Archive for security

Security Flaws and Updates Galore

It’s only Tuesday, and it’s already been a very busy week for WordPress site owners and Webmasters. Yesterday, April 20th, Sucuri announced an XSS vulnerability affecting multiple WordPress plugins, including some of those most widely used by the community. This has resulted in a slew of plugin updates being released. I expect the updates to continue rolling in as additional plugin authors discover and correct the issue. Alongside the many plugin updates, WordPress also released a security update to the core system, 4.1.2.

WordPress is a remarkably customizable and flexible platform. It is constantly evolving, and part of what makes it so great, the vast community of WordPress developers and plugin authors, also makes it subject to security issues. The large percentage of sites running WordPress, last reported at 23.7% of ALL websites, makes it a high-profile target for hackers. It is imperative that site owners and Webmasters keep their WordPress installations, including all plugins, up-to-date. Sadly, WPTavern reports roughly 36% of sites are running the latest version of WordPress.

Is your site up-to-date?

 

 

OpenDNS Announces DNSCrypt

DNSCrypt is a piece of lightweight software that everyone should use to boost online privacy and security. It works by encrypting all DNS traffic between the user and OpenDNS, preventing spying on, spoofing of, or man-in-the-middle attacks against that DNS traffic.

It should be of particular interest to you if you frequently surf the web on open Wi-Fi networks at coffee shops, airports, hotel lobbies, and the like. These types of public networks are notoriously insecure, and make it easy for cyber criminals and ISPs alike to see what you’re doing online and to spy, spoof and conduct man-in-the-middle attacks.

DNSCrypt encrypts, or hides, the communication between your computer or tablet and OpenDNS servers while you’re browsing the Web. What?! You are not using OpenDNS servers? OpenDNS can help speed up your Internet service, make it more reliable, and improve your security.

Read more about DNSCrypt here

As of this writing, it is only available for the Mac; a Windows version is on the way:

Download DNSCrypt (Mac only at the moment). Be advised this technology is currently in preview mode and updates will likely be made as more users test it in the wild. But I think it’s a step in the right direction.

Microsoft’s YouTube Channel Gets Hacked

Microsoft’s YouTube channel has been usurped by a malicious user. All of the official videos, including recent ad campaigns, have been removed from the account. In their place are short clips soliciting advertisers. (Note: as of this writing these short videos have now been removed, and the account appears to be back in the proper hands.)

Although there are no details yet, several sources are speculating about how this user gained access to the account. Based on a cryptic message left on the channel, some have postulated the user established the channel back in the early days of YouTube, as a squatter on the corporate brand. Microsoft then likely requested the channel be turned over to them. Years later the user comes back to YouTube and, finding his old email account still linked to the channel, uses YouTube’s account recovery tools to regain access to the account.

A cryptic message posted to the channel reads:

I DID NOTHING WRONG I SIMPLY SIGNED INTO MY ACCOUNT THAT I MADE IN 2006 :/

WE ARE SPONSORING SUBBOX US AND MESSAGE US TO GET AN UPLOAD !

This is the second high-profile YouTube channel to be hacked in the past week. Sesame Street’s YouTube channel was hacked last weekend, leaving its normally family-friendly content replaced with pornographic content.

At this time it is unclear where the security flaw lies. Is it a YouTube security hole or was an employee with administrative rights to the account careless with the password?