Tag: Vulnerabilities

What You Need to Know About the FancyBox for WordPress Vulnerability

FancyBox for WordPress is a plugin that provides stylized, Lightbox-like decoration for blog images. It’s a popular plugin with around half a million downloads, even though it hadn’t been updated in years. Posts emerged on the WordPress community support forum about malware injections, and a vulnerability was discovered in the FancyBox plugin.

SiteLock scanners detected the malware — a JavaScript payload with an iframe pointing to 203koko[dot]eu — before the vulnerability was known.

Here are three things to consider before moving forward with FancyBox:

Update FancyBox as soon as possible

The initial response to the FancyBox hack was to remove the plugin immediately. Since the vulnerability was disclosed, the FancyBox developer has released an update which corrects the issue and provides support for WordPress 4.1. If you’re uneasy about using FancyBox, Easy FancyBox is an actively developed alternative, though official Easy FancyBox support caps at WordPress 4.0.1.

Scan for Malware and use a WAF

One of the best ways to secure your website is to scan for malware and vulnerabilities on a daily basis and use a Web Application Firewall (WAF). The WAF will block potential threats from entering your website (e.g. DDoS attacks) while the daily scans will identify malware and vulnerabilities that have been placed on your site.

Update your WordPress plugins and themes

WordPress has done a wonderful job facilitating near-painless backups for its users. Once you get to the late 3.x releases, upgrades are essentially automatic. But what about plugins? More plugins, more problems, as the saying goes. Sometimes it’s not easy to wrangle the compatibility issues which come with the amazing and broad capabilities plugins add to a WordPress site.

Take it one plugin at a time. Research the plugin’s compatibility with the WordPress version you have, and then test it (with the previously mentioned backup at the ready).

SiteLock’s team of experts, expert services and products constantly monitor site files and traffic for malicious indicators. As with FancyBox, we’ll continue to find and mitigate malware even before a vulnerability becomes known.

Contact SiteLock today to learn how website security software can help protect your website.


The 7 Biggest Cybersecurity Scoops from February 2015


One year ago in February, the major eBay hack was in progress, eventually resulting in over 233 million passwords being stolen. Fast forward to 2015, and we’ve had several trending cyber security issues appear in just these first few weeks.

Below are 7 trending cyber security stories that you should read for February 2015.


The GHOST Vulnerability: What You Need to Know

GHOST is now a household name to those even peripherally involved in information security. GHOST is the buffer overflow vulnerability found in certain versions of glibc, the GNU C library, and it’s named after the functions used to reach the exploitable code in the library, gethostbyname() and gethostbyname2().

What has SiteLock done to address the GHOST scourge, and what do SiteLock customers need to know moving forward?

SiteLock patched all TrueShield and TrueSpeed servers against the GHOST vulnerability on September 28, the day after disclosure. Signatures mitigating XML-RPC exploits, which could be used against WordPress installs for example, were implemented beginning the week of February 2nd. And as always, our security team is constantly on the lookout for signs of new GHOST exploitation use.

We recommend that SiteLock customers patch all servers running vulnerable versions of glibc, glibc-2.2 to glibc-2.17, to glibc-2.18 or higher. All major Linux vendors released patches for glibc; apply them and reboot the servers as soon as possible. Also be aware of SUID-root programs on servers which use gethostbyname*(). To find SUID binaries on a system — a sound security practice regardless of GHOST — open a root shell and run the following command.

# find / -user root -perm -4000 -exec ls -ldb {} \; | tee suid.list
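
The two checks described above, combined as an added example (not SiteLock's code): it tests an upstream glibc version against the range the article lists and narrows the SUID list to files that mention gethostbyname. The function names are hypothetical, and the string match is a heuristic assumed here, not a definitive test.

```shell
#!/bin/sh
# Added example, not SiteLock's code; function names are hypothetical.

# Succeeds if an upstream glibc version (e.g. "2.17") lies in the range the
# article lists as vulnerable, glibc-2.2 to glibc-2.17. Vendors backport the
# fix without changing this number, so a hit means "confirm the patched
# package is installed", not "confirmed vulnerable". Returns 2 if unparsable.
glibc_in_ghost_range() {
    case "$1" in *.*) ;; *) return 2 ;; esac
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    case "$major.$minor" in .*|*.|*[!0-9.]*) return 2 ;; esac
    [ "$major" -eq 2 ] && [ "$minor" -ge 2 ] && [ "$minor" -le 17 ]
}

# Print set-UID files under directory $1 owned by user $2 (default root) that
# contain the string "gethostbyname". Dynamically linked programs keep imported
# symbol names in the file, so this narrows the article's SUID list to likely
# resolver callers. Assumption: a string match is only a heuristic; static
# binaries and calls made through other libraries are missed.
suid_resolver_callers() {
    find "$1" -type f -user "${2:-root}" -perm -4000 \
        -exec grep -q gethostbyname {} \; -print 2>/dev/null
}

# Report the running glibc version and the matching SUID files under $1.
ghost_triage() {
    ver=$(getconf GNU_LIBC_VERSION 2>/dev/null) || ver=""
    ver=${ver#glibc }
    if glibc_in_ghost_range "$ver"; then
        echo "glibc $ver: in the listed range, confirm the vendor patch"
    else
        echo "glibc ${ver:-unknown}: outside the listed range or not glibc"
    fi
    suid_resolver_callers "$1"
}

# Run the report only when a directory is given, e.g.: sh ghost_triage.sh /
if [ $# -gt 0 ]; then ghost_triage "$1"; fi
```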

For assistance with the GHOST vulnerability call the SiteLock team at 877.563.2791.


All a Website Wants for Christmas is Website Security

Dear Santa,

This is my first ever Christmas letter to you. I don’t like to ask for much, but I’m desperate. I’ve been a website for, gosh, going on three years now. Don’t get me wrong, I love my job. My owner’s great, new people visit me every day from all around the world, and my graphics are to die for. There’s never a dull moment, even when my owner is sleeping. Which of course, I never do.

But there’s a problem. My owner is so busy building the business, managing cash flow, and getting orders out the door, that she has little time for things like website security. Besides, she says she doesn’t have a technical background or know much about cybersecurity.

And that has left me feeling, well, vulnerable. Which is not a good thing on the Internet when I’m completely exposed to so many strangers. But my owner really needs the website to showcase her work and generate online orders. And being blacklisted by the search engines would make her very upset. But I worry about what might happen if she doesn’t put everything else aside, just for a moment, and think about website security.

With that in mind, here are just a few things that I would absolutely love this year. Not really for me, but for my owner. I’m doing all this for her, which I think is a very unselfish act. So I hope you’ll do your best to get me as many things on my list as you can.

Here goes.

  • First, I’d love someone to watch over me. I know where my weaknesses are, but my owner doesn’t, and she doesn’t have the time to guard me every second of the day. So a website security or monitoring service would be just great. Everyone can sleep easier and I’ll feel much less naked and vulnerable.
  • A new password would be great. Would it be asking too much to ask for a new website password say, every three months? Maybe one with a number or two, or heaven forbid a special character!? That could significantly reduce the chances that hackers will guess or crack my password and have access to who knows what. And a strong, random, and well-protected password would be ideal. I mean, what good is a password if it doesn’t do its job very well. Not complaining or criticizing, just saying.
  • This might be asking too much, but any chance you could help me get rid of this stuff I’m not using anymore. I feel so bogged down lately with all this old, outdated code and images that no one even uses. It takes every bit of my energy to just load a simple page. I know I could be so much faster and lighter with just a bit of a clean-up  – I’ll be a whole new website, you’ll see!
  • I don’t want to sound selfish, but could I ask for a little something else for myself? Nothing fancy, but I’ve worked so hard all year I think it would help my spirits and confidence as we get ready for yet another year. Patches. I’d like some patches, or updates. I am up to my gills in all kinds of third-party programs that the web designer thought would be so very cool to burden me with. But he’s easily distracted and he’s forgotten about most of them. Now at least half of them have serious and known vulnerabilities that have never been patched or updated.

Anyway, I hope I didn’t take up too much of your valuable time. And I hope you’ll see that what I’m asking for is not for me. I even know of a company that can help you with this. To make things easy, I’ll provide you with the number to SiteLock website security. It’s 855-378-6200. They’re available 24/7/365 to help!


Beware of Cross-Site Scripting!

The popularity of blogging software, with all its vulnerabilities, has spawned thousands of malicious cross-site scripting attacks. With each technological advance, new targets are created for the unscrupulous hacker.

Who Has Been Targeted With Cross-Site Scripting?

Hackers have not neglected immense commercial sites. Facebook, PayPal, Hotmail, Gmail and Twitter have all had issues with cross-site scripting. Often referred to as XSS, cross-site scripting is a major threat to blogs. Owners of blogs should be aware of the dangers, and what actions must be taken to prevent a cross-site scripting attack on their site.

Blog Vulnerabilities and XSS

Most cross-site scripting vulnerabilities occur in server-side code, while DOM-based (document object model) XSS is a method hackers use to exploit vulnerabilities in client-side code. Running antivirus or spyware blockers provides some protection, but not nearly enough to prevent attacks from outside.


Protect Your Website From Cybercriminals

Cybercriminals are intelligent and malicious, and their sole purpose is to compromise your website security, in an effort to confiscate valuable, confidential and personal data. No website, large or small, is exempt from unscrupulous cyber attacks. The infamous website hackers that make headlines concentrate their efforts on major corporations, government entities and other high-profile organizations. However, there are equally dangerous cybercriminals that prey on small businesses and individuals.

Why Are Small Businesses Targeted by Cybercriminals?

The vulnerability of small businesses is greater, due to a lack of expertise in the area of security and limited resources to employ a security professional. In 2010, the National Retail Federation and First Data Corporation conducted a survey targeting small to mid-sized businesses. The results were significant and revealed that more than half of the businesses surveyed thought that they were not susceptible to credit card and personal data theft. Half of the businesses surveyed had not checked the effectiveness of their website’s security system. This is the kind of news that cybercriminals love to hear.

How Cybercriminals Find Vulnerable Targets

Cyber criminals use sophisticated scanning devices to locate security weaknesses. Their goal is to penetrate the limited security most small businesses use. This can spell disaster for a company. One security breach can result in the loss of credibility, as well as the loss of your customers’ trust. USA Today and the Wall Street Journal have recently published articles referencing the increase in cyber attacks on small to mid-sized companies. The attackers steal funds from the business, as well as the credit card information of its clients and customers. It’s a double whammy.

These Internet thieves have planted malicious software, or malware, in the terminals of computerized cash registers, lifting credit card numbers and passwords. Inserted malware links in emails entice unwitting victims to websites that harvest all of their personal information including credit card data, passwords and bank account numbers. The email claims to be from the IRS, their bank, or other financial institutions and always requires an “urgent” response. It only takes one careless employee to make the mistake that can bring a business to its financial knees.

What Can Small Businesses Do?

Internet security is a critical “must” for every business. The increase in criminal cyber attacks on small businesses has created the need for affordable and comprehensive website security. SiteLock is a company founded for the purpose of providing affordable website security solutions for small to mid-sized businesses. SiteLock’s technology specialists have developed a 360-degree website scanning system that provides deep scanning to expose any vulnerabilities on your website. If issues are detected, SiteLock can provide the service you need to remove malware, clean up your site and secure it against future attacks.

Building Online Trust

As technology advances and the global market continues to expand, small companies depend more and more on their websites to increase business. They have to assure their customers that their website is a safe place to conduct business. SiteLock builds confidence and trust with your customers and has proven to increase sales. With the SiteLock Trust Seal, your customers will feel safe conducting business on your website, resulting in increased conversions.

Don’t take chances when there is affordable security at your fingertips with SiteLock. Call 855-378-6200 to find a SiteLock security package that fits your website size and complexity.
