Page 54 of 64


PCI Compliance: The Dangers of Noncompliance

If you accept credit card payments, you’re likely familiar with PCI compliance and what it entails. If you accept credit card payments, or are considering it, and are NOT familiar with PCI compliance, be sure to take accurate notes on the information that follows.

PCI DSS Overview

Created in 2004 by the five global payment brands — Visa, Mastercard, American Express, Discover and JCB — the Payment Card Industry Data Security Standard (PCI DSS) is a security compliance requirement for businesses that handle credit cards. It was created to protect customer and cardholder data from cyber attacks and fraud.


What You Need to Know About the FancyBox for WordPress Vulnerability

FancyBox for WordPress is a plugin which provides stylized, Lightbox-like decoration for blog images. It’s a popular plugin with around half a million downloads, even though it hadn’t been updated in years. Posts emerged on the WordPress community support forum about malware injections, and a vulnerability was discovered in the FancyBox plugin.

SiteLock scanners detected the malware — a JavaScript payload with an iframe pointing to 203koko[dot]eu — before the vulnerability was known.

Here are three things to consider before moving forward with FancyBox:

Update FancyBox as soon as possible

The initial response to the FancyBox hack was to remove the plugin immediately. Since the vulnerability was disclosed, the FancyBox developer has released an update which corrects the issue and provides support for WordPress 4.1. If you’re uneasy about using FancyBox, Easy FancyBox is an actively developed alternative, though official Easy FancyBox support caps at WordPress 4.0.1.

Scan for Malware and use a WAF

One of the best ways to secure your website is to scan for malware and vulnerabilities daily and use a Web Application Firewall (WAF). The WAF blocks potential threats (e.g. DDoS attacks) before they reach your website, while the daily scans identify malware and vulnerabilities that have already been placed on your site.

Update your WordPress plugins and themes

WordPress has done a wonderful job facilitating near-painless backups for its users, and from the late 3.x releases onward, core upgrades are essentially automatic. But what about plugins? More plugins, more problems, as the saying goes. It’s not always easy to wrangle the compatibility issues that come with the broad capabilities plugins add to a WordPress site.

Take it one plugin at a time. Research the plugin’s compatibility with the WordPress version you have, and then test it (with the previously mentioned backup at the ready).

SiteLock’s security experts, services and products constantly monitor site files and traffic for malicious indicators. As with FancyBox, we’ll continue to find and mitigate malware even before a vulnerability becomes known.

Contact SiteLock today to learn how website security software can help protect your website.

Three Ways to Boost Website Security and SEO at the Same Time

SEO (Search Engine Optimization) is the process of improving your website’s ranking in search engines like Google and Bing. Over the past few years, SEO has evolved considerably. Keywords and backlinks (other websites linking back to yours) used to have a huge impact on SEO rankings, but have since been superseded by newer algorithms such as Google’s Penguin and Hummingbird, which aim to reduce black-hat (negative) SEO techniques such as link spam.

With cyber attacks on the rise, search engines have been increasingly factoring spam injections, malware infections, and website speed into their ranking algorithms. Properly securing your website can provide a large boost to your SEO rankings. Below are three ways you can improve your website’s SEO ranking by securing it.

1. Moderate comment spam

Malicious links hosted on your website can negatively impact your SEO and, in the worst case, can get your website flagged as malware or spam, preventing users from accessing it.

One of the easiest ways for hackers to place malicious or irrelevant links on your site is through comments on your blog. These links damage your site’s authority and credibility so managing them is critical. Fortunately, there are several things you can do to automate the moderation process of comments:

  • If you’re using a Content Management System (CMS) like WordPress, look into one of their comment system plugins
  • Enable CAPTCHAs when possible, as an extra layer of security
  • Disable anonymous posting, and only allow registered users to post comments
  • If you have an active moderator, require that comments be approved before they are posted on your website
  • Enable a web application firewall (similar to our TrueShield WAF) which will block malicious bots from accessing your site to begin with
  • If you’re still having trouble with comment spam, you should disallow hyperlinks in comments altogether

2. Regularly scan your website for malware

Oftentimes, malware and malicious links are injected into the code of your website without notice, negatively affecting your SEO and potentially harming your visitors. Reversing the damage is both difficult and time consuming, since injected malware is usually hidden and made to look like regular code, and your hard-won SEO rankings may be lost in the meantime.

A website malware scanning tool can scan your code each day for malware (and suspected malware) and in some cases automatically remove the threats or point you directly to the suspected malware. This means you don’t have to search line-by-line through code in the event that your website is compromised. The SiteLock Website Scanning and Malware Removal product provides automated alerts to help you avoid search engine blacklisting, saving your business’s reputation and SEO positions.

3. Cache website data with a CDN

Malware can dramatically increase the time it takes a website to load, if it allows it to load at all. But even a malware-free website can improve its SEO, performance, and security at the same time. A CDN (Content Delivery Network) is a website optimization infrastructure that works by caching a website’s content across data centers around the globe. This results in quicker website load times since content is served locally to visitors. It also improves website security since, as is the case with the SiteLock CDN, data is fully encrypted both in transit and at rest.

Major search engines like Google factor load times into their SEO algorithms (time to first byte – TTFB), so by using a CDN, your website can experience a boost in SEO while improving security at the same time.

Want to see how your SEO stacks up? Many online tools can scan your website and provide suggestions to improve your SEO. Contact a SiteLock Security Consultant today to learn what solutions are the right fit for your site.

The 7 Biggest Cybersecurity Scoops from February 2015


One year ago in February, the major eBay hack was in progress, eventually resulting in over 233 million passwords being stolen. Fast forward to 2015, and we’ve had several trending cyber security issues appear in just these first few weeks.

Below are 7 trending cyber security stories that you should read for February 2015.


UpdraftPlus Presents Website Security Concerns

UpdraftPlus is a premium WordPress plugin that automates WordPress file and database backup as well as restoration to the cloud. The free version prior to 1.9.51, and versions without the “automatic backups” or “no adverts” add-ons, are vulnerable to security token, or nonce, disclosure which allows malicious actors outside your company to perform administrative-level actions like downloading sensitive configuration files and uploading remote control shells.

What should you do as a WordPress and UpdraftPlus user?

If you’re a SiteLock customer with TrueShield, breathe easy. Thanks to the TrueShield Virtual Patching, patching UpdraftPlus is automatic.

SiteLock protects WordPress site owners from the UpdraftPlus vulnerability with the SiteLock TrueShield web application firewall with Virtual Patching, regardless of UpdraftPlus version. TrueShield analyzes site traffic and stops attempted unauthorized security token use, again, even before the patch is applied.

If you don’t have SiteLock, you’ll need to update UpdraftPlus to version 1.9.51 as soon as possible. With disclosure, automated attacks follow, and without a firewall like TrueShield, or SiteLock’s SMART scanner which finds malicious code as soon as it hits your site, updates are your best defense.

For more information on SiteLock security solutions call 877.563.2791.

Infographic: How to Beat a Web Hacker

Did you know that hacking was the number one crime Americans feared in 2014, above car theft, burglary and terrorism? Take a look at SiteLock’s new infographic below, for more web security statistics and five things you can do to mitigate cyber attacks.

[Infographic: How to Beat a Web Hacker]

Ready to protect your website from hackers? Call SiteLock at 877.563.2791.


The GHOST Vulnerability: What You Need to Know

GHOST is now a household name to those even peripherally involved in information security. GHOST is a buffer overflow vulnerability found in certain versions of glibc, the GNU C library, and it’s named after the functions used to reach the exploitable code in the library, gethostbyname() and gethostbyname2().

What has SiteLock done to address the GHOST scourge, and what do SiteLock customers need to know moving forward?

SiteLock patched all TrueShield and TrueSpeed servers against the GHOST vulnerability on September 28, the day after disclosure. Signatures mitigating XML-RPC exploits, which could be used against WordPress installs for example, were implemented beginning the week of February 2nd. And as always, our security team is constantly on the lookout for signs of new GHOST exploitation.

We recommend that SiteLock customers patch all servers running vulnerable versions of glibc, glibc-2.2 to glibc-2.17, to glibc-2.18 or higher. All major Linux vendors have released patches for glibc; they should be applied and servers rebooted as soon as possible. Also be aware of SUID-root programs on servers which use gethostbyname*(). To find SUID binaries on a system — a sound security practice regardless of GHOST — open a root shell and run the following command (the semicolon that terminates -exec must be escaped from the shell).

# find / -user root -perm -4000 -exec ls -ldb {} \; | tee suid.list
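The two checks above, version range and SUID-root binaries that actually import gethostbyname*(), as an added example script that is not from the original post. It assumes a glibc-based Linux host with getconf and binutils (nm) installed, and it only scans when invoked with --scan.

```shell
#!/bin/sh
# Added example (not SiteLock's code): GHOST triage checks mirroring the post.
# Assumes a glibc-based Linux host with getconf and binutils (nm) available.

# Succeed if a glibc version string (e.g. "2.17") falls in the range the post
# calls vulnerable: glibc 2.2 through 2.17, with 2.18 and later fixed.
# Caveat: distributions backport fixes, so a version in this range may already
# carry the vendor patch; confirm against your vendor advisory and changelog.
glibc_in_vulnerable_range() {
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%.*}
  [ "$major" -eq 2 ] && [ "$minor" -ge 2 ] && [ "$minor" -le 17 ]
}

# Version of the glibc this host runs, e.g. "2.31" (getconf prints "glibc 2.31").
installed_glibc_version() {
  getconf GNU_LIBC_VERSION 2>/dev/null | awk '{print $2}'
}

# Read `nm -D` output on stdin; succeed if the binary imports any function of
# the gethostbyname family (gethostbyname, gethostbyname2 and their _r variants).
imports_gethostbyname() {
  grep -Eq '[[:space:]]U[[:space:]]+gethostbyname'
}

# Print SUID-root binaries under $1 that import gethostbyname*(): the same
# search as the find command above, narrowed to binaries GHOST can reach.
suid_root_using_gethostbyname() {
  find "$1" -xdev -user root -perm -4000 -type f 2>/dev/null |
  while IFS= read -r bin; do
    if nm -D "$bin" 2>/dev/null | imports_gethostbyname; then
      printf '%s\n' "$bin"
    fi
  done
}

# Only scans when run as: sh ghost_check.sh --scan [root_dir]
if [ "${1:-}" = "--scan" ]; then
  v=$(installed_glibc_version)
  if glibc_in_vulnerable_range "$v"; then
    echo "glibc $v is in the vulnerable upstream range (2.2 to 2.17)"
  else
    echo "glibc $v is outside the vulnerable upstream range"
  fi
  echo "SUID-root binaries importing gethostbyname*():"
  suid_root_using_gethostbyname "${2:-/}"
fi
```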

For assistance with the GHOST vulnerability call the SiteLock team at 877.563.2791.

DDoS: How to Prevent Hackers from Overloading Your Web Server

Web security has become one of the hottest topics of the past few years, with cyber attacks originating in many forms. In 2014 alone, we had the Snapchat hack, Heartbleed, Shellshock, SoakSoak and many other attacks (you can learn more about each of them here).


Why Data Privacy Day is Important for the State of Web Security

As technology continues to evolve, web security threats are on the rise, with an estimated 160,000 samples of malware detected around the world each day. Unfortunately, 70% of these attacks are targeted at small businesses and other particular industries (e.g. retail, healthcare and hospitality).

Fortunately, web security has come a long way in just a few years. Thanks to national events like Data Privacy Day (DpD), which bring together privacy professionals, law enforcement and industry leaders alike, the communication they foster helps to ensure the long-term viability of our digital ecosystem.


The Top 5 Website Security News Stories of 2014

The month of January is often a time for reflection. We’ve wrapped up an entire year and look optimistically to the year ahead of us. What we also typically do is look to the past year to see what we can learn. Now that 2015 is upon us, it’s time for reflection. What can we learn when we look at the news from the website security landscape of 2014? Below are five events we think helped change the face of website security.

1. The Snapchat Hack

Snapchat is a popular photo-messaging app, known for letting its users send photos and videos that disappear from existence shortly after the recipient views them. In August 2013, Australian security firm Gibson Security contacted the Snapchat team to notify them of a vulnerability in their API that would allow hackers access to user data. Snapchat didn’t respond, and on December 31st 2013, Gibson Security released the source code for the API exploit publicly (a common Google practice).

Snapchat was hacked immediately after the code was released, and over 4.6 million usernames and phone numbers were exposed as a result.

What did we learn from the Snapchat hack? First and foremost, never ignore web security threats or they will be exploited, resulting in data loss or data exposure. Secondly, it’s important to make sure that all of your APIs contain no loopholes or backdoors into your server. Employ an expert that specializes in API development if you have to.

Lastly, if your business does become victim to a cyber attack, respond appropriately in a transparent manner and take full responsibility – even if the hack wasn’t your intentional doing. Snapchat failed to respond appropriately, and it led to massive backlash from both its users and the press.

2. Heartbleed

Heartbleed was perhaps the most infamous web security exploit of 2014. It alone put 17% (over 500,000) of the Internet’s certified web servers at risk causing mass panic and huge financial damages.

A member of Google’s Security Team, Neel Mehta, discovered the bug in April 2014. He learned that OpenSSL, popular open-source cryptographic software, could be exploited to let a hacker easily retrieve private data from a web server, due to a programming bug. It was later named “Heartbleed” by an engineer at the cyber security company Codenomicon.

What did we learn from Heartbleed? Any software or business, including the well-established ones such as OpenSSL (around since before the dot-com era), is susceptible to a cyber attack. Regularly scanning your website for vulnerabilities, backing up private data, and archiving inactive data are all important things your business can do to help prevent and minimize cyber attacks.

3. The Fappening

During summer of 2014, The Fappening was one of the internet’s top trending stories – a massive leak of nearly 500 private (and mostly NSFW) celebrity photos originated on Imgur, Reddit and 4Chan. But, how did hackers get the photos?

According to several sources, the breach didn’t happen all at once – photos were slowly accumulated over a long period of time, using brute-force password cracking techniques to access celebrities’ iCloud (and other cloud computing) accounts. At the time, services such as iCloud were found to have a weak data access policy, giving hackers a backdoor into customers’ private data.

What did we learn from The Fappening? Ensuring that all of your business’s online access points are secure should be one of your top priorities, otherwise you risk exposure of customers’ private data. On the other hand, it’s worth educating your customers on the importance of secure passwords, lest they end up like these folks.

4. Shellshock

Shellshock became a popular security threat back in September of 2014, after being discovered by a few Unix/Linux technology specialists. Alternatively known as “Bashdoor”, Shellshock is a family of security bugs that allows hackers unauthorized access to someone’s computer through a backdoor in the Unix operating system. Once in, computers were used as part of a greater (and more dangerous) effort to create botnets and conduct DDoS attacks.

A patch for Shellshock was released within a matter of days but it was estimated that 1.5 million attacks and probes were executed per day during that time.

What did we learn from Shellshock? It’s important to have a Web Application Firewall (WAF) installed to block malicious traffic, such as “bad” bots and hackers, from attacking your website. Fortunately, SiteLock’s TrueShield WAF blocked Shellshock almost immediately after the threat was discovered.

5. SoakSoak

2014 didn’t exactly go out with a bang – near the end of December, a new strain of malware called SoakSoak was discovered, compromising more than 100,000 WordPress websites. As a result, 10,000+ domains were also blacklisted by Google, making them inaccessible to the public.

How does SoakSoak work? The malware injects malicious code into local WordPress installation files using a vulnerability in the popular RevSlider plugin, to make the victim’s website redirect to an infected URL, soaksoak.ru. Since over 74 million websites are hosted with WordPress, the SoakSoak hack evolved to include multiple strains of malware.

What did we learn from SoakSoak? Keep all of your WordPress installations up to date, and more importantly, always make sure your plugins are updated as well. Thankfully, it’s relatively easy since the WordPress community is quick to patch issues.

An eventful 2014 taught us…

  • To stay educated about relevant security issues and respond to incidents appropriately
  • That no software or system is invulnerable
  • To secure data egress points as well as ingress
  • A web application firewall is as important as a network firewall
  • Update, update, update

Contact SiteLock today to start a free consultation with our website security specialists and learn how to protect your site.
