Bypassing WordPress Login Pages with WPBiff

Two-factor authentication protected WordPress login pages can be bypassed because of certain unsafe NTP practices.

The Internal clock of remote servers can be manipulated under the right conditions. Because certain WordPress Google Authenticator plugins also rely on the local timestamp, it opens up new ways to circumvent the user authentication process on the /wp-admin dashboard.

We demonstrate a practical attack against two-factor protected WordPress login pages. We are going to gain access to the dashboard without having access to the token generator app.

Read More

Tricking Google Authenticator TOTP with NTP

Because of unsafe NTP practices, internal clocks on remote machines can be manipulated under the right conditions. Once time is altered, expired SSL certificates become valid again and causes HSTS policies to expire.

But what about authentication? Certain TOTP implementations such as popular WordPress plugins also rely on the local timestamp.

This article demonstrates a proof of concept for accessing two-factor authentication protected WordPress dashboards.

Read More

War Room

Checklist for Incident Response Teams

Forming a Computer Security Incident Response Team (CSIRT) is a complex affair. It normally involves a certain combination of staff, processes and technologies.

However the essentials are the same in most situations, no matter what the mission of your CSIRT is. This publication attempts to provide a list of must-have technologies for all forming incident response teams out there.

Read More

Credentials in the Ashley Madison Sources

One of the security risks of software development is passwords and other credentials hard-coded into the source code.

A quick analysis of the leaked Ashley Madison dumps shows that software developers of AM forgot about these risks. Their source code contains AWS tokens, database credentials, certificate private keys and other secret credentials.

The consequence of this is a more vulnerable infrastructure, which probable made the lateral movement easier for the Impact Team.

Read More

5 Tips on Writing Security Policies

Even pure technologists have to write security policies in an enterprise environment. As a subject matter on something, technology experts might be asked to contribute to the Software Development or the Internet Acceptable Use policies.

However this leads to policies that nobody reads. Copy-and-paste texts, dry language and 60-page long documents. Rings a bell, anyone?

In the following post I reveal a few tricks up my sleeves for writing simple, crystal-clear and straightforward security policies.

Read More