Author: wefightforsecurity

Did John McAfee Die In Prison? Probably Not, here’s why

Author wefightforsecurityPosted on June 23, 2021June 23, 2021Categories Uncategorized

John McAfee, the pioneer of anti-virus software is reported dead by commiting suicide in a Spain prison. Is he dead? Probably not. Based on John’s past adventures, the chance of death by suicide is extremely low.

A quick history recap, McAfee escaped Belize when the police wanted him for questioning about the death of his neighbor. Suspecting the Belize government at the time would most likely murder him, he dissapeared and got out of Belize. He ended up in prison and faked a heart attack. This just is who McAfee is.

The report of John McAfees death lasts substance, namely a picture of the body, which of course can be faked, but is a lot more substantive than the jail saying he killed himself.

If you ever spent much time talking to John, he’s the type who confronts governments and won’t back down, so allegedly committing suicide because he was being extradited doesn’t hold up to his personal character.

So is John McAfee dead or alive? Right now, we really don’t know. At this point he is schrodingers McAfee, both possibly dead and possibly alive simultaneously.

This will be updated as more data comes available.

Krypton, a new encryption — is it worth our time?

Author wefightforsecurityPosted on June 20, 2021June 20, 2021Categories Uncategorized
Krypton Encryption

Do we need a new encryption? Why do we need a new cryptography? Those are the two questions I’ve asked the creator of Krypton-320 a 320 bit Java based symmetrical encryption repeatedly for months.

Creator notaidan, believes that we do need a new cryptography, many of his answers over the months to questions are privacy driven. In the early days of krypton formerly uwucrypt, i asked why not just use AES? Notaidan pointed to that AES is government approved and we need protection from the government. While he didn’t say it nor does he believe he implied it, this argument inherently states that AES must be insecure , which no one knows of for the government to approve it. We whole heartedly disagree here, since anyone can read the code of AES that’s been available for decades.

So why krypton cryptography? Could it be that notaidan is 14 per his github site and just wants to create for the fun of it? No, he believes it is stronger than aes-256 because it is 320 bits. He has rewritten it about ten times. Whenever a bug is found, he doesn’t just patch the bug, he rewrites it entirely.

So is krypton encryption something we should use? That’s where uncertainty lies. With the codebase being rewritten all the time, it’s hard to analyze it and decide okay this is secure or insecure. What was said about Krypton earlier this week, no longer applies, so trying to form an opinion about it, is simply not doable at this time.

Is the Java libraries used safe? It uses secure random, big integer, scanner, and one other. All of these are well known, secure, libraries so yes there is no problem there. The only thing left is for some of the cryptography community to decide if the latest krypton-320 bit encryption is indeed better than AES and more secure as it is being touted. This will be updated as information becomes available.

wp_create_nonce does not secure you against CSRF or XSRF

Author wefightforsecurityPosted on March 31, 2021March 31, 2021Categories csrf, wordpress functions security, wp securityTags , , , , , , ,

What is wp_create_nonce and what is it for?

wp_create_nonce is a function for theme and plugin developers using WordPress. The majority of developers understandably believe this secures their forms from cross site request forgery, unfortunately it doesn’t. WordPress is great at making functions for developers that any reasonable person would believe has security built-in. When it comes to WordPress that isn’t the case.

How do I secure forms from hackers?

wp_create_nonce is a good starting point, but you have to use wp_verify nonce, to validate that the form protection against CSRF will actually work. If you just do wp_create_nonce, it is like putting a lock on a door, with tape, that anyone can remove. When you use wp_verify_nonce in your code, it is like properly securing the lock, which should’ve happened in the first place.

Why should my forms be secure against CSRF & hackers?

Forms interact with the users database, and many admin forms don’t prevent from malicious content being submitted. So, an attacker could inject their own malicious code, damage your site, or do anything they want as that user.

Now I can hear you rolling your eyes and saying CSRF isn’t a problem, because it requires a logged in developer to go to a malicious site. That isn’t true, yes, it requires a logged in developer going to a site, but it doesn’t have to be one that is inherently malicious. Also, interaction isn’t required, if you properly automate things. Their site can be attacked while they look at a picture or play a game. It is deceptively easy to misuse insecure forms. While CSRF isn’t as bad as sql injections or how most developers use is_admin(), it certainly needs to be secured.

In conclusion, secure all your code.

What is a SQL Injection? Is My Site safe?

Author wefightforsecurityPosted on March 31, 2021March 31, 2021Categories sql injections

What is a SQL injection?

A sql injection put simply is when someone injects their own code or information into your site or apps database. The way this happens is usually due to a vulnerable piece of code that didn’t put in security measures around the interaction allowed with the database.

What is a database?

A database stores everything you write, all your images, everything. Personal information including usernames, and any personally identifying information is stored there.

How do I know if my site can be hacked with a sql injection?

If you aren’t a developer and don’t know how to read code, the short answer is you don’t know. Many developers tell you everything is secure, when it certainly most isn’t. 3rd party companies like ourselves are able to check the security of your site for you and coordinate with the developers to make it more secure.

Do sql injections cause bad publicity or put companies out of business?

Yes, they do. Whenever you hear a company has been breached and the database has been compromised, that most likely was a sql injection. While there are other ways to get into the database, a persistent xss, a sql injection is very common and quite often the culprit.

WordPress is_admin unsafe & On Your Site

Author wefightforsecurityPosted on March 30, 2021March 31, 2021Categories wp security

What is WordPress is_admin and how is it on my site?

is_admin is a WordPress function used for plugins and themes, which developers misunderstand. The WordPress function is_admin sounds like code that would make sure the user is an admin, but that isn’t the case. Instead is_admin() checks to see if you’re on an administrator page. Unfortunately, WordPress designed some administrator pages, that anyone can access without being logged in. This makes is_admin useless as a security measure, which they note on the documentation page.

How is it on my WordPress site? Is this a WordPress vulnerability?

The majority of plugins developers don’t understand exactly how is_admin works, so your site is extremely likely to be unsafe. Is it a WordPress vulnerability? Yes! WordPress invented is_admin as a function for themes and plugins, despite warnings from the community, that this would confuse developers. They didn’t care or try to patch it. A vulnerability is a weakness, so by that definition, yes, WordPress created a weakness that impacts most sites. It’s worth noting that WordPress thought putting in the documentation that it is insecure was a good enough safety measure, unfortunately that isn’t the case.

How can WordPress plugin and theme developers make things only for admins?

Our favorite method to secure WordPress administrator only code is using WordPress roles and capabilites. Roles and capabilities breaks down who and what can access certain areas. Our favorite function for security is current_user_can. One capability exclusive only to admins is manage_options. If you write if(current_user_can(“manage_options”) ) this means only the admin can access that code.

If you want to write as bullet-proof code as possible, we have even stronger versions that you can write listed below.

if(current_user_can(“manage_options”) && is_user_logged_in() )

// write your code here

We handle people who don’t fit the code snippet by using the exclamation mark. In PHP the exclamation mark means “not”. So, if(!current_user_can(“manage_options”) && !is_user_logged_in() ) then you can assign a different level of access for users who aren’t admins and aren’t logged in. You can tell people to leave, after the if statement just write die(“You don’t have access to this area.”);

Now if you want a different level of access for logged in users, who aren’t admins, you write if(!current_user_can(“manage_options”) && is_user_logged_in() ) . So now they are logged in and not an admin.

What if I adopted an old plugin that uses is_admin and I don’t want to re-write the entire thing?

You can write code to fix this, you simply put if(current_user_can(“manage_options”) && is_admin() ) and now only admins can access it. This can have a negative impact on users if it used to allow users to access an administrator page.

Does this mean never to use is_admin()?

is_admin can be used to say this is an administrator page, but as long as you don’t put security measures listed above, you’re risking a security breach. Some argue, accurately that is_admin is safe if you only write certain code that no one can engage with. The problem with this argument is that the majority of people do not know what people can and can not interact with, so the best technique is to always secure anything admin side.

In conclusion, it is better to use the best security methods always, because you never know when your code will change years down the road or if it is already vulnerable.