Posted by:
admin
13 years, 4 months ago
Two recent blog posts by Ethicalhack3r discuss authentication attacks against Wordpress sites. The first post discusses two vulnerabilities in Wordpress including one vulnerability from 2009. Both leak username information. As a follow up, Ethicalhack3r released a video (no code) of a brute-force attack tool he wrote over a weekend.
My thoughts:
As Ethicalhack3r points out, there is nothing surprising here for Information Security. It seems to have surprised others, though. That speaks negatively about the information security community's ability to affect product development. The vulnerability has existed since 2009.
It also means that we are not able to promote products that are secure. I'm sure that there are blogging platforms that are more secure or react faster to vulnerabilities than Wordpress. These vulnerabilities aren't even that complex.
I'm also reminded of something Adam Shostack told me: There have always been vulnerabilities and there always will be vulnerabilities. So, we need to deal with them. Luckily in this case, you can by protecting your Wordpress login with two-factor authentication. (What I don't know is what affect this has on commenters. I don't the login requirements to comment on a blog post or the options for that.)
Share on Twitter Share on Facebook
Recent Posts
- Blast-RADIUS attack
- The latest WiKID version includes an SBOM
- WiKID 6 is released!
- Log4j CVE-2021-44228
- Questions about 2FA for AD admins
Archive
2024
2022
- December (1)
2021
2019
2018
2017
2016
2015
2014
- December (2)
- November (3)
- October (3)
- September (5)
- August (4)
- July (5)
- June (5)
- May (2)
- April (2)
- March (2)
- February (3)
- January (1)
2013
2012
- December (1)
- November (1)
- October (5)
- September (1)
- August (1)
- June (2)
- May (2)
- April (1)
- March (2)
- February (3)
- January (1)
2011
2010
- December (2)
- November (3)
- October (3)
- September (4)
- August (1)
- July (1)
- June (3)
- May (3)
- April (1)
- March (1)
- February (6)
- January (3)
2009
- December (4)
- November (1)
- October (3)
- September (3)
- August (2)
- July (5)
- June (6)
- May (8)
- April (7)
- March (6)
- February (4)
- January (427)
2008
- December (1)
Categories
- PCI-DSS (2)
- Two-factor authentication (3)
Tags
- wireless-cellular-mobile-devices (7)
- Two-factor authentication (10)
- Wireless, cellular, mobile devices (6)
- NPS (1)
- Phishing and Fraud (111)
- Active Directory (1)
- pam-radius (3)
- privileged access (2)
- Cloud Security (10)
- Mutual Authentication (60)
- Web Application Authentication (1)
- Authentication Attacks (99)
- pci (50)
- Security and Economics (97)
- WiKID (133)
- pam (2)
- VPN (1)
- Installation (2)
- RADIUS Server (1)
- Open Source (64)
- Tutorial (2)
- Strong Authentication (35)
- Information Security (137)
- Transaction Authentication (13)
- Miscellaneous (100)
- Linux (2)
- transaction-authentication (6)
- Two Factor Authentication (254)