Malwarebytes has spotted an advertising campaign in the wild that tricks users into clicking on what looks like a notification alert but actually conceals a legitimate advert, thereby abusing both the advertiser and the ad network hosting the ad (Google Ads Services).
The rogue actors behind this fraudulent activity are cleverly leveraging a European law on the use of cookies to seemingly prompt visitors to answer a question.

The law applies regardless of where the website is actually hosted. Any website that is using cookies for any purpose and is targeting European users, even if not solely, must ask consent from its users to store or retrieve information from their devices. (Source)

Malwarebytes has a complete breakdown of the attack and its implementation, with screenshots, on their blog.

From the Linode status blog:

A security investigation into the unauthorized login of three accounts has led us to the discovery of two Linode.com user credentials on an external machine. This implies user credentials could have been read from our database, either offline or on, at some point. The user table contains usernames, email addresses, securely hashed passwords and encrypted two-factor seeds. The resetting of your password will invalidate the old credentials.

This may have contributed to the unauthorized access of the three Linode customer accounts mentioned above, which were logged into via manager.linode.com. The affected customers were notified immediately. We have found no other evidence of access to Linode infrastructure, including host machines and virtual machine data.

The entire Linode team has been working around the clock to address both this issue and the ongoing DDoS attacks. We’ve retained a well-known third-party security firm to aid in our investigation. Multiple Federal law enforcement authorities are also investigating and have cases open for both issues. When the thorough investigation is complete, we will share an update on the findings.

Now’s a good time to change all your passwords and audit your servers.

None of this means that Linode has been irresponsible, at least as far as we know. Security is hard, and this kind of thing can and will happen to any and every cloud provider. It’s only a matter of time before Amazon gets hit.

Regular server audits and password changes are critical for anything that’s connected to the internet, which at this point is more and more of the things. It’s good practice to have some kind of security policy in place, regardless of the technology you’re using. Policy is just as much a part of security as the technical aspect.

CloudFlare announced on their blog today (http://blog.cloudflare.com/introducing-universal-ssl/) that they have started offering free SSL to all of their customers, both free and paid. There’s a lot of detail in that post, but the roll-out promises to be quick for everyone, within twenty-four hours. This is CloudFlare’s contribution to a completely secure web. They’re hoping that their example will influence other providers to start offering SSL for free. We’ll see how this develops and what kind of influence CloudFlare has on the hosting/CDN industries. I’m completely in favor of a secure web and am glad that CloudFlare is making SSL accessible to a lot more people who might otherwise avoid it due to cost and/or difficulty in setting it up. This wouldn’t have happened if Google weren’t behind the SSL push. I can’t help but think of what could happen if Google got behind accessibility in a serious way like they are with SSL.

We normally think of HTTPS (Hypertext Transfer Protocol over TLS) as something e-commerce or banking websites use. Other types of sites use it too (web hosts can, for example, force logins to their user administration panels over HTTPS, and any site that exchanges personal data is using it if they want to keep their good reputation intact), but banking and e-commerce are the two types of sites most users associate with “secure”. As of yesterday, Google is strongly encouraging everyone to use it, whether their website has e-commerce functionality or not. Google has indicated both on its Webmaster Central blog and on its Online Security blog that whether or not a site employs HTTPS will affect its ranking within Google’s search results.

For now, Google says that the HTTPS ranking signal carries very little weight and will affect only about one percent of all rankings, but it hopes to ramp up in the future. That means it’s likely that, at some point, if you want high rankings, you’re going to have to get yourself an SSL certificate, and then either learn how to install and deploy it or get someone to do that for you. It’s not a simple process.

I can see a market segment growing up around this, in both the white-hat and black-hat SEO communities. I can also envision all manner of spam opportunities arising from this, depending on how big it gets, which is something I never thought I’d hear myself say in relation to SSL certificates. I wonder when Google’s going to take the plunge and make Blogger secure?

From the official WordPress blog:

WordPress 3.9.2 is now available as a security release for all previous versions. We strongly encourage you to update your sites immediately.

This release fixes a possible denial of service issue in PHP’s XML processing, reported by Nir Goldshlager of the Salesforce.com Product Security Team. It was fixed by Michael Adams and Andrew Nacin of the WordPress security team and David Rothstein of the Drupal security team. This is the first time our two projects have coordinated on joint security releases.

WordPress 3.9.2 also contains other security changes:

  • Fixes a possible but unlikely code execution when processing widgets (WordPress is not affected by default), discovered by Alex Concha of the WordPress security team.
  • Prevents information disclosure via XML entity attacks in the external GetID3 library, reported by Ivan Novikov of ONSec.
  • Adds protections against brute attacks against CSRF tokens, reported by David Tomaschik of the Google Security Team.
  • Contains some additional security hardening, like preventing cross-site scripting that could be triggered only by administrators.

For more information, see the release notes or consult the list of changes.

Download WordPress 3.9.2 or venture over to Dashboard → Updates and simply click “Update Now”.

Sites that support automatic background updates will be updated to WordPress 3.9.2 within 12 hours. (If you are still on WordPress 3.8.3 or 3.7.3, you will also be updated to 3.8.4 or 3.7.4. We don’t support older versions, so please update to 3.9.2 for the latest and greatest.) If you want to update on your own, you still have the option of manually downloading the update from your dashboard and installing it yourself.

If you’re testing WordPress beta 4.0, the third beta is now available (zip) and it contains these security fixes.
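Two of the fixes in the release quoted above concern XML handling: entity expansion that can exhaust a PHP process, and XML entity tricks that disclose local files. Both depend on the attacker supplying a DOCTYPE with ENTITY declarations, which the feed and XML-RPC formats a blog consumes never need. The following is an added example, not WordPress or GetID3 code, of a loader that refuses such documents before the parser sees them; the function name and the sample inputs are constructed for illustration.

```php
<?php
// Added example (not WordPress or GetID3 code): reject XML that carries a
// DOCTYPE or ENTITY declaration before it reaches libxml. Entity expansion
// (denial of service) and external entity resolution (file disclosure) both
// require such a declaration, so refusing any document that has one blocks
// both classes without having to reason about parser options alone.

function safe_xml_load(string $xml): ?DOMDocument
{
    // A DOCTYPE is never legitimate for the formats this site accepts, so its
    // presence is treated as hostile. Case-insensitive, whitespace-tolerant.
    if (preg_match('/<!\s*(DOCTYPE|ENTITY)/i', $xml)) {
        return null;
    }

    // Collect libxml errors internally instead of emitting PHP warnings.
    $previous = libxml_use_internal_errors(true);

    $doc = new DOMDocument();
    // LIBXML_NONET: never fetch remote resources even if something slips through.
    // LIBXML_NOENT is deliberately NOT set, so entities are never substituted.
    $ok = $doc->loadXML($xml, LIBXML_NONET | LIBXML_NOCDATA);

    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    return $ok ? $doc : null;
}

// Constructed sample inputs: a benign XML-RPC call and a document that declares an entity.
$benign  = '<?xml version="1.0"?><methodCall><methodName>demo.sayHello</methodName></methodCall>';
$hostile = '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY a "aaaa">]><x>&a;</x>';

echo safe_xml_load($benign)  instanceof DOMDocument ? "benign: accepted\n"  : "benign: rejected\n";
echo safe_xml_load($hostile) instanceof DOMDocument ? "hostile: accepted\n" : "hostile: rejected\n";
```

The pre-parse check is the important part: libxml flags control substitution and network access, but a DOCTYPE still has to be tokenized, and an internal entity expansion can be costly before any option is consulted. Refusing the declaration outright is cheaper and easier to audit than tuning parser flags per call site.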

WPTouch is a plugin for WordPress that automatically enables a mobile theme for visitors browsing your site on a smartphone or tablet. With five million downloads to date, it’s one of the most popular plugins in the WordPress plugin directory. Earlier today, Sucuri reported that WPTouch has a dangerous security vulnerability, and users are strongly advised to update immediately. The short version is, unless you’re running the latest update, WPTouch allows users who do not have administrative privileges to upload PHP scripts directly to the server, meaning that someone with not-so-good intentions has the capability to take over any site running anything but the latest version of the WPTouch plugin.

The unpatched version of the plugin uses the “admin_init” hook as its authentication method. As was discussed previously, “admin_init” should not be used as an authentication method because it is invoked not only when an administrative user visits any page within wp-admin, but also when wp-admin/admin-post.php is visited, thus allowing anyone to upload potentially malicious code to an affected site.
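To make the point concrete, here is an added example (not WPTouch’s code) contrasting the pattern described above with what a plugin should do instead. The hook names and WordPress functions are real; the `example_` action, handler and helper names are invented for illustration.

```php
<?php
// Added example (not WPTouch's code): why an admin_init callback is not an
// authorization check, and what a plugin handler should do instead.
//
// admin_init fires for every request that bootstraps the admin, including
// wp-admin/admin-post.php and wp-admin/admin-ajax.php, both of which are
// reachable by visitors who are not logged in. "The hook ran" therefore says
// nothing about who is asking.

// Pattern to avoid (illustrative): the only gate is the hook itself.
add_action('admin_init', function () {
    if (!empty($_FILES['theme_image'])) {
        // Any request that reaches admin-post.php lands here: no capability
        // check and no nonce, so the handler trusts an unauthenticated caller.
        example_handle_upload($_FILES['theme_image']); // hypothetical helper
    }
});

// Hardened pattern: register a named admin-post action and check
// authorization, CSRF and input inside the handler.
add_action('admin_post_example_upload', 'example_upload_handler');

function example_upload_handler(): void
{
    // 1. Authorization: is the current user allowed to do this at all?
    //    (admin_post_* also has a nopriv_ variant; this one requires login.)
    if (!current_user_can('upload_files')) {
        wp_die(esc_html__('You are not allowed to upload files.', 'example'), 403);
    }

    // 2. CSRF: the request must carry a nonce bound to this action and user.
    check_admin_referer('example_upload_action', 'example_upload_nonce');

    // 3. Input validation: accept only whitelisted image types, and go through
    //    the core media API instead of writing the file to disk directly.
    if (empty($_FILES['theme_image'])) {
        wp_die(esc_html__('No file submitted.', 'example'), 400);
    }
    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload($_FILES['theme_image'], [
        'test_form' => false,
        'mimes'     => ['jpg|jpeg' => 'image/jpeg', 'png' => 'image/png'],
    ]);

    if (isset($result['error'])) {
        wp_die(esc_html($result['error']), 400);
    }

    wp_safe_redirect(add_query_arg('uploaded', '1', admin_url('admin.php?page=example')));
    exit;
}
```

The settings form that posts to this handler must include a hidden `action` field set to `example_upload` and a nonce from `wp_nonce_field('example_upload_action', 'example_upload_nonce')`; without the nonce the request dies at step 2 even for a logged-in administrator. The general rule the three steps encode: a hook tells you *when* code runs, `current_user_can()` tells you *who* is running it, and a nonce tells you whether they *meant* to.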

If you’re using this plugin to create a mobile-friendly experience for your users, update it as soon as possible. Sucuri made the vulnerability known to the authors of the plugin, and they quickly released a patch to the plugin directory. The only thing users of the plugin need to do is update to the latest version.