Monday, April 27, 2015

Most malware affecting US users now comes from US (Webroot study)


An article by Jai Vijayan in “Dark Reading” reports that most malicious websites that launch malware, and most phishing attacks, on American users now originate within the US.

One reason is that sites in high-risk countries are often automatically blocked. Webroot noted that about 12 million malicious IPs function on any given day.
    
Webroot reported that the average user has a 30% chance of falling for a “zero-day” phishing attack without remediation. Of course, experienced users know how to spot suspicious emails, even fake forwards from social media.

Monday, April 20, 2015

Vulnerability in popular WordPress plugin is reported


The Sucuri blog has a warning about a serious vulnerability in a WordPress plugin, the WP Super Cache plugin, described here. About one million bloggers use it. It is fixed in Version 1.4.4. Webroot tweeted this advisory Monday evening.
  
So it’s a good security idea to keep plugins updated when upgrades are offered.
  
I did a quick check and it seems that I do not use it.  



Update: April 27

WordPress (in my case, BlueHost, at around 3:30 PM today EDT) has updated all users to 4.2.1 with a patch for the problem. Australian guru "Bogtyant" had warned WordPress users to disable comments until the problem was fixed. Updated story on Sucuri here.

WordPress has a press release on the "cross scripting vulnerability" here.

Friday, April 10, 2015

Trend Micro still lectures me on privacy settings on Twitter, Facebook


Trend Micro is still warning me about my Twitter Life, and my Facebook Life, when I use my auxiliary W8.1 Toshiba Satellite laptop. It gave me a little lecture on privacy settings.
  
Many of the points would concern people whose social media use is more integrated with that of other people on the job or in the family, than mine. 
  
I still never post anything that others can’t see. I sometimes do send direct messages by Twitter (as an alternative to email or to a text) if I think the recipient would want it to remain private; then it’s the recipient’s choice.
   

I also allow location tracking on cell phone when I really need the location data.  I do need it if I need to find an address on Google Maps in an unfamiliar city.  It’s amazingly hard to reconcile maps to what you see on the ground.  I guess I need Mapquest on my phone.  

Wednesday, April 08, 2015

Do some WordPress blogs pose a "community risk" of DDOS attacks? Do tools like Akismet for comment moderation provide protection?


There is some literature reporting that WordPress sites can be “harnessed” to facilitate DDOS (distributed denial of service) attacks against other targets through the “pingback” mechanism, using XML-RPC.
  
For example, there is a discussion here at InfoSec. The author recommends “hardening” WordPress security. One way to defend against misuse is to require comment moderation for pingbacks.

It’s possible that some WordPress bloggers will notice high page requests in their stats of a “spam” nature, which may consist of pingback requests that are held up by comment moderation. It’s a good idea to check and mark moderation queues, as it seems WordPress blogs really do tend to attract a lot of comment spam anyway. Another technique is to use a comment spam product like Akismet (which would normally prevent these large false page request counts).
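
One way to review pingback traffic for this pattern, as an added example that is not from the original post or the article it cites: the code below parses logged XML-RPC request bodies and reports any outside host that is named as the pingback source unusually often. It assumes the POST bodies sent to xmlrpc.php are available from a request log; the function names, the threshold and all hosts and IPs are hypothetical.

```python
import xmlrpc.client
from collections import Counter
from urllib.parse import urlsplit
from xml.parsers.expat import ExpatError

# Real pingback calls are tiny. Python's docs warn that xmlrpc.client is not
# hardened against maliciously constructed XML, so large bodies are skipped.
MAX_BODY = 8192
PARSE_ERRORS = (ExpatError, xmlrpc.client.Error, ValueError, LookupError, TypeError)


def pingback_source_host(body):
    """Host a blog would fetch to verify this pingback.ping call, else None."""
    if len(body) > MAX_BODY:
        return None
    try:
        params, method = xmlrpc.client.loads(body)
        if method != "pingback.ping" or len(params) != 2:
            return None
        # pingback.ping(sourceURI, targetURI): the blog fetches sourceURI.
        return urlsplit(str(params[0])).hostname
    except PARSE_ERRORS:
        return None  # malformed XML or not an XML-RPC method call


def suspected_targets(requests, threshold=3):
    """Map host -> count for hosts named as pingback source >= threshold times."""
    hits = Counter()
    for _client_ip, body in requests:
        host = pingback_source_host(body)
        if host:
            hits[host] += 1
    return {host: n for host, n in hits.items() if n >= threshold}


def sample_call(source, target):
    """Serialize one constructed request body for the sample log below."""
    return xmlrpc.client.dumps((source, target), methodname="pingback.ping")


# Constructed sample log of (client IP, POST body); every host is a placeholder.
POST_URL = "http://myblog.example/2015/04/some-post"
SAMPLE_LOG = [("198.51.100.7", sample_call(f"http://other-site.example/?r={i}", POST_URL))
              for i in range(4)]
SAMPLE_LOG.append(("203.0.113.9", sample_call("http://friend.example/reply", POST_URL)))
SAMPLE_LOG.append(("203.0.113.9", "not an XML-RPC body"))

if __name__ == "__main__":
    for host, count in suspected_targets(SAMPLE_LOG).items():
        print(f"{count} pingbacks name {host} as source; review before approving")
```

A single pingback from a site that really linked to the post stays below the threshold, while repeated calls that all point at one outside host stand out.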
  
There are some demos of how the exploit works on YouTube, like here.

I’m not sure how real the problem of WordPress-related DDOS is in practice. The DDOS is directed at a different site. It seems unlikely to cause bandwidth problems for the WordPress site itself. One could ask about legal liability if a blog is implicated, or whether Section 230 could come into play. (Coordinated post on my main blog today.)