A new paper out this week details the exploit of MD5 and Certificate Athorities (CA). What makes this such a scary and threatening attack is the use of MD5 to secure a website identity. Using the HTTPS protocol, web surfers verify the identity of secure sites by checking for the lock icon and the use of HTTPS in the web address.

Using this exploit, an attacker can fake the authenticity of a website by giving the user a genuine certificate.

What can you do to protect the identity of your site, and sites you visit?

The first thing is to make sure the CA is using SHA-2 instead of MD5. Next is to make sure the CA of the sites you visit do the same. Sure, this isn’t the best advise, and not everyone will take it, but at the moment, it is the only way to be sure you are safe.

Please read through the paper here. It is quite detailed, and will let you know exactly how the exploit was achieved.

WordPress Hacker

I have recently come across a series of posts regarding the elusive task of securing a WordPress installation. I was curious about how this works, and wondered why this would be needed since the WordPress development community does a fantastic job of release security updates to prevent attacks on millions of blogs run by the publishing software.

In reading on this subject, I found a website called wordpresssecured.com. I thought to myself how odd it would be for millions of people to be using an unsecure code set to run their business, or personal blog.

Rest assured, if you have the latest version of WordPress and keep it updated when security patches are released, you are as secure as you can be. The folks over at wordpresssecured.com are preying on the fears of many by using attacks as a means to make money.

They claim WordPress “as-is” is insecure and that hackers can gain access to your blog within minutes with any WordPress installation. Sure, if you have an out-of-date version of WordPress, it is true there are documented security risks and exploits to attack. However, if you are running the latest version you are safe. Here is what they are claiming they can do…

Close and block all exploits that hackers know about
Block unwanted BadBots from your site
Stop any and all SQL injection attacks
Block all folders that are open to a hacker’s attack
Stop Kiddie Hackers dead in their tracks
Protect your sales. Google ads and reputation

They claim to have hundreds of satisfied customers and have some recommendations, but no specifics are ever given. I decided to dig a little deeper. Who is behind this site and what claims can they justify, also, what claims are they just making up?

Who is making these claims?

The person behind the site is James Stein. His biggest attribute to his success is simply that he has been online for more than 20 years and has been doing web development for 15.

How does his secured installation work?

Mr. Stein alleges that hackers know all of the code for wordpress and that any version of wordpress, be it an old version, or the version that came out yesterday are all completely vulnerable, simply because people know all of the code associated with it.

Fact is updating means nothing, the code is not encrypted and hackers have access to the code just like you do..

If you change how wordpress functions then it is very obvious that hackers can not hack it as they will have no idea what changes you made.

His installation technique is to change how WordPress functions. This is ludicrous! By changing how WordPress functions, he removes what makes WordPress powerful… an entire community of developers and users working together to make everything work together seamlessly.

Separating Truth from Marketing Hype

The truth behind having a secure WordPress installation is not using some customized WordPress bundle, it is simply updating it as updates become available.

He claims one of the biggest reasons for insecurity with WordPress is because the code is not encrypted, therefore anyone can see it. I must admit, to the untrained eye, this seems to be a valid argument, until one considers that WordPress is open source.

If this was the truth for all open source projects then it would assert that Linux is much less secure than Windows. Rather, the complete opposite is true! Because it is open source, more developers are available to see and edit the code than commercial programmers. This alone would make Mr. Stein’s version of WordPress much less secure than the freely available package.

What People really have to say…

AskApache posted a reply on agentgenius.com about Mr. Stein:

Clearly [Mr. Stein] lacks any knowledge/experience of auditing code to find a vulnerability, then creating a custom exploit for that vulnerability, creating an agent to carry the exploit payload across Internet Protocols recognized by the target (blog on HTTP), and finally delivering and executing the payload.

I urge all of you to not fall into the marketing hype surrounding this product. I assure you, it is less secure, much more prone to attack, and will almost certaintly make you wish you didn’t spend a dime on this product. Don’t spend a dime and stick with what is free and more secure…

The latest version of WordPress!

The files changed in the latest update are as follows:

• tags/2.6.5/wp-signup.php

• tags/2.6.5/wp-login.php

• tags/2.6.5/wp-includes/post.php

• tags/2.6.5/wp-includes/version.php

• tags/2.6.5/wp-includes/wpmu-functions.php

• tags/2.6.5/wp-includes/feed.php

• tags/2.6.5/wp-includes/widgets.php

• tags/2.6.5/wp-includes/rss.php

• tags/2.6.5/xmlrpc.php

• tags/2.6.5/wp-settings.php

• tags/2.6.5/wp-admin/users.php

The latest version of WordPress MU can be downloaded here.

I have compiled a list of the files that were changed. These can be captured from WordPress Trac. 

• tags/2.6.5/wp-includes/post.php
• tags/2.6.5/wp-includes/version.php
• tags/2.6.5/wp-includes/feed.php
• tags/2.6.5/xmlrpc.php
• tags/2.6.5/wp-admin/users.php

Read about the update and download it from WordPress.org