So, what do you know about the WordPress REST API? If you’re like me, the answer is “not much”. So it came out of the blue when a friend of mine contacted me last week about problems he was having with the REST API. The Issues 1) The URL https://www.example.com/wp-json/wp/v2/users can return information about ALL […]
Hardening the Apache Webserver
One thing that should be done for those hosting their own Apache Webservers is to remove any unneeded information from Apache Error responses: Apache/2.4.48 (Ubuntu) Server at example.com Port 443 In the standard setup for Apache, Apache reveals it’s version number as well as the underlying O/S that it is running on. Why make it […]
Numb to it all
Wow. It has certainly been quite the ride the last few years. From endless SPECTRE and MELTDOWN bugs in the AMD and Intel microprocessors, the out-of-control ransomware variants, to the incessant breaches and release of otherwise private information. This is a mess. So, before you do something stupid and idiotic, let me remind you, SECURITY […]
Secure Your Amazon S3 Buckets
We all have S3 Buckets, don’t we? Dark Reading has a good tutorial on how to secure your bucket, including access AND encryption: https://www.darkreading.com/edge/theedge/how-to-prevent-an-aws-cloud-bucket-data-leak–/b/d-id/1337093
It’s almost too easy
From Garth Algar in Wayne’s World. Still funny after all these years! “OK… First I’ll access the secret military spy satellite that’s in a geosynchronous orbit over the Midwest.” “Then, I’ll ID the limo by the vanity plate “MR. BIGGG” and get his approximate position.” “Then, I’ll reposition the transmitter dish on the remote truck […]
Tech Support Scams
So, in the first week in December, I got a call from a number listed as being from “Seattle, WA”. I was greeted by a gentleman with an East-Indian accent: Caller: “Hello. This is Samir from Microsoft Tech Support. I’m here to help you with your login problem.” Me: “I have no login problems.” Caller […]
Apple Fixes Critically Stupid Error in High Sierra
ZDnet broke a story about a critical error in macOS 10.13.0, 10.13.1 (current), and 10.13.2 Beta. The issue is that the system allows login of the “root” user, with no password. Simply wake up the Mac, go to the logon screen, and select “Other User”. Enter a username of “root” with a blank password. Enjoy the […]
Update Your Dahua NVR & IP Cameras
Positive Technologies has outdone themselves. They have discovered a critical vulnerability in Dahua IP Cameras and NVR systems and has documented it here. CERT has a good write-up available as well. I’ve always liked Dahua because for their relatively low cost and durability. Their cameras and NVRs are built like brick houses. There are software […]
Intel Inside? Better get it out!
Alas, poor Intel. What a mess you’ve made. On November 17, 2017 I wrote an article describing the work Positive Technologies had done in researching the Intel Management Engine and discovering the NSA’s HAP (High Assurance Program) boot mode. They found a bunch of flaws in the Intel architecture which has the industry buzzing. The […]
Hacking VoIP Phones
Business Insider has an interesting article on how they were able to attack and exploit Cisco VoIP phones. After all, as they point out, what is a VoIP phone? It’s a computer with a microphone! Their article can be viewed here: http://www.businessinsider.com/hackers-can-turn-office-phone-into-remote-listening-device-cybersecurity-hack-cisco-spying-tap-2017-11 Yes, your VoIP phones fall squarely into the category of Internet of Things. and […]