Category: Cybersecurity News Page 8 of 10


The WordPress Genericons XSS Vulnerability

Earlier this week a security researcher reported a cross-site scripting vulnerability, also known as an XSS vulnerability, in the WordPress icon package, Genericons. Genericons is an icon package that was used with the default-installed WordPress theme, Twenty Fifteen. Genericons included an HTML file, named example.html, which contained the cross-site scripting flaw.

About The Genericons XSS Vulnerability

The XSS vulnerability was DOM (Document Object Model) based, meaning it could potentially control how the browser handles a requested page. The victim would have to be coaxed into clicking a malicious link, which reduces the severity, though the exploit remains widely deployed all the same.

Read More

OTA Receives SC Magazine Editor’s Choice Award

OTA (The Online Trust Alliance) was awarded SC Magazine’s Editor’s Choice award earlier this week, thanks to the input from SC Magazine’s editors and over 40,000 readers. SC Magazine chose to award the OTA based on its efforts to improve SSL best practices, botnet frameworks, integrity in email and data breach readiness.

OTA was also cited for its work in public policy and success in convening multi-stakeholder efforts.

Read More


The Magento Remote Code Execution Vulnerability

Earlier this week, a remote code execution vulnerability against Magento, the eBay-owned free and paid eCommerce platform, was disclosed. Security researchers chained together multiple smaller vulnerabilities to ultimately run arbitrary code on the server hosting Magento.

Read More


XSS Vulnerability Found In WP Super Cache Plugin

A cross-site scripting (XSS) vulnerability was recently revealed in the WordPress caching plugin, WP Super Cache.

What Does The WP Super Cache Plugin Do?

WP Super Cache converts dynamic WordPress pages into static HTML. This creates pages that are quicker to serve to visitors than a database-generated page. Because it works so well for high-traffic sites, WP Super Cache has become popular enough to garner over a million downloads.

Read More

OTA’s 2015 Data Protection and Breach Readiness Guide

The Online Trust Alliance (OTA) recently released its 2015 Data Protection and Breach Readiness Guide for the seventh consecutive year. The guide gives businesses prescriptive advice for optimizing data privacy and security practices in order to prevent, detect, contain and remediate the risk and impact of data loss incidents and breaches.

Read More

Don’t FREAK: Key Facts About the Latest OpenSSL Vulnerabilities

FREAK (Factoring Attack on RSA-EXPORT Key) is one of the latest web security threats to go public. It works by weakening users’ encrypted connections on SSL and TLS, allowing a hacker to intercept and decipher data.

The threat mostly affects mobile device browsers, such as Apple’s Safari and Android device browsers, but it also affects older versions of OpenSSL including 1.0.2, 1.0.1, 1.0.0 and 0.9.8. For OpenSSL version 1.0.2 the vulnerability has been classified as “high” severity.

Read More


SQL Injection Vulnerability In Yoast WordPress SEO

This past Wednesday, Yoast, makers of one of the most popular WordPress plugins, WordPress SEO by Yoast, disclosed a blind SQL injection vulnerability that can be used against authenticated users following a successful cross-site request forgery (CSRF) attack.

What is blind SQL injection and CSRF, how can the WordPress SEO vulnerability affect your site, and what should you do about it?

Read More


The State of Cybersecurity in March 2015


Protect your website from hackers and cybercrime.

With the shortest month of the year now in the books, it’s time to look at the top trending cybersecurity stories for March. Below are our picks for the top three security stories you should be reading this month:

The Latest FREAKy Web Security Bug

A new web security bug was discovered recently, leaving some Apple and Google device owners vulnerable to attack when visiting “secure” websites. It’s called FREAK (which stands for Factoring Attack on RSA-EXPORT Key), and works by weakening encrypted connections on SSL and TLS, which in turn allows an attacker to intercept and decipher the “secure” data.

Apparently the security flaw has been around for more than 10 years, but a fix is quickly on the way. Not to fear, SiteLock TrueShield customers are protected from this vulnerability. Learn more about FREAK here on PCMag.

Uber Finally Admits Data Breach

Almost a year later, on-demand taxi service Uber has announced that over 50,000 of its drivers’ personal information was stolen in May 2014. The cause? Apparently an unauthorized third party got access into Uber’s database. The hack was patched back in September, and Uber has provided one year of free credit monitoring to affected drivers. Learn more about the cybersecurity breach here on The Drum.

The Rise and Fall of Superfish

Did you know that Superfish was once a promising and rapidly growing Silicon Valley startup? They ended up striking a deal with PC manufacturer Lenovo, to have its software installed on their consumer PCs. Little did the public know, the Superfish software was logging online movement of its users, and hijacked online security systems, as revealed by a security researcher early this year.

The results were catastrophic, and Lenovo went into damage control mode. The company eventually released a Superfish uninstaller software, but by then a lot of damage had been done. Unfortunately, you don’t always know what you are getting when it comes to free software (“freeware” as it’s been coined recently). You can check out more info on the story here.

Stay Out of the News

No one wants to be featured in a headline about the latest data breach. Explore the comprehensive, cloud-based security solutions offered by SiteLock.

What You Need to Know About the FancyBox for WordPress Vulnerability

FancyBox for WordPress is a plugin which provides stylized, Lightbox-like decoration for blog images. It’s a popular plugin with around half a million downloads, even though it hadn’t been updated in years. Posts emerged on the WordPress community support forum about malware injections, and a vulnerability was discovered in the FancyBox plugin.

SiteLock scanners detected the malware — a Javascript payload with an iframe pointing to 203koko[dot]eu — before the vulnerability was known.

Here are three things to consider before moving forward with FancyBox:

Update FancyBox as soon as possible

The initial response to the FancyBox hack was to remove it immediately. Since the vulnerability was released, the FancyBox developer has released an update which corrects the issue and provides support for WordPress 4.1. If you’re uneasy about using FancyBox, Easy FancyBox is an actively developed alternative, though official Easy FancyBox support caps at WordPress 4.0.1.

Scan for Malware and use a WAF

One of the best ways to secure your website is to scan for malware and vulnerabilities on a daily basis and use a Web Application Firewall (WAF). The WAF will block potential threats from entering your website (e.g. DDoS attacks) while the daily scans will identify malware and vulnerabilities that have been placed on your site.

Update your WordPress plugins and themes

WordPress has done a wonderful job facilitating near-painless backups for its users. Once you get to the late 3.x releases, upgrades are essentially automatic. But what about plugins? More plugins, more problems, as the saying goes. Sometimes it’s not easy to wrangle the compatibility issues which come with the amazing and broad capabilities plugins add to a WordPress site.

Take it one plugin at a time. Research the plugin’s compatibility with the WordPress version you have, and then test it (with the previously mentioned backup at the ready).

SiteLock’s team of experts, expert services and products constantly monitor site files and traffic for malicious indicators. As with FancyBox, we’ll continue to find and mitigate malware even before a vulnerability becomes known.

Contact SiteLock today to learn how website security software can help protect your website.



The 7 Biggest Cybersecurity Scoops from February 2015


One year ago in February, the major eBay hack was in progress, eventually resulting in over 233 million passwords being stolen. Fast forward to 2015, and we’ve had several trending cyber security issues appear in just these first few weeks.

Below are 7 trending cyber security stories that you should read for February 2015.

Read More
