Twitter CEO’s account hacked

Twitter CEO Jack Dorsey’s Twitter account was hacked on Friday, Aug 30, using a technique known as “SIM Swapping” or “SIM Hacking” to get around 2-factor authentication (2FA): essentially, convincing a phone carrier to assign the victim’s number to a new phone that the attacker controls.  The hacker then receives the SMS authentication code and uses it to gain access to the account.  Fortunately, this account was quickly locked down, but if it was your account instead of the CEO’s, do you think it would have been caught as quickly?  I doubt it.

Security expert Brian Krebs suggests “If you care about your account, get a Google Voice # to replace your mobile # in Twitter settings. Uncheck SMS. Then use only either mobile app or even better a security key for 2-factor authentication. Do this for every other account you care about that you can.”

His Twitter posts (https://twitter.com/briankrebs/status/1167581370048307206) give more detail, including the inconvenient fact that Google Voice numbers don’t work in many countries outside of the US.  He clarifies later in the thread that “Basically you want to avoid any service that you can reach over the phone. Oddly enough, the lack of customer service people staffing Google Voice is a plus in this regard. If that describes another service that provides the same, then that’s probably fine, too.”

It’s those helpful customer service people who help you do the SIM swap.


Zoom Zero Day

Use Zoom on your Mac? There’s an easy fix to a major security vulnerability. To change Zoom to turn the camera off until you turn it on, open the terminal app (you can find it in your applications folder) and run this command:

sudo defaults write /Library/Preferences/us.zoom.config.plist ZDisableVideo 1

It will ask for your password – that’s okay.

Share with anyone who uses Zoom!

Read more at https://medium.com/

Increased attack rates

We’ve gotten reports from the security software from around 10% of the sites we manage of “increased attack rates” over the past few weeks. Unfortunately, this is something which happens regularly several times a year – when schools let out in May, when school starts in the fall, and around the end of the year. These all seem to be the times of year that “script kiddies” are most active.

Fortunately they’re attempting to hit old, well-known exploits which are not a problem for up-to-date WordPress software. We’ll of course be keeping you up to date and will be keeping an eye out for any problems these attacks might cause.

WordPress Sites Compromised via Zero-Day Vulnerabilities in Total Donations Plugin

The Wordfence Threat Intelligence team recently identified multiple critical vulnerabilities in the commercial Total Donations plugin for WordPress. These vulnerabilities, present in all known versions of the plugin up to and including 2.0.5, are being exploited by malicious actors to gain administrative access to affected WordPress sites. We have reserved CVE-2019-6703 to track and reference these vulnerabilities collectively.

It is our recommendation that site owners using Total Donations delete–not just deactivate–the vulnerable plugin as soon as possible to secure their sites. The following article details the issues present in Total Donations, as well as the active attacks against the plugin. We’ll also take a look at our disclosure process, and the steps we took in our attempts to contact the plugin’s developers to reach a resolution.

Curious Access Logs

As is the case with many investigations, this discovery was directly aided by an attacker’s mistake.

More at https://www.wordfence.com/blog/2019/01/wordpress-sites-compromised-via-zero-day-vulnerabilities-in-total-donations-plugin/

Basic security practices

I was planning on doing a handful of security tips for National Cybersecurity Month (October), but ended up getting some site de-hacking clients the first weekend (more on that below) and was booked up pretty solid the rest of the month too. But I also figured: you’re probably smart enough to know the basics by now (no re-using passwords, blah blah blah). I throw tips out on this site regularly anyway.

One of the hacked sites was a result of breaking some of the very basic rules:

1) A really lame password (it was the name of the hosting company, if you can believe that!)

2) Though the live site was entirely in HTML (essentially plain text files, not as prone to hacking as PHP, JavaScript, and other languages, which when coded badly can leave gaping security holes), there was a gallery application written in PHP which had been abandoned – but was still discoverable and reachable by hackers – and which had not been updated in 4 or 5 years (40 or 50 years in Internet dog-years).

That means that it was a very likely attack vector. Tip of the day: Don’t leave old versions of your site “stored” on your live website, unless you actively keep them updated too!

3) The hosting package was the cheapest level available. This means that the hosting company crams as many small websites on to a single server as they can possibly fit. The software running those sites is quite often not kept up to date, and because of the way this kind of shared hosting is done, once a hacker gains access to one site on the server they can often attack all the other sites as well.

So the site could have been hacked by directly guessing the password, through out of date software on the victim’s site, or through out of date software on another site on the same server.
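One way to catch the “abandoned PHP app left on the live site” problem described above is to scan the web root for directories whose server-side code has not been touched in years. This is an added example, not code from the original post; the file extensions and the cutoff are assumptions.

```python
"""Find abandoned web applications left inside a live web root.

Walks a web root and reports each directory holding PHP files whose newest
code file is older than a cutoff, i.e. the old gallery application from the
post above. Extensions and the cutoff are assumptions for this example.
"""
import os
import time
from pathlib import Path
from typing import List, Optional, Tuple

# Server-side code worth flagging when stale (assumption).
CODE_EXTENSIONS = {".php", ".phtml", ".php5"}


def newest_code_mtime(directory: Path) -> Optional[float]:
    """Return the newest mtime among code files directly inside `directory`."""
    newest = None
    for entry in directory.iterdir():
        if entry.is_file() and entry.suffix.lower() in CODE_EXTENSIONS:
            mtime = entry.stat().st_mtime
            if newest is None or mtime > newest:
                newest = mtime
    return newest


def find_stale_apps(webroot: str, max_age_days: int,
                    now: Optional[float] = None) -> List[Tuple[str, int]]:
    """Return (path relative to webroot, age in days) for every directory
    whose code files have all gone untouched for more than max_age_days."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    root = Path(webroot)
    stale = []
    for dirpath, _dirnames, _filenames in os.walk(root):
        directory = Path(dirpath)
        newest = newest_code_mtime(directory)
        if newest is not None and newest < cutoff:
            age_days = int((now - newest) // 86400)
            stale.append((str(directory.relative_to(root)), age_days))
    return sorted(stale)


if __name__ == "__main__":
    # Flag anything whose code is more than a year old (assumed web root path).
    for path, age in find_stale_apps("/var/www/html", 365):
        print(f"{path}: newest code file is {age} days old")
```

Anything it reports should either be removed from the live site or brought back under active maintenance, as the tip above says.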

The good news: less than 2 hours later it was cleaned up.

Stay safe out there!

Dodged this one!

None of our clients use the plugin or themes mentioned here (the Ultimate Member plugin and TagDiv themes), as far as I can see.

This August, we’ve seen a new massive wave of WordPress infections that redirect visitors to unwanted sites.

When redirected, users see annoying pages with random utroro[.]com addresses and fake reCAPTCHA images. The messages and content try to convince visitors to verify and subscribe to browser notifications without disclosing the purpose of this behavior.

Full Article: https://blog.sucuri.net/2018/08/massive-wordpress-redirect-campaign-targets-vulnerable-tagdiv-themes-and-ultimate-member-plugins.html

SuperProf private tutor site massively fails password test, makes accounts super easy to hack

“This isn’t super. The level of incompetence is astonishing”

“SuperProf, which claims to be ‘the world’s largest tutoring network’, has made its newest members’ passwords utterly predictable… leaving them wide open to hackers.” All the temporary passwords were the person’s first name with the word “Super” before it.

SECURITY HINT: If a site you signed up for ever sends you a password via email, CHANGE THAT PASSWORD IMMEDIATELY!  And if they send you THAT password in a confirmation email, let them know in no uncertain terms that this practice is unacceptable.

We had exactly that happen with the ‘service’ our son’s school used to collect *personal financial data* for scholarship applications. We contacted them and threatened to contact the Attorney General. Though it took them longer than we would have liked, they did rewrite that part of their site so that it now behaves in a much more secure manner. (They also fired the person responsible). Don’t be afraid to make a fuss!
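The SuperProf scheme above (“Super” plus the member’s first name) is the kind of thing a signup system can check for before it ever mails a password. The following is an added example, not code from the original article or from SuperProf: it flags temporary passwords that are mostly built from the user’s own profile data and generates an unpredictable one instead. The profile field names and the residue threshold are assumptions.

```python
"""Temporary-password hygiene check (added example, not from the post).

predictable_temp_password() strips known profile values (names, the local
part of the email, the site name) out of a candidate password and reports
whether too little unguessable material is left. generate_temp_password()
draws from the OS CSPRNG instead of a name-based scheme.
"""
import secrets
import string

# Characters that must remain after removing profile data (assumption).
MIN_UNEXPLAINED_CHARS = 8


def predictable_temp_password(password: str, profile: dict) -> bool:
    """True if the password is largely derived from the user's profile.

    profile is a dict such as {"first_name": ..., "email": ..., "site": ...};
    the keys are assumed for this example.
    """
    residue = password.lower()
    values = set()
    for key, value in profile.items():
        if not value:
            continue
        value = value.lower()
        if key == "email":
            value = value.split("@", 1)[0]   # local part only
        if len(value) >= 3:                  # ignore tiny fragments
            values.add(value)
    # Remove longer values first so "superprof" is taken out before "super".
    for value in sorted(values, key=len, reverse=True):
        residue = residue.replace(value, "")
    return len(residue) < MIN_UNEXPLAINED_CHARS


def generate_temp_password(length: int = 16) -> str:
    """Random temporary password from the OS CSPRNG (module `secrets`)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    member = {"first_name": "Alice", "email": "alice@example.org",
              "site": "SuperProf"}
    print(predictable_temp_password("SuperAlice", member))   # True
    print(predictable_temp_password(generate_temp_password(), member))  # False
```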

Full article: https://www.grahamcluley.com/superprof-private-tutor-site-massively-fails-password-test-makes-accounts-super-easy-to-hack/?utm_content=76315909&utm_medium=social&utm_source=twitter

May ’18 news bits

It’s been a busy month and my twitter feed isn’t working right tonight as I write this, so I’m not going to be able to put in direct links or accurate quotes.

But it has been an interesting month in the security world! You may have heard about some of these in the news. Some highlights (and lowlights):

Major DDOS cyber crime website shut down – computerweekly.com

“Drupalgeddon” touches off arms race to exploit powerful web servers (the bug was patched in March, but many have not installed the patch).

Site linked to bank hackers is closed down. Site was responsible for selling a tool which enabled some 4 million cyberattacks.

Adobe patches four critical bugs in Flash, Indesign. (do your updates!)

Full article: https://threatpost.com/adobe-patches-four-critical-bugs-in-flash-indesign/131097/

Podcast: How millions of apps leak private data https://threatpost.com/roman-unuchek-on-apps-leaking-private-data/131332/

That’s it for this month! Stay safe out there!

Why would they hack little old me?

Wordfence posted a great article on “Why is an insignificant website like mine being attacked?”, a very common question asked by owners of smallish sites.

Most of it comes down to money. Here’s a quick synopsis:

1) Using your host’s server to run their own programs (the latest craze is cryptocurrency mining)

2) Leveraging your reputation

a) hosting phishing pages
b) hosting spam pages and injecting spam links
c) sending spam email
d) attacking other sites
e) hosting malicious content

3) Leveraging your site contents

a) malicious redirects
b) defacements
c) distributing malware

4) Stealing data

5) Ransomware

Full article at: https://www.wordfence.com/blog/2018/03/ask-wordfence-why-is-an-insignificant-site-like-mine-being-attacked/

Company fined £400k for sloppy security

A UK company, CarPhone Warehouse, was fined £400k (about half a million dollars) for a massive breach basically caused/allowed by ignoring basic security rules that we all should know:

  • Use secure, unique passwords (all their servers had the same root password, which was known by 30-40 people)
  • Keep software up to date (their WordPress installations were 6 years out of date; other software was also years out of date)
  • Protect encryption keys (although the historical transactions were protected by encryption, the encryption keys were stored in plain text within the application)

“Carphone Warehouse had claimed that the attack was ‘sophisticated’, but in reality the attacker used the Nikto web scanning tool which is freely available and checks for outdated web servers, application software and common configuration errors.”

Full article at https://www.accountingweb.co.uk/tech/tech-pulse/carphone-warehouse-fined-ps400000-for-cyber-attack