May ’18 news bits

It’s been a busy month and my twitter feed isn’t working right tonight as I write this, so I’m not going to be able to put in direct links or accurate quotes.

But it has been an interesting month in the security world! You may have heard about some of these in the news. Some highlights (and lowlights):

Major DDoS cybercrime website shut down.

“Drupalgeddon” touches off arms race to exploit powerful web servers (the bug was patched in March, but many have not installed the patch).

Site linked to bank hackers is closed down. The site was responsible for selling a tool which enabled some 4 million cyberattacks.

Adobe patches four critical bugs in Flash and InDesign (do your updates!).

Full article:

Podcast: How millions of apps leak private data

That’s it for this month! Stay safe out there!

Why would they hack little old me?

WordFence posted a great article on “Why is an insignificant website like mine being attacked?”, a very common question asked by owners of smallish sites.

Most of it comes down to money. Here’s a quick synopsis:

1) Using your host’s server to run their own programs (the latest craze is cryptocurrency mining)

2) Leveraging your reputation

a) hosting phishing pages
b) hosting spam pages and injecting spam links
c) sending spam email
d) attacking other sites
e) hosting malicious content

3) Leveraging your site contents

a) malicious redirects
b) defacements
c) distributing malware

4) Stealing data

5) Ransomware

Full article at:

FBI warning re: W2 scam

The FBI has issued a warning about a scam which is making the rounds, asking your HR personnel to release W2 info. Be wary, especially between now and April 15th.

Captcha Bypass

We’ve seen a large uptick in the amount of spam getting past the defenses in the last two weeks; it seems someone has devised a new way to get around Captcha.

The Akismet plugin has been catching most of it on those sites which have it enabled. We’re seeing 4-5 times as much spam getting caught.

The spam which has gotten through to my email accounts typically has a short message and a link for you to “check out”. I’m sure most of you are sharp enough to know this, but just in case you’re tempted: Don’t follow the link. It’s almost surely a site which will try to infect your computer with malware.

Company fined £400k for sloppy security

A UK company, CarPhone Warehouse, was fined £400k (about half a million dollars) for a massive breach caused, or at least allowed, by ignoring basic security rules that we all should know:

  • Use secure, unique passwords (all their servers had the same root password, which was known by 30-40 people).
  • Keep software up to date (their WordPress installations were 6 years out of date; other software was also years out of date).
  • Don’t store encryption keys in plain text (although the historical transactions were protected by encryption, the encryption keys were stored in plain text within the application).

“Carphone Warehouse had claimed that the attack was ‘sophisticated’, but in reality the attacker used the Nikto web scanning tool which is freely available and checks for outdated web servers, application software and common configuration errors.”

Full article at -pulse/carphone-warehouse-fined- ps400000-for-cyber-attack

January ’18 updates

WordPress core files were updated to 4.9.2 on January 16th, and WordFence saw an update to 7.1 on Jan 24. If you don’t see those on the list in your monthly report, your site received the updates as an automatic “push” from WordPress.


MalwareBytes bad update

If you use MalwareBytes (anti-malware program), they pushed out a bad update on Saturday, 1/27.

How to resolve / verify you have the fixed update package:

Update package version 1.0.3803 or higher contains the fix.

To resolve, simply reboot your machine. In some cases, a second or even third reboot may be needed.

To verify you have this update, go to Settings -> About -> Update package version: 1.0.3803

More scary stuff

Lots more brute force attacks this month following the leak of 1.4 BILLION username/password pairs.

Away Mode

iThemes Security (installed on all the sites we manage) allows you to enable “Away Mode” – disallowing any administrator logins during hours when you’re sure nobody should be working on your site.

Hackers try to get into sites around the clock. But are you likely to log in at 3am local time?
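To make the idea concrete, here is a small Python model of an away-mode rule, written for this post as an illustration; it is not iThemes Security’s code and does not show how that plugin implements the feature. It assumes the site runs on a fixed UTC-5 offset (a real deployment would use zoneinfo so daylight-saving changes are handled), a nightly window from 22:00 to 06:00 local time, and a constructed list of login attempts stamped in UTC the way a web server logs them. The point it adds beyond the paragraph is the two details that are easy to get wrong: the window crosses midnight, and the decision has to be made in the site’s local time, not the server’s UTC clock.

```python
"""Model of an "away mode" rule: block administrator logins during a
nightly window, evaluated in the site's local time.
Added illustration for this post, not iThemes Security code."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone, tzinfo

# Constructed assumption: the site's local zone as a fixed UTC-5 offset.
# Production code would use zoneinfo.ZoneInfo("America/New_York") so that
# daylight-saving transitions are handled automatically.
SITE_TZ: tzinfo = timezone(timedelta(hours=-5))

# Away window in local wall-clock time: 22:00 through 06:00 the next day.
AWAY_START = time(22, 0)
AWAY_END = time(6, 0)


def in_away_window(local_now: datetime,
                   start: time = AWAY_START, end: time = AWAY_END) -> bool:
    """True when the local wall-clock time is inside [start, end).
    A window whose start is later than its end wraps past midnight."""
    t = local_now.time()
    if start <= end:              # e.g. 01:00 to 05:00, same calendar day
        return start <= t < end
    return t >= start or t < end  # e.g. 22:00 to 06:00, crosses midnight


def away_at(hour: int, minute: int = 0,
            start: time = AWAY_START, end: time = AWAY_END) -> bool:
    """Convenience check: is this local hour:minute inside the window?"""
    return in_away_window(datetime(2018, 1, 31, hour, minute), start, end)


@dataclass
class LoginAttempt:
    when_utc: datetime   # aware datetime in UTC, as a web server logs it
    user: str
    role: str            # e.g. "administrator", "editor"


def evaluate(attempt: LoginAttempt, site_tz: tzinfo = SITE_TZ) -> str:
    """Return 'blocked' when an administrator login falls inside the away
    window, otherwise 'allowed'. Non-admin roles are never blocked, matching
    the description of away mode as a rule on administrator logins only."""
    if attempt.role != "administrator":
        return "allowed"
    local = attempt.when_utc.astimezone(site_tz)   # convert UTC to site time
    return "blocked" if in_away_window(local) else "allowed"


# Constructed sample attempts (not real log data). Local time in comments.
SAMPLE_ATTEMPTS = [
    LoginAttempt(datetime(2018, 1, 31, 8, 0, tzinfo=timezone.utc),
                 "admin", "administrator"),    # 03:00 local -> blocked
    LoginAttempt(datetime(2018, 1, 31, 19, 0, tzinfo=timezone.utc),
                 "admin", "administrator"),    # 14:00 local -> allowed
    LoginAttempt(datetime(2018, 1, 31, 3, 30, tzinfo=timezone.utc),
                 "admin", "administrator"),    # 22:30 local (Jan 30) -> blocked
    LoginAttempt(datetime(2018, 1, 31, 8, 0, tzinfo=timezone.utc),
                 "writer", "editor"),          # 03:00 local, not admin -> allowed
]


def summarize(attempts=SAMPLE_ATTEMPTS, site_tz: tzinfo = SITE_TZ):
    """Decision for each attempt, as (user, decision) pairs."""
    return [(a.user, evaluate(a, site_tz)) for a in attempts]


if __name__ == "__main__":
    for user, decision in summarize():
        print(f"{user}: {decision}")
```

The half-open window means a login at exactly 06:00 is allowed while one at exactly 22:00 is blocked, so a window that ends at 06:00 can be followed by another that starts at 06:00 without overlap or a gap; whatever times you pick in the plugin, check that the window is expressed in the site’s timezone rather than the hosting server’s.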