WordPress 3.7 was released on October 24, 2013 and introduced an automatic update mechanism to ensure security fixes would be automatically deployed on all WordPress sites, in an effort to prevent recently-patched vulnerabilities from being massively exploited in the wild. This is widely regarded by security experts as a good idea.
However, the WordPress automatic update feature had one glaring Achilles’ heel: If a criminal or nation state were to hack into the WordPress update server, they could trigger a fake automatic update to infect WordPress sites with malware.
This isn’t just a theoretical concern: it could have happened, had Wordfence’s security researchers not found and disclosed an easy attack vector into that update infrastructure.
WordPress 5.2 was released on May 7, 2019 and provides the first real layer of defense against a compromised update infrastructure: offline digital signatures.
A very long article about commercial VPNs, their marketing strategies, and the truth behind their privacy and security claims.
[…] another worrying aspect of today’s market of VPN services is the large amount of misinformation end users are exposed to, which makes it hard for them to properly tell apart vague and bold claims typical of product advertisement campaigns with actual facts.
That quote is four years old, and just as relevant today as it was when it was written. The article I’m linking here does a really good job explaining what a VPN (virtual private network) is and what it is not, and it makes sure to use as few technical terms as possible. It also goes into detail about what a VPN is good for, not just what they’re not good for.
How to use GnuWin32 ported tools like grep.exe and find.exe for forensic log file analysis on Windows Server. In this article I’ll give some real-life examples of using these ported GnuWin tools, such as grep.exe, for log file analysis on Windows servers. The article provides three examples, as an alternative to LogParser, because finding spam scripts fast is often very important.
At PortSwigger, we regularly run pre-release builds of Burp Suite against an internal testbed of popular web applications to make sure it’s behaving properly. Whilst doing this recently, Liam found a
I can absolutely see a case where users would interact, and therefore become vulnerable to this exploit: keyboard-only users, screen reader users, and speech recognition users. So this might be worth looking into, especially if you’re adding a ton of keyboard shortcuts to your app and calling it an accessibility improvement.
A critical bug that can leak secret cryptographic keys has just been fixed in OpenSSH, one of the more widely used implementations of the secure shell (SSH) protocol.
The vulnerability resides only in the client, the version end users use to connect to servers, and not in the versions used by servers. A maliciously configured server could exploit it to obtain the contents of the connecting computer’s memory, including the private key used for SSH connections. The bug is the result of code that enables an experimental roaming feature in OpenSSH versions 5.4 to 7.1.
“The matching server code has never been shipped, but the client code was enabled by default and could be tricked by a malicious server into leaking client memory to the server, including private client user keys,” OpenSSH officials wrote in an advisory published Thursday. “The authentication of the server host key prevents exploitation by a man-in-the-middle, so this information leak is restricted to connections to malicious or compromised servers.”
The OpenSSH maintainers have released a patch that fixes this, so if you’re using OpenSSH, update. It’s always important to make sure you’re running the latest versions of the things you depend on, especially when security fixes are involved.
And if you haven’t done so already, please consider contributing to free software like this. Free (as in freedom) software is everyone’s responsibility, and even if you’re not a coder, you can still contribute. Much of the widely used security software, server-side software, and the client-side software used to interact with those servers is free software. In order for that to remain the case, the upkeep of said software and tools cannot be left to “other people,” so if you haven’t done so already, consider giving something back to the communities whose software you freely use to get your work done or your daily tasks completed. Your contributions, whether in time and talent or in monetary form, make a difference.
Malwarebytes has spotted an advertising campaign in the wild that tricks users into clicking on what looks like a notification alert that actually hides a legitimate advert, therefore abusing both the advertiser and the ad network hosting the ad (Google Ads Services).
The law applies regardless of where the website is actually hosted. Any website that is using cookies for any purpose and is targeting European users, even if not solely, must ask consent from its users to store or retrieve information from their devices. (Source)
Malwarebytes has a complete breakdown of the attack and its implementation, with screenshots, on their blog.