WordPress XSS Vulnerability

If you’re a WordPress blogger, be sure to update to the latest 3.0.4 build as soon as possible. While no new features have been added, a major security hole has been patched.
Basically, 3.0.3 allows users to insert comments containing malicious code: WordPress 3.0.3 only sanitizes lowercase HTML, which allows a malicious user to pass bad code and obtain the cookies of a logged-in user.

For now, if you’re still running 3.0.3, check all pending and new comments for Base64 code or JavaScript links, and if you see any, delete the comment right away.

See http://wordpress.org/ for the complete announcement from the WordPress team.
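One way to do the comment check described above, as an added example that is not part of the original post or of WordPress: a case-insensitive triage of comment text, next to a hypothetical lowercase-only filter that shows why mixed-case markup gets through. The function names, patterns and sample comments are constructed for illustration.

```python
import base64
import re

def lowercase_only_filter(comment):
    """Hypothetical stand-in for a filter that matches lowercase markup only
    (not WordPress's actual code)."""
    return comment.replace("<script", "&lt;script").replace("javascript:", "")

# Case-insensitive patterns for what the post says to look for.
SUSPICIOUS = {
    "script tag": re.compile(r"<\s*script\b", re.IGNORECASE),
    "javascript: link": re.compile(r"javascript\s*:", re.IGNORECASE),
}
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

def triage(comment):
    """Return the reasons a comment should be held for manual review."""
    reasons = [name for name, rx in SUSPICIOUS.items() if rx.search(comment)]
    for run in BASE64_RUN.findall(comment):
        try:
            base64.b64decode(run, validate=True)
        except ValueError:  # wrong length or alphabet: not real Base64
            continue
        reasons.append("long Base64 run")
        break
    return reasons

# Constructed sample comments (not taken from any real site).
BLOB = base64.b64encode(b"constructed sample payload, not real data").decode()
SAMPLES = [
    "Great post, thanks for the update reminder!",
    '<a href="JaVaScRiPt:void(0)">my site</a>',
    "check this out: " + BLOB,
]

if __name__ == "__main__":
    for text in SAMPLES:
        print(triage(text) or "ok", "|", lowercase_only_filter(text))
```

The mixed-case link passes through the lowercase-only filter unchanged but is flagged by the triage, which is why the review has to ignore case.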

No tips yet.
Be the first to tip!

Like this post? Tip with bitcoin!

1FRxrBB6wQHQGRLHWZ3xjhJY1XT9WimVxw

If you enjoyed reading this post, please consider tipping me using Bitcoin. Each post gets its own unique Bitcoin address so by tipping you're not only making my continued efforts possible but telling me what you liked.

Using Secure Passwords.

Everyone has to use them; they protect our privacy, so when it comes to something that grants access to things like bank accounts and private files, why risk it?

Working in the IT field, I can’t tell you how often I see passwords such as “123456” or “Password1”, when a good password should never be a sequence of numbers or something based on a word found in the dictionary.

In fact, when the application developer RockYou’s login credentials were left exposed because of a SQL injection bug in RockYou’s website, the top 10 passwords used were listed as the following:

  1. 123456
  2. 12345
  3. 123456789
  4. Password
  5. iloveyou
  6. princess
  7. rockyou
  8. 1234567
  9. 12345678
  10. abc123

A good password should be something along the lines of “7ufebuHU”. Hard to remember? Yes, it is, but it’s also hard to guess and not going to be cracked in a dictionary-based attack. If you really hate remembering passwords, grab some kind of password database application; never settle for storing your passwords in a text or Word document. I personally use 1Password (Mac only) at home because it offers the ability to sync with the 1Password companion app on the iPhone. It also stores my passwords using AES, the same encryption algorithm used as the national standard in the United States; 1Password uses 128-bit keys to encrypt your passwords, which basically means it would take years to decrypt your data using a brute-force attack. Negate this altogether by changing your master password every few months.

If you don’t want to fork out any cash for a good password database, then check out KeePass, a free alternative which also offers encryption. A nice feature the KeePass team came up with, if you don’t want to remember even the one password that decrypts your password database, is the use of keyfiles. You can toss the keyfile on a flash drive and keep it with you while leaving the password database on your computer; to decrypt the database and retrieve your passwords, simply plug in the flash drive and point the KeePass application at the keyfile.

With both of the above applications you can copy the passwords directly to your clipboard to paste in whatever application you need, and both also have the ability to clear your clipboard after a set number of seconds. KeePass even has the ability to automatically clear the clipboard as soon as you paste it.

So now, if you’re going to store everything in the password database, there is no need to keep your passwords simple; both programs offer you the ability to generate random passwords. If you don’t have either application handy and need to generate a password, you can use a nifty tool up at the PC tools page to generate up to 50 passwords all at once.

The moral of the post is that making a little effort to use a secure password makes a big difference in keeping prying eyes out of your private information.

Also, as a final note, it looks like 1Password has already made plans and released mockups for the iPad interface =) I’m looking forward to that release.


Check out Dropbox, the Easy way to transfer files.

Still transferring files around on a flash drive? Why bother with that anymore when you can sign up for Dropbox and get 2GB of online storage for free.

So how does Dropbox work exactly? First off, it’s cross-platform, meaning the software works with Windows, Apple and Linux computers. Simply install the Dropbox client on any machines you would like to sync with. During installation on the first machine you set up, you’ll be presented with the option to log into an existing account or create a new account.

Select the option to create a new account. After setting up the account on the first machine, you can select the option to log into an existing account on any additional machines you set up. After setting up the client on a Windows machine you’ll see a new folder in your My Documents folder called My Dropbox. Any file you drop into your Dropbox folder will synchronize and be available on any other computer you’ve installed Dropbox on, as well as from the web. Also, any changes you make to files in your Dropbox will sync to your other computers, instantly.

But that’s not all. Dropbox does not only sync files, it also tracks any changes made to the files. Accidentally delete that presentation you’re supposed to give tonight? No problem: log into the web interface and undelete the file, or pull up older versions of the file if you need to.

Need to send someone a large file? Toss it in the Public folder, then right-click the file and select “Copy public link”. You can then paste this URL into your email and any user (even users not running Dropbox) can download the file.

Even if you don’t plan on sharing your data with other machines, Dropbox has its benefits: anything placed in the Dropbox directory will be immediately transported over SSL to the Dropbox server, and encrypted using AES-256.

Dropbox is also incredibly fast. Say you have a 50MB file and you change one small aspect of that file: the client doesn’t bother updating the entire file, it only transmits the changes to that file to the server and then down to all the machines being synchronized with the account, which greatly speeds up the process.

So head over to the Dropbox site and stop bothering with a flash drive.


Here’s How to Send Encrypted Email using Apple Mail

Ever need to send information you want protected from prying eyes? You’ve come to the right place. By following the instructions found right here, you’ll soon be able to sign and encrypt your email using your Apple Mail email client.

We’ll be setting up Mac GNU Privacy Guard to do this. MacGPG for short. MacGPG uses the very secure Public-key Cryptography scheme.

Public-key Cryptography uses a Private/Public key pair. The public key is exactly like it sounds. It’s as public as you want it to be. Post it on your website, email it to your friends and co-workers, or not. It’s entirely up to you. On the other hand, the private key is kept, well, private. You only keep this key on your system, never giving access to that key to anyone.

When someone wants to send you a secret encrypted message, they need your public key. Any message encrypted with the public key can ONLY be decrypted with the associated private key. So anyone that wants to send you a secret message only needs your public key to do so. They also need to have installed MacGPG just like you did.

So, they encrypt their message using your public key and send it to you. Because you have the only copy of your private key on your computer, you are the only person able to decrypt this message and read it.

Now the same is also true in reverse. Any message encrypted with the secret key can be decrypted with the public key.

So if you want to send an encrypted message to someone:

  1. Encrypt your message using your private key.
  2. Email it to your friend.
  3. They then decrypt it by using your public key.

I know what you’re thinking.

What’s the use of encrypting a message anyone can decrypt?

The point is to prove you’re the one that created the message. Now this is a greatly simplified explanation of what actually occurs, but hopefully you get the basic idea. Let’s dig in.

First you’re going to need to download and install Mac GNU Privacy Guard, also known as MacGPG.
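The two directions described above (encrypt to a public key, sign with a private key), as an added example that is not part of the original post or of GnuPG. It uses textbook RSA on a toy key; the key size, the absence of padding and all function names are assumptions made here for illustration, and real GnuPG messages are formatted differently.

```python
import hashlib

# Toy key pair built from two known Mersenne primes (assumption: far too
# small for real use, chosen only so the arithmetic is easy to follow).
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q                            # public modulus
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (Python 3.8+)

def encrypt(message, e=E, n=N):
    """Anyone holding the public key (e, n) can do this."""
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy key")
    return pow(m, e, n)

def decrypt(ciphertext, d=D, n=N):
    """Only the holder of the private exponent d can do this."""
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def _digest(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, d=D, n=N):
    """The private-key operation applied to a hash of the message."""
    return pow(_digest(message, n), d, n)

def verify(message, signature, e=E, n=N):
    """Anyone with the public key can check who produced the signature."""
    return pow(signature, e, n) == _digest(message, n)

if __name__ == "__main__":
    note = b"meet at noon"           # constructed sample message
    print(decrypt(encrypt(note)))
    sig = sign(note)
    print(verify(note, sig), verify(b"meet at 1pm", sig))
```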

You can get a copy from http://macgpg.sourceforge.net/

Scroll down to the area labeled “files”.

  1. Download the latest disk image for your version of Apple OS X.
  2. It should automatically mount and the image you see to the right should pop up on your desktop.
  3. Next you’ll want to double click the installer package (labeled GnuPG for Mac OS X 1.4.8 as of this writing, or whatever version you downloaded)
  4. Follow the prompts and choose your boot volume, usually “Macintosh HD” for the install location.
  5. Typically the default prompts will work fine on your Mac. You will need your admin password so you can allow the program to install itself.

Now that you have installed MacGPG, let’s see about generating a “key pair”.

If you are scared of the command line (it’s OK, really) you can opt for the GPG Keychain Access GUI available from the same page.

If you prefer working at the command line you can perform the following:

First launch Terminal.app.

  1. Open a new finder window
  2. Click your Applications folder
  3. Scroll down to the Utilities folder and click it
  4. Double-click Terminal.app
  5. Paste the following instruction into the open Terminal window and hit “enter”
gpg --gen-key

Typically option 1 is recommended.

  • Enter your name
  • Enter your email address
  • You don’t have to enter a comment but you can if you wish.

Once you get yourself a key pair it’s time to install GPGMail.

Head over to http://www.sente.ch/software/GPGMail/

  • Quick note: if you’re running Leopard you’ll need to download and install the beta version of the plugin; as of this writing this will be GPGMail_d53_Leopard.dmg. I’ve had no issues using this version on my primary computer.
  • Download the image and mount it.

Next, run the AppleScript “Install GPGMail”. This will copy the bundle over to your Library/Mail/Bundles folder and enable plug-in support for Mail.app.

If you’re running Leopard and had to use the beta version, you’ll need to copy some files into your /Library/Mail/Bundles folder (create the Bundles folder if one does not exist) and run the following 2 commands at the command prompt to enable plug-in support.

Now go ahead and fire up Mail.app. You’ll now see a new section called PGP in the Preferences panel (Mail > Preferences) as well as a few check boxes to sign and encrypt your messages. Now go bug a friend to set this up and send a few test messages to try it out. Remember, you need your friend’s public key before you can send them an encrypted message, just as he/she will need yours before they can send you one.

To get your public key to send to your friend you only need to run the following:

 gpg --export --output key.pub

Or, if you installed GPG Keychain, fire it up, select your key, and click the Export button. That’s it. Now email your friend your key, or toss it on a flash drive. Once you get his, you can use GPG Keychain the same way but click Import this time, or, if you’re more comfortable with the command line:

gpg --import key.pub

Disable SSH Password Authentication for added security.

A while ago I wrote a bit about Shared Key Authentication for SSH, and discussed a bit about the benefits of enabling this on your own servers or even desktops, one of which is protecting your server against brute force attacks. However, we never discussed that in order for your system to be truly protected from a brute force attack on your password you need to disable password authentication on your server. Please note: before attempting this, make sure that your keys work, because if you’re configuring your server remotely and you disable password authentication you will lock yourself out. Once you are sure that you can log into the remote host using your private key, we can safely disable the user name/password authentication.

The procedure to set this up is extremely simple. I’ll be showing you this on an Ubuntu Server install with OpenSSH, but the procedure is similar on other setups. On an Ubuntu server the file will be located in /etc/ssh/sshd_config. You’re going to want to add the following to the config file (or change the values if they already exist).

ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no

Once you save the changes you’ll need to reload the SSH server with the following command.

Update 07/17/2012: Thanks to a reader who pointed out something I missed. Ensure you’ve enabled public key authentication. I’ve noted that most often this is enabled by default, but if it’s not YOU WILL lock yourself out. Ensure the following is set in your configuration.

PubkeyAuthentication yes

And then reload the SSH Service.

User@Host:~$ /etc/init.d/sshd reload

That’s it, your server should no longer accept user name/password authentication.
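A pre-reload check for the lockout case described in the update above, as an added example that is not part of the original post or of OpenSSH. It assumes upstream OpenSSH defaults for keywords that are not set, reads only the global section of the file (Match blocks are not evaluated), and its function names and sample configurations are constructed for illustration.

```python
# Upstream OpenSSH defaults for the keywords in this post (assumption: your
# distribution's packaged sshd_config may set different values).
DEFAULTS = {
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
}

def effective_settings(config_text):
    """Global-section values; sshd uses the first value it reads per keyword."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        if not parts:
            continue
        key = parts[0].lower()          # keywords are case-insensitive
        if key == "match":
            break                       # conditional blocks are not evaluated here
        if key in DEFAULTS and key not in seen and len(parts) > 1:
            seen[key] = parts[1].lower()
    return {**DEFAULTS, **seen}

def precheck(config_text):
    """Findings to resolve before reloading sshd; an empty list means go ahead."""
    s = effective_settings(config_text)
    passwords_off = (s["passwordauthentication"] == "no"
                     and s["challengeresponseauthentication"] == "no")
    findings = []
    if passwords_off and s["pubkeyauthentication"] != "yes":
        findings.append("LOCKOUT: passwords are off and PubkeyAuthentication is not yes")
    if not passwords_off:
        findings.append("WEAK: password or challenge-response logins are still accepted")
    return findings

# Constructed sample configurations.
FROM_POST = "ChallengeResponseAuthentication no\nPasswordAuthentication no\nUsePAM no\n"
NO_KEYS = FROM_POST + "PubkeyAuthentication no\n"
SHADOWED = "PasswordAuthentication yes\n" + FROM_POST

if __name__ == "__main__":
    for name, text in [("from post", FROM_POST), ("no keys", NO_KEYS), ("shadowed", SHADOWED)]:
        print(name, "->", precheck(text) or "ok to reload")
```

The third sample shows why an earlier `PasswordAuthentication yes` line has to be changed rather than overridden further down: the first value wins, so passwords stay enabled.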
