fit, no matter the quality of the work. Then senior developers committed to WordPress vet Joe's code. They test it against every known situation they can throw at it. If the code is not in line with WordPress's values or roadmap, Joe's code will never make the cut.
  5. WordPress can never stand against Enterprise CMS – First off, this one bugs me the most. If you have ever developed for a so called enterprise system, you know that they are clunky, extremely overpriced, and become outdated so fast with little upgrade support. But what is enterprise, or what does it mean? Well, this is straight from Wikipedia:

    Enterprise software, also known as enterprise application software(EAS), is computer software used to satisfy the needs of an organization rather than individual users. Such organizations would include businesses, schools, interest-based user groups, clubs, charities, or governments.

    Let's look at some examples of sites that fall under the category of needing to use an "enterprise" system BUT use WordPress: TechCrunch, The New Yorker, Sony Music, Best Buy, Fortune, The Rolling Stones and AMC with all the individual show sites as well. There are many more which I would be happy to provide if you would like.

  6. WordPress is not for large sites with high traffic – WordPress.com is run using the WordPress CMS and is among the top 100 most visited sites in the USA (as of Aug 2015 stats). Developers of Windows Technology and other CMS communities will say that WordPress is not powerful enough, but the stats do not lie. WordPress is just as powerful, if not more powerful, than any Enterprise system.

WordPress is growing and as of now (the time of writing this post) is currently at 25% of all websites running a CMS. WordPress is not going anywhere. It is not for everyone or every site, but I encourage you to at least look and try before you spend 17K a year on an "enterprise" CMS that will leave you spending 25K-100K a year for a system and team that just traps you in a corner.

Please Update or Go Home

I see it almost every day, and there is not much more that bothers me than someone running old and out-of-date software complaining about an issue. My first questions are:

  1. What version of WordPress are you running?
  2. Are you on shared hosting?
  3. What version of PHP are you running?

For the most part, people have little to no clue what I am talking about. I forgive them for this, but at the same time "ignorance of updating" is never a valid argument. They are ignorant of the facts of updating. Everyone knows that updating anything = important, but some just choose to ignore it as long as things are working.

When I log into a WordPress install that is having issues and I see that their WordPress install is running on anything more than 1 version behind the latest, I instantly want to throw a brick (foam, of course). This is because the first course of action for any issue is going to be updating. More times than not, clients' installs are running several major versions behind, which ultimately is the root cause of a lot of issues. Yes, updating could also be the cause of issues, but the risk is well worth the reward.

Here are some things to remember and note:

  • If you are on shared hosting and your site is slow, upgrade to VPS or DV. Shared hosting is not what you are looking for.
  • If your host is running an older version of PHP and/or MySQL, ask to be upgraded or find a new host. Any PHP version below 5.4 is completely uncalled for and the horse should be shot.
  • If your site is having issues, make a backup and update EVERYTHING! Not just what you want. If things break, that means some plugin, theme or your hosting was not managed correctly. Let the host, plugin/theme author know or find a better product!

</end rant>

The Next Step in Awesomeness

If you have not heard the buzz on the internet about Let's Encrypt, then you may want to catch up. Let's Encrypt is a project that spearheads the advancement toward a 100% TLS standard for all browsing. As a matter of fact, the project is pushing to deprecate the less secure HTTP protocol. Mozilla and Chromium want to start displaying a warning message for websites that do not use a TLS connection. They are doing this by offering free SSL/TLS certificates to counter the "WTF". I am here to tell you that "It needs to happen".

But wait, there is more! I have to be honest and say that I have not been a fan of DreamHost for a long time but what they just did may have just changed my mind. Today DreamHost posted that all their clients are now able to enable free SSL/TLS using the technology behind Let’s Encrypt.

This is HUGE in my eyes. Although you could have gotten a free SSL/TLS certificate for years, the process was bulky and took time. DreamHost has just set the bar high and makes it as easy as clicking a button. Did I mention it is FREE? Yes, it is 100% free!

You can read more about this on DreamHost’s blog: https://www.dreamhost.com/blog/2016/01/20/free-ssltls-certificates-at-dreamhost-with-lets-encrypt/.