What is a SQL Injection? Is My Site safe?

wefightforsecurityMarch 31, 2021March 31, 2021sql injections

What is a SQL injection?

A sql injection put simply is when someone injects their own code or information into your site or apps database. The way this happens is usually due to a vulnerable piece of code that didn’t put in security measures around the interaction allowed with the database.

What is a database?

A database stores everything you write, all your images, everything. Personal information including usernames, and any personally identifying information is stored there.

How do I know if my site can be hacked with a sql injection?

If you aren’t a developer and don’t know how to read code, the short answer is you don’t know. Many developers tell you everything is secure, when it certainly most isn’t. 3rd party companies like ourselves are able to check the security of your site for you and coordinate with the developers to make it more secure.

Do sql injections cause bad publicity or put companies out of business?

Yes, they do. Whenever you hear a company has been breached and the database has been compromised, that most likely was a sql injection. While there are other ways to get into the database, a persistent xss, a sql injection is very common and quite often the culprit.

WordPress is_admin unsafe & On Your Site

wefightforsecurityMarch 30, 2021March 31, 2021wp security

What is WordPress is_admin and how is it on my site?

is_admin is a WordPress function used for plugins and themes, which developers misunderstand. The WordPress function is_admin sounds like code that would make sure the user is an admin, but that isn’t the case. Instead is_admin() checks to see if you’re on an administrator page. Unfortunately, WordPress designed some administrator pages, that anyone can access without being logged in. This makes is_admin useless as a security measure, which they note on the documentation page.

How is it on my WordPress site? Is this a WordPress vulnerability?

The majority of plugins developers don’t understand exactly how is_admin works, so your site is extremely likely to be unsafe. Is it a WordPress vulnerability? Yes! WordPress invented is_admin as a function for themes and plugins, despite warnings from the community, that this would confuse developers. They didn’t care or try to patch it. A vulnerability is a weakness, so by that definition, yes, WordPress created a weakness that impacts most sites. It’s worth noting that WordPress thought putting in the documentation that it is insecure was a good enough safety measure, unfortunately that isn’t the case.

How can WordPress plugin and theme developers make things only for admins?

Our favorite method to secure WordPress administrator only code is using WordPress roles and capabilites. Roles and capabilities breaks down who and what can access certain areas. Our favorite function for security is current_user_can. One capability exclusive only to admins is manage_options. If you write if(current_user_can(“manage_options”) ) this means only the admin can access that code.

If you want to write as bullet-proof code as possible, we have even stronger versions that you can write listed below.

if(current_user_can(“manage_options”) && is_user_logged_in() )

// write your code here

We handle people who don’t fit the code snippet by using the exclamation mark. In PHP the exclamation mark means “not”. So, if(!current_user_can(“manage_options”) && !is_user_logged_in() ) then you can assign a different level of access for users who aren’t admins and aren’t logged in. You can tell people to leave, after the if statement just write die(“You don’t have access to this area.”);

Now if you want a different level of access for logged in users, who aren’t admins, you write if(!current_user_can(“manage_options”) && is_user_logged_in() ) . So now they are logged in and not an admin.

What if I adopted an old plugin that uses is_admin and I don’t want to re-write the entire thing?

You can write code to fix this, you simply put if(current_user_can(“manage_options”) && is_admin() ) and now only admins can access it. This can have a negative impact on users if it used to allow users to access an administrator page.

Does this mean never to use is_admin()?

is_admin can be used to say this is an administrator page, but as long as you don’t put security measures listed above, you’re risking a security breach. Some argue, accurately that is_admin is safe if you only write certain code that no one can engage with. The problem with this argument is that the majority of people do not know what people can and can not interact with, so the best technique is to always secure anything admin side.

In conclusion, it is better to use the best security methods always, because you never know when your code will change years down the road or if it is already vulnerable.

What Are NFTS & How They Work For Artists

wefightforsecurityMarch 9, 2021March 9, 2021Uncategorized

Written by Planet Zuda Staff and Luciolle24

Non fungible tokens, also known as NFTs have exploded in popularity recently. The Covid pandemic has lead to artists trying to find new ways to make money and NFTS provide them with the creative outlet they need.

How do NFTS help artists make money?

Artists can sell original prints or copies of their art and digital art to people who are buying. They can list it on opensea.io or rarible.com, among many other sites. Our founder decided to experiment with rarible.com and put up some of his art, but sadly discovered it was pretty expensive (around $100 USD per piece of art uploaded), so only two pieces of art were uploaded as an experiment to Rarible.

When our founder wrote about this on twitter, his friend Alon Goren, who’s been working at Goren Draper And Holmes, decided to teach him how to use openminter with tezos, we will of course pass that knowledge on to you.

I’ll also teach you guys how to do this on #Tezos! Running openMinter is fun!
— Alon Goren ₿ | Ξ alon.eth (@AlonGoren) March 9, 2021

We are going to find out the cheapest way to upload your NFT art so you can make money during the pandemic and afterwards.

What does a NFT do for my art exactly?

NFT’s are a form of smart contracts for the block chain, which shows without a shadow of a doubt, that you purchased or uploaded that piece of art. This would help enforce your rights for that piece of art, you are also the ONLY one who gets any additional offerings that creators offer, like our founder offers animation for one piece.

What collector sites will be going to NFT?

It is rumored that Quidd will soon be moving to NFT’s in the near future for their digital collectible marvel cards, basketball cards, and a lot more awesomeness. Which our owner and our assistant writer are also experimenting with…

What is great about Quidd is as of the moment this was written you can still get free cards and cards for coins, the game in-app currency (you can earn that currency by watching ads or completing offers), which you can then sell for real money. That’s right, get free stuff, make real money. It is that simple.

NFTS Just Says I Own Something?

When you get down to the nitty gritty of it, yeah that is the simple answer. It links you to what you purchased and that token, so you own that non fungible token, which is linked to whatever you purchased.

We will continue updating this article with more info on NFTS, keep up-to-date with this article.

Holding 8 Million Dollars Of Bitcoin needing recovery In my Hand

wefightforsecurityMarch 6, 2021March 8, 2021Uncategorizedbillion dollars, billion dollars bitcoin, bitcoin password recovery, bitcoin recovery

This is an experience our founder had with what he thought he was told was a billion dollars of bitcoin. It turns out it was only 8 million dollars of bitcoin at that point in time.

If you think your holding a billion dollars of bitcoin in your hand it is a strange feeling. I contacted John Paukilis, who was the middle man who informed me it was only 800 bitcoin, which means I held 8 million dollars at that point in time. The only way to hold bitcoin is if it is stored in hardware. n this case it was in a USB drive, also known as a flash drive.

This 8 million dollars of bitcoin belonged to a gentlemen who appeared out of nowhere. He asked my good friend, John Paukilis whose known in the bitcoin community if it can be retrieved. I noticed my friend smile across the room and said to me “come here”. I walked across the room to be told it had a ton of bitcoin on it and it needed to be recovered. I told my friend that wasn’t a problem. I held the flash drive in my hand and while physically it was just a flash drive, it felt like I was holding a very expensive item in my hand.

My friend took the flash drive full of bitcoins back and gave it to its owner, who said he would be in contact and dissapeared faster then he appeared.

The owner of the bitcoin most likely still can’t get access to his bitcoin which would be worth way more. It still can be recovered for free, we just get a percentage.

How Web Hosts Exposed Your Data & We Fixed It

wefightforsecurityMarch 5, 2021March 6, 2021Uncategorizedcyber security, data security, godaddy security, server security, web host security, website security

An image of a chalkboard that says web hosting. — The words web hosting on a picture

This is a piece to show you what happens and has happened behind the scenes here at Planet Zuda to help the cyber security of the world.

The year we are discussing is 2010. Bitcoin had been invented a year prior so, this was a different era. Everyone cared about their website, but we were more interested in the security or lack thereof, of the webhosts for websites.

A company named after a color and that hosted websites didn’t keep their servers secure. You could find command line access to some of their server instances by google dorking. They did not respond to emails, they did threaten to sue us by voice, however. This was common place in this time period, but they never sued.

The lack of security of this one web-host got us looking into every web-host. Almost every single web-host in that time period leaked databases onto google.

We & GoDaddy Secured Your Data On Other Hosts

We teamed up with GoDaddy and their CISO Todd Redfoot. GoDaddy was very competent with their security and they became one of our clients. Basically the best client for this situation, that we could hope for.

Once we teamed up with GoDaddy, we contacted every single webhost via proxy of Godaddy’s security team. We were able to tell them how their server files were exposed right down to /bin/, to databases. There are two web-hosts that had good security posture during this era, lunarpages and MTMII. MTMII is a web-host our founder volunteered with.

Webhosting was the wild wild west for cyber-security, as there were no consequences for insecurity at that time except for negative articles. Still Many webhosts fixed their security posture when issues were reported to them by Godaddy. They did tighten up their security over the next 2 years of us working with Godaddy.

Now web hosts are way more secure, so you can’t just google dork and find their info in Google cache. Google dorking is completely legal, so all this info was legally available.

We hope you find these articles interesting and informative.