Exploiting my own WordPress part 3 – ZAP and Securityheaders.io

TL;DR:
ZAP finds almost a 1000 potential vulns in my site. I patch them with a plugin – or so I thought – and get MORE vulnerabilities – or do I?

ZAP is a Flagship Project from OWASP. I adore OWASP for its work on Top 10 lists for Web and Mobile Vulnerabilities, and their Cheat Sheets for defense. I know it is in every pen tester’s arsenal, so let’s go look at it!


Exploiting my own WordPress part 2 – online password attack

TL;DR:

When attempting an online password attack, I find that wpscan gives me false positive and false negative results. Also, I find my defenses work, but not as I expect them to.
This is part 2 of my attempt to hack myself. After successfully DoSing my own site using a vulnerability I found with wpscan, I decide to try out wpscan’s password guessing feature. I do not expect this to be successful. An online password guessing attack will be prohibitively expensive, because I’m using a computer-generated, long password that I store in my password vault. Also, I only allow three login attempts, and my login page is not called /wp-admin or /wp-login.php.


Exploiting my own WordPress part 1 – Objective and wpscan

TL;DR:
Using wpscan, I enumerate a WordPress site that I have set up myself. I find two vulnerabilities and I successfully exploit one of them.

Objectives
Finding and exploiting security vulnerabilities in the WordPress site adaconf.org
Deepening my understanding of various attack tools
Deepening my understanding of WordPress defense plugins.


Informed Consent, Martial Arts and Privacy Data

This article has previously been posted on my Medium blog.

Did you know that Tinder has the right to read all the messages you send in your private Tinder chats? They are allowed to read your pick-up lines and your failed flirts, as well as the hot sex chats that end in exchanging of phone numbers.

Surprised?

It’s right there in plain text — paragraph 8. And you agreed to it. By ticking the “I accept Terms of Use and the Privacy Policy” box. These “click-through agreements” are common practice, and although it’s not always clear whether these contracts have any bearing in court, they are used as a basis to collect and process big parts of your life.

In any free society, we have the right to agree upon contracts with other entities. But in my view, this freedom should not entail the right for powerful entities to abuse the fact that the other party rarely reads the 40-page legalese gibberish.

What is Informed Consent?

It is illegal to physically assault another person. Yet, under informed consent, it is perfectly legal to hit someone in the face — it’s called Mixed Martial Arts. Or Thai boxing, or ice hockey. Outside the cage these very same people are not allowed to touch another human being — including the person they just punched.

The default setting is that violence is prohibited, but there is also room to temporarily agree upon the circumstances under which exceptions can be made. If this were a firewall, this rule would be called “default deny”. In the infosec world, this would be “limiting the attack surface”. In violence or in sex, this would be called “informed consent”.

This is the first part of an ongoing series where I hope to facilitate the discussion about, and outline the prerequisites for, an Ethical End User License Agreement (EULA) under the principle of Informed Consent.

An Ethical EULA:

  • Your personal information, the data and the metadata you produce, is owned by you, and can be loaned to another entity by means of a EULA
  • The company’s loan of your personal data is limited in time
  • The company’s loan of your personal data is limited in space
  • The company’s loan of your personal data cannot be transferred
  • The company’s loan of your personal data should be opt-in
  • The scope of the personal data loan must be proportional and minimal
  • It must be possible to agree to some parts and not to other parts
  • It must be understandable by the average person

Thing is: if you’re an EU citizen this is already the law.

The General Data Protection Regulation — GDPR — has been in force since 2016, and any company that violates these simple principles by May 2018 will (hopefully) be subjected to substantial fines. I believe that the GDPR can bring great things, but I am concerned that advocacy groups and civil society are so quiet about the amazing new legal rights we actually have. A right that is not claimed is not worth very much, and it’s time to step up our game.

How do I propose to do that? That’s the topic of an upcoming article 🙂

Usability versus security, or: Why I decided to become a cyborg

This article has previously been published on my LinkedIn.

Some months ago, I attended an after-work event where one could choose to get implanted with an NFC chip, the kind of chip that you carry on your gym card or your credit card. I went there thinking that I would never, ever do such a foolish thing. I left the place with an urge to get the implant.

What had changed?
