Tag Archives: Wordpress

Security News for the Week Ending May 8, 2020

The Contact Tracing Horror Begins

The UK is now saying that all of the contact data that they are collecting from the app people install on their smart phones – that data may be kept by the government forever and no, you can’t ask them to delete it. Credit: The Register

Singapore will require smartphone checkins including people’s national identity number at all businesses. People have to both check in and check out. But, not to worry, it will only be used by “authorised” people. Not only will you have to do that when you enter a business, but also when you go to the mall or the park. Credit: The Register

And India made contract tracing app mandatory in ‘hot-spots’, which could be a problem given that half the population does not own a smart phone. Credit: The Register

Governments have found a great new source of data to mine and sell.

Hackers Have Figured Out How to Make a Plane Go Up or Down at up to 3,000 feet a minute

TCAS, the collision avoidance system that the aircraft industry and governments have adopted to ‘discourage’ planes from crashing into one another by telling two planes that are close to one another to move in opposite directions from each other, is, apparently, susceptible to hacking.

The hack works by presenting phantom data to a plane that it is about to collide and needs to dive or climb. Some TCAS systems can even take over the controls. As I recall, TCAS has no security protocol as part of the system and just trusts the data it receives.

While technically pilots can disable the system to mitigate the risk, we saw how well that concept worked with the now-grounded 737 Maxs. Pilot tend to trust their instruments way more than they should. Credit: The Register

Hacking Campaign Targets 900,000 WordPress Sites

Hackers targeting WordPress sites that are not current on their patches. Wordfence security saw 20 million attack attempts on over a half million servers on May 3rd alone. The attack redirects visitors to malvertising and administrators get to deploy a free backdoor for the hackers. If you are not running Wordfence on your WordPress site, do that now. If you are not current on your patches, well, it might be too late. Credit: Bleeping Computer.

Covid-19 Themed Phishing Subjects

As Coronavirus becomes the topic of the day, hackers are using themes like these:

  • Because of COVID-19, payroll is making adjustments and we need to update account information (see hyperlink)
  • Your office location is closed, please remote in today (see hyperlink)
  • Al employees are asked to sign in (see hyperlink) and update their wellness status
  • Relief donations are being solicited (see hyperlink)

Now would be a good time to up your anti-phishing training, but be understanding that this is likely a stressful time for employees. Credit: NCMS mailing list

Ransomware. Ransomware. Ransomware

New York based law firm Grubman Shire Meiselas & Sacks, who represents dozens of A-List artists such as Madonna, Lady Gaga, Elton John, Robert de Niro and many others was hacked by the Sodinokibi ransomware group.

The hackers claim to have stolen over 750 GB of data and has published snippets of a number of documents. This hacking group is very financially successful. Given who the clients are, money is not an object and their ability to sue this law firm out of existence is also probably a good guess.

I suspect a ransom payment will be made. Not in Bitcoin – too traceable. These guys only accept Monero.

For companies that store any kind of sensitive information, this is a heads up. We are hearing about this happening (stealing your information and demanding a ransom not to publish it) every single day. Good backups will not protect you from this type of attack. Credit: Bleeping Computer

Patching, Patching and More Patching – This is Ridiculous

Last Tuesday I said patching is critical and it still is.

Maybe this is a weekly post, but I hope not.

Today’s episode:

#1 – Zero day exploit for Oracle’s Virtual Box

A security researcher got mad at how Oracle treated him in the past and so, when he found a new exploit, basically gave Oracle the middle finger and published the exploit and sample code.  All the amateur hackers now have the recipe to escape from guest virtual machine and run code in the host machine.  If you use virtual box, you should patch this quickly since it came with sample code to run the exploit.  Source:  The Hacker News .

#2 – WooCommerce plugin WordPress

WooCommerce, the eCommerce tool that is used on millions of websites can be used to gain full control over a website that has not been patched.  Again, pretty easy to exploit.  The good news is that there are patches for both WordPress and WooCommerce, but you have to  install them.  Source: The Hacker News .

#3 – Apache Struts Critical Vulnerability

Yes, THAT Apache struts.  The same one from Equifax fame.  A flaw in the file upload routine in versions earlier than 2.5.12 allows a hacker to upload and execute arbitrary code.

Here is the bad news.  There is a fix.  You have to drop in a replace JAR file with the new code.  There is no new install or version update, so this will be a pain in the ………

Vendors like Cisco and VMWare, among thousands of others, who use Struts will have to update and re-release their products, so users won’t be safe until all of these vendors have updated their code.

Hackers, of course, will try to take advantage of this flaw to attack your systems knowing that it will likely take years to get rid of all the affected code.  Source: The Register .

#4 – Microsoft Edge Browser Zero Day About to be Revealed

As, apparently, the stressed relation between security researchers and vendors continues, two researchers are about to release sample code and details of an unknown (zero day) remote code execution flaw in Microsoft Edge (shades of item 1 above).  The researchers are also trying to get hacker nirvana by elevating to system level privileges as part of the exploit.

To stick their finger in the eye of Microsoft, the researcher released a video showing the hack where they got Edge to launch Firefox and have it load the Chrome download page.  (Source: Bleeping Computer).

This is but a tiny sample of this week’s high profile bugs.  Gee Wiz!