Sunday, July 15, 2018

Site allows you to check if your email passwords have been stolen

“Pardon the interruption, your passwords are leaking”.  It’s a kind of incontinence.
So Geoffrey Fowler writes in the Washington Post Business, “Stolen Password? Here’s What to Do About It.”

He gives a site, “Have I Been Pwned”, here.

One of my emails was found on seven sites that had been breached, but not on any dark web sites themselves.
Fowler recommends changing every password every 90 days, using 2-step authentication, and using really long hashed (like MD5) passwords with a professional app.

Tuesday, July 10, 2018

"Dbsync" files with 0 bytes loaded by some adware on some sites

A recent Salon article stalled when I was scrolling in Google Chrome in Windows 10.  When I viewed it in Mozilla, it scrolled fine, but Mozilla asked me if I wanted to download a file called “dbsync” with zero bytes.  I let it go.

Afterwards I restarted and ran a full scan in Trend Micro, and it came up clean.  The file seems like a pivot for adware, which is probably not malicious but would be removed as “bloatware” by some security products.
In Google searches, Trend warns of some fraudulent anti-virus products that claim they will remove dbsync.

Thursday, July 05, 2018

US-CERT would do well to publish more on SQL Injection issues

I wanted to take a moment and gather some material from US-CERT in Pittsburgh on SQL Injection attacks.

The main primer dates back to 2012 and is linked here. Note that CERT reports a large number of attacks in 2008 through Microsoft IIS. The recommendations in the paper relate mainly to larger organizations and tend to suggest that theft of user PII is the biggest danger.

In 2016 CERT warned that SQL injection attacks might be attempted by foreign adversaries on voter databases, here.

NICCS offers tuition-based classes for companies on preventing SQL injections.  Usually this means employers send tech support staff to travel to cities (like Seattle) for several days.

The scale of the training required makes security a difficult matter for individual bloggers to handle on their own.  Wordpress and Automattic need to remain aggressive in fixing vulnerabilities that seem to be found at times, and bloggers should upgrade to latest versions quickly when offered. This is more true now than it was a few years ago because of the tense political climate, domestically and worldwide.
Blogger has never attracted attention for vulnerabilities like this because it uses a totally proprietary database.

Wednesday, June 27, 2018

Wordpress password change on hosted sites needs a little SQL knowledge

If you blog on Wordpress on a hosted platform, the procedure for changing a user password is more complicated than with a free blog. It’s a good idea to do this at some unpredictable intervals.
Generally, you go into phpMyAdmin, look for the database that corresponds to the blog (you need to look in the File Manager if you have more than one), look for the tables, look for the user table, and then enter a new password and choose an encryption method (usually MD5) from a drop-down. BlueHost is pretty typical.
What is stored in the database is the encrypted form of the password, not what you enter on the Wordpress login screen.
I don’t get why in this video you need to regenerate it on Wordpress itself, but I’ll look into it.

Monday, June 25, 2018

Primers on Wordpress and SQL Injection vulnerabilities

There are reports of potential vulnerabilities being found on Wordpress sites: JavaScript statements with “1=1” (always true) parameters that seem to open the door for possible SQL Injection attacks later.

Here’s a typical story.

The statement may occur in a theme, or in the wp-includes directory.

It is unclear how they are put there.
Here is a primer on how SQL injection attacks work.
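As an added example (not from any of the posts or from Wordpress itself), here is a miniature wp_users table in SQLite that ties the June 27 and June 25 posts together: the database-side password reset with an MD5 hash, and why a login query built by string concatenation is fooled by a “1=1” (always true) input while the parameterised form is not. The table contents, the user name and the password are constructed sample data.

```python
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed stand-in for wp_users with only the columns needed here.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, "
                 "user_login TEXT, user_pass TEXT)")
    conn.execute("INSERT INTO wp_users VALUES (1, 'editor', '')")
    return conn


def set_password_md5(conn, login: str, new_password: str) -> int:
    # The database-side reset: equivalent to picking "MD5" in the
    # phpMyAdmin drop-down. The column holds the hash, never the plaintext.
    digest = hashlib.md5(new_password.encode()).hexdigest()
    cur = conn.execute("UPDATE wp_users SET user_pass = ? WHERE user_login = ?",
                       (digest, login))
    return cur.rowcount  # accounts changed; should be exactly 1


def login_vulnerable(conn, login: str, password: str) -> bool:
    # Query text assembled from user input: the input can rewrite the SQL,
    # so "' OR 1=1 --" turns the WHERE clause into an always-true condition.
    digest = hashlib.md5(password.encode()).hexdigest()
    sql = ("SELECT ID FROM wp_users WHERE user_login = '" + login +
           "' AND user_pass = '" + digest + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, login: str, password: str) -> bool:
    # Parameterised query: the same input is bound as data and compared
    # literally against user_login, so it never matches.
    digest = hashlib.md5(password.encode()).hexdigest()
    row = conn.execute("SELECT ID FROM wp_users WHERE user_login = ? "
                       "AND user_pass = ?", (login, digest)).fetchone()
    return row is not None


def demo() -> dict:
    conn = make_db()
    changed = set_password_md5(conn, "editor", "correct horse battery")
    stored = conn.execute("SELECT user_pass FROM wp_users").fetchone()[0]
    always_true = "' OR 1=1 --"  # the always-true fragment the post mentions
    return {
        "rows_changed": changed,
        "plaintext_stored": stored == "correct horse battery",
        "real_login": login_safe(conn, "editor", "correct horse battery"),
        "vulnerable_bypassed": login_vulnerable(conn, always_true, "wrong"),
        "safe_bypassed": login_safe(conn, always_true, "wrong"),
    }
```

Running `demo()` shows one row changed, a hash rather than the plaintext in user_pass, the concatenated login accepting the always-true input, and the parameterised login rejecting it.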

Friday, June 15, 2018

Apple fixes lingering security flaw in iPhone that enables law enforcement investigations on locked phones

My own iPhone updated to iOS 11.4 a little while ago.

Apple has announced a security fix to prevent hackers from getting into a locked phone, but that would also preclude law enforcement from getting into one. The New York Times story by Jack Nicas is here.
Tim Cook has always said that allowing anyone but a phone owner to open it post-mortem would be a kind of “cancer”.

Thursday, June 14, 2018

Security companies need more transparency in how they report customer site risk, even to hosting providers

There has been some controversy (since mid-2017) over how security companies like SiteLock mark websites as “high risk” with apparently no transparency as to what the risk factors are.
This is also an issue because security companies usually work with hosting providers who do the billing and who might have some concerns over their own downstream liability for customers (as this climate has been changing rapidly, as with FOSTA, for example). 
Forbes had a piece in August 2017 by Kalev Leetaru, and Whitefirdesign has several articles from 2017, for example this one.
There are reports of hosting providers threatening to cut off customers who experience one malware hacking attack.  There are also reports of telemarketing calls selling site security services, which would dilute the credibility of the services if the calls weren’t legitimate.
It is not clear whether site risk is based on the technical components (use of specific Wordpress plugins, for example) or its content (whether it is controversial according to the “skin in the game” theory, which has percolated for years while getting very little media attention). 
One concern is that with network neutrality gone, telecoms could (with public pre-notice first) block sites rated as risky, either by anti-virus companies that they acquire through mergers, or even through content delivery security services like SiteLock, Cloudflare, and the like.  We already know that Cloudflare has blocked or closed accounts of some objectionable publishers (so far limited to white supremacy).
This is an evolving issue that may change with time and generate new incidents and controversies.