Amazon’s Ring may not be all that secure

Five U.S. Senators are demanding that Amazon disclose how it is securing Ring home-security device footage – and who is allowed to access that footage.

The demands come on the heels of several security vulnerabilities and privacy-related incidents surrounding Amazon-owned Ring devices.

“Ring devices routinely upload data, including video recordings, to Amazon’s servers,” the senators wrote, Wednesday. “Amazon therefore holds a vast amount of deeply sensitive data and video footage detailing the lives of millions of Americans in and near their homes.”

Last week, researchers discovered a (now-fixed) vulnerability in Ring doorbells that left Wi-Fi network passwords exposed. Previous vulnerabilities have been discovered over the past year, including a flaw reported in February that could allow an attacker to spy on families’ video and audio footage.

A separate report earlier this year alleged that Ring employees in Ukraine were provided with “virtually unfettered access” to a folder containing every video created by every Ring camera globally, and that some U.S. Ring executives and engineers were given “highly privileged access to the company’s technical support video portal, allowing unfiltered, round-the-clock live feeds from some customer cameras.”

Other reports have drawn privacy concerns about the video footage collected by Ring doorbells. Ring has acknowledged that it’s partnering with more than 600 police departments across the country to allow them to request access to camera footage from camera owners, drawing concern from privacy and consumer advocacy groups.

Amazon said that it does not require law enforcement to delete materials shared through a video request after a certain period of time. Furthermore, if videos are downloaded by law enforcement, they may become public records, Amazon said.

“Amazon plays on people’s fears to sell them surveillance products, and then turns around and puts them and their neighbors in danger,” said Evan Greer, deputy director of digital rights advocacy group Fight for the Future, in an email. “Through consumer products like Ring, Amazon is collecting footage and all the data needed to build a nationwide surveillance network. They leverage government relationships to promote their own products, gain consumer trust and secure their position in the market. This is an unprecedented assault on our security, constitutionally protected rights, and communities. Amazon’s admissions to Senator Markey show that we need an immediate full scale Congressional investigation into this tech titan’s surveillance practices.”

According to reports, Ring has also applied for a “facial recognition patent” and employs a “head of facial recognition research.” Senators asked Amazon to describe its plans regarding facial recognition for Ring devices – including Amazon’s own platform, Rekognition.

Full article here

Malvertising Campaign targets WordPress

In this campaign, known vulnerabilities in WordPress plugins are exploited to inject malicious JavaScript into the frontends of victim sites, which causes the sites’ visitors to be redirected to potentially harmful content like malware droppers and fraud sites. Where possible, the payloads are obfuscated in an attempt to avoid detection.
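As an added illustration of the symptom described above (not code from the original post or from Wordfence), here is a small PHP scanner that pulls every script tag out of a page’s HTML and flags two things: script sources on hosts that are not on your own allowlist, and inline scripts that carry the markers typical of obfuscated redirect payloads. The allowlist, the marker list and the sample page are all assumptions constructed for the example; the HTML would normally come from fetching the site’s front page or from reading post_content and widget options out of the database.

```php
<?php
// Added example, not from the original post. Scans front-end HTML for
// injected script tags. Assumed inputs: the page HTML and a list of hosts
// from which the site legitimately loads scripts.

function find_suspicious_scripts(string $html, array $allowed_hosts): array
{
    $findings = [];
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);            // tolerate real-world markup
    $doc->loadHTML($html, LIBXML_NOWARNING | LIBXML_NOERROR);
    libxml_clear_errors();

    // Markers common in obfuscated payloads; legitimate code uses some of
    // them too, so treat a hit as a lead to inspect, not a verdict.
    $markers = ['eval(', 'unescape(', 'String.fromCharCode', 'atob(', 'document.write('];

    foreach ($doc->getElementsByTagName('script') as $script) {
        $src = $script->getAttribute('src');
        if ($src !== '') {
            $host = parse_url($src, PHP_URL_HOST);
            // Relative URLs have no host and are left alone; unknown hosts are flagged.
            if (is_string($host) && !in_array(strtolower($host), $allowed_hosts, true)) {
                $findings[] = ['type' => 'external-src', 'detail' => $src];
            }
            continue;
        }
        $body = $script->textContent;
        foreach ($markers as $m) {
            if (strpos($body, $m) !== false) {
                $findings[] = ['type' => 'inline-' . rtrim($m, '('), 'detail' => substr($body, 0, 80)];
                break;
            }
        }
    }
    return $findings;
}

// Constructed sample page: one legitimate script, one obfuscated inline
// script (it only decodes to the word "window") and one unknown external host.
$sample = <<<HTML
<html><body>
<script src="https://example-site.test/wp-includes/js/jquery.js"></script>
<script>var x = eval(unescape("%77%69%6e%64%6f%77"));</script>
<script src="https://cdn.evil-example.test/r.js"></script>
</body></html>
HTML;

foreach (find_suspicious_scripts($sample, ['example-site.test']) as $f) {
    printf("%-16s %s\n", $f['type'], $f['detail']);
}
```

Run it on a copy of the rendered page rather than on the theme files alone: injected code in this kind of campaign usually lives in the database (post content, widgets, plugin options), so the rendered output is what shows it.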

The plugins currently under attack in this campaign are:

We’re relieved to report that none of our clients’ sites are using any of these plugins. Wordfence Security, which we install on most if not all of our clients’ sites, blocks the exploit. So you and your site’s visitors are all safe for now.

Increased attack rates continue

We’ve gotten reports from the security software on yet more sites we manage of “increased attack rates” over the past few weeks. Unfortunately, this is something which happens regularly several times a year – when schools let out in May, when school starts in the fall, and around the end of the year. These all seem to be the times of year that “script kiddies” are most active.

Fortunately they’re attempting to hit old, well-known exploits which are not a problem for up-to-date WordPress software. We’ll of course be keeping you up to date and will be keeping an eye out for any problems these attacks might cause.

Increased attack rates

We’ve gotten reports from the security software on around 10% of the sites we manage of “increased attack rates” over the past few weeks. Unfortunately, this is something which happens regularly several times a year – when schools let out in May, when school starts in the fall, and around the end of the year. These all seem to be the times of year that “script kiddies” are most active.

Fortunately they’re attempting to hit old, well-known exploits which are not a problem for up-to-date WordPress software. We’ll of course be keeping you up to date and will be keeping an eye out for any problems these attacks might cause.

WooCommerce Checkout Manager exploit

This is one that was announced by the company discussed in Big Trouble In Plugin Land. They dropped details and a proof-of-concept exploit for a critical flaw in a widely-used WordPress plugin.

No fix is available, and the plugin has been pulled from the WordPress repository. (But that doesn’t help anyone who already has it installed and is dependent on its features.)

Social Warfare plugin flaws allow both Cross-Site Scripting and Remote Code Execution

A zero-day exploit was recently discovered in the popular Social Warfare plugin which allows both Cross-Site Scripting and Remote Code Execution. The Remote Code Execution problem was found by security researchers as they examined the code behind the initial attack. Both problems have been fixed in the most recent release.

This is a good example of why we update plugins (and themes and WordPress core code) as soon as a new version is released.

What does that all mean?

Zero-day exploits generally refer to a security hole in some software which someone, somewhere has found, but which the software developers don’t know about yet. They have literally had zero days to fix it.

Cross-Site Scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
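To make the XSS definition concrete, here is an added PHP example (not code from the original post, and not the Social Warfare plugin’s code) showing the shape of the bug in plugin terms: a shortcode that echoes a user-supplied attribute straight into the page, next to the same shortcode with output escaping. The shortcode name, attribute and sample input are assumptions made for the example; esc_html() and esc_attr() are the real WordPress helpers, with a fallback so the file also runs outside WordPress.

```php
<?php
// Added example, not from the original post. Assumed scenario: a shortcode
// whose "title" attribute is set by whoever can edit a post, and whose
// output is rendered to every visitor of that post.

// VULNERABLE: the attribute is echoed as-is, so markup (including a
// <script> tag) placed in it ends up in the page and runs in visitors' browsers.
function shareblock_unsafe(array $atts): string
{
    $title = (string) ($atts['title'] ?? '');
    return '<div class="share" data-title="' . $title . '">'
         . '<span>' . $title . '</span></div>';
}

// Fallbacks so the file runs stand-alone; inside WordPress the real
// esc_html()/esc_attr() are already defined and these are skipped.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// HARDENED: each untrusted value is escaped for the context it lands in
// (attribute value vs. element text), so it is rendered as text, not markup.
function shareblock_safe(array $atts): string
{
    $title = (string) ($atts['title'] ?? '');
    return '<div class="share" data-title="' . esc_attr($title) . '">'
         . '<span>' . esc_html($title) . '</span></div>';
}

// Constructed sample input: a title that closes the attribute and adds a script tag.
$payload = ['title' => 'Hi"><script>alert(1)</script>'];
echo shareblock_unsafe($payload), PHP_EOL;  // the <script> tag survives intact
echo shareblock_safe($payload), PHP_EOL;    // rendered as &lt;script&gt;... text
```

The defensive rule this illustrates is “escape on output, for the right context”: the same value needs esc_attr() inside an attribute and esc_html() inside element text, and a value going into a URL or into JavaScript needs esc_url() or wp_json_encode() instead.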

Remote Code Execution is the ability to trigger code execution over a network. In the case of an exploit, the code is malicious code which is placed on the site by the hacker.

https://en.wikipedia.org/wiki/Cross-site_scripting

https://www.wordfence.com/blog/2019/03/unpatched-zero-day-vulnerability-in-social-warfare-plugin-exploited-in-the-wild/

https://www.wordfence.com/blog/2019/03/recent-social-warfare-vulnerability-allowed-remote-code-execution/

Severe PHP Exploit Threatens WordPress Sites with Remote Code Execution

(but probably not yours…)

Researchers have created a proof-of-concept exploit that would enable bad actors to target a severe vulnerability in the PHP programming language behind several major CMS companies, including WordPress. The vulnerability remains unresolved – more than a year after it was reported.

[Editor note: “Proof of concept” means that they’ve figured out how to do this in a security research lab. As far as we know this exploit has NOT been found “in the wild”. So between that and the required privileges described below, you’re probably safe.]

The researchers at Secarma who uncovered the exploit said it enables bad actors to potentially open up thousands of WordPress sites (and other web applications) to remote code-execution.

“For WordPress, an attacker would need privileges to upload and modify media items to gain sufficient control of the parameter,” researchers said.

Full article: https://threatpost.com/severe-php-exploit-threatens-wordpress-sites-with-remote-code-execution/136649/

Arbitrary File Deletion Flaw Present in WordPress Core

This recently discovered security hole requires that a malicious actor has access to an account with Author-level or higher privileges, so it probably won’t be a big concern for most of our clients. We expect an update of WordPress to correct this problem soon.

In the meantime, we suggest that you review the Users section of your site for any Author or Admin accounts which are no longer needed. You can either downgrade them to simple Subscriber-level access or “No role” access. If you choose to delete an account which was used to post valuable information on your site, you can transfer ownership of those posts to an account you will retain.
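The review suggested above can be done from the Users screen; as an added example (not from the original post), here is the same audit as a PHP snippet that runs inside WordPress, for sites with too many accounts to eyeball. It lists every account with Author or higher privileges together with its post count and registration date, and provides two explicit follow-up actions: demote to Subscriber (or to no role), or delete with the posts reassigned. It assumes it is executed within a loaded WordPress instance (for example from a file under wp-content/mu-plugins/, or with WP-CLI’s `wp eval-file`); the functions it calls (WP_User_Query, count_user_posts, WP_User::set_role, wp_delete_user) are WordPress’s own.

```php
<?php
// Added example, not from the original post. Must run inside WordPress.
// The audit only reports; nothing is changed unless you call the two
// action functions yourself with the IDs you have decided on.

// Every account whose role is Author, Editor or Administrator, with the
// facts you need to decide whether it is still needed.
function audit_privileged_users(): array
{
    $query = new WP_User_Query([
        'role__in' => ['author', 'editor', 'administrator'],
        'fields'   => 'all',
        'orderby'  => 'registered',
    ]);

    $report = [];
    foreach ($query->get_results() as $user) {
        $report[] = [
            'ID'         => $user->ID,
            'login'      => $user->user_login,
            'roles'      => $user->roles,
            'posts'      => (int) count_user_posts($user->ID),
            'registered' => $user->user_registered,
        ];
    }
    return $report;
}

// Downgrade an account instead of deleting it. set_role('subscriber')
// leaves read-only access; set_role('') removes every role ("No role").
function demote_user(int $user_id, bool $no_role = false): bool
{
    $user = get_user_by('id', $user_id);
    if (!$user) {
        return false;
    }
    $user->set_role($no_role ? '' : 'subscriber');
    return true;
}

// Delete an account but hand its posts to an account you will keep, so
// the content stays published under a retained owner.
function delete_user_reassigning(int $user_id, int $reassign_to): bool
{
    require_once ABSPATH . 'wp-admin/includes/user.php';   // defines wp_delete_user()
    return wp_delete_user($user_id, $reassign_to);
}

// Print the audit as a table; accounts with zero posts and an old
// registration date are the usual candidates for demotion.
foreach (audit_privileged_users() as $row) {
    printf("%-5d %-20s %-15s %4d posts  registered %s\n",
        $row['ID'], $row['login'], implode(',', $row['roles']),
        $row['posts'], $row['registered']);
}
```

Keep at least one Administrator account, and demote rather than delete when in doubt: demotion is reversible from the Users screen, deletion is not.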

More details at https://www.wordfence.com/blog/2018/06/arbitrary-file-deletion-flaw-present-in-wordpress-core/

Why would they hack little old me?

Wordfence posted a great article on “Why is an insignificant website like mine being attacked?”, a very common question asked by owners of smallish sites.

Most of it comes down to money. Here’s a quick synopsis:

1) Using your host’s server to run their own programs (the latest craze is cryptocurrency mining)

2) Leveraging your reputation

a) hosting phishing pages
b) hosting spam pages and injecting spam links
c) sending spam email
d) attacking other sites
e) hosting malicious content

3) Leveraging your site contents

a) malicious redirects
b) defacements
c) distributing malware

4) Stealing data

5) Ransomware

Full article at: https://www.wordfence.com/blog/2018/03/ask-wordfence-why-is-an-insignificant-site-like-mine-being-attacked/

Captcha Bypass

We’ve seen a large uptick in the amount of spam getting past the defenses in the last two weeks – it seems someone has devised a new way to get around Captcha.

The Akismet plugin has been catching most of it on those sites which have it enabled. We’re seeing 4–5 times as much spam being caught.

The spam which has gotten through to my email accounts typically has a short message and a link for you to “check out”. I’m sure most of you are sharp enough to know this, but just in case you’re tempted: Don’t follow the link. It’s almost surely a site which will try to infect your computer with malware.