STE WILLIAMS

White House staffers jabbed with probe over private email use

The US House of Representatives Committee on Oversight and Government Reform has sent a letter [PDF] to White House lawyers demanding details of how many of its staffers have been using private email for government business.

On Sunday, Politico reported that the President’s son-in-law and adviser Jared Kushner had used private email to conduct some government business since late last year, which could be a violation of the Presidential Records Act. By Monday, the number of staffers accused of doing the same had risen to six, including Kushner. Separately, documents released by an advocacy group claim the President’s daughter Ivanka Trump has also been using a personal email account for government business, although she is not a paid staffer.

“With numerous public revelations of senior executive branch employees deliberately trying to circumvent these laws by using personal, private, or alias email addresses to conduct official government business, the Committee has aimed to use its oversight and investigative resources to prevent and deter misuse of private forms of written communication,” reads the committee letter, sent on Monday.


The memo asks for details on any staffer who has used personal email, text messages or phone-based messaging apps for government duties. In addition, the committee wants the names of anyone who has used encryption for personal contact.

The news is embarrassing to the administration, after a presidential campaign dominated by cries of “lock her up” from President Donald Trump over Hillary Clinton’s private email server. Secretary Clinton certainly wasn’t holding back, calling the news proof of Republican double-think.

“It’s just the height of hypocrisy,” she said in an interview on Sirius XM radio this week. “It is something that if they were sincere about it, I think you’d have Republican members of Congress calling for an investigation.”

But the former secretary of state and presidential candidate rather misses the point on this. Clinton ran pretty much all her government business through a privately managed email server – and was ultimately cleared by the FBI – whereas Kushner et al are accused of using personal email inboxes every now and again to receive messages from people or forward notes to official addresses.

That’s not to say that there isn’t plenty of hypocrisy to go around. In 2007, an investigation in the Bush administration found that the Republicans had been running a domain called gwb43.com to communicate and evade the Presidential Records Act. But before an investigation could take place, the party wiped the servers, destroying some 22 million emails.

The fact of the matter is that it’s going to be near impossible for the Presidential Records Act as it is currently written to work. The legislation was passed in 1978 during the post-Watergate reforms and at a time when email, mobile phones, and encrypted messaging apps didn’t exist in the mainstream.

It’s clear that the law needs a revision, but even so it would be near-impossible to enforce. A couple of hundred dollars will buy anyone a smartphone with encrypted applications and, short of body searching people when they enter the building, there seems to be no solution. ®

Sponsored:
The Joy and Pain of Buying IT – Have Your Say

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/27/6_white_house_staff_private_email/

Oracle corrals and patches Struts 2 vulnerabilities

Oracle has stepped outside its usual quarterly security fix cycle to address the latest Apache Struts 2 vulnerability.

Ever since it emerged at the start of September, CVE-2017-9805 has been (in the words of a former Australian prime minister) “a shiver looking for a spine to crawl up”, because so many vendors build their Web interfaces on Apache Struts 2 and bake it into their Web application frameworks.

Big Red’s sprawling product set meant fixes had to be deployed across more than 20 products including Siebel Apps, Oracle Communications Policy Management, 21 financial services products, the WebLogic Server, the MySQL Enterprise Monitor, and its Retail XBRi Loss Prevention software.

While it was doing one out-of-cycle patch, Oracle also plugged CVE-2017-7672, CVE-2017-9787, CVE-2017-9791, CVE-2017-9793, CVE-2017-9804, and CVE-2017-12611.

The unsafe Java deserialisation vulnerability sits in the Struts 2 REST plugin, which hands untrusted XML to XStream without restricting the classes it may instantiate. It let miscreants execute arbitrary code, without authentication, on any server running a Struts application that exposed the affected REST endpoints.

As infosec experts explained to The Register last week, Web application security is very much a “you snooze, you lose” game: any technical debt at all makes it hard to catch up with patches.

Oracle’s not the only company to find auditing a big product suite is tough work. Cisco’s scrambled, too, and in multiple iterations of its advisory has narrowed its exposure down to four products.

Two of those – Cisco Digital Media Manager and the MXE 3500 Series Media Experience Engine – are end-of-life and won’t be patched. Cisco Network Performance Analysis has been patched and its Internet video streaming suite awaits its Band-Aid. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/27/oracle_emergency_apache_struts_2_patches/

Have MAC, will hack: iThings have trivial-to-exploit WiFi bug

iThing owners, do not skip iOS 11: it plugs a dead-easy-to-exploit drive-by WiFi bug.

All an attacker needed to own a phone with a vulnerable Broadcom WiFi chip was the target’s MAC address, and exploit code running on a laptop.

As shown in this now-unsealed Google bug thread, this discovery by Gal Beniamini – very like one he warned about in April – was first raised in June as an out-of-bounds write.

The thread says an oversized value can be put in the unvalidated “Channel Number” field in the code handling WiFi neighbour responses. Because the field is used as an index without a bounds check, a large value makes the firmware write to an address that should be inaccessible to a remote peer.
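To make that bug class concrete, here is an added Python model of the handler, not Beniamini’s exploit and not the Broadcom firmware: a neighbour-report parser that uses the peer-supplied channel number as a table index, next to the bounds-checked version. The memory layout (a 64-slot channel table followed by a 4-byte dispatch value inside a 256-byte region), the 9-byte entry layout and the sample entries are all assumptions made for illustration.

```python
import struct

# Assumed layout of the simulated firmware data region (not the real chip's).
FW_MEM_SIZE = 256
CHAN_TABLE_OFF = 0
MAX_CHANNELS = 64                              # table has slots for channels 0..63
DISPATCH_OFF = CHAN_TABLE_OFF + MAX_CHANNELS   # unrelated state sits right after the table
DISPATCH_INIT = 0x0000C0DE

# Assumed wire layout of one neighbour-report entry: BSSID(6) opclass(1) channel(1) rssi(1).
ENTRY_FMT = "<6sBBb"
ENTRY_LEN = struct.calcsize(ENTRY_FMT)   # 9 bytes


def fw_init() -> bytearray:
    """Fresh simulated firmware memory: zeroed table, known dispatch value after it."""
    mem = bytearray(FW_MEM_SIZE)
    struct.pack_into("<I", mem, DISPATCH_OFF, DISPATCH_INIT)
    return mem


def dispatch_value(mem: bytearray) -> int:
    """Read back the state that lives just past the channel table."""
    return struct.unpack_from("<I", mem, DISPATCH_OFF)[0]


def parse_entry(data: bytes) -> dict:
    """Parse one neighbour-report entry; a short element is rejected, not read past."""
    if len(data) < ENTRY_LEN:
        raise ValueError("short neighbour report entry")
    bssid, op_class, channel, rssi = struct.unpack_from(ENTRY_FMT, data, 0)
    return {"bssid": bssid, "op_class": op_class, "channel": channel, "rssi": rssi}


def record_unchecked(mem: bytearray, entry: dict) -> None:
    """Vulnerable: the peer-supplied channel byte is used directly as the table index.
    Any value from 64 to 255 lands past the table, in whatever state follows it."""
    mem[CHAN_TABLE_OFF + entry["channel"]] = entry["rssi"] & 0xFF


def record_checked(mem: bytearray, entry: dict) -> bool:
    """Fixed: refuse any channel the table has no slot for; return False when dropped."""
    if entry["channel"] >= MAX_CHANNELS:
        return False
    mem[CHAN_TABLE_OFF + entry["channel"]] = entry["rssi"] & 0xFF
    return True


# Constructed sample entries (not captured traffic): one benign, one whose channel
# number points at the first byte after the table.
BENIGN_ENTRY = struct.pack(ENTRY_FMT, bytes.fromhex("0a1b2c3d4e5f"), 81, 11, -60)
ATTACK_ENTRY = struct.pack(ENTRY_FMT, bytes.fromhex("0a1b2c3d4e5f"), 81, DISPATCH_OFF, -1)


def demo(handler) -> int:
    """Feed both entries to a handler and return the dispatch value afterwards."""
    mem = fw_init()
    for raw in (BENIGN_ENTRY, ATTACK_ENTRY):
        handler(mem, parse_entry(raw))
    return dispatch_value(mem)


if __name__ == "__main__":
    print(f"unchecked handler: dispatch = {demo(record_unchecked):#010x}")
    print(f"checked handler:   dispatch = {demo(record_checked):#010x}")
```

With the unchecked handler the attack entry overwrites the low byte of the value after the table; the checked handler drops the entry and the value is untouched. The real bug is the same shape, with real firmware state on the far side of the table.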

Beniamini posted his exploit to the still-private discussion on August 23, and the post went public a week after iOS 11 landed.

“The exploit has been tested against the Wi-Fi firmware as present on iOS 10.2 (14C92), but should work on all versions of iOS up to 10.3.3 (included)” the post states. “However, some symbols might need to be adjusted for different versions of iOS, see ‘exploit/symbols.py’ for more information.”

Upon successful execution of the exploit, a backdoor is inserted into the firmware, allowing remote read/write commands to be issued to the firmware via crafted action frames (thus allowing easy remote control over the Wi-Fi chip).

After that, it’s child’s play: “You can interact with the backdoor to gain R/W access to the firmware by calling the “read_dword” and “write_dword” functions, respectively.”

While it’s not the same as the bug Beniamini discovered in April, his subsequent work (in a follow-up also written in April) warned that SoCs in smartphones are a huge and unaudited attack surface. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/27/ios_11_plugs_wifi_vulnerability/

Deloitte is a sitting duck: Key systems with RDP open, VPN and proxy ‘login details leaked’

Monday’s news that multinational consultancy Deloitte had been hacked was dismissed by the firm as a small incident.

Now evidence suggests it’s no surprise the biz was infiltrated: it appears to be all over the shop, security wise.

On Tuesday, what seemed to be a collection of Deloitte’s corporate VPN passwords, user names, and operational details were found lurking within a public-facing GitHub-hosted repository. These have since been removed in the past hour or so. In addition, it appears that a Deloitte employee uploaded company proxy login credentials to his public Google+ page. The information was up there for over six months – and was removed in the past few minutes.

We were tipped off to these pages by an eagle-eyed reader, and grabbed a couple of screenshots of the potentially offending data:

Screenshot of some of the alleged VPN details for accessing Deloitte’s network that leaked onto GitHub – we’ve censored what looks like passwords


Screenshot of a portion of the Google+ page with Deloitte proxy login information

On top of these potential leaks of corporate login details, Deloitte has loads of internal and potentially critical systems unnecessarily facing the public internet with remote-desktop access enabled. All of this gear should sit behind a firewall or VPN, with two-factor authentication in front of it, as per industry best practice. And likely the best practice Deloitte recommends to its clients, ironically.

“Just in the last day I’ve found 7,000 to 12,000 open hosts for the firm spread across the globe,” security researcher Dan Tentler, founder of Phobos Group, told The Register today. “We’re talking dozens of business units around the planet with dozens of IT departments showing very different aptitude levels. The phrase ‘truly exploitable’ comes to mind.”

For example, he found a Deloitte-owned Windows Server 2012 R2 box in South Africa with RDP wide open, acting as what appears to be an Active Directory server – a crucial apex of a Microsoft-powered network – and with, worryingly, security updates still pending installation. Other cases show IT departments using outdated software, and numerous other security failings.

Here’s an example system with NetBIOS open:

Here’s what appears to be an Active Directory server with RDP open…

…complete with administrative users and, if you look closely, Windows Updates still pending:

And as other infosec experts have spotted, plenty of other stuff is sitting online, searchable using Shodan, waiting to be prodded by miscreants and other curious minds:

These systems could be used as crucial footholds for hackers into the consultancy giant’s internal networks.
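The kind of sweep Tentler describes can be reduced to a few rules. Here is an added Python example, not Phobos Group’s or anyone else’s tooling, that folds Shodan-style host records into one entry per host and scores the combinations that matter most: a remote-admin or Windows file service reachable from the internet, worse still on a box that looks like a domain controller or runs an unsupported OS. The export shape, the port and OS lists, and the records themselves are constructed for illustration; none are real Deloitte systems.

```python
import json

# Constructed records in a Shodan-style export shape (ip_str, port, product, os, tags).
# These hosts are made up for illustration; they are not Deloitte systems.
SAMPLE_EXPORT = """\
{"ip_str": "203.0.113.10", "port": 3389, "product": "Remote Desktop Protocol", "os": "Windows Server 2012 R2", "tags": ["domain-controller"]}
{"ip_str": "203.0.113.10", "port": 445, "product": "SMB", "os": "Windows Server 2012 R2", "tags": ["domain-controller"]}
{"ip_str": "203.0.113.11", "port": 139, "product": "NetBIOS", "os": "Windows Server 2008", "tags": []}
{"ip_str": "203.0.113.12", "port": 443, "product": "nginx", "os": null, "tags": []}
{"ip_str": "203.0.113.13", "port": 3389, "product": "Remote Desktop Protocol", "os": "Windows 10", "tags": []}
"""

# Remote-admin services that belong behind a VPN or firewall, never bare on the internet.
ADMIN_PORTS = {3389: "RDP", 5985: "WinRM", 5986: "WinRM", 22: "SSH", 23: "Telnet"}
# Windows file/RPC services that hand out names, shares and versions to anyone who asks.
LEGACY_PORTS = {135: "MS-RPC", 137: "NetBIOS-NS", 138: "NetBIOS-DGM", 139: "NetBIOS-SSN", 445: "SMB"}
# OS strings already out of mainstream support in 2017 (assumed list, extend as needed).
UNSUPPORTED_OS = ("Windows Server 2003", "Windows Server 2008", "Windows XP", "Windows 7")


def parse_export(text: str) -> list:
    """Parse a newline-delimited JSON export, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def triage(records: list) -> list:
    """Fold per-port records into one entry per host, then score each host's exposure."""
    hosts = {}
    for r in records:
        h = hosts.setdefault(r["ip_str"], {"ports": set(), "os": r.get("os"), "tags": set()})
        h["ports"].add(r["port"])
        h["tags"].update(r.get("tags") or [])

    findings = []
    for ip, h in hosts.items():
        reasons, score = [], 0
        for p in sorted(h["ports"] & set(ADMIN_PORTS)):
            reasons.append(f"{ADMIN_PORTS[p]} ({p}) reachable from the internet")
            score += 3
        for p in sorted(h["ports"] & set(LEGACY_PORTS)):
            reasons.append(f"{LEGACY_PORTS[p]} ({p}) reachable from the internet")
            score += 2
        # An exposed admin or file service on a domain controller is the worst case:
        # one guessed credential or unpatched bug gives up the whole directory.
        if score and "domain-controller" in h["tags"]:
            reasons.append("host appears to be a domain controller")
            score += 5
        if h["os"] and h["os"].startswith(UNSUPPORTED_OS):
            reasons.append(f"unsupported OS: {h['os']}")
            score += 2
        if reasons:
            findings.append({"ip": ip, "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in triage(parse_export(SAMPLE_EXPORT)):
        print(f"{f['ip']} score={f['score']}: " + "; ".join(f["reasons"]))
```

The scoring weights are arbitrary; what matters is that the combination (RDP plus SMB plus “this is a DC”) floats to the top of a list of thousands of hosts, which is where a defender should start.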

The Google+ page appeared to show that a Deloitte employee has been writing down VPN access controls on his personal page in full view of everyone. Using Google’s vaunted search facilities, a hacker could easily find enough information to launch an attack with a good chance of success.

All this is embarrassing for Deloitte, which billed itself as the top IT security consultancy in the industry. The firm makes millions selling its tech guru services to others for a hefty price – and yet seems to ignore potentially gaping holes in its own IT infrastructure.

The details now emerging are also rather embarrassing for analyst firm Gartner, which in June named Deloitte the world’s best IT security consultancy for the fifth year in a row. Gartner has yet to respond to a request for information on how its conclusion was reached.

It doesn’t help that Deloitte isn’t much liked by other security researchers for its business practices. The firm has a reputation for low-balling contractors on fees – particularly for penetration testing – and the schadenfreude of Deloitte being so bad at its own security has delighted some.

“Between Equifax and Deloitte, starting to see through the tissue paper of corporate America’s security industry companies making huge claims, when in reality it’s a whole bunch of hypocrites,” said Tentler.

“You’d think Deloitte claims to have all this super elder-god style security talent. If that was the case they might consider using that talent on its own infrastructure.”

Deloitte has not responded to a request for comment. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/26/deloitte_leak_github_and_google/

Google reveals Android Robocop AI to spot and destroy malware

In its ongoing quest to trap and kill Android malware, Google has, as usual, turned to machine learning – and is reporting some success.

Speaking at the Structure Security conference in San Francisco today, Adrian Ludwig, head of Android security, said the ads giant has trained systems using telemetry data from handsets – information such as which apps are installed and uninstalled, the behavior of the software, and so on, presumably.

These device statistics would, we imagine, be gathered by Google Play services, which pings the California mothership with telemetry from devices. Ludwig wasn’t particularly precise about this data collection, funnily enough. Ultimately, the goal is to craft an AI system capable of automatically identifying and removing malware by judging code’s behaviour rather than its signatures.

Gradually, the learning system improved its game, Ludwig said: six months ago the software was only successfully flagging up five per cent of malware samples thrown at it. As of last week, that figure is now 55 per cent, meaning it’s now making a dent into Android infection rates by spotting and zapping nasties either on the Play store or on people’s gadgets, or both.


Google’s Play Protect system can highlight and remove any evil software discovered during scans of handhelds – presumably it could check with the Robocop AI back at base on whether or not a given app is naughty or nice. In addition to this, Google could use the AI to automatically weed malicious applications out of its Play store.

At the beginning of the year, we’re told, about 0.6 per cent of Android’s two billion user base was infected by malware. Ludwig said that figure was now 0.25 per cent, thanks to this AI software.

“When you ask where Android security was six years ago, it was nowhere near as good as desktop computing,” Ludwig told the conference. “Now we’ve left desktop computers in the dust.”

Google is, obviously, not the first to use AI for classifying malware. However, the internet goliath has a big advantage over other industry players due to the volume of data at its fingertips. Ludwig said Android users cover every country on Earth, and every socioeconomic class. We even found out today that Bill Gates is an Android user. That means there’s a wealth of Android usage data flowing into Google from all corners of the planet, and all layers of society, that can be used to train the system on what bad apps look like.

Still, it requires human supervision. Every so often, software nasties slip past Google’s code-checking systems and into the official Play store, for instance.

“Machine learning isn’t pixie dust,” Ludwig said. “You’ve got to have people reviewing and checking along the way. But it is making a major difference.” ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/09/26/google_success_machine_learning_malware_engines/

Chevron’s Jump to the Cloud is a Journey

Enterprises entertaining a move to the cloud should brace themselves for a challenging path of discovery.

Enterprises that embrace a move to the cloud should prepare themselves for a run into the unknown, advises Gretchen Myers, Chevron’s team lead for security strategy and emerging technologies.

Myers, who spoke this week at the ISC(2) Security Congress in Austin, Texas, leads Chevron’s cloud efforts that kicked off in 2015. She describes the lessons learned as a journey of discovery, rather than a jump into a new technology.

As part of this journey, Chevron slogged through the thousands of employees using cloud-based services, and tackled a plan to migrate data to a cloud provider by early next year.

Chevron, as part of this cloud strategy, brought in a Cloud Access Security Broker (CASB) to determine which cloud vendors employees were using and to manage that environment.

This process entailed determining which Web sites employees were already accessing for cloud services, such as software as a service (SaaS) provider Salesforce.com, and consumer-business services like Facebook, Myers recalled, adding that was an easy task.

But once the CASB determined which websites employees were accessing, Chevron had to determine how much company business was actually being conducted across the more than 7,000 websites, Myers said.

“We went down from more than 7,000 unsanctioned sites to 250 approved sites,” Myers said. The task of culling the list of cloud vendors was arduous, she said.

It required turning the mammoth list of websites over to IT managers, who in turn queried their employees on the purpose of the websites they were visiting. In a number of cases, the discussions led the company to block access to those sites. 

And last year, Chevron allowed restricted use of some websites, where a limited number of people needed access for work-related business. For example, Chevron employees no longer have access to Facebook on company computers, with the exception of the company’s marketing department, which uses it for work-related purposes, Myers says.

The oil giant, meanwhile, is planning to move a portion of its data to a hosted cloud environment, says Myers.

The things that concern Myers about this transition include how secure Chevron’s application programming interfaces (APIs) are, and how secure Chevron’s data is if the company leaves encryption to the cloud service provider rather than encrypting the data itself and holding on to the master key.


One of the most important lessons Myers says she has learned on her journey is to frame the problem the company faces and stick to solving it.

“People would come up and say what about this, what about that?” Myers said. “It’s easy to get sidetracked.”  


Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s …

Article source: https://www.darkreading.com/cloud/chevrons-jump-to-the-cloud-is-a-journey/d/d-id/1329983?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cybercrime Costs Each Business $11.7M Per Year

The most expensive attacks are malware infections, which cost global businesses $2.4 million per incident.

The average cost of cybercrime in 2017 was $11.7 million per organization, a 23% increase from $9.5 million in 2016 and a 62% increase over the past five years for global businesses.

In a new study, “The Cost of Cybercrime” by Accenture and the Ponemon Institute, researchers polled 2,182 security and IT pros across 254 organizations around the world. They found each company experiences 130 breaches per year, a 27.4% increase from 2016 and nearly double its count five years ago. And as cyber attacks increase, so too does their cost.

The study considered four key impacts of cybercrime: business disruption, data loss, revenue loss, and equipment damage. Forty-three percent of respondents said information loss is most damaging; the least is business disruption, which dropped from 39% in 2015 to 33% this year.

Malware infections are the most expensive type of cyber attack, at an average of $2.4 million per infection globally ($3.82 million in the United States). Web-based attacks, the second most expensive, cost $2 million per incident globally ($3.40 million per incident in the US).

Financial services and energy were the hardest-hit sectors in 2017, with average annual costs of $18.28 million and $17.20 million, respectively. Australia reports the lowest total average attack cost at $5.41 million, and the UK had the lowest year-over-year cost change ($7.21 million in 2016 to $8.74 million in 2017). US companies spend more to address all types of cyber attacks.

Outside studies support the idea that cybercrime costs differ across businesses and industries. Forrester recently found data breach costs vary significantly by organization. Furthermore, publicly reported numbers typically represent short-term costs and don’t always include regulatory fines, losses in productivity, lawsuits, brand damage, and additional security and audit requirements.

Costs may also vary depending on the type of data compromised. For example, a breach of intellectual property will have different costs than a breach of customer or employee data.

Companies investing to protect themselves may benefit from a change in strategy, experts suggest. Results indicate most spend the greatest bulk of their security budgets on advanced perimeter controls but don’t see the investment pay off. Those deploying perimeter systems only see cost savings of $1 million, a sign of inefficiencies in resource allocation.

Security intelligence systems, which collect data from various sources to help identify and prioritize threats, are among the most effective tools for reducing cybercrime costs. These saved businesses about $2.8 million, more than all other technologies included in the survey.

The least popular tools are automation, orchestration, and machine learning technologies, which are deployed only among 28% of respondents. Yet these deliver the third-highest cost savings overall, at $2.2 million per organization.

Jeff Pollard, principal analyst serving security and risk professionals at Forrester, anticipates automation will become more common as security teams are overwhelmed with threat alerts from better detection tools. If you already receive 100 alerts per day and invest in a better detection tool, you’ll be challenged to handle the additional alerts.

“If you were already struggling with the 100 you were dealing with … you’re even further behind than you were before,” he says. Vendors are starting to pop up in the orchestration space to help businesses prioritize the most critical threats and ease the burden on their teams.

Researchers advise investing in basic tools like security intelligence and advanced access management to lay the groundwork for a strong strategy. On top of that, businesses should go beyond compliance and conduct extreme pressure testing to detect vulnerabilities.



Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Article source: https://www.darkreading.com/attacks-breaches/cybercrime-costs-each-business-$117m-per-year/d/d-id/1329985?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Popular Mobile Trading Apps Riddled With Vulnerabilities, Security Firm Warns

IOActive’s review of 21 of the most used mobile apps for investment trading shows a majority of them exposing users to various security risks.

Many of the most popular mobile investment trading applications that people use to buy and sell stocks, monitor positions, and conduct other transactions are riddled with vulnerabilities that have left them wide open to malicious abuse, according to research released today by IOActive.

Security vendor IOActive recently reviewed 21 of the most popular mobile trading applications on Google Play and Apple Store. The applications enable users to do a variety of things, including buying and selling stock, funding accounts, keeping track of equity and available buying power, and creating alerts for specific thresholds.

IOActive tested a set of 14 security controls across the applications, including support for biometric authentication, encryption, session management, client-side data management, secure data storage, sensitive data in logs, and root detection. The tests were conducted on trading apps installed on an iPhone 6 running iOS 10.3.3 and a rooted Android device running version 7.1.1 of the operating system.

The exercise showed that some of the most well known and most used mobile trading apps are even more insecure than some personal banking apps were back in 2013 when IOActive conducted similar tests, says Alejandro Hernandez, senior security consultant for IOActive.

Four of the applications for instance stored the user’s password in plaintext without encryption in either a configuration file within the phone or in the logging console. Most of the tested applications did not implement two-factor authentication and required only the current password to link to bank accounts.

More than 60 percent of the tested applications stored data such as account balances and investment portfolios in unencrypted fashion or in the logging console. Someone with access to a phone containing a vulnerable trading app could use the log data for a variety of malicious purposes. “The user would never have to see the logging console, but for attackers with physical access to the phone it’s a gold mine. Data in the log files can also be read by other applications, including malware, thereby opening a way for remote data exfiltration,” Hernandez says.

Several of the weaknesses that IOActive discovered in the mobile applications that it tested could only be exploited with physical access to the device on which they were installed. “On the other hand, if the phone is stolen or lost, it’s easy to extract valuable information, such as the investment portfolio and money balances,” Hernandez says.

Other vulnerabilities could be remotely exploited. Two applications, for instance, used an insecure HTTP channel to transmit and receive all information, including usernames, passwords, and all trading data. “This could be exploited by an attacker in the middle, either in the same WiFi network or at some other point [such as] a compromised switch or router in an ISP,” Hernandez says.

Of the remaining 19 applications that used a secure HTTPS channel, 13 did not pin the certificate of the remote server with which they communicated. “This is known as SSL pinning, and if not implemented, the chance for a remote attack is higher,” Hernandez says. Attackers for instance have an opportunity to trick users into installing a false SSL certificate on their device in order to carry out Man-In-The-Middle attacks, he notes. Ten of the applications that IOActive tested were configured to execute JavaScript code, giving attackers a way to trigger Cross-Site Scripting attacks.

More than 60% of the apps had sensitive data like cryptographic keys and third-party service partner passwords hardcoded in the apps, while 10 had data, such as internal hostnames and IP addresses of the internal environments where the apps were developed or tested.

“This would give attackers [a way] to understand some of the internal network configurations of those brokerage firms or [the] companies that developed the apps,” Hernandez said.

IOActive has sent a report detailing its research findings to 13 brokerage firms whose trading apps had some of the more high-risk vulnerabilities. So far, only two have responded, the company said.
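Two of the stories above come down to the same failure: secrets and internal details in places anyone can read, whether a VPN profile pushed to a public GitHub repository (the Deloitte leak) or keys, partner passwords and internal hostnames compiled into a shipped app (the IOActive findings). Here is an added Python example of the check a pre-commit hook or a post-build scan would run over such text. It is not IOActive’s tooling and not anything Deloitte uses; both inputs are constructed for illustration (a made-up VPN config and a made-up strings dump, not the leaked files or any real app), and the patterns are a starting set, not a complete list.

```python
import ipaddress
import re
from collections import Counter

# Constructed inputs for illustration. Neither is a real file: the first mimics a VPN
# profile committed to a public repo, the second a strings dump from a mobile app.
VPN_CONFIG = """\
# corp VPN profile - DO NOT COMMIT
vpn_host = vpn-gw1.example.com
username = jsmith
password = Winter2017!
proxy = http://10.20.30.40:8080
"""

APP_STRINGS = """\
https://api.broker.example/v2/orders
http://api.broker.example/v2/login
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
api_secret: 9f1c2d3e4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d
jenkins-build01.dev.internal
192.168.42.17
Enter your PIN
"""

# Each pattern names one class of thing that should not be in a public repo or a shipped binary.
PATTERNS = {
    "credential-assignment": re.compile(
        r"(?i)\b(?:password|passwd|pwd|secret|api[_-]?secret|token)\b\s*[:=]\s*\S+"),
    "aws-access-key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "hex-key": re.compile(r"\b[0-9a-fA-F]{40,64}\b"),
    "plaintext-http": re.compile(r"\bhttp://[^\s'\"]+"),
    "internal-hostname": re.compile(
        r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:internal|corp|local|lan)(?![\w.-])", re.I),
}
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def preview(match: str, keep: int = 12) -> str:
    """Truncate a hit so the report itself does not republish the secret."""
    return match if len(match) <= keep else match[:keep] + "..."


def private_ips(line: str):
    """Yield RFC 1918, loopback and link-local addresses found in a line."""
    for candidate in IP_RE.findall(line):
        try:
            if ipaddress.ip_address(candidate).is_private:
                yield candidate
        except ValueError:
            pass  # not a well-formed address (for example 999.1.1.1)


def scan(text: str, source: str) -> list:
    """Return one finding per pattern hit, tagged with source name and line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                findings.append({"source": source, "line": lineno,
                                 "kind": kind, "match": preview(m.group(0))})
        for ip in private_ips(line):
            findings.append({"source": source, "line": lineno,
                             "kind": "private-ip", "match": ip})
    return findings


def scan_all() -> list:
    """Run the scan over both constructed inputs."""
    return scan(VPN_CONFIG, "vpn.conf") + scan(APP_STRINGS, "app-strings.txt")


def summarize(findings: list) -> dict:
    """Count findings by kind, the view you would gate a commit or a build on."""
    return dict(Counter(f["kind"] for f in findings))


if __name__ == "__main__":
    for f in scan_all():
        print(f"{f['source']}:{f['line']}: {f['kind']}: {f['match']}")
    print(summarize(scan_all()))
```

A username on its own is deliberately not flagged; the password line beside it is. In a real pipeline the same scan runs on the decompiled strings of the built APK or IPA, not just on source, because that is what an attacker with the binary will see.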


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/vulnerabilities---threats/popular-mobile-trading-apps-riddled-with-vulnerabilities-security-firm-warns/d/d-id/1329986?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

WordPress 4.8.2 is out, update your website now

WordPress 4.8.2 is out, featuring nine security fixes website owners will want to apply, well, now.

All told, there have been six updates this year featuring security fixes, including January’s silent patch for a nasty zero day, this being the first since May’s v4.7.5.

The maintenance side of the update features six other software updates but focussing on the bit that bothers Naked Security readers most, security, we see five Cross-Site Scripting (XSS) flaws (a perennially popular attack vector that refuses to die), two path or directory traversal issues, and one covering an open redirect.

There’s also the precautionary hardening of the $wpdb->prepare() method.

The problem isn’t a vulnerability in the core WordPress software itself, but in what the core might allow code in the vast ecosystem of WordPress plugins and themes to do:

WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability.

WordPress has a pretty slick security operation but the army of 3rd party plugins and themes are both the software’s best feature and its soft underbelly.

Most recently the Display Widgets plugin used by a reported 200,000 websites was pulled after it and three subsequent updates were discovered to contain a spam-enabling backdoor.

The hardening of $wpdb->prepare() is important because the best defence against SQL injection attacks is to ensure that user-supplied values in SQL queries are correctly escaped or, better, passed as bound parameters. Escaping stops the database engine from treating user-supplied data as code, which stops hackers from corrupting queries to their own ends.

The best way to do your escaping, says WordPress, is by using prepare:

All data in SQL queries must be SQL-escaped before the SQL query is executed to prevent against SQL injection attacks. The prepare method performs this functionality for WordPress

So, developers will be using prepare precisely because it’s supposed to protect against SQL injection. Although updated versions of WordPress should be safe from buggy third party code, old ones may not be. Plugin and theme authors should test their code against older versions of the core.
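WordPress’s $wpdb->prepare() is PHP, but the distinction the paragraphs above draw is language-independent. Here is an added Python example, not WordPress code and not from the WordPress project, that uses sqlite3 to show it on a constructed posts table: user input spliced into the query text against the same value bound as a parameter, plus the LIKE-wildcard escaping that parameter binding alone does not cover (the job $wpdb->esc_like() does in WordPress; esc_like() below is a stand-in written for this example).

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed rows standing in for a posts table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, status TEXT)")
    db.executemany("INSERT INTO posts (title, status) VALUES (?, ?)", [
        ("Hello world", "publish"),
        ("Q3 board minutes", "private"),
        ("100% draft", "draft"),
    ])
    return db


def find_unsafe(db, title: str) -> list:
    """Vulnerable: user input is spliced into the SQL text, so a quote in it becomes code."""
    sql = ("SELECT title FROM posts WHERE status = 'publish' "
           f"AND title = '{title}' ORDER BY id")
    return [row[0] for row in db.execute(sql)]


def find_safe(db, title: str) -> list:
    """Fixed: the value is bound as a parameter; the engine never parses it as SQL."""
    sql = "SELECT title FROM posts WHERE status = 'publish' AND title = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (title,))]


def esc_like(term: str) -> str:
    """Escape LIKE wildcards so user input matches literally (stand-in for $wpdb->esc_like())."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_naive(db, term: str) -> list:
    """Bound, so not injectable, but a '%' or '_' in the term still acts as a wildcard."""
    sql = "SELECT title FROM posts WHERE title LIKE ? ORDER BY id"
    return [row[0] for row in db.execute(sql, ("%" + term + "%",))]


def search_safe(db, term: str) -> list:
    """Escape wildcards, then bind: a literal '%' in the term matches only a literal '%'."""
    sql = "SELECT title FROM posts WHERE title LIKE ? ESCAPE '\\' ORDER BY id"
    return [row[0] for row in db.execute(sql, ("%" + esc_like(term) + "%",))]


# Constructed injection string: closes the quoted value and appends a tautology.
PAYLOAD = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("unsafe:", find_unsafe(db, PAYLOAD))     # private post leaks
    print("safe:  ", find_safe(db, PAYLOAD))       # nothing matches
    print("naive: ", search_naive(db, "%"))        # wildcard matches every row
    print("esc:   ", search_safe(db, "%"))         # only the title containing '%'
```

The private post in the unsafe result is the whole story of SQL injection in one line: the status filter was still in the query, and the attacker’s OR simply switched it off.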

These security fixes affect all versions before and including v4.8.1.

At least this is a relatively low-key update in what has been an eventful period for WordPress patching. As ever, the larger issue is who patches and how quickly.

Earlier this year, researchers discovered a privilege escalation flaw in a REST-API, which was quietly patched, as noted above. However, attackers were still able to exploit the issue to deface large numbers of unpatched sites even though WordPress has had automatic security updates since October 2013.

WordPress warns (its emphasis) that:

The only current officially supported version is WordPress 4.8. Previous major releases from 3.7 onwards may or may not get security updates as serious exploits are discovered.

It appears that, in this case, WordPress has backported the security fixes to every version of WordPress from the 3.7.* branch onwards. The following versions are protected: 4.8.2, 4.7.6, 4.6.7, 4.5.10, 4.4.11, 4.3.12, 4.2.16, 4.1.19, 4.0.19, 3.9.20, 3.8.22 and 3.7.22.

WordPress stats tell us that only about 40% of sites are running the officially supported version. That isn’t a surprise, independent research from 2013 showed that 73% of WordPress sites were running old software with known vulnerabilities.

That matters because criminals are looking for ways to compromise the maximum number of websites for the minimum effort and the WordPress installed base is huge: WordPress runs on around 28% of all websites.

It’s why WordPress updates release notes start with this simple advice:

we strongly encourage you to update your sites immediately.

Go and do it now.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/QxbhxxkjiXc/

What’s at risk from nRansom? Your memories of Thomas the Tank Engine

Thanks to Dorka Palotay of SophosLabs for the research this article is based on.

On the surface, nRansom sounds ominous – locking up your computer and demanding not just bitcoins but nude photos, in return for giving you back control of your computer. But in the end, its biggest threat is to your precious memories of Thomas the Tank Engine and his friends on the Island of Sodor.

Distracting and foul-mouthed it may be, the work of criminal masterminds it is not.

How it works

Unlike ransomware such as Locky or WannaCry, nRansom won’t encrypt your files. It’s a screen locker that tries to stop you from accessing the things on your computer by locking the screen until you do as it asks.

If you were somehow unlucky enough to actually get nRansom on your Windows machine (Sophos detects it as Troj/LockScr-U but there’s no evidence of it spreading in the wild), your screen would be filled with this bizarre message and multiple thumbnails of the lovable little engine; an expletive across the top of each frame:

nRansom

A looped version of the Curb Your Enthusiasm theme song plays in the background.

The message reads:

nRansom
Your computer has been locked. You can only unlock it with the special unlock code. go to protonmail.com and create an account. Send an entail to [redacted]. We will not respond immediatly. After we reply, you must send at least 10 nude pictures of you. After that we will have to verify that the nudes belong to you. Once you are verified, we will give you your unlock code and sell your nudes on the deep web

Got your unlock code and sent your nudes?
Submit our unlock code here

Once the nudes are “verified” by the attacker, you’ll allegedly receive a code to unlock the hijacked screen. And the code the attacker sends? That’ll be…

12345.

How to get away without paying the ransom

You’d only have to work your way down a list of the world’s worst passwords and you’ll have successfully guessed the code before you got to #6. Don’t be fooled by the giant ‘Unlock’ button that appears when you do though. It doesn’t do anything and nor will the x in the corner.

You can at least move the window out of the way and resize it, but you don’t actually have to work even that hard. Just CTRL+ALT+DEL to open the Task Manager, select nRansom and hit ‘End task’.

Did we mention it wasn’t the work of criminal masterminds?

SophosLabs researcher Dorka Palotay describes nRansom as supremely unsophisticated and easy to kill, perhaps “a test or a joke.”

A blast from the past

Tank engines aside, nRansom also caught our eye because it’s sort of full circle for ransomware, bringing us back to 2012 and the days of the Reveton screen locker, a strain of malware that locks you out of your PC under the guise of a police warning. Of course, you can bypass the promised prosecution if you pay a “fine” (in money rather than nudes) to the cybercriminals.

We doubt the authorities will be kicking in the doors and making arrests over nRansom, though seeing a sting like the Reveton ransomware gang arrests would really be something, if only for Thomas’ sake.

Defensive measures

If you’re worried about real ransomware threats, we recommend you arm your friends and family with free Sophos Home software for Windows and Mac, and check out our article about how to stay protected against ransomware.

Otherwise, the best defense here is to go back and watch some Thomas and Friends episodes to get those innocent memories back.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/hh-qBV6ZccI/