Tag: heartbleed


The 7 Biggest Cybersecurity Scoops from February 2015


One year ago in February, the major eBay hack was in progress, eventually resulting in over 233 million passwords being stolen. Fast forward to 2015, and we’ve had several trending cyber security issues appear in just these first few weeks.

Below are 7 trending cyber security stories that you should read for February 2015.


The Top 5 Website Security News Stories of 2014

The month of January is often a time for reflection. We’ve wrapped up an entire year and look optimistically to the year ahead of us. What we also typically do is look to the past year to see what we can learn. Now that 2015 is upon us, it’s time for reflection. What can we learn when we look at the news from the website security landscape of 2014? Below are five events we think helped change the face of website security.

1. The Snapchat Hack

Snapchat is a popular photo-messaging app, known for letting its users send photos and videos that disappear shortly after the recipient views them. In August 2013, the Australian security firm Gibson Security contacted the Snapchat team to notify them of a vulnerability in its API that would give hackers access to user data. Snapchat didn’t respond, and on December 31st 2013 Gibson Security publicly released the source code for the API exploit (a common Google practice).

Snapchat was hacked immediately after the code was released, and over 4.6 million usernames and phone numbers were exposed as a result.

What did we learn from the Snapchat hack? First and foremost, never ignore web security threats, or they will be exploited, resulting in data loss or data exposure. Secondly, make sure that none of your APIs contain loopholes or backdoors into your server. Employ an expert who specializes in API development if you have to.

Lastly, if your business does fall victim to a cyber attack, respond appropriately and transparently, and take full responsibility – even if the hack wasn’t your intentional doing. Snapchat failed to respond appropriately, and that led to massive backlash from both its users and the press.

2. Heartbleed

Heartbleed was perhaps the most infamous web security exploit of 2014. It alone put 17% (over 500,000) of the Internet’s certificate-bearing web servers at risk, causing mass panic and huge financial damage.

A member of Google’s security team, Neel Mehta, discovered the bug in April 2014. He found that a programming bug in OpenSSL, a popular open-source cryptographic library, allowed a hacker to easily retrieve private data from a web server. The bug was later named “Heartbleed” by an engineer at the cyber security company Codenomicon.

What did we learn from Heartbleed? Any software or business, including well-established ones such as OpenSSL (around since before the dot-com era), is susceptible to a cyber attack. Regularly scanning your website for vulnerabilities, backing up private data, and archiving inactive data are all important steps your business can take to help prevent and minimize cyber attacks.

3. The Fappening

During the summer of 2014, The Fappening was one of the internet’s top trending stories – a massive leak of nearly 500 private (and mostly NSFW) celebrity photos that originated on Imgur, Reddit and 4chan. But how did hackers get the photos?

According to several sources, the breach didn’t happen all at once – photos were slowly accumulated over a long period of time, using brute-force password cracking to access celebrities’ iCloud (and other cloud) accounts. At the time, services such as iCloud were found to have weak data access policies, giving hackers a backdoor into customers’ private data.

What did we learn from The Fappening? Ensuring that all of your business’s online access points are secure should be one of your top priorities; otherwise you risk exposing customers’ private data. It’s also worth educating your customers on the importance of secure passwords, lest they end up like these folks.

4. Shellshock

Shellshock became a widely reported security threat back in September 2014, after being discovered by a few Unix/Linux technology specialists. Alternatively known as “Bashdoor”, Shellshock is a family of security bugs that gives hackers unauthorized access to someone’s computer through a backdoor in the Unix operating system. Once in, the compromised computers were used as part of a greater (and more dangerous) effort to build botnets and conduct DDoS attacks.

A patch for Shellshock was released within a matter of days, but it was estimated that 1.5 million attacks and probes were executed per day during that window.

What did we learn from Shellshock? It’s important to have a Web Application Firewall (WAF) in place to block malicious traffic, such as “bad” bots and hackers, from attacking your website. Fortunately, SiteLock’s TrueShield WAF blocked Shellshock almost immediately after the threat was discovered.

5. SoakSoak

2014 didn’t exactly go out with a bang – near the end of December, a new strain of malware called SoakSoak was discovered, compromising more than 100,000 WordPress websites. As a result, 10,000+ domains were also blacklisted by Google, making them inaccessible to the public.

How does SoakSoak work? The malware uses a vulnerability in the popular RevSlider plugin to inject malicious code into local WordPress installation files, making the victim’s website redirect to an infected URL, soaksoak.ru. With over 74 million websites hosted on WordPress, the SoakSoak hack evolved to include multiple strains of malware.

What did we learn from SoakSoak? Keep all of your WordPress installations up to date and, more importantly, always make sure your plugins are updated as well. Thankfully, this is relatively easy since the WordPress community is quick to patch issues.

An eventful 2014 taught us…

  • To stay educated about relevant security issues and respond to incidents appropriately
  • That no software or system is invulnerable
  • To secure data egress points as well as ingress
  • A web application firewall is as important as a network firewall
  • Update, update, update

Contact SiteLock today to start a free consultation with our website security specialists and learn how to protect your site.

11 Things You Should Know About the Heartbleed Bug

It won’t actually make your heart bleed, and you can’t catch it. But it has caused a lot of heartburn since it was announced and has probably caused lots of websites to bleed valuable data. Here is a list of eleven things you should know about the Heartbleed bug.

  1. It’s a flaw in OpenSSL, security software that protects a user’s communications with a website (the s in https), and around half a million secure web servers may have been affected.
  2. “Open” means it’s open source and free for anyone to use. It also means all the code is freely available and has been since OpenSSL was first introduced more than 15 years ago.
  3. It’s a very big deal. According to Bloomberg “Heartbleed appears to be one of the biggest flaws in the Internet’s history, affecting the basic security of as many as two-thirds of the world’s websites.”
  4. It was discovered just recently by a security firm. But it’s apparently been known to the criminal community for a couple of years, and they may have been quietly exploiting it all that time.
  5. Heartbleed is not actually a virus or malware or a hack but simply a mistake in software coding made, probably innocently, by one of the many contributors to the OpenSSL project.
  6. It can steal user passwords and credit card numbers – things that are most often protected by SSL.
  7. Some of the biggest sites on the web have been affected, from Gmail and Yahoo to Facebook, Instagram, Pinterest, Google, Amazon, Netflix, and YouTube. However, it’s unlikely your bank’s website has been affected because few banks actually use OpenSSL.
  8. A number of news outlets say that criminals weren’t the only ones who knew about Heartbleed and were quietly exploiting it. Some are accusing the NSA of knowing about Heartbleed for nearly two years and using the flaw as a spying tool.
  9. If in doubt, change passwords for all your important websites, then change them again in a few weeks. Some websites are slow to fix the flaw, so it might be safer to change passwords more than once.
  10. If you want to check whether or not a website is still unpatched and vulnerable to Heartbleed, there are plenty of places to do so. Try https://filippo.io/Heartbleed/.
  11. If you host a website, make sure you apply the security update. You can get more information at http://www.openssl.org/.
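The “programming bug” mentioned in the 2014 round-up above and the “mistake in software coding” in item 5 are the same class of defect. As an added illustration (not the page’s or OpenSSL’s own code), this simplified C model of a TLS heartbeat handler puts the unchecked length copy beside the bounds-checked form; the record layout, the `SECRET-PRIVATE-KEY-MATERIAL` bytes and the function names are constructed for the demo.

```c
/* Added illustration of the Heartbleed bug class: a length field trusted without
 * checking it against the bytes received. Simplified model, not OpenSSL's code. */
#include <stddef.h>
#include <string.h>

#define HB_RESPONSE 2
#define HB_PADDING  16   /* RFC 6520: at least 16 bytes of padding */
/* Constructed memory image: a 3-byte heartbeat record (type=1, claimed payload
 * length 0xffff) followed by unrelated adjacent data; the rest is zero. */
static const unsigned char g_heap[64] =
    "\x01\xff\xff" "SECRET-PRIVATE-KEY-MATERIAL";
/* Well-formed request: payload "hello" (5 bytes) plus 16 zero padding bytes. */
static const unsigned char g_valid_rec[24] = "\x01\x00\x05hello";

/* Pre-fix behaviour: copies the claimed payload length without checking
 * how much was received, so adjacent memory leaks into the response. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap) {
    (void)rec_len;                        /* never consulted: that is the bug */
    size_t n = (size_t)(rec[1] << 8 | rec[2]);
    if (n > out_cap - 3) n = out_cap - 3; /* demo-only cap to stay in-bounds */
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, n);          /* reads far past the 3-byte record */
    return 3 + n;
}

/* Post-fix behaviour: silently drop any record whose claimed payload plus
 * header and minimum padding does not fit in what was actually received. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;
    size_t n = (size_t)(rec[1] << 8 | rec[2]);
    if (1 + 2 + n + HB_PADDING > rec_len || 3 + n > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, n);
    return 3 + n;
}

/* 1 if fn, fed only the 3 received bytes, echoes the adjacent secret; else 0. */
int leaks_secret(size_t (*fn)(const unsigned char *, size_t,
                              unsigned char *, size_t)) {
    unsigned char resp[32] = {0};
    size_t n = fn(g_heap, 3, resp, sizeof resp);
    return n >= 9 && memcmp(resp + 3, "SECRET", 6) == 0;
}
/* Response length the fixed handler produces for the well-formed request. */
size_t fixed_handles_valid(void) {
    unsigned char resp[32];
    return heartbeat_fixed(g_valid_rec, sizeof g_valid_rec, resp, sizeof resp);
}
```

The vulnerable handler returns 32 bytes of which 27 never belonged to the request, while the fixed handler discards the malformed record and still answers the well-formed one with an 8-byte response.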

To help keep your website protected, all SiteLock plans SecureSpeed and higher include daily vulnerability scanning that detects Heartbleed and similar issues. To learn more, call 855-378-6200.
