Posts Tagged ‘security’

Unsafe cookies leave WordPress accounts open to hijacking, 2-factor bypass

May 26, 2014

Accounts accessed from Wi-Fi hotspots and other unsecured networks are wide open.

sad cookie

Memo to anyone who logs in to a WordPress-hosted blog from a public Wi-Fi connection or other unsecured network: It’s trivial for the script kiddie a few tables down to hijack your site even if it’s protected by two-factor authentication.

Yan Zhu, a staff technologist at the Electronic Frontier Foundation, came to that determination after noticing that WordPress servers send a key browser cookie in plain text, rather than encrypting it, as long mandated by widely accepted security practices. The cookie, which carries the tag “wordpress_logged_in,” is set once an end user has entered a valid WordPress user name and password. It’s the website equivalent of the plastic bracelets used by nightclubs. Once a browser presents the cookie, WordPress servers will usher the user behind a velvet rope to highly privileged sections that reveal private messages, update some user settings, publish blog posts, and more. The decision by WordPress engineers to allow the cookie to be transmitted unencrypted makes it susceptible to interception in many cases.

Zhu snagged a cookie for her own account the same way a malicious hacker might and then pasted it into a fresh browser profile. When she visited WordPress she was immediately logged in—without having to enter her credentials and even though she had enabled two-factor authentication. She was then able to publish blog posts, read private posts and blog stats, and post comments that were attributed to her account. As if that wasn’t enough, she was able to use the cookie to change the e-mail address assigned to the account and, if two-factor authentication wasn’t already in place, set up the feature. That means a hacker exploiting the vulnerability could lock out a vulnerable user. When the legitimate user tried to access the account, the attempt would fail, since the one-time passcode would be sent to a number controlled by the attacker. Remarkably, the pilfered cookie will remain valid for three years, even if the victim logs out of the account before then. Zhu blogged about the vulnerability late Thursday.

In a Tweet made Thursday, WordPress lead developer Andrew Nacin confirmed that “cookies can be replayed until expiration.” He said a fix is scheduled for the next WordPress release. In fairness, the exploit doesn’t permit attackers to change passwords, since that setting requires a separate authentication cookie tagged “wordpress_sec,” containing the “secure” flag that causes it to be sent encrypted.

Fortunately, WordPress sites that are self-hosted on a server with full HTTPS support are not susceptible, as long as every page supports HTTPS and cookies contain the “secure” flag. Until a fix is available, WordPress users should ensure the site they’re logging into has full HTTPS support. If not, users should avoid logging in on unsecured networks. Even when using networks they trust, users should be aware that privileged employees at ISPs and network providers are able to intercept the unencrypted cookie, and government snoops may be able to do the same.

Republished from Ars Technica.
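The check a site owner would want after reading the article: look at the Set-Cookie headers a login returns and flag any session cookie that lacks the Secure flag (so it travels over plain HTTP and can be replayed), lacks HttpOnly, or lives far too long. This is an added example, not code from Ars Technica, WordPress or Zhu; the cookie names follow the article, while the values, dates and the 30-day limit are constructed assumptions.

```python
# Added example: audit Set-Cookie values for session cookies that could be replayed
# after capture on an unencrypted network. Cookie names follow the article; the
# values, dates and MAX_LIFETIME_DAYS are constructed assumptions.
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

SAMPLE_SET_COOKIE = [  # constructed: what a login response might return
    "wordpress_logged_in=alice|1495000000|abc123; Path=/; "
    "Expires=Sat, 27 May 2017 12:00:00 GMT; HttpOnly",
    "wordpress_sec=alice|1495000000|def456; Path=/; "
    "Expires=Sat, 27 May 2017 12:00:00 GMT; Secure; HttpOnly",
]
NOW = datetime(2014, 5, 26, tzinfo=timezone.utc)  # article date, used for lifetime math
MAX_LIFETIME_DAYS = 30  # assumption: longest acceptable life for a login cookie

def parse_set_cookie(header):
    """Return (cookie name, {lowercased attribute: value}) for one header value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return name, attrs

def lifetime_days(attrs, now=NOW):
    """Days the cookie stays valid; 0 means it dies with the browser session."""
    if "max-age" in attrs:
        return int(attrs["max-age"]) / 86400
    if "expires" in attrs:
        return (parsedate_to_datetime(attrs["expires"]) - now).days
    return 0

def audit(headers, now=NOW):
    """Map each cookie name to the list of weaknesses found in its attributes."""
    findings = {}
    for h in headers:
        name, attrs = parse_set_cookie(h)
        issues = []
        if "secure" not in attrs:
            issues.append("missing Secure: sent over plain HTTP, so it can be captured and replayed")
        if "httponly" not in attrs:
            issues.append("missing HttpOnly: readable by any script running on the page")
        days = lifetime_days(attrs, now)
        if days > MAX_LIFETIME_DAYS:
            issues.append(f"lifetime of {days:.0f} days far exceeds {MAX_LIFETIME_DAYS}")
        findings[name] = issues
    return findings
```

On the constructed sample, wordpress_logged_in is reported for the missing Secure flag and the three-year lifetime, while wordpress_sec is reported only for the lifetime.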

Sharing of data between facebook and third parties

April 15, 2012

Not worried about data transfer between facebook and third parties? Well maybe you should be.

When you click on a facebook app, have you not noticed it requires access to your personal information? Is this necessary to play a time-wasting game? Why does it need this information?

Log in to many sites and it gives you an option of facebook login rather than typing in your ID and password.

Sounds easy, one click too easy.

What data transfer takes place? Even if none, and that is doubtful, do you really want facebook to know all your affairs?

Privacy to facebook is an alien concept. Your personal data is a commodity to be sold to the highest bidder.

‘We didn’t mean to track you’ says Facebook as social network giant admits to ‘bugs’ in new privacy row
Facebook Is Not Your Friend
Facebook Offers More Disclosure to Users

Always log in with your ID and password, do not be tempted by the one click option.

I clicked on spotify, it came up in a search, I was actually trying to find an article in The Guardian that was referred to in an excellent podcast on spotify and why it is best avoided.

I have no wish to use spotify, no wish to join.

It came up with an on-line registration form already completed that included:

  • name (incl number of friends on facebook)
  • e-mail address
  • sex
  • date of birth
  • list of facebook friends who use spotify

All neatly completed with a single click to facebook to save me the time and trouble of filling out their registration form.

But I had never asked to register, I had simply clicked on spotify. Some of the information I had deleted from facebook, and yet it was still there to be transferred to a third party.

When you are logged into facebook, it logs everything you are doing. When you log out of facebook it continues to log what you are doing via software it installs on your computer!

I have no interest in being on or using spotify. Why use spotify when there is a far far better alternative, where money is going direct to the musicians, not to global corporations, even when the artists are not on their labels?

Why I’ve Taken My Music Off Spotify…
Why Spotify can never be profitable: The secret demands of record labels

I will make that last point more explicit, as it is important that it is understood: In the highly unlikely event that were I to download and pay for music from spotify where the artist is on an independent label or not even on a label, the major labels get a cut, even though they have not signed the artist!

Steve Lawson is on bandcamp (he was on spotify). I can listen to either of his albums 11 Reasons Why 3 Is Greater Than Everything or Believe In Peace for free, I can share these albums with my friends, I can download for free, should I choose to pay for a download (and I set the price not Steve), bandcamp gets a cut of 15%.

The Sixteen have their own independent record label Coro. The Sixteen are on spotify but as yet not on bandcamp. Should I choose to download and pay for The Earth Resounds, the music of their Choral Pilgrimage 2012 which started last week with its premier performance in Winchester Cathedral, the major record labels take a cut, even though The Sixteen are not on a major label, have their own independent label Coro.

Why use spotify when there is bandcamp? With bandcamp at least you know the money is going to the pocket of an artist, not to a faceless corporation.

Slow music
Community supported music
A Little “Buy Music With Bandcamp” Primer…
Tweet-Rant #2 : 23 Tweets About Bandcamp

The business model for spotify is to generate business for spotify. The business for spotify is to generate business for spotify.

Bandcamp lets you share the music you like, makes it easy to download, easy to buy. If you buy, the artist gets paid and bandcamp gets a cut.

The business model for bandcamp is to generate revenue for their artists, as it is only through generating revenue for the artists that bandcamp gets paid. Thus the interest of the artist and bandcamp coincide.

The spotify model is generate contacts off the back of the artists, which benefits spotify, not the artist.

Call this the facebook business model. The more friends you collect, the more links you make, the greater the data pool for facebook to mine.

There are four major threats to internet:

  • government – censorship of what you may see, spying on what you do
  • facebook – enter our walled garden and enjoy the delights within, sell your soul at the gate to gain access
  • apple – enter our walled garden and enjoy the delights within, sell your soul at the gate to gain access
  • corporate control of music – criminalisation of those who love and wish to share music

The UK is trying to bring in legislation to enable spying on what every citizen does on the net, every web page viewed, every phone conversation, every sms text message, every e-mail of every citizen.

UK Police State

The music industry tried and failed to control the internet with Sopa, they are now trying again with Acta.

Say NO to ACTA

I checked out hotels on TripAdvisor. The same hotels popped up on hotmail and twitpic.

I used google to translate Japanese. Adverts in Japanese popped up on twitpic.

There is no such thing as a free lunch. If it appears free, then you are the product on sale.

Facebook paid $1 billion for an application that turns good pictures into grotty pictures, an application that any competent software designer could knock out in a couple of weeks. Facebook paid $1 billion for the users. $1 billion is a crude measure of what your personal data is worth to facebook. One billion reasons why users of the application are deleting their accounts.

Facebook, Instagram, Google, and the Monopoly Fallacy
A billion reasons to beware of the latest dotcom bubble
Don’t want Facebook to have more of your data? Here’s how to download and delete your Instagram account

Bandcamp is not free. It is free to listen to the music in the same way it is free to browse in a shop, you do not pay an entry fee at the door, do not have to fill out a registration form, show an ID. When you buy music through bandcamp, 15% of what you pay goes to bandcamp.

Top Story in Privacy Daily (Monday 16 April 2012).

Irritating unreadable characters

January 9, 2012

We have all experienced them, those irritating unreadable characters that we can barely see, let alone read.

A problem I met last night, though that was only part of the aggravation of trying to buy tickets on-line from the British Museum; the main problem was an incredibly badly designed user-unfriendly website. A friend had tried the previous night to buy tickets and eventually gave up.

On-line tickets for British Museum exhibition

A computer selects characters, presents them to us in an image which we then have to type in, if there is a match, we are ok. In theory, these images are difficult for a computer to read, but as pattern recognition gets better, the task for us mere humans gets harder and harder as the characters embedded in the images become more and more difficult to read.

The task takes on average ten seconds. Only a few seconds if you can read the first image shown, but as you keep cycling through the images to find one that can be read, the time taken gets progressively longer.

Can this time be put to productive use and if nothing else, partly offset our frustration?

The answer is yes.

You will have noticed now we get two words.

Many books are being scanned, digitised. The older the book, the more difficult the task with an error rate running at 30%.

Humans do better, but very costly, even if outsourced to sweat shops.

Why not use those ten seconds whilst we are trying to determine the illegible characters?

We are now shown two words. One is as before, a computer generated word; the second is one of the digitised words from a scanned book or document. We cannot get further if we get the computer generated word wrong, so if we get it right there is a high probability we also got the scanned word right. But the final word is not taken from one person; several people will have ‘voted’ on the word.

Can this crowd sourcing be used in other areas?

Yes, a project called duolingo has been set up on the net for language translation.

If people were paid, even in offshore sweatshops, it would be very expensive. Why not get people to do it whilst they are learning a language?

Why would anyone do it for free?

They already do it in other areas, freely give up their time to benefit others, Open Source Software, this blog …

But they are not doing it for free. They are doing it whilst learning a language for free.

As with digitised words, a ‘vote’ over many translators.
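A small model of the two-word scheme described above, added here as an example and not taken from the post or from any reCAPTCHA or duolingo code: a reading of the scanned word only counts when the user got the control word right, and the scanned word is accepted once enough independent readings agree. The control answers, the vote threshold and the user submissions are constructed.

```python
# Added example (not from the post): a minimal model of the two-word scheme.
# The control answers, threshold and user submissions below are constructed.
from collections import Counter

VOTES_NEEDED = 3  # assumption: accept a scanned word once this many agreeing readings arrive

class WordCrowdsourcer:
    def __init__(self, control_answers):
        self.control = control_answers  # control image id -> known answer
        self.votes = {}                 # scanned image id -> Counter of readings
        self.resolved = {}              # scanned image id -> accepted transcription

    @staticmethod
    def _norm(text):
        return text.strip().lower()

    def submit(self, control_id, control_typed, scanned_id, scanned_typed):
        """Return True if the user passes the test. Only a passing user's reading of
        the scanned word is counted; a wrong control answer tells us nothing useful."""
        if self._norm(control_typed) != self._norm(self.control[control_id]):
            return False
        tally = self.votes.setdefault(scanned_id, Counter())
        tally[self._norm(scanned_typed)] += 1
        word, count = tally.most_common(1)[0]
        if count >= VOTES_NEEDED and scanned_id not in self.resolved:
            self.resolved[scanned_id] = word  # majority reading becomes the transcription
        return True

def demo():
    """Four submissions for scanned word s1; the one that fails the control word is ignored."""
    wc = WordCrowdsourcer({"c1": "morning", "c2": "upon"})
    results = [
        wc.submit("c1", "morning", "s1", "whilst"),
        wc.submit("c2", "apon", "s1", "whist"),    # fails control: reading not counted
        wc.submit("c2", "Upon ", "s1", "whilst"),
        wc.submit("c1", "morning", "s1", "whilst"),
    ]
    return results, dict(wc.resolved)
```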

WiFi Protected Setup Flaw Can Lead to Compromise of Router PINs

December 28, 2011

I’ve never trusted Wi-Fi Protected Setup. Just take the extra couple of minutes to create a nice, long gobbledygook password of your own and use that. And WPA2, of course. — Lauren Weinstein

The following was posted on Threat Post, warning of a security flaw in WiFi routers.

The US-CERT is warning about a vulnerability in the WiFi Protected Setup standard that reduces the number of attempts it would take an attacker to brute-force the PIN for a wireless router’s setup process. The flaw results in too much information about the PIN being returned to an attacker and makes the PIN quite weak, affecting the security of millions of WiFi routers and access points.

WPS is a method for setting up a new wireless router for a home network and it includes a way for users to set up the network via an external or internal registrar. In this method, the standard requires a PIN to be used during the setup phase. The PIN often is printed somewhere on the wireless router or access point. The vulnerability discovered in WPS makes that PIN highly susceptible to brute force attempts.

“When the PIN authentication fails the access point will send an EAP-NACK message back to the client. The EAP-NACK messages are sent in a way that an attacker is able to determine if the first half of the PIN is correct. Also, the last digit of the PIN is known because it is a checksum for the PIN. This design greatly reduces the number of attempts needed to brute force the PIN. The number of attempts goes from 10^8 to 10^4 + 10^3 which is 11,000 attempts in total,” the US-CERT advisory says.

“It has been reported that some wireless routers do not implement any kind of lock out policy for brute force attempts. This greatly reduces the time required to perform a successful brute force attack. It has also been reported that some wireless routers resulted in a denial-of-service condition because of the brute force attempt and required a reboot.”

Security researcher Stefan Viehbock discovered the vulnerability and reported it to US-CERT. The problem affects a number of vendors’ products, including D-Link, Netgear, Linksys and Buffalo. He said via email that he has received essentially no response from vendors about the problem.

“I noticed a few really bad design decisions which enable an efficient brute force attack, thus effectively breaking the security of pretty much all WPS-enabled Wi-Fi routers. As all of the of the more recent router models come with WPS enabled by default, this affects millions of devices worldwide,” Viehbock said in a blog post.

Viehbock has written a paper on the WPS vulnerability and his research and also developed a Python tool to brute-force the PINs. He hasn’t released the tool yet, but says he may do so once the code is in better shape. None of the affected vendors have released fixes or workarounds for the bug, but Viehbock says in his paper that disabling WPS looks to be the main practical mitigation. Implementing long lock-out times for multiple authentication failures would help as well.

“One authentication attempt usually took between 0.5 and 3 seconds to complete. It was observed that the calculation of the Diffie-Hellman Shared Key (needs to be done before generating M3) on the AP took a big part of the authentication time. This can be speeded up by choosing a very small DH Secret Number, thus generating a very small DH Public Key and making Shared Key calculation on the AP’s side easier,” he says in the paper.

Posted by Dennis Fisher on Threat Post.

The wifi routers supplied by BT, for example, have on the back the name of the router and a seemingly randomly generated long key of upper and lower case letters.
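To put the advisory's numbers and the lock-out mitigation side by side, here is an added risk model (not code from Threat Post, US-CERT or Viehbock's paper): it reproduces the 10^8 versus 10^4 + 10^3 attempt counts and estimates how long exhausting those attempts takes with the 0.5 to 3 second per-attempt times quoted above, with and without a lock-out policy. The lock-out parameters are assumptions.

```python
# Added example: quantify the WPS PIN weakness and the value of a lock-out policy.
# Attempt counts and per-attempt times come from the advisory and paper quoted above;
# the lock-out policy values are assumptions.

def wps_attempt_counts():
    """Worst-case PIN guesses under the three designs the advisory contrasts."""
    return {
        "naive_8_digits": 10 ** 8,              # all eight digits independent
        "checksum_known": 10 ** 7,              # last digit derived from the other seven
        "halves_confirmed": 10 ** 4 + 10 ** 3,  # first half confirmed separately, then
    }                                           # three free digits plus the checksum

def worst_case_seconds(attempts, per_attempt, failures_before_lockout=0, lockout_seconds=0):
    """Seconds to exhaust `attempts` guesses when the AP locks WPS for `lockout_seconds`
    after every `failures_before_lockout` failures (0 = no lock-out, the behaviour
    the advisory reports on some routers)."""
    total = attempts * per_attempt
    if failures_before_lockout > 0 and lockout_seconds > 0:
        total += (attempts // failures_before_lockout) * lockout_seconds
    return total

def brute_force_window_hours(attempts, failures_before_lockout=0, lockout_seconds=0):
    """(fastest, slowest) exhaustion time in hours using the 0.5 s and 3 s per-attempt
    figures from the paper."""
    fast = worst_case_seconds(attempts, 0.5, failures_before_lockout, lockout_seconds)
    slow = worst_case_seconds(attempts, 3.0, failures_before_lockout, lockout_seconds)
    return fast / 3600, slow / 3600

if __name__ == "__main__":
    n = wps_attempt_counts()["halves_confirmed"]
    print("no lock-out, hours:", brute_force_window_hours(n))
    # assumed policy: lock WPS for an hour after three failures
    print("1 h lock-out after 3 failures, hours:", brute_force_window_hours(n, 3, 3600))
```

With no lock-out the 11,000 attempts finish in roughly 1.5 to 9 hours; an assumed one-hour lock-out after every three failures pushes the same search past five months.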

facebook smears google

May 14, 2011

facebook has been engaged in a systematic campaign to smear google. False stories have been planted in the media which the gullible media has happily regurgitated as news.

The agent for this activity has been PR firm Burson-Marsteller. The involvement of Burson-Marsteller will come as no surprise to activists, as the firm has a long history of running smear campaigns.

facebook is worried that google will move into social networking. Were it to do so, it would wipe the floor with facebook and facebook would become yet another has been internet bubble.

Users need to wake up to what these companies are really about. They are about acquiring personal information on you. And yet still users put personal information on the facebook profile, play games, do quizzes and other scams that exist to tap into their personal information.

Only a few days ago Symantec highlighted a security flaw that is leaking profile information from facebook.

Facebook profile access ‘leaked’ claims Symantec
Facebook exposed in Google smear campaign
Disruption Talk
twitpic does not own copyright to pictures uploaded to twitpic
