Category: Cybersecurity News Page 7 of 9

XSS vulnerability - cross-site scripting

XSS Vulnerability Found In WP Super Cache Plugin

A cross-site scripting (XSS) vulnerability was recently revealed in the WordPress caching plugin, WP Super Cache.

What Does The WP Super Cache Plugin Do?

WP Super Cache converts dynamic WordPress pages into static HTML.  This creates pages that are quicker to serve to visitors than a database-generated page. Great for high traffic sites, WP Super Cache’s popularity has garnered over a million downloads.

Read More

OTA’s 2015 Data Protection and Breach Readiness Guide

The Online Trust Alliance (OTA) recently released its 2015 Data Protection and Breach Readiness Guide for its seventh consecutive year. This guide helps provide businesses with prescriptive advice to help optimize data privacy and security practices to prevent, detect, contain and remediate the risk and impact of data loss incidents and breaches.

Read More

Don’t FREAK: Key Facts About the Latest OpenSSL Vulnerabilities

Factoring Attack on RSA-Export Key (FREAK)FREAK (Factoring Attack on RSA-EXPORT Key) is one of the latest web security threats to go public, which works by weakening users’ encrypted connections on SSL and TLS, allowing a hacker to intercept and decipher data.

The threat affects mostly mobile device browsers, such as Apple’s Safari and Android device browsers, but it also affects older versions of OpenSSL including 1.0.2, 1.0.1, 1.0.0 and 0.9.8. Version 1.0.2 of OpenSSL has been classified under a “high” severity of vulnerability.

Read More

Yoast SQLi injection

SQL Injection Vulnerability In Yoast WordPress SEO  

This past Wednesday, Yoast, makers of one of the most popular WordPress plugins, WordPress SEO by Yoast, disclosed a blind SQL injection vulnerability against authenticated users given a successful cross site request forgery (CSRF) attack.

What is blind SQL injection and CSRF, how can the WordPress SEO vulnerability affect your site, and what should you do about it?

Read More

Malware

The State of Cybersecurity in March 2015

cybersecurity

Protect your website from hackers and cybercrime.

With the shortest month of the year now in the books, it’s time to look at the top trending cybersecurity stories for March. Below are our picks for the top three security stories you should be reading this month:

The Latest FREAKy Web Security Bug

A new web security bug was discovered recently, leaving some Apple and Google device owners vulnerable to attack when visiting “secure” websites. It’s called FREAK (which stands for Factoring Attack on RSA-EXPORT Key), and works by weakening encrypted connections on SSL and TLS, which in turn allows an attacker to intercept and decipher the “secure” data.

Apparently the security flaw has been around for more than 10 years, but a fix is quickly on the way. Not to fear, SiteLock TrueShield customers are protected from this vulnerability. Learn more about FREAK here on PCMag.

Uber Finally Admits Data Breach

Almost a year later, on-demand taxi service Uber has announced that over 50,000 of its drivers’ personal information was stolen in May 2014. The cause? Apparently an unauthorized third party got access into Uber’s database. The hack was patched back in September, and Uber has provided one year of free credit monitoring to affected drivers. Learn more about the cybersecurity breach here on The Drum.

The Rise and Fall of Superfish

Did you know that Superfish was once a promising and rapidly growing Silicon Valley startup? They ended up striking a deal with PC manufacturer Lenovo, to have its software installed on their consumer PCs. Little did the public know, the Superfish software was logging online movement of its users, and hijacked online security systems, as revealed by a security researcher early this year.

The results were catastrophic, and Lenovo went into damage control mode. The company eventually released a Superfish uninstaller software, but by then a lot of damage had been done. Unfortunately, you don’t always know what you are getting when it comes to free software (“freeware” as it’s been coined recently). You can check out more info on the story here.

Stay Out of the News

No one wants to be featured in a headline about the latest data breach. Explore the comprehensive, cloud-based security solutions offered by SiteLock.

What You Need to Know About the FancyBox for WordPress Vulnerability

wordpress fancybox vulnerabilityFancyBox for WordPress is a plugin which provides stylized, Lightbox-like decoration for blog images. It’s a popular plugin with around half a million downloads, even though it hadn’t been updated in years. Posts emerged on the WordPress community support forum about malware injections and a vulnerability was discovered in the FancyBox plugin.

SiteLock scanners detected the malware — a Javascript payload with an iframe pointing to 203koko[dot]eu — before the vulnerability was known.

Here are three things to consider before moving forward with FancyBox:

Update FancyBox as soon as possible

The initial response to the FancyBox hack was to remove it immediately. Since the vulnerability released, the FancyBox developer released an update which corrects the issue and provides support for WordPress 4.1. If you’re uneasy about using FancyBox, Easy FancyBox is an actively developed alternative, though official Easy FancyBox support caps at WordPress 4.0.1.

Scan for Malware and use a WAF

One of the best ways to secure your website is to scan for malware and vulnerabilities on a daily basis and use a Web Application Firewall (WAF). The WAF will block potential threats from entering your website (e.g. DDoS attacks) while the daily scans will identify malware and vulnerabilities that have been placed on your site.

Update your WordPress plugins and themes

WordPress has done a wonderful job facilitating near-painless backups for its users. Once you get to the late 3.x releases, upgrades are essentially automatic. But what about plugins? More plugins, more problems, as the saying goes. Sometimes it’s not easy to wrangle the compatibility issues which come with the amazing and broad capabilities plugins add to a WordPress site.

Take it one plugin at a time. Research the plugin’s compatibility with the WordPress version you have, and then test it (with the previously mentioned backup at the ready).

SiteLock’s team of experts, expert services and products constantly monitor site files and traffic for malicious indicators. As with FancyBox, we’ll continue to find and mitigate malware even before before a vulnerability becomes known.

Contact SiteLock today to learn how website security software can help protect your website.

 

Website protection

The 7 Biggest Cybersecurity Scoops from February 2015

Cyber security February 2015

One year ago in February, the major eBay hack was in progress, eventually resulting in over 233 million passwords being stolen. Fast forward to 2015, and we’ve had several trending cyber security issues appear in just these first few weeks.

Below are 7 trending cyber security stories that you should read for February 2015.

Read More

Why Data Privacy Day is Important for the State of Web Security

Data privacy dayAs technology continues to evolve, web security threats are on the rise with an estimated 160,000 samples of malware  detected around the world each day. Unfortunately, 70% of these attacks are targeted at small businesses and other particular industries (e.g. retail, healthcare and hospitality).

Fortunately, web security has come a long way in just a few years. Thanks to national events like Data Privacy Day (DpD) which bring together privacy professionals, law enforcement and industry leaders alike, fostered communication helps to ensure the long-term viability of our digital ecosystem.

Read More

The Top 5 Website Security News Stories of 2014

website security news 2014The month of January is often a time for reflection. We’ve wrapped up an entire year and look optimistically to the year ahead of us. What we also typically do is look to the past year to see what we can learn. Now that 2015 is upon us, it’s time for reflection. What can we learn when we look at the news from the website security landscape of 2014? Below are five events we think helped change the face of website security.

1. The Snapchat Hack

Snapchat is a popular photo-messaging app, known for letting its users send photos and videos that disappear from existence shortly after the recipient views them. In August 2013, Australian security firm, Gibson Security, contacted the Snapchat team to notify them of a vulnerability in their API that would allow hackers access to user data. Snapchat didn’t respond, and on December 31st 2013, Gibson Security released the source code for the API exploit publicly (a common Google practice)..

Snapchat was hacked immediately after the code was released, and over 4.6 million usernames and phone numbers were exposed as a result.

What did we learn from the Snapchat hack? First and foremost, never ignore web security threats or they will be exploited, resulting in data loss or data exposure. Secondly, it’s important to make sure that all of your APIs contain no loopholes or backdoors into your server. Employ an expert that specializes in API development if you have to.

Lastly, if your business does become victim to a cyber attack, respond appropriately in a transparent manner and take full responsibility – even if the hack wasn’t your intentional doing. Snapchat failed to respond appropriately, and it led to massive backlash from both its users and the press.

2. Heartbleed

Heartbleed was perhaps the most infamous web security exploit of 2014. It alone put 17% (over 500,000) of the Internet’s certified web servers at risk causing mass panic and huge financial damages.

A member of Google’s Security Team, Neel Mehta, discovered the bug in April 2014. He learned that OpenSSL, a popular open-source cryptographic security software, could be exploited by allowing a hacker to easily retrieve private data on a web server, due to a programming bug. It was later named “Heartbleed” by an engineer at cyber security company, Codenomicon.

What did we learn from Heartbleed? Any software or business, including the well-established ones such as OpenSSL (around since before the dot-com era), is susceptible to a cyber attack. Regularly scanning your website for vulnerabilities, backing up private data, and archiving inactive data are all important things your business can do to help prevent and minimize cyber attacks.

3. The Fappening

During summer of 2014, The Fappening was one of the internet’s top trending stories – a massive leak of nearly 500 private (and mostly NSFW) celebrity photos originated on Imgur, Reddit and 4Chan. But, how did hackers get the photos?

According to several sources, the breach didn’t happen all at once – photos were slowly accumulated over a long period of time, using brute-force password cracking techniques to access celebrities’ iCloud (and other cloud computing) accounts. At the time, services such as iCloud were found to have a weak data access policy, giving hackers a backdoor into customers’ private data.

What did we learn from The Fappening? Ensuring that all of your business’s online access points are secure should be one of your top priorities, otherwise you risk exposure of customers’ private data. On the other hand, it’s worth educating your customers on the importance of secure passwords, lest they end up like these folks.

4. Shellshock

Shellshock became a popular security threat back in September of 2014, after being discovered by a few Unix/Linux technology specialists. Alternatively known as “Bashdoor”, Shellshock is a family of security bugs that allows hackers unauthorized access to someone’s computer through a backdoor in the Unix operating system. Once in, computers were used as part of a greater (and more dangerous) effort to create botnets and conduct DDOS attacks.

A patch for Shellshock was released within a matter of days but it was estimated that 1.5 million attacks and probes were executed per day during that time.

What did we learn from Shellshock? It’s important to have a Web Application Firewall (WAF) installed to block malicious traffic, such as “bad” bots and hackers, from attacking your website. Fortunately, SiteLock’s TrueShield WAF blocked Shellshock almost immediately after the threat was discovered.

5. SoakSoak

2014 didn’t exactly go out with a bang – near the end of December, a new strain of malware called SoakSoak was discovered, compromising more than 100,000 WordPress websites. As a result, 10,000+ domains were also blacklisted by Google, making them inaccessible to the public.

How does SoakSoak work? The malware injects malicious code into local WordPress installation files using a vulnerability in the popular RevSlider plugin, to make the victim’s website redirect to an infected URL, soaksoak.ru. Since over 74 million websites are hosted with WordPress, the SoakSoak hack evolved to include multiple strains of malware.

What did we learn from SoakSoak? Keep all of your WordPress installations up to date, and more importantly, always make sure your plugins are updated as well. Thankfully, it’s a relatively easy since the WordPress community is quick to patch issues.

An eventful 2014 taught us…

  • To stay educated about relevant security issues and respond to incidents appropriately
  • That no software or system is invulnerable
  • To secure data egress points as well as ingress
  • A web application firewall is as important as a network firewall
  • Update, update, update

Contact SiteLock today to start a free consultation with our website security specialists and learn how to protect your site.

Prepare for Trends in Website Malware Growth

As we approach the first anniversary of the massive Target data breach that opened the floodgates for thousands of other attacks, we look at whether security measures are better or worse than last year. Are we better prepared to defend against the malware that took out Target, Home Depot and thousands of smaller firms, or is the malware used in these attacks simply outrunning us?

The news is not encouraging. PandaLabs, the research arm of security firm Panda, has been tracking new malware for years. According to the company, more than 50 million new strains of malware have emerged since the Target attack, and 20 million of those strains were detected in the third quarter of this year alone. Using those numbers, that works out to a stunning 227,000 new strains of malware being introduced to the world every single day for just the last twelve weeks.

The vast majority of new malware strains and infections, more than 75% of them, were Trojans. This malware is not having much trouble finding computers and servers to infect. According to Panda, more than a third of personal computers worldwide are now infected with malware.

These statistics are even more important as we approach the busy holiday season. With more people online, surfing, searching and shopping, the spread of malware will only increase, and much of this could be Point of Sale malware.

Close cousins of the malware that was used in the massive data breaches at Home Depot and Target are now on the march. The Backoff malware, which is widely regarded as undetectable by antivirus software, increased by nearly 30% in September alone according to security firm Damballa.

Businesses are not the only targets. Researchers recently found advanced malware known as Black Energy that has been compromising industrial control systems around the world, undetected, possibly for years. As with many of the most sophisticated attacks, they have often started with a phishing email to an unsuspecting or untrained employee.

Much of this malware lies in wait for its victims. The recently discovered Dark Hotel malware has been infecting hotel Wi-Fi networks around the world. The malware lies in wait for visiting guests to use the network, then tricks them into downloading malware that includes a keylogger and other data stealing components. While all guests are vulnerable, the prime targets are traveling executives who may provide access to sensitive corporate information and networks.

So what can you do to minimize the risk? The answer is in the question. With so much malware now able to evade antivirus software, it’s time to start assuming that risk mitigation is a better and more realistic option than absolute prevention

Your best defense is a “shield’s up” approach. Identify the most common ways malware can enter your business, whether it’s through an unprotected website or a careless employee, and patch the holes in the fence.

If you’re going to assume that you can’t keep all malware out, you can still do many things to reduce the potential damage. User privilege management is one of the best defenses. If you strictly limit the access privileges of your users to just the things they absolutely need access to, you can prevent malware from jumping from the lowest level of access to the highest.

As we approach the first anniversary of the Target breach, it’s worth remembering how the attack started. Target granted almost unlimited access to a lower level employee of a small, outside, service company. Once the hackers had the user’s password, they had undetected access to Target information for months. Make sure that you’re doing everything you can to prevent these types of attacks. Don’t become the next headline. To get started on the path to a secure website, contact SiteLock for a free website security analysis.

Page 7 of 9

Powered by WordPress & Theme by Anders Norén