Page experience: a new Google ranking factor

A couple of weeks ago, Google announced Web Vitals — a new set of metrics to measure the speed and user experience of websites. Last week, Google announced that these metrics will make their way into a core algorithm update as new ways of judging and ranking sites based on the page experience they offer. This update is due to arrive some time in 2021.

Read up! Article by Yoast SEO: https://yoast.com/page-experience-google-ranking-factor/

Work From Home Alert: Critical Bug Found in Old D-Link Router Models

Researchers find six bugs in consumer D-Link DIR-865L Wireless AC 1750 Dual Band Cloud Router.

D-Link is urging customers to replace its now obsolete line of DIR-865L Wireless Routers in reaction to a recently discovered critical command-injection bug that leaves users open to a denial-of-service attack.

The routers, first introduced in 2013, reached end-of-life support in Feb. 2016. In Aug. 2018, D-Link released a patch (1.20B01 beta) to address multiple security bugs. On Friday, Palo Alto Networks’ Unit 42 researchers publicly disclosed six additional bugs – one rated critical and five rated high severity.

“The vulnerabilities were found in the DIR-865L model of D-Link routers, which are meant for home network use,” researchers wrote. “The current trend towards working from home increases the likelihood of malicious attacks against home networks, which makes it even more imperative to keep our networking devices updated.”

Full article: https://threatpost.com/work-from-home-alert-critical-d-link-bug/156573/

Russian Cybercrime Boss Burkov Gets 9 Years

A well-connected Russian hacker once described as “an asset of supreme importance” to Moscow was sentenced on Friday to nine years in a U.S. prison after pleading guilty to running a site that sold stolen payment card data, and to administering a highly secretive crime forum that counted among its members some of the most elite Russian cybercrooks.

Aleksei Burkov of St. Petersburg, Russia admitted to running CardPlanet, a site that sold more than 150,000 stolen credit card accounts, and to being a founder of DirectConnection — a closely guarded underground community that attracted some of the world’s most-wanted Russian hackers.

As KrebsOnSecurity noted in a November 2019 profile of Burkov’s hacker nickname ‘k0pa,’ “a deep dive into the various pseudonyms allegedly used by Burkov suggests this individual may be one of the most connected and skilled malicious hackers ever apprehended by U.S. authorities, and that the Russian government is probably concerned that he simply knows too much.”

Burkov was arrested in 2015 on an international warrant while visiting Israel, and over the ensuing four years the Russian government aggressively sought to keep him from being extradited to the United States.

Full article: https://krebsonsecurity.com/2020/06/russian-cybercrime-boss-burkov-gets-9-years/

Don’t use names in your password!

Password management company NordPass has urged the general public not to include people’s names in their passwords.

Research released by the company found thousands of netizens worldwide are opting to protect their sensitive information with a password that includes a name.

According to NordPass, the name that cropped up most frequently in passwords is “Ashley.” The company discovered that the gender-neutral moniker was used 94,557 times to protect sensitive data.

The second most common name, used 78,914 times, was the similarly gender-neutral “Charlie.” The third and fourth most popularly used names, employed 71,035 times and 64,992 times respectively, were Michael and Nicole.

….

Passwords based around names are easier for cyber-criminals to crack as the combination of characters is more predictable.

According to the Department of Homeland Security, “most people use passwords that are based on personal information and are easy to remember. However, that also makes it easier for an attacker to crack them.”

“People also shouldn’t use any other obvious choices, such as their address, favorite band, sports team, pet’s name, the word ‘password,’ and any alterations of it.”

Full article at https://www.infosecurity-magazine.com/news/netizens-urged-not-to-use-this/
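As an added example (not from the NordPass research or the Infosecurity article), a small Python password-policy check that rejects passwords embedding a common name, including ones disguised with digit and symbol substitutions; the name list is a constructed sample built from the names the article cites.

```python
# Names the NordPass research found most often, plus two extras; this short
# list is constructed for the demo, a real policy would load a large wordlist.
COMMON_NAMES = ("ashley", "charlie", "michael", "nicole", "jessica", "daniel")

# Digit/symbol substitutions are undone before matching, because cracking
# wordlist rules undo them too, so "4shl3y" is no stronger than "ashley".
_SUBSTITUTIONS = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

def normalise(password):
    """Lower-case the password and undo the common substitutions above."""
    return password.lower().translate(_SUBSTITUTIONS)

def find_embedded_name(password, names=COMMON_NAMES):
    """Return the first listed name that appears inside the normalised
    password, or None if no listed name is embedded."""
    norm = normalise(password)
    for name in names:
        if name in norm:
            return name
    return None

def check_password(password, min_length=12):
    """Policy check: returns (accepted, reason). A password is rejected when
    it is too short or when it embeds a name from the common-name list."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    name = find_embedded_name(password)
    if name is not None:
        return False, f"contains the common name '{name}'"
    return True, "accepted"
```

Checking candidate passwords against a blocklist of common words and names in this way is what NIST SP 800-63B recommends in place of composition rules.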

When Your Biggest Security and Privacy Threats Come From the Ones You Love

Research examines the risks and design challenges of accounting for privacy threats in intimate relationships.

As technology has become more ubiquitous in people’s everyday lives, a new class of privacy threats has emerged in family, romantic, friendship, and caregiving relationships. Dubbed “intimate threats” by a recent academic paper in the Journal of Cybersecurity, these are the thorny risks that are intertwined with issues around location tracking, always-on monitoring or recording, online surveillance, and the control over technology accounts or devices.

Written by Karen Levy, a lawyer and sociologist, and information security luminary Bruce Schneier, the paper examines how the dynamics of different intimate relationships break the security model in a lot of systems. It examines real-world examples of this in action and also provides some recommendations for technology designers and security professionals to start rethinking how they build products and think about threat models and security use cases.

The use of technology in intimate relationships can quickly turn dark with very little recourse from the victim because the product was never designed to account for abuse cases.

“Facebook had a system for a while where you’d get your account back because they’d show you pictures and you’d click on the ones that are your friends, assuming that you know who they are but other people don’t,” Schneier says. “But your partner and your parents all know that stuff too. So it’s a great system, but it fails in the intimate context. It fails when your boyfriend takes over your account.”


Full article at https://www.darkreading.com/risk/when-your-biggest-security-and-privacy-threats-come-from-the-ones-you-love/d/d-id/1338053

Google: Phishing and malware attacks are evolving

Coronavirus-themed phishing lures are still on the rise, particularly in certain geographic locations – but most are being stopped before they reach your inbox.

Cyber criminals are tailoring coronavirus-related phishing and malware attacks to make them more effective at targeting victims in certain locations around the world, even as attackers continue to distribute millions of malicious spam emails every single day.

Google Cloud has detailed how the past month has seen the emergence of regional hotspots for COVID-19-related cyberattacks, with the UK, India and Brazil all seeing a rise in malware, phishing and spam campaigns looking to exploit fears over the virus.

In each case, the attacks and scams are using regionally relevant lures such as supposed government advice in an effort to reel victims in.

One example targeting people in the UK masquerades as an email from the Small Business Grant fund, a government initiative to help small businesses get through coronavirus. These attacks, which often involve a malicious file or phishing link, are designed to trick the victim into giving up personal information, as well as financial details.

Full article: https://www.zdnet.com/article/google-heres-how-phishing-and-malware-attacks-are-evolving/

Factoids

From iThemes

Did you know that 60% of website breaches involve vulnerabilities for which a patch was available but not applied? This means having software with known vulnerabilities installed on your site gives hackers the blueprints they need to take over your site.


Our friends at Cloudflare recently revealed that hacking and phishing attempts have been up by 37% and, on some days, they are blocking between four and six times the number of attacks they would usually see, since the start of the COVID-19 pandemic.

Unfortunately, this means the risk to your website has significantly grown … and that’s why having a solid WordPress security strategy is more important than ever.

Large Scale Attack Campaign Targets Database Credentials

Between May 29 and May 31, 2020, the Wordfence Firewall blocked over 130 million attacks intended to harvest database credentials from 1.3 million sites by downloading their configuration files.

The peak of this attack campaign occurred on May 30, 2020. At this point, attacks from this campaign accounted for 75% of all attempted exploits of plugin and theme vulnerabilities across the WordPress ecosystem.

Sites running Wordfence (all sites managed by ProtectYourWP.com) are protected against this campaign. If your site is not running Wordfence, and you believe you have been compromised, change your database password and authentication unique keys and salts immediately.

Full article at WordFence
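As an added example (not from the Wordfence article or ProtectYourWP.com), a Python script that rotates the eight WordPress authentication keys and salts in a wp-config.php, which is the key/salt part of the remediation above; the configuration fragment is constructed. The database password still has to be changed on the database server itself and then updated in DB_PASSWORD.

```python
import re
import secrets
import string

# The eight authentication keys and salts WordPress reads from wp-config.php.
WP_SALT_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Quotes and backslash are excluded so a value can never break out of the
# single-quoted PHP string literal it is written into.
_ALPHABET = "".join(c for c in string.ascii_letters + string.digits
                    + string.punctuation if c not in "'\"\\")

# One define('NAME', 'value'); statement in either quote style. Assumes the
# value contains no quote characters (true of WordPress's placeholders).
_DEFINE_RE = re.compile(
    r"""define\(\s*(['"])(?P<name>[A-Z_]+)\1\s*,\s*(['"])(?P<value>[^'"]*)\3\s*\)\s*;""")

def new_salt(length=64):
    """Fresh random value from the OS CSPRNG via the secrets module."""
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))

def extract_defines(config_text):
    """Map constant name -> value for every define() in the file."""
    return {m.group("name"): m.group("value") for m in _DEFINE_RE.finditer(config_text)}

def rotate_salts(config_text):
    """Return (new_text, rotated_names); only the eight salts are rewritten."""
    rotated = []
    def replace(m):
        name = m.group("name")
        if name not in WP_SALT_NAMES:
            return m.group(0)  # DB_NAME, DB_USER, DB_PASSWORD, ... stay as-is
        rotated.append(name)
        return f"define('{name}', '{new_salt()}');"
    return _DEFINE_RE.sub(replace, config_text), rotated

# Constructed wp-config.php fragment for the demo, not a real site's file.
SAMPLE_CONFIG = """define( 'DB_NAME', 'wp_example' );
define( 'DB_PASSWORD', 'rotate-this-on-the-db-server-too' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
"""
```

Rotating the salts invalidates every existing WordPress login cookie, so all sessions, including an attacker's, are forced to re-authenticate.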

Vulnerability Disclosures Drop in Q1 for First Time in a Decade

And now for some good news:

Even with more security issues published on Patch Tuesdays, the total number of software flaws dropped for the first three months of 2020, according to one tally.

The number of vulnerabilities reported publicly dropped in the first quarter of 2020 for the first time in at least a decade, falling nearly 20% to 4,968 compared with the same quarter last year, according to an analysis published on Thursday by Risk Based Security.

Full story at https://www.darkreading.com