May ’18 news bits

It’s been a busy month and my twitter feed isn’t working right tonight as I write this, so I’m not going to be able to put in direct links or accurate quotes.

But it has been an interesting month in the security world! You may have heard about some of these in the news. Some highlights (and lowlights):

Major DDOS cyber crime website shut down –computerweekly.com

“Drupalgeddon” touches off arms race to exploit powerful web servers (the bug was patched in March, but many have not installed the patch).

Site linked to bank hackers is closed down. Site was responsible for selling a tool which enabled some 4 million cyberattacks.

Adobe patches four critical bugs in Flash, Indesign. (do your updates!)

Full article: https://threatpost.com/adobe-patches-four-critical-bugs-in-flash-indesign/131097/

Podcast: How millions of apps leak private data https://threatpost.com/roman-unuchek-on-apps-leaking-private-data/131332/

That’s it for this month! Stay safe out there!

January ’18 updates

WordPress core files were updated to 4.9.2 on January 16th, and WordFence saw an update to 7.1 on Jan 24. If you don’t see those on the list in your monthly report, your site received the updates as an automatic “push” from WordPress.

 

MalwareBytes bad update

If you use MalwareBytes (anti-malware program), they pushed out a bad update on Saturday, 1/27. 

How to resolve / verify you have the fixed update package:

Update package version 1.0.3803 or higher contains the fix.

To resolve, simply reboot your machine. In some cases, a second or even third reboot may be needed.

To verify you have this update, go to Settings -> About -> Update package version: 1.0.3803

Automatic Updates

We’ve had another round of important updates this month, including WordPress 4.8.3 to 4.9.0 early in the month, followed by 4.9.0 => 4.9.1 on the 29th. You may not see that one in your monthly report from us, as WordPress automatically updates the “dot” releases (those taking you from #.#.X to #.#.Y).

Sometimes the automatic updates get it done before we do!

New WordPress feature: Log in with Username, Email, or both

Since your email address can often be found ‘in the wild’ and your user name can be any dang (hard to guess) thing you want it to be, we strongly suggest that you use the User Name option. We’ll be setting everyone’s login to ‘User Name only’ unless I hear otherwise from you.