STE WILLIAMS

Years on, third party apps still exposing Grindr users’ locations

Grindr, the premium gay dating app, is exposing the precise location of its more than 3.6 million active users, in addition to their body types, sexual preferences, relationship status, and HIV status…

…Still.

On Thursday, the gay community blog Queer Europe reported that after five years of controversy over the app’s oversharing of highly personal data – data that can put gay men at risk of being stalked or arrested and imprisoned by repressive governments – anybody can still obtain exact locations of millions of cruising men, in spite of what Grindr has recently claimed.

Grindr itself isn’t giving away that information. Rather, it’s coming from a free, third-party app – “Fuckr” – that’s built on top of its API, without Grindr’s permission.

GitHub has been hosting Fuckr’s repository since it was released in 2015. Shortly after Queer Europe’s post, GitHub shut it down, citing the unauthorized access to Grindr’s API as the reason.

But neutering Fuckr didn’t negate the threat: as BuzzFeed News reported, as of Friday morning, there were still dozens of live forks – in other words, tweaks of the original app – out there:

Queer Europe also confirmed to BuzzFeed News that the Fuckr app is still working just fine, meaning that it can still make requests for up to 600 Grindr users’ locations at a time.

Fuckr locates Grindr users via a technique called trilateration: a mathematical way to determine the true position of a point by measuring its distance from three or more known positions near it.

Although Grindr isn’t deliberately exposing users’ locations, it hasn’t done much to keep them from being sucked up and misused by apps such as Fuckr. As far back as 2014, security researcher Patrick Wardle cited Grindr as a case study in how location-aware apps can go wrong.

At the time, there were unconfirmed reports of gay individuals being identified by the Egyptian police using an information disclosure vulnerability found in Grindr that gave away any user’s location.

Grindr shares location-based data about users down to what Wardle called an “incredible high level of accuracy” – as in, accuracy that pinpoints someone within less than a foot.

In March, Grindr released a statement in which it claimed that malicious parties can’t obtain information transmitted via its app, given that it uses certificate pinning and encrypted communications.

“A square on an atlas”

Also, it said, it doesn’t give away exact user locations – rather, it’s “more akin to a square on an atlas – not exactly where you are.” It also turned off general location data in countries like Egypt, it said (though Queer Europe notes that it wasn’t turned off in many countries that heavily repress LGBTQ+ people, including Algeria, Turkey, Belarus, Ethiopia, Qatar, Abu Dhabi, Oman, Azerbaijan, China, Malaysia and Indonesia).

Any user, or anonymous attacker, can directly query the server to gain access to a user’s location data. Moreover, by spoofing locations, an attacker can gather information about any and all users in any location, Wardle said back in 2014. Little has changed, says Queer Europe.

What’s more, a “square on an atlas” turns out to be a far more precise pinpoint than you’d want if you had reasons to keep your location from being revealed. From Queer Europe, which tested out Fuckr:

With the use of trilateration, I was able to locate users with a deviation of five to ten meters. But it was also possible to locate users even more accurately, by comparing the outcomes of several trilateration sessions. By doing so, and within a few seconds, I was able to locate cruising men with an accuracy of two to five meters, which is very precise, and accurate enough to determine in which house and room users are located. The reason why these locations can be determined so precisely is that Grindr uses a geohash of 12 characters to locate users, which equals a ‘square on an atlas’ of 37×18 centimeters.

That finding was backed up by Robbie Techie, the user name of one of the developers who worked on Fuckr. He tweeted this response to Grindr’s statement:

Grindr president Scott Chen told BuzzFeed News that the app’s geolocation feature is “core to our platform and user experience,” but also acknowledged that “there are inherent challenges in the use of any app that utilizes or relies upon location information.”

He also stuck to the company’s assertion that the app isn’t pinpointing users’ locations:

We currently utilize a geohash system, which approximates, rather than ‘pinpoints,’ all location information.

Grindr will “continue trying to evolve and improve our platform,” he said, without going into details.

The author of the Queer Europe post, who asked BuzzFeed News to identify him only as S.P., got a friend’s permission to track him on a Saturday night. Using Fuckr, S.P. tracked his friend to the specific restaurants he ate in, cafes he drank at, nightclubs where he went dancing, the gay sauna he visited at 1 a.m., and the stranger’s house he wound up in at 3 a.m.

What S.P. told BuzzFeed News:

I was shocked by the accuracy with which I could follow and track his movements.

From S.P.’s article:

By making it so easy to track individuals with precision, Grindr makes its users extremely vulnerable to harassment and stalking.

S.P. also turned Fuckr on himself. It tracked him to the precise corner of his garden where he was sitting at the time.

There are simple means by which Grindr could protect users. Human rights advocacy group Article 19 says one way would be for Grindr to show a less precise distance for users, inversely proportional to a region’s population density. Determining an area’s population density could be difficult for Grindr’s servers, though, according to Article 19 security researcher Norman Shamas.

Another method would be to show users’ locations with far less precision, as Tinder did in 2014 after research showed that precise location data – as in, latitude and longitude – could be exploited.
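As an added illustration (not code from the Queer Europe post, from Grindr or from Article 19) of the “square on an atlas” quoted above and of the coarser, density-dependent disclosure Article 19 proposes: the block below encodes a coordinate as a standard geohash, derives the cell size at each character count from the geohash bit layout, and picks the longest prefix whose cell still exceeds a chosen minimum size. It assumes roughly 111,320 m per degree (so widths are equatorial values), and the sample coordinate is constructed.

```python
"""Geohash cell sizes: what a 'square on an atlas' means at each precision."""

# Standard geohash base-32 alphabet (no a, i, l, o).
BASE32 = "0123456789bcdefghjkmnpqrstuvwxyz"
# Approximate metres per degree of latitude, and of longitude at the equator (assumption).
METRES_PER_DEGREE = 111_320.0


def geohash_encode(lat: float, lon: float, precision: int = 12) -> str:
    """Standard geohash: alternately halve the longitude and latitude ranges,
    longitude first, recording one bit per halving; 5 bits make one character."""
    lat_lo, lat_hi = -90.0, 90.0
    lon_lo, lon_hi = -180.0, 180.0
    bits = []
    use_lon = True
    while len(bits) < precision * 5:
        if use_lon:
            mid = (lon_lo + lon_hi) / 2
            if lon >= mid:
                bits.append(1)
                lon_lo = mid
            else:
                bits.append(0)
                lon_hi = mid
        else:
            mid = (lat_lo + lat_hi) / 2
            if lat >= mid:
                bits.append(1)
                lat_lo = mid
            else:
                bits.append(0)
                lat_hi = mid
        use_lon = not use_lon
    chars = []
    for i in range(0, len(bits), 5):
        index = 0
        for bit in bits[i:i + 5]:
            index = (index << 1) | bit
        chars.append(BASE32[index])
    return "".join(chars)


def cell_size_metres(precision: int) -> tuple:
    """Width (east-west) and height (north-south) of one cell at the equator."""
    total_bits = precision * 5
    lon_bits = (total_bits + 1) // 2   # longitude takes the odd bit when there is one
    lat_bits = total_bits // 2
    width = 360.0 / (1 << lon_bits) * METRES_PER_DEGREE
    height = 180.0 / (1 << lat_bits) * METRES_PER_DEGREE
    return width, height


def precision_for_min_cell(min_side_metres: float) -> int:
    """Longest geohash whose cell is still at least min_side_metres on its shorter side.
    A density-based policy would feed a larger minimum for sparsely populated regions."""
    chosen = 1
    for precision in range(1, 13):
        width, height = cell_size_metres(precision)
        if min(width, height) >= min_side_metres:
            chosen = precision
        else:
            break
    return chosen


def coarsen(geohash: str, precision: int) -> str:
    """A geohash prefix is the enclosing cell, so truncation is the disclosure control."""
    return geohash[:precision]


if __name__ == "__main__":
    for p in range(1, 13):
        w, h = cell_size_metres(p)
        print(f"{p:2d} chars: {w:12.3f} m x {h:12.3f} m")
    full = geohash_encode(42.605, -5.603)   # constructed sample coordinate
    print(full, "->", coarsen(full, precision_for_min_cell(1000)))
```

The printed table lists the cell at every precision, so the 12-character cell the quote refers to can be compared against the coarser cells a minimum-size policy would disclose instead.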

But to date, the app hasn’t done any of that: likely because when it comes to dating apps, user tracking is as much an appealing feature as it is an inherently risky one.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ltRyRQl93nc/

Here we Mongo again! Millions of records exposed by insecure database

Yet another MongoDB database instance has been found belly-up, unprotected and exposing 11 million customer records.

Former Kromtech security researcher Bob Diachenko, who made the discovery on Monday, said the database instance was revealing records that included personal details such as email addresses, full name, gender, and physical addresses (zip code, state, city of residence). The database also contained DNS data and information on server response.

To be precise, the 43.5GB dataset contained 10,999,535 email addresses, all of them Yahoo-based.

There weren’t many indications of who the database belongs to. The database name itself gave no indication of ownership – nor did the exposed data include administrator emails, system logs or host information.

But there was one hint: a small suffix in several records. Diachenko said one example was “Yahoo_090618_ SaverSpy,” while ZDNet mentioned “Content-SaverSpy-09092018”, which led some to conclude the database might belong to a coupon/discount company named SaverSpy: a daily deals website operated by Coupons.com.

Neither SaverSpy nor Coupons.com responded to inquiries from ZDNet and Diachenko, but within a few hours of those inquiries, the database was taken offline.

It sounds like this same database has a history of misconfiguration. Shodan had already tagged it as “compromised” as of June. Diachenko says it contained a “warning” database with a “Readme” collection and ransom note demanding 0.4 bitcoin to get the data released.

The ransomers must have screwed up the script, though, given that all the data were intact as of Monday. Diachenko:

I assume this is a result of failed script scenario used by crooks (and pure luck for the database owners).

This is the second unprotected MongoDB instance that Diachenko has spotted this month. Two weeks ago, he came across 445m records belonging to Veeam, a backup, disaster recovery and intelligent data management software company.

None of this is exactly MongoDB’s fault: it’s up to the people who use the product to configure it appropriately for online use. But there’s a reason the database crops up a lot in these kinds of breaches.

On some MongoDB instances, the default configuration has the database listening on a publicly accessible port as soon as it’s installed. Admins are supposed to reconfigure the settings, but many don’t. The result is an internet-connected database with no access control or authentication.

Starting with version 2.6.0, MongoDB changed that default: it now denies all networked connections to the database unless an administrator explicitly configures them.
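The two settings behind the default-exposure problem described above, as an added example (not Diachenko’s or MongoDB’s code): a small audit that flags a mongod.conf that listens on every interface or runs without authorization. The sample configs are constructed; the option names net.bindIp, net.bindIpAll and security.authorization are the real mongod.conf keys, and the minimal parser handles only that two-level layout.

```python
"""Audit a mongod.conf for the two settings behind most exposed-MongoDB incidents:
listening on every interface and running without authentication."""
import ipaddress

# Constructed sample configs: real option names, made-up values.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0        # every interface, including the public one
"""

HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1      # loopback only; reach it over SSH or a private network
security:
  authorization: enabled # every client must present credentials
"""


def parse_mongod_conf(text: str) -> dict:
    """Flatten the two-level 'section:' / '  key: value' layout mongod.conf uses into
    {'section.key': value}. Deliberately minimal: no lists, quoting or deeper nesting."""
    settings = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments
        if not line.strip():
            continue
        if not line.startswith(" "):
            section = line.strip().rstrip(":")
            continue
        key, _, value = line.strip().partition(":")
        settings[f"{section}.{key.strip()}"] = value.strip()
    return settings


def _is_loopback(address: str) -> bool:
    if address in ("localhost", "localhost6"):
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False


def audit_mongod_conf(text: str) -> list:
    """Return a list of findings; an empty list means both checks passed."""
    conf = parse_mongod_conf(text)
    findings = []

    if conf.get("net.bindIpAll", "false").lower() == "true":
        findings.append("net.bindIpAll is true: mongod listens on all interfaces")
    elif "net.bindIp" not in conf:
        findings.append("net.bindIp is not set: the listening interfaces depend on "
                        "packaging and version defaults, so set it explicitly")
    else:
        addresses = [a.strip() for a in conf["net.bindIp"].split(",") if a.strip()]
        if any(a in ("0.0.0.0", "::") for a in addresses):
            findings.append(f"net.bindIp={conf['net.bindIp']}: mongod listens on all interfaces")
        elif not all(_is_loopback(a) for a in addresses):
            findings.append(f"net.bindIp={conf['net.bindIp']}: reachable from the network; "
                            "acceptable only with authorization enabled and a firewall")

    # MongoDB's own default for security.authorization is 'disabled'.
    if conf.get("security.authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization is not 'enabled': no authentication required")

    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["ok"])
```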

The fact that the newly discovered, maybe-SaverSpy-owned database seems to have been (unsuccessfully) ransomed just points to the fact that there are crooks out there who focus on taking advantage of misconfigured MongoDB databases. As we noted when we wrote up the Veeam leak, the database even has its own flavor of ransomware called Mongo Lock.

Aside from being vulnerable to ransomware attack, these exposed records, again, also provide lots of fodder for a plethora of other attacks: spammers, scammers, and phishers of all kinds.

It’s up to database admins to lock that database down tight.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/KPJ0szisvBU/

iOS 12 is here: these are the security features you need to know about

One year to the day after iOS 11 appeared, Apple yesterday released its replacement, iOS 12.

There’s always a lot of fuss about new features, which tends to obscure the fact that iOS updates these days also come loaded with useful security upgrades and patches for software vulnerabilities.

Naked Security covered the expected iOS 12 security enhancements in August, but a quick reminder shouldn’t go amiss given that some need to be turned on by owners.

Settings you need to turn on

One of the first questions iOS 12 asks during initialisation is whether owners would like to turn on automatic iOS updating. Updating happens anyway with each major update, but without automatic updating it’s still possible to miss fixes for security issues that pop up between versions.

An interesting recent example of this is the 11.4.1 update Apple offered in July to turn on USB restricted mode in response to techniques believed to be used by GrayShift and Cellebrite to bypass the iOS lock screen – it’s turned on by default in iOS 12 but users who enabled automatic updating could have had it two months ago.

Our advice is to turn this on! You can do this manually by going to Settings > General > Software Update, while USB Restricted Mode is enabled via Settings > Touch ID & Passcode (Face ID & Passcode on the iPhone X) by making sure the USB Accessories toggle is off. This will require the device to be unlocked before connecting USB devices in future, which some might find inconvenient – see Apple’s explanation of the feature for background.

Another welcome addition: users of third-party password managers can now take advantage of the autofill feature without having to resort to tedious cut and paste or Share Sheets. LastPass, 1Password, Dashlane and Keeper have issued updates to reflect the new API that makes this possible.

This must be enabled manually via Settings > Passwords & Accounts by activating AutoFill Passwords. Authentication using Face or Touch ID is still required.

On by default

iOS 12’s password manager now comes with an audit feature that warns users when the same password has been reused across websites. This counters credential stuffing, and comes complete with the ability to generate a strong password to be stored in iCloud Keychain (rival password managers can do the same job).

As promised to loud cheers at a presentation in June, Safari in iOS 12 boosts its Intelligent Tracking Prevention (ITP) to limit the way big internet companies (code for Facebook?) collect data on browsing behaviour using cross-site tracking.

Security fixes

The most topical iOS 12 fix is the Safari and Microsoft Edge browser address bar spoofing flaw Naked Security covered last week, referenced as CVE-2018-4307 (CVE-2018-8383 on Edge). The full CVE list is on Apple’s website, but other notables include:

CVE-2018-4363: A kernel-level flaw that might allow an application to read restricted memory.

CVE-2016-1777: Apple has removed support for the RC4 cryptographic stream cipher after a researcher discovered weaknesses.

CVE-2018-4313: discovered by a large group of researchers, this one’s an application snapshot weakness in Messages through which “a local user may be able to discover a user’s deleted messages.”

CVE-2018-4338: a Wi-Fi weakness that could allow a malware app to read restricted memory.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/gaVqlQGS0J0/

Who ate all the PII? Not the blockchain, thankfully

Dutch security firm Gemalto has said its blockchain product, slated to pilot later this year, will keep personal data off the blockchain.

According to the Dutch outfit, the forgettably named Trust ID Network is aimed at users and digital service providers that need verifiable Self-Sovereign Digital IDs where “attestations” issued by trusted parties are stored on the blockchain.

Only the “attestations” will be stored on the blockchain, keeping the personally identifiable information (PII) itself under sole control of the users.

The app will sit on Corda, the open-source blockchain platform from R3.

Getting personal

A misapprehension about blockchain was that as an immutable distributed ledger it would be the perfect platform for storing PII or that such information should or would be included in each chain.

Another view held that blockchain could be used to create “attestations” on the chain that point to off-chain PII storage. It remains a controversial topic within the blockchain community.

Dan Gisolfi, IBM CTO of Trusted Identity, Blockchain Technologies, said earlier this year: “One of the most common myths surrounding blockchain and identity is that blockchain technology provides an ideal distributed alternative to a centralised database for storing personally identifiable information.

“This misconception about PII storage in the early stages of the blockchain technology adoption lifecycle is so pervasive that it inspired a Twitter thread dedicated to the debate on why putting hashed PII on any immutable ledger is a bad idea. From GDPR compliance, to correlation, to the cost of block read/write transactions, the debate continues.”

Gisolfi reckoned he was trying to debunk some myths and help people gain “an understanding for how blockchain can be used as an infrastructure for identity attestations”.

TrustedID? IDTrust? What’s it called again?

Gemalto said Trust ID Network would provide privacy, security and immutability along with a streamlined integration for service providers and the ability to support mission critical identity services.

Bertrand Knopf, Gemalto executive vice president for banking and payment, claimed in a statement that the app would solve the weaknesses of traditional, siloed identity frameworks that suffer from “clumsy user experiences”, rising costs and difficulties in complying with stricter regulations.

The EU’s General Data Protection Regulation describes pseudonymisation as an “appropriate safeguard” (recital 156) and has emphasised that it should be incentivised (recital 29). However, it does not exclude hashed or “pseudonymized” data from its remit because there is always a risk of reidentification, so this sort of solution makes a lot of sense from a regulatory point of view. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/19/gemalto_blockchain_trust_id_network/

Why waste away in a cubicle when you could be a goddamn infosec neuromancer on £50k*?

The UK government is expanding a programme that aims to get more Brits to consider careers in information security.

The Cyber Skills Immediate Impact Fund (CSIIF) pilot, launched in February 2018, resulted in the selection of seven schemes that intend to increase diversity and widen the net in recruiting for the field.

The initiatives already picked for funding are run by CompTIA, Immersive Labs, PGI Cyber Academy, the National Autistic Society, UK Cyber Security Forum Community Interest Company, Youth Fed and Integrate Agency CIC.

Young adults, individuals on the autism spectrum, those with care commitments and those looking to change careers will be offered training and counselling through these various programmes.

The government is looking to open the scheme to fresh applications this autumn, and the Department for Digital, Culture, Media and Sport (DCMS) is holding a launch event in London on Monday 24 September.

In response to queries from El Reg, DCMS offered the following statement about the funding for the programme.

In June, the Minister for Digital and the Creative Industries announced that we will be expanding the Cyber Skills Immediate Impact Fund (CSIIF).

For the pilot we offered between £10,000 and £50,000. We are increasing the funding available for second tranche and are currently finalising details, such as the criteria and bidding ranges, ahead of the launch of the CSIIF shortly.

This Fund is part of the £1.9 billion National Cyber Security Programme to build a sustainable supply of home-grown cyber security professionals, and complements existing initiatives, like CyberFirst, that help to boost the diversity of candidates entering the workforce.

Asked to comment on how many jobs DCMS hoped to create through this initiative, a spokeswoman said: “We expect to see a significant increase in both the number and diversity of candidates getting into entry-level cyber security roles.”

So no firm target then.

For the pilot, DCMS said it gave “additional scoring weighting to initiatives that looked to assist women and neurodiverse individuals get into the UK’s cyber security industry”. The expanded scheme aims to “help to identify, train and place untapped talent no matter their background”.

The more recent (ISC)2 Global Information Security Workforce Survey projected a global shortfall of 1.8 million unfilled cybersecurity vacancies by 2022 and a shortage across Europe alone of 350,000. A UK-specific breakdown isn’t available. Surveys by specialist recruitment agencies speak about generous cybersecurity salaries increasing above the rate of inflation, a growth driven by supply failing to meet demand for infosec workers. ®

* The average UK infosec pro salary according to a survey run in March this year.

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/19/cyber_security_skills_gap/

Intel releases firmware update for ME flaw

It’s only September and yet 2018 is well on its way to being remembered as the year of fixing flaws we didn’t realise were possible in hardware we’d never heard of.

This theme kicked off in January with the Meltdown and Spectre CPU cache-timing flaws (and subsequent variants) and continued last week as users found themselves patching another even more obscure low-level system.

This time, the system was Intel’s component-with-many-names, the Management Engine (ME), AKA the Manageability Engine (ME), and the Converged Security and Manageability Engine (CSME).

A flaw was discovered by researchers at Positive Technologies in the security of two of the four cryptographic keys ME uses to store sensitive data. If this story seems a bit familiar, it is: the same organisation found a previous 2017 weakness in the same Intel ME system, that affected all four keys, which itself capitalised on an even older discovery.

If this is starting to sound involved, what matters is the effect: the ability to compromise and generally mess around with files stored by ME, including the key used to secure the default admin password that protects remote access to ME itself.

Identified as CVE-2018-3655, and with updates now released, the issue affects firmware versions: 11.0 through 11.8.50; 11.10 through 11.11.50; 11.20 through 11.21.51; Intel Server Platform Services firmware version 4.0 (on Purley and Bakerville only); and Intel TXE version 3.0 through 3.1.50.

In its advisory, Intel recommends administrators contact their system or motherboard manufacturer to obtain an update that addresses this vulnerability.

Why ME matters

As previously discussed, ME is a sort of computer-within-the-computer living inside every Intel PC of the last decade, which was put there to make remote troubleshooting easier.

It has its own memory, CPU and Minix-based OS, and can remain operational even when the PC is turned off, something that may come as a surprise to many, given how few seem to have heard of it.

With the post-Meltdown world newly aware of the potential for hardware to harbour security issues, chip makers find themselves fixing a flurry of security problems in low-level technology that seemed to be fine for years. The chips are down for companies like Intel, so to speak, so it’s encouraging to see this particular fix taking place so quickly.

Intel recommends that users of Intel CSME, Intel Server Platform Service and Intel Trusted Execution Engine (TXE) update to the latest version.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/u3GIqGR6R4Y/

‘I am admin’ bug turns WD’s My Cloud boxes into Everyone’s Cloud

Miscreants can potentially gain admin-level control over Western Digital’s My Cloud gear via an HTTP request over the network or internet.

Researchers at infosec shop Securify revealed today the vulnerability, designated CVE-2018-17153, which allows an unauthenticated attacker with network access to the device to bypass password checks and log in with admin privileges.

This would, in turn, give the scumbag full control over the NAS device, including the ability to view and copy all stored data as well as overwrite and erase contents. If the box is accessible from the public internet, it could be remotely pwned, it appears. Alternatively, malware on a PC on the local network could search for and find a vulnerable My Cloud machine, and compromise it.

According to Securify, the flaw itself lies in the way My Cloud creates admin sessions that are attached to an IP address. When an attacker sends a command to the device’s web interface, as an HTTP CGI request, they can also include the cookie username=admin – which unlocks admin access.

Thus if properly constructed, the request would establish an admin login session to the device without ever asking for a password. In other words, just tell it you’re the admin user in the cookie, and you’re in.

“The network_mgr.cgi CGI module contains a command called cgi_get_ipv6 that starts an admin session that is tied to the IP address of the user making the request when invoked with the parameter flag equal to 1,” Securify explained. “Subsequent invocation of commands that would normally require admin privileges are now authorized if an attacker sets the username=admin cookie.”

The team has posted a proof-of-concept exploit showing how the bug could be targeted with a few lines of code.

POST /cgi-bin/network_mgr.cgi HTTP/1.1
Host: wdmycloud.local
Content-Type: application/x-www-form-urlencoded
Cookie: username=admin
Content-Length: 23

cmd=cgi_get_ipv6&flag=1
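For detection rather than exploitation, an added example (not Securify’s or Western Digital’s code): a parser for raw HTTP requests and a check that flags the two elements of the bypass described above, a cgi_get_ipv6 call with flag=1 and a client-supplied username=admin cookie, so a reverse proxy or IDS in front of the NAS can alert or block. The benign and second-stage requests are constructed; the placeholder CGI path and session cookie name in them are assumptions.

```python
"""Flag requests that match the My Cloud auth-bypass pattern (CVE-2018-17153)
so they can be alerted on or blocked at a reverse proxy in front of the NAS."""
from urllib.parse import parse_qs

# The proof-of-concept request quoted in the article.
POC_REQUEST = (
    "POST /cgi-bin/network_mgr.cgi HTTP/1.1\r\n"
    "Host: wdmycloud.local\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: username=admin\r\n"
    "Content-Length: 23\r\n"
    "\r\n"
    "cmd=cgi_get_ipv6&flag=1"
)
# Constructed: a follow-on command that carries only the forged cookie.
# The CGI path is a placeholder, not a real My Cloud endpoint.
SECOND_STAGE_REQUEST = (
    "POST /cgi-bin/PLACEHOLDER_admin.cgi HTTP/1.1\r\n"
    "Host: wdmycloud.local\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: username=admin\r\n"
    "\r\n"
    "cmd=list_shares"
)
# Constructed: an ordinary page load with an assumed session cookie name.
BENIGN_REQUEST = (
    "GET /web/index.html HTTP/1.1\r\n"
    "Host: wdmycloud.local\r\n"
    "Cookie: sid=constructed-session-token\r\n"
    "\r\n"
)


def parse_http_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, headers, cookies and
    merged query/form parameters (first value of each key)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    cookies = {}
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = value
    path, _, query = target.partition("?")
    params = {k: v[0] for k, v in parse_qs(query).items()}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params.update({k: v[0] for k, v in parse_qs(body).items()})
    return {"method": method, "path": path, "headers": headers,
            "cookies": cookies, "params": params}


def detect_bypass(req: dict) -> list:
    """Findings for the two stages of the bypass; empty list means nothing matched."""
    findings = []
    if (req["path"].endswith("/network_mgr.cgi")
            and req["params"].get("cmd") == "cgi_get_ipv6"
            and req["params"].get("flag") == "1"):
        findings.append("cgi_get_ipv6 with flag=1: IP-bound admin session bootstrap")
    if req["cookies"].get("username") == "admin":
        findings.append("username=admin cookie: privilege claim in a client-controlled cookie")
    return findings


def should_block(raw: str) -> bool:
    return bool(detect_bypass(parse_http_request(raw)))


if __name__ == "__main__":
    for label, raw in (("poc", POC_REQUEST), ("second stage", SECOND_STAGE_REQUEST),
                       ("benign", BENIGN_REQUEST)):
        print(label, detect_bypass(parse_http_request(raw)))
```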

Securify said it reported the vulnerability to Western Digital back in April, but did not receive a response. Now, some five months later, they are finally disclosing the bug.

Western Digital did not return a Reg request for comment on the matter.

This isn’t the first time Western Digital was taken to task for lax security on the My Cloud storage line. In January, the company had to scramble out a fix after a researcher discovered a number of My Cloud devices had a hard-coded password left in their firmware. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/18/remote_access_vulnerability_western_digital_my_cloud/

US State Department confirms: Unclassified staff email boxes hacked

The US State Department has confirmed one of its email systems was attacked, potentially exposing the personal information of some of its employees.

Uncle Sam’s officials said in a statement to The Register on Tuesday that “suspicious activity” in its email system led it to send out warnings to a number of employees whose personal information may have been exposed to network intruders.

However, it didn’t specify exactly what information had been accessed, though it noted that no classified data had been accessed – those documents are transmitted through a separate email system.

“The Department recently detected activity of concern in its unclassified email system, affecting less than 1 per cent of employee inboxes. Like any large organization with a global presence, we know the Department is a constant target for cyber attacks,” El Reg was told.

“We have not detected activity of concern in the Department’s classified email system. We determined that certain employees’ personally identifiable information (PII) may have been exposed. We have already notified those employees.”


The State Department has promised to foot the bill for three years of credit and identity theft monitoring for those workers. According to its own estimates, the State Department employs around 69,000 people, meaning that, if the numbers are to be believed, somewhere around 600-700 people were impacted by this incident.

So far, there is no word on who might have been responsible for the network breach and when they might have done it.

“This is an ongoing investigation and we are working with partner agencies, as well as the private sector service provider, to conduct a full assessment,” the State Department said.

“We will reach out to any additional impacted employees as needed.”

As it stands, this will not shape up to be a major data loss on the scale of, say, the 2015 OPM network breach, when hackers made off with more than 25 million government employee personnel records. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/18/state_department_hacked/

Judge: Georgia’s e-vote machines are awful – but go ahead and use them

A US judge has OK’d the use of paperless electronic voting machines in Georgia – despite being “gravely concerned” about the state’s ability to defend them from hackers.

District Judge Amy Totenberg said in a ruling (PDF) issued Tuesday that the state would be allowed to use the machines to collect and tabulate votes in this November’s mid-term elections, as there simply wasn’t enough time to get a paper-based voting system set up.

The judgment was handed down in a lawsuit filed in Georgia that attempted to block the use of the electronic ballot boxes in the US state.

“While Plaintiffs have shown the threat of real harms to their constitutional interests, the eleventh-hour timing of their motions and an instant grant of the paper ballot relief requested could just as readily jeopardize the upcoming elections, voter turnout, and the orderly administration of the election,” Totenberg wrote.

“Defendants introduced substantial evidence from Elections Directors from counties with major populations regarding the fiscal, organizational, and practical impediments and burdens associated with a court order that would require immediate implementation of paper ballot and ballot scanning voting systems for the 2018 election cycle.”

This despite the judge’s scathing assessment of the plan to use the paperless voting machines. Among the issues Totenberg cited were a lack of audit trails, and that security vulnerabilities in the state’s Direct Recording Electronic (DRE) voting system were yet to be fully fixed.

“The Court is gravely concerned about the State’s pace in responding to the serious vulnerabilities of its voting system – which were raised as early as 2016 – while aging software arrangements, hardware, and other deficiencies were evident still earlier,” she noted.


The ruling strikes down a request from plaintiff Donna Curling, who filed suit against Georgia’s Secretary of State Brian Kemp seeking to have the insecure DRE machines barred from use via an injunction. Curling’s team has already filed an appeal of the judgment.

Though the ruling will allow the November election to take place using the disputed e-voting machines, Totenberg suggested the state will have to introduce a more secure voting system that includes a paper trail ahead of the 2020 elections.

“Advanced persistent threats in this data-driven world and ordinary hacking are unfortunately here to stay,” the judge wrote.

“Defendants will fail to address that reality if they demean as paranoia the research-based findings of national cybersecurity engineers and experts in the field of elections. Nor will surface-level audit procedures address this reality when viruses and malware alter data results and evade or suppress detection.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/09/18/us_georgia_paperless_voting_security/

Websites Attack Attempts Rose in Q2

New data shows hackers hit websites, on average, every 25 minutes.

New data shows attackers are trying to sneak past malware scanners on websites using stealthy hacks such as cryptojacking and malicious JavaScript.

Website security service provider SiteLock analyzed data from 6 million customer websites for the second quarter of 2018 and found that a website, on average, suffers 58 attack attempts per day – or one every 25 minutes – an increase of 16% since the first quarter of this year. That jump comes after a dip in attack attempts from the fourth quarter of 2017 (63 attempts each day) to Q1 of this year (50 per day).

Why the temporary dip? “Malware detection tools are getting better,” says Jessica Ortega, a researcher with SiteLock. “Attackers had to step back and hone their skills a bit to find new and sneakier ways to get into websites.”

The latest methods of choice are cryptojacking and JavaScript-based attacks, the data shows. Cryptojacking attacks doubled from Q1, while malicious JavaScript files rose 16%. The two go hand in hand, as well, SiteLock said in its report. “This new trend is not surprising because many cryptojacking scripts use JavaScript kits to deploy and collect the mined cryptocurrency. Because cryptojacking and JavaScript are often symptomless to the website owner, they are becoming a new favorite weapon of cybercriminals,” the report said.

The two attacks are also leading the way so far in Q3, according to SiteLock’s Ortega. “They’re going to continue to grow,” she says.

But that doesn’t mean old-school website attack methods are fading away. “The old standbys – SEO and backdoor files – are not going anywhere. Nearly half of infected sites have one backdoor file on them,” she says. “That’s easy to deploy.”

Some 1% of websites in Q2 were infected with malware, with the average infection requiring cleanup of 178 files – a decline of 28% from Q1 and 91% from Q2 2017.

According to SiteLock, 9% of websites had at least one vulnerability of either cross-site scripting (XSS), cross-site request forgery (CSRF), or SQL injection. That was a 3% increase over Q1. “Those represent the three most common vulns. It’s totally possible that the sites have other types of vulns” as well, Ortega notes.

Social Malware

Websites that connect to one social media platform are two times more likely to be infected with malware, according to the study, and sites connected to three or more platforms are three times more likely to get infected.

“We know a lot of sites use plug-ins to connect to social media,” Ortega says, and that often leaves websites vulnerable to social media-borne attacks and data stealing. SiteLock recommends performing due diligence before installing any social media or other plug-ins, confirming that they provide regular security updates and patches, and studying reviews of the apps.

And gone are the days when small website owners can rely on search engine providers alone to alert them and visitors of an infection on their sites. “Of 19.2 million infected sites, only 3 million got flagged by search engines,” she says.

SiteLock recommends updating Web apps regularly, and deploying malware scanning and Web application firewalls.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/threat-intelligence/websites-attack-attempts-rose-in-q2/d/d-id/1332833?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple