WordPress security (revisited)

A few months ago I wrote about WordPress security. In that post I mentioned a couple of plugins that we use here at K4 Media: iThemes Security and Sucuri Security. Both are fine plugins, and configured correctly they should protect your site from hacks, but getting the settings right can be challenging. Very challenging, we found out.

Case in point — one of our sites running both plugins got hacked.

It wasn’t a bad hack, mind. And we caught it almost immediately. Still, having your web site hacked is bad. It rattles the confidence of your customers. Plus, cleanup is time-consuming, and the threat of re-infection is nerve-racking. As a result of the compromise, we reached out to one of our most trusted tech partners, Sydney E-Commerce. After a bit of head scratching and code re-evaluation, we are moving away from the two-plugin approach outlined previously. That security stance will be replaced by the WordPress security plugin Wordfence. Wordfence seems far easier to configure, and the reporting and monitoring is far better, which leads to a greater degree of confidence in the abilities of the plugin. Plus, it’s only one plugin, which makes management far easier.

As always, web site security is a never-ending battle. Constant vigilance is necessary. So is change.

P.S. For a great introduction to keeping your site secure, read WordPress Security: The Ultimate 32-Step Checklist.

The Teamviewer hack

This is not good.

For more than a month, users of the remote login service TeamViewer have taken to Internet forums to report their computers have been ransacked by attackers who somehow gained access to their accounts. In many of the cases, the online burglars reportedly drained PayPal or bank accounts. No one outside of TeamViewer knows precisely how many accounts have been hacked, but there’s no denying the breaches are widespread.

TeamViewer denies it has been hacked. The company has instead blamed weak passwords and password reuse for users’ woes. Regardless, if you have TeamViewer installed on your computer you should probably change your password. Or better yet, delete the program altogether.

WordPress security: 3 plugins to get your site hacked


Getting a solid grip on WordPress security can seem a full-time task. The web currently comprises more than a billion web sites. And as the digital universe continues to grow, it continues to attract more and more black hats prowling the web’s digital back alleys looking for an easy mark.

According to a recent report from Sucuri, the new numbers are disheartening.

As of March 2016, Google reports that over 50 million website users have been greeted with some form of warning that websites visited were either trying to steal information or install malicious software. In March 2015, that number was 17 million. Google currently blacklists close to ~20,000 websites a week for malware and another ~50,000 a week for phishing. PhishTank alone flags over 2,000 websites a week for phishing. These numbers reflect only those infections that have an immediate adverse effect on the visitor (i.e., Drive by Download, Phishing) and do not include websites infected with Spam SEO and other tactics not detected by these companies.

The report doesn’t say how many sites Sucuri included in its research, but it does say that vulnerable plugins were the number one means of site compromise. The top 3 offenders?

  1. RevSlider
  2. Gravity Forms
  3. TimThumb

Fortunately for WordPress users, there are good security plugins on the market. Each one approaches security a little differently; it’s more than worth the time to read up on each of them and see which one (or two) best fits your needs. Infosec gives a good intro to the big 7 here.

At K4 Media, we use two: iThemes Security and Sucuri Security. What do you use?

(Interested in a professional security audit of your WordPress web site? Get in touch.)

TimThumb vulnerability

A vulnerability that allows remote attackers to take over your Web site has been found in the extremely popular TimThumb photo-resizing script.

The vulnerability allows third parties to upload and execute arbitrary PHP code in the TimThumb cache directory. Once the PHP code has been uploaded and executed, your site can be compromised however the attacker likes.

We recommend deleting timthumb.php or thumb.php if your site will work without them. If the file exists in a theme or plugin that you’re no longer using you may want to remove the entire theme or plugin directory. After you remove the TimThumb library make sure you check that your site is still working correctly.
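To make the clean-up step above repeatable, here is a small Python script (an added example, not code from the post or from TimThumb/Wordfence) that walks a WordPress install, lists every timthumb.php or thumb.php it finds, names the theme or plugin directory that owns it, and notes whether a writable cache directory sits beside it. The sample site tree it builds in a temp directory is constructed for the demo; the assumption that TimThumb keeps its cache in a cache subdirectory next to the script is labelled in the code.

```python
"""Find TimThumb copies under a WordPress install (added example)."""
import os
import tempfile
from pathlib import Path

# The two file names the post tells you to remove.
TIMTHUMB_NAMES = ("timthumb.php", "thumb.php")


def owner_of(rel_parts):
    """Return the theme or plugin directory that owns a file, e.g.
    'wp-content/themes/old-theme'; for files elsewhere, their parent dir."""
    if (len(rel_parts) >= 4 and rel_parts[0] == "wp-content"
            and rel_parts[1] in ("themes", "plugins")):
        return "/".join(rel_parts[:3])
    return "/".join(rel_parts[:-1]) or "."


def find_timthumb(root):
    """Walk `root` and return one finding per timthumb.php / thumb.php."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in TIMTHUMB_NAMES:
                continue
            path = Path(dirpath) / name
            rel = path.relative_to(root).parts
            findings.append({
                "file": "/".join(rel),
                "owner": owner_of(rel),
                # Assumption: TimThumb writes resized images to ./cache next
                # to itself, so a cache dir here is worth a look before deletion.
                "cache_dir": (path.parent / "cache").is_dir(),
            })
    return sorted(findings, key=lambda f: f["file"])


def make_sample_site():
    """Build a constructed WordPress-like tree in a temp dir for the demo."""
    root = Path(tempfile.mkdtemp(prefix="wp-sample-"))
    old = root / "wp-content/themes/old-theme/scripts"
    old.mkdir(parents=True)
    (old / "timthumb.php").write_text("<?php // constructed stand-in\n")
    (old / "cache").mkdir()
    lib = root / "wp-content/plugins/gallery/lib"
    lib.mkdir(parents=True)
    (lib / "thumb.php").write_text("<?php // constructed stand-in\n")
    cur = root / "wp-content/themes/current-theme"
    cur.mkdir(parents=True)
    (cur / "functions.php").write_text("<?php\n")
    return root


if __name__ == "__main__":
    site = make_sample_site()
    for f in find_timthumb(site):
        print(f"{f['file']}  (owner: {f['owner']}, cache dir: {f['cache_dir']})")
```

Run it against a real install by replacing make_sample_site() with the site root; the owner column tells you which whole theme or plugin directory to consider removing, as the post suggests for anything no longer in use.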

This is potentially a massive threat because, literally, millions of Web sites use the TimThumb script. And every one of them needs to be updated. Help spread the word.

For complete technical details, visit the post detailing the discovery on Mark Maunder’s site.

Mac malware moves into mainstream

Wired points to a couple of recent stories by ZDNet writer Ed Bott marking the first widespread trojan infections in the Mac community.

The trojan horse is called Mac Defender. It’s a web pop-up containing a spoof message that tells customers their machines are infected by a virus and they must install anti-virus software. If customers agree to install the software, the program sporadically loads porn websites on their computer.

ZDNet writer Ed Bott was first to spot a long thread of complaints in Apple’s support forums related to Mac Defender, with at least 200 posts of customers reporting they’ve been infected by the malware.

“I’ve done similar searches in the past … [and] I have never found more than one or two in-the-wild reports,” Bott wrote. “This time, the volume is truly exceptional.”

This seems likely to be the first of many instances. As Apple continues to increase market share, malware writers are increasingly likely to focus their efforts on the growing Mac market.

WP 3.0.2

If you haven’t already, update your WordPress installation. It’s really easy. And 3.0.2 provides a “mandatory” security update.

The haiku:

Fixed on day zero
One-click update makes you safe
This used to be hard

One click updates! Reason No. 43,954 that WordPress is better than Joomla or Drupal. Jus’ sayin’.

Hotmail security still sucks

Robert Graham of Errata Security takes a look at the recent “Web 2.0” report card compiled by Digital Society, and remarks:

Of the major webmail providers in the U.S., only Gmail is secure against sidejacking attacks. Yahoo Mail and HotMail are insecure, and can be compromised quickly. There are still a lot of HotMail users out there — they are fools.

I talked to the people at Microsoft responsible for fixing this problem ALMOST THREE YEARS AGO. Yet, they’ve done nothing about fixing this huge hole. I just tried it out today — while FireSheep looks a bit funky (it doesn’t correctly show the user name), it easily hacks into HotMail accounts.

Among the best on the card? WordPress!

Eric Butler’s new ‘hack Facebook’ plugin for Firefox

Oh the mischief this new Firefox plugin is going to cause.

Firesheep adds a sidebar to Mozilla’s Firefox browser that shows when anyone on an open network — such as a coffee shop’s Wi-Fi network — visits an insecure site. “Double-click on someone [in the sidebar] and you’re instantly logged on as them,” said [plugin author Eric] Butler in his short description of his add-on.

Computer World says the Firesheep add-on has been downloaded more than 50,000 times since it was released Sunday. You can download Firesheep from Butler’s Web site. It’s extremely easy to install: just download the .xpi file; drag it to a Firefox window; and restart.

And it’s not just Facebook that Butler’s plugin makes double-click hackable, either. Others include:

  • Amazon.com
  • Basecamp
  • bit.ly
  • CNET
  • Dropbox
  • Facebook
  • Flickr
  • Foursquare
  • Google
  • Gowalla
  • Windows Live
  • Tumblr
  • Twitter
  • WordPress
  • Yahoo
  • Yelp
  • and others

The plugin is relatively easy to customize, too, meaning that someone with not much more than basic programming skills could easily add other domains to Firesheep’s default list. TechCrunch offers a pretty thorough explanation of how Firesheep works and the plugin’s impact, as well as a possible defense. The truth is, though, using the Internet on a public Wi-Fi network is inherently insecure. But that isn’t news, is it?
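The sidejacking that Robert Graham describes in the Hotmail post above and that Firesheep automates works because a site hands the browser a session cookie that it will happily resend over plain HTTP. The defence is on the server side: serve the login and everything after it over HTTPS, mark session cookies Secure, and send Strict-Transport-Security so the browser never falls back to http://. As an added example (not code from the post, from Firesheep or from any of the sites listed), this Python audit checks a captured set of response headers for exactly those three conditions. The two responses it runs over are constructed; the session-cookie name hints are an assumption.

```python
"""Audit response headers for session-cookie exposure to sidejacking (added example)."""

# Assumption: a cookie whose name contains one of these is a login/session cookie.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "login", "token")


def parse_set_cookie(header):
    """Split one Set-Cookie value into name, value and a dict of attributes;
    flag attributes such as Secure map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def looks_like_session(name):
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit(scheme, headers):
    """scheme: 'http' or 'https' the page was fetched over;
    headers: list of (name, value) pairs as received. Returns finding strings."""
    findings = []
    has_hsts = any(k.lower() == "strict-transport-security" for k, _ in headers)
    if scheme != "https":
        findings.append("page served over plain http: every cookie sent with it "
                        "is readable by anyone on the same open network")
    elif not has_hsts:
        findings.append("no Strict-Transport-Security header: a later http:// visit "
                        "will still send any cookie that lacks the Secure flag")
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        if looks_like_session(cookie["name"]) and "secure" not in cookie["attrs"]:
            findings.append(f"session cookie {cookie['name']!r} lacks Secure: "
                            "the browser will resend it over http")
    return findings


# Constructed responses: the 2010-style site Firesheep targeted, and a hardened one.
INSECURE_RESPONSE = ("http", [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
])
HARDENED_RESPONSE = ("https", [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/"),   # not a session cookie, no finding
])

if __name__ == "__main__":
    for label, resp in (("insecure", INSECURE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit(*resp) or ["ok"])
```

The audit only reads headers you already have; point it at the headers of your own login response and the empty list is the state you want. Note that HSTS on its own does not protect a cookie that is missing the Secure flag on a subdomain the policy does not cover, which is why the check reports the two conditions separately.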

Pirates of anonymity

The perils of assuming you are anonymous.

ACS: Law, a law firm based in Great Britain that tracks down alleged illegal file sharers for the porn industry, saw its database compromised over the weekend by members of the Internet forum 4chan. In addition to private e-mails and financial data belonging to the law firm, the names of people whom ACS: Law has accused of downloading unauthorized copies of porn movies were also revealed.

That sounds bad enough. But it gets worse.

The blog Torrentfreak reported that among the information posted to the Web were e-mails from people pleading for mercy and “married men who have been confronted with allegations of sharing gay porn.”

Unfortunate, no doubt. Here in Cambodia, such high-tech attempts at tracking down online pirates seem remote. Untoward political speech and affronts to culture still remain the Kingdom’s most offensive topics. A few crude attempts appear to have been made at limiting information in this vein, though, like many law enforcement efforts, that crackdown too proved short-lived and of questionable success. Real-world piracy — that is, the millions of bootleg $2 music and software disks available in every local market — is still a much bigger problem, and costs the country far, far more money.

Weaponized software

Iran is fighting off a significant cyber attack, reports The New York Times. The worm, dubbed Stuxnet, represents a hellish breakthrough in the evolution of computer viruses.

Stuxnet, which was first publicly identified several months ago, is aimed solely at industrial equipment made by Siemens that controls oil pipelines, electric utilities, nuclear facilities and other large industrial sites. While it is not clear that Iran was the main target — the infection has also been reported in Indonesia, Pakistan, India and elsewhere — a disproportionate number of computers inside Iran appear to have been struck, according to reports by computer security monitors.

The Christian Science Monitor first reported on Stuxnet in June. The primary source of the CSM story was computer security expert Ralph Langner, who has been chronicling his research of the virus on his Web site. Langner called Stuxnet the “hack of the century,” and said “Stuxnet is going to be the best studied piece of malware in history.”

Wired magazine, unsurprisingly, has the definitive story.

“It’s the most complex piece of malware we’ve seen in the last five years or more,” says Nicolas Falliere, a code analyst at security firm Symantec. “It’s the first known time that malware is not targeting credit card [data], is not trying to steal personal user data, but is attacking real-world processing systems. That’s why it’s unique and is not over-hyped.”

… Eric Byres, chief technology officer for Byres Security, says the malware isn’t content to just inject a few commands into the PLC [Programmable Logic Controller] but does “massive reworking” of it.

“They’re massively trying to do something different than the processor was designed to do,” says Byres, who has extensive experience maintaining and troubleshooting Siemens control systems. “Every function block takes a fair amount of work to write, and they’re trying to do something quite radically different. And they’re not doing it in a light way. Whoever wrote this was really trying to mess with that PLC. We’re talking man-months, if not years, of coding to make it work the way it did.”