A song softly echoes away...
They ran down every lead
They repeated every test
They checked out all the data on their lists
And then the alien anthropologists
Admitted they were still perplexed
But on eliminating every other reason
For our sad demise
They logged the only explanation left
This species has exploited itself to death
Update, June 27: See this for why exploits have increased here, and this: Hoisted with my own Petard.
Our logs have seen an explosion in code exploit attempts these last few months. Here are a few tips to drastically reduce the chance of your code being exploited.
No, this is not to install a WAF. As I've written elsewhere, "Mod Security is the new Magic Quotes".
The fix is simply to program into any new advanced and powerful software the ability to use custom Admin, Config, Plugin and Content directories and file names.
Wordpress seems so proud of their "5 minute install" -- it's made them lazy. Spend some of that time during install explaining the vulnerability of default file names and locations, and tell people not to install in the known defaults.
Like with default passwords, force your installation code to not use the defaults.
So you will have to replace hundreds of in-line strings like wp-admin/ with a variable like $wp_admin throughout your code; it will take a while; there are other such strings; and there will be much testing to do -- but do it!
Have you seen the statistics that nearly half of Internet traffic is exploit attempts? Well, guess why? The targets all have known, exploitable names and locations!
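Once an install no longer lives at the default locations, any request for those locations is pure probe traffic and can be counted as such. The following is an added example (not code from the original post) that parses constructed Apache-style log lines and tallies hits on default WordPress paths per source address; the path list and the sample log are assumptions for illustration.

```python
import re
from collections import Counter

# Default WordPress locations that a renamed install should never serve.
# wp-admin/ is the one named in the post; wp-login.php is a further
# well-known default added here as an assumption.
DEFAULT_PATHS = ("/wp-admin/", "/wp-login.php")

# Apache "combined" format: ip - - [time] "METHOD path HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.5 - - [27/Jun/2015:10:01:02 +0000] "GET /wp-login.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
203.0.113.5 - - [27/Jun/2015:10:01:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 404 512 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Jun/2015:10:02:10 +0000] "GET /index.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0"
198.51.100.7 - - [27/Jun/2015:10:02:11 +0000] "GET /wp-admin/?foo=1 HTTP/1.1" 404 512 "-" "curl/7.4"
"""


def parse_line(line):
    """Return the named fields of one combined-format line, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_default_probe(path):
    """True if the request path is, or sits under, a default CMS location."""
    p = path.split("?", 1)[0].lower()      # drop the query string
    return any(p == d.rstrip("/") or p.startswith(d) for d in DEFAULT_PATHS)


def probes_by_ip(lines):
    """Count requests for default paths per source IP; malformed lines are skipped."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and is_default_probe(rec["path"]):
            counts[rec["ip"]] += 1
    return counts


if __name__ == "__main__":
    for ip, n in probes_by_ip(SAMPLE_LOG.splitlines()).most_common():
        print(f"{ip}: {n} default-path probe(s)")
```

Feeding the real access log through probes_by_ip gives a per-source count that can drive blocking or alerting, with no false positives from legitimate admin use because the real admin path is elsewhere.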
Please, let us finally see some truly advanced software for a change.
Many Cisco security appliances contain default, authorized SSH keys that can allow an attacker to connect to an appliance and take almost any action he chooses.
-- Default SSH Key Found in Many Cisco Security Appliances, June 25, 2015
Here is a good starting point for developers new and old (unless you know everything already): Tips for Internet Security. Like tip 5: "Change the Default CMS Settings!"
I think they should add to tip 4, "Sensible User Access": separate User Login pages from Admin Login pages. (Hint, hint, Wordpress!)
Notes
- With all due respect to Amused To Death by Roger Waters.
- They even have a function named:
- If routers and other internet hardware devices forced users to use a unique password, millions of worms, bots and cracks would have been prevented over the last 20 years.