Monday, February 01, 2016

WordPress vulnerabilities seem to invite "ISIS-related" hacks

There are numerous reports on the web that WordPress sites have been vulnerable to hacks, especially ones related to radical Islam (for want of a better name), that is, ISIS.

Nick Fogle has a detailed post (no date) on how he solved one hack. The technical knowledge required is considerable, although a lot of it is basic Unix.

In fact, on April 7, 2015 the FBI posted an advisory about WordPress vulnerabilities that led to hacks of some sites, purported to be by ISIS but likely to be by domestic imitators. Many of the vulnerabilities are related to “themes”, and maintaining security updates from WordPress (even automating them) is considered essential. WordPress often puts out new versions of the basic engine to fix possible vulnerabilities, just as Microsoft does. WordPress sites are different from Blogger in that a copy of WordPress lives on the customer’s rented space.

ZDNet has a story explaining which obsolete plug-ins are most vulnerable, and says that Google has blacklisted about 10000 sites from its engine because of malware.

The Huffington Post has a story on some purported attacks.

A real attack from an overseas enemy (as with the North Korean hack on Sony) could have national security implications, even if it seems improbable for an average small user. After 9/11, there were concerns that enemies could place steganographic instructions on amateur websites, but this has not happened much. I haven't heard of prosecutions of website owners "framed" for possessing some sort of unlawful content (whether child pornography or support for a foreign enemy) but it sounds like something a determined enemy could conceivably pull off. The idea of "mens rea" could possibly be critical.

Update: February 3

eWeek explains the security fixes in the new WordPress 4.4.2 update. WordPress has its own explanation.

