
WPScan – WordPress Security Scanner

I came across an interesting tool for us WordPress bloggers: WPScan, from http://www.ethicalhack3r.co.uk/security/introducing-wpscan-wordpress-security-scanner/

WPScan is a black box WordPress security scanner written in Ruby which attempts to find known security weaknesses within WordPress installations. Its intended use is for security professionals or WordPress administrators to assess the security posture of their WordPress installations. The code base is open source and licensed under the GPLv3.

Features include:

  • Username enumeration (from ?author)
  • Weak password cracking (multithreaded)
  • Version enumeration (from generator meta tag)
  • Vulnerability enumeration (based on version)
  • Plugin enumeration (todo)
  • Plugin vulnerability enumeration (based on version) (todo)
  • Other miscellaneous checks
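The two passive checks in the feature list, username enumeration from `?author=N` and version enumeration from the generator meta tag, are easy to reproduce by hand. Below is an added example in Ruby (the language WPScan is written in); it is not WPScan's own code. To keep it runnable offline, the HTTP client is replaced by a constructed table of responses (`SAMPLE_REDIRECTS`) and a constructed page head (`SAMPLE_HTML`); the host name, user names and version in them are made up.

```ruby
require "uri"

# Added example, not WPScan's own code. The responses below are constructed
# stand-ins for what a WordPress site returns; the names in them are made up.

# Pull the WordPress version out of the generator tag, e.g.
# <meta name="generator" content="WordPress 3.1.1" />. Themes emit the
# attributes in either order, so parse the tag's attributes rather than
# matching one fixed layout.
def wp_version_from_html(html)
  html.scan(/<meta\b[^>]*>/i).each do |tag|
    attrs = tag.scan(/([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/)
               .map { |k, dq, sq| [k.downcase, dq || sq] }.to_h
    next unless attrs["name"].to_s.casecmp?("generator")
    m = attrs["content"].to_s.match(/\AWordPress\s+(\d+(?:\.\d+)*)/i)
    return m[1] if m
  end
  nil
end

# WordPress answers /?author=N with a redirect to /author/<user_nicename>/.
# user_nicename is derived from the login name unless the admin changed it,
# so the redirect target is usually the account name to feed a password guesser.
def author_from_redirect(location)
  path = URI.parse(location).path
  m = path.match(%r{/author/([^/]+)/?\z})
  m && m[1]
end

# Walk ?author=1..max_id over a table of [status, location] responses (the
# constructed stand-in for an HTTP client). Ids that do not redirect are not
# existing users and are skipped.
def enumerate_authors(responses, max_id)
  (1..max_id).each_with_object({}) do |id, found|
    status, location = responses[id]
    next unless [301, 302].include?(status) && location
    name = author_from_redirect(location)
    found[id] = name if name
  end
end

SAMPLE_HTML = <<~HTML # constructed page head
  <html><head>
  <meta charset="UTF-8" />
  <meta content="WordPress 3.1.1" name="generator" />
  <link rel="stylesheet" href="/wp-content/themes/twentyten/style.css" />
  </head><body></body></html>
HTML

SAMPLE_REDIRECTS = { # constructed responses to /?author=N
  1 => [301, "http://blog.example.com/author/admin/"],
  2 => [301, "http://blog.example.com/author/chris/"],
  3 => [404, nil],
  4 => [200, nil],
}

if __FILE__ == $0
  puts "WordPress version: #{wp_version_from_html(SAMPLE_HTML)}"
  enumerate_authors(SAMPLE_REDIRECTS, 5).each do |id, name|
    puts "author id #{id} => #{name}"
  end
end
```

Both checks are passive from the site's point of view (a handful of GETs), which is why removing the generator tag and redirecting `?author=N` to the home page are the usual hardening steps; the enumeration still works against a site that merely hides the author archive link.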

 

This may make a good addition to the excellent WP Security Scan plugin from Semper Fi Web Design. WP Security Scan does a great job of checking for common issues with WordPress installations. I’ve used this plugin since it was released.

Do you have a favorite WordPress security plugin, tool, or tip? Let us know.

–Chris



Do you digitally sign email?

I’ve been a fan of digital signatures ever since I worked for a PKI company (CertCo) back in 2000. I like the idea that I can send an email and the recipient can tell if someone has tampered with it. Even though I think there have been a couple of “years of PKI”, it has never really caught on. Client software issues, complexity for the end user, distribution of keys and certs, status checking... all have some hand in the limited adoption. Personally I think the biggest barrier is what happens when you send digitally signed email outside your organization. Unless your certificates are issued by a commercial CA that the recipient’s software already trusts (like Verisign), your email will generate a trust error when the recipient opens it.

I am starting to see some forward traction with digitally signed email, specifically in an attempt to fight phishing. The basic idea is that if everyone in your organization digitally signs their email then an un-signed email from the CEO with an attachment would stand out. Is that a cure? Of course not. Rolling out certs to your organization is no small feat. Depending on the desktop environment (OS, Mail client, etc) there may be adoption issues. That said I have found digitally signing email has benefits worth the implementation and training efforts.
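What the recipient's client actually does with a signed message, and why the trust error above appears, is easier to see end to end than to describe. The following is an added example using Ruby's standard `openssl` library; it is not code from this post or from any product mentioned here. It builds a throw-away self-signed certificate for a sender (standing in for an internal PKI), clear-signs a message with it, and then verifies that message three ways: as a recipient who trusts the issuer, as one who does not, and against a body altered in transit. The name, address and message text are constructed, and a real rollout would use certificates from a CA the recipients already trust rather than a self-signed one.

```ruby
require "openssl"

# Added example, not code from the post. Subject name, address and message
# body are made up; the self-signed certificate stands in for an internal PKI.

# A self-signed certificate that doubles as the sender's own CA.
def make_self_signed(subject)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("keyUsage", "digitalSignature,keyCertSign", true))
  # emailProtection is the extended key usage a verifier expects on an S/MIME signer
  cert.add_extension(ef.create_extension("extendedKeyUsage", "emailProtection", false))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Clear-signed (multipart/signed) S/MIME: the body stays readable and the
# signature rides in a second MIME part, so a client that cannot verify it
# still shows the text, which is why an unsigned mail has to stand out by policy.
def sign_message(cert, key, body)
  p7 = OpenSSL::PKCS7.sign(cert, key, body, [], OpenSSL::PKCS7::DETACHED)
  OpenSSL::PKCS7.write_smime(p7)
end

# Verify as a recipient whose trust store holds exactly `trusted_certs`.
# Returns [ok, reason, body]; `body` is the signed text as the parser saw it
# (CRLF line endings). `override_body` lets the caller present altered text,
# which is what a tampering relay would do.
def verify_message(smime, trusted_certs, override_body = nil)
  p7 = OpenSSL::PKCS7.read_smime(smime)
  store = OpenSSL::X509::Store.new # empty: nothing trusted by default
  trusted_certs.each { |c| store.add_cert(c) }
  content = override_body || p7.data
  ok = p7.verify([], store, content)
  [ok, ok ? "signature OK" : p7.error_string, content]
end

SENDER_CERT, SENDER_KEY = make_self_signed("/CN=Chris/emailAddress=chris@example.com")
# Constructed message: the kind of request a phisher would love to forge.
MESSAGE = "Hi,\nPlease wire USD 1,000 to the new vendor account today.\n-- Chris\n"
SIGNED = sign_message(SENDER_CERT, SENDER_KEY, MESSAGE)

if __FILE__ == $0
  ok, why, body = verify_message(SIGNED, [SENDER_CERT])
  puts "inside the org (issuer trusted):  #{ok} (#{why})"
  ok, why, = verify_message(SIGNED, [])
  puts "outside the org (issuer unknown): #{ok} (#{why})"
  ok, why, = verify_message(SIGNED, [SENDER_CERT], body.sub("1,000", "9,000"))
  puts "body altered in transit:          #{ok} (#{why})"
end
```

The second case is the trust error an external recipient sees: the signature itself is mathematically fine, but the verifier cannot build a chain from the signer's certificate to anything in its store, so the client flags the message rather than the forgery. The third case is the property the anti-phishing argument relies on: change one digit of the amount and verification fails even though the signer is trusted.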

–Chris


Giving a presentation on APT tonight in Manchester, NH

At the last meeting of the New Hampshire chapter of ISSA the subject turned to Advanced Threats (APT, SMT, etc). This was driven mostly by the RSA announcement of their breach that happened just prior to the meeting. I was asked to put something together to share at the next meeting. Most of the presentation focuses on what kinds of things you should be paying attention to on your hosts and networks, the tools and infrastructure that will help in detection and some tips on what organizations can do to make it harder for the bad guys. This information is out there in public sources but is difficult to piece together.

You do not have to be a member of ISSA International or the NH chapter to attend. It’s a good opportunity to network with your peers in other area organizations. Tonight’s meeting is at the Manchester Public Library at 405 Pine Street. Directions can be found here

–Chris


RSA Security breached by APT

EMC has announced that their RSA division has been compromised. It seems the focus of the attack was information on their SecurID product. In the open letter from Art Coviello, RSA said:

While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.

Not good. It is interesting that they specifically mention APT (Advanced Persistent Threat) as the “category” of attack. As anyone who deals with advanced threats will tell you, it’s not a matter of if... it is a matter of when. I have many friends over at RSA and hopefully they are able to deal with this quickly. Sorry guys... welcome to the club :(

–Chris


New mass-mailing worm spreading like crazy – VBMania

Normally I let the vendors communicate this stuff, but this is spreading like crazy. A mass-mailing worm that McAfee is calling VBMania is on the loose. We’ve stopped a ton of these this afternoon.

More information here: http://www.avertlabs.com/research/blog/index.php/2010/09/09/widespread-reporting-of-here-you-have-virus/

–Chris


Intel to acquire McAfee for $7.7 Billion

Most of you have probably heard that Intel announced it will acquire McAfee for almost $8 billion. What I find interesting is that Intel paid $48 per share, about 60% more than the roughly $30 per share McAfee had been trading at. There are a lot of discussions about why Intel did this. Bruce Schneier has an interesting thread on this.

Having used McAfee at several companies I thought this quote particularly interesting.

McAfee may be able to optimize its notoriously performance-hungry software now that it’s a part of the company that provides the CPUs to many computers

Will we see an Intel based “antivirus chip” on mobo’s? Maybe….

–Chris



Who’s going to Defcon?

Defcon 18
I will be out in Las Vegas for Defcon. Wednesday night I will be jumping from vendor party to vendor party, and I am meeting a couple of colleagues on Friday night. If anyone is interested in grabbing a few beers, let me know.



How-to on securing PDF documents

A friend of mine pointed me to a good article on securing PDF documents: http://secforall.info/2009/06/29/securing-pdfs/ It’s a good tutorial on how to password protect, digitally sign and certify PDF documents. Now if only we could have some intelligence in email clients (or maybe a setting in Acrobat Reader?) that would prohibit, or at least strongly warn, when a user tries to open an unsigned PDF. This would make my life much easier from a malware perspective... I think.


