OneLogin
By Lionel Thomas / Cyber Security, Website Hacked / 0 Comments

This is a public service announcement from Vofer. The identity provider and password manager OneLogin has had a serious security incident.

OneLogin “We detected that there was unauthorized access to OneLogin data in our US data region. All customers served by our US data center are affected; customer data was compromised, including the ability to decrypt encrypted data. We have since blocked this unauthorized access, reported the matter to law enforcement, and are working with an independent security firm to assess how the unauthorized access happened and to verify the extent of the impact. We want our customers to know that the trust they have placed in us is paramount, and we have therefore created a set of required actions.”

In essence, the attackers were able to decrypt the encrypted data, putting user data and logins at risk.

Here are OneLogin's suggested actions to take (image):
http://i.imgur.com/5hEyYgo.png

Blog update by OneLogin – https://www.onelogin.com/blog/may-31-2017-security-incident

WordPress Website Security

Thousands of WordPress websites have been hacked following the recent disclosure of a vulnerability in WordPress. WordPress delayed the disclosure for over a week while working with security companies to have a patch ready, yet not all websites have been patched, and it has become a WordPress hacker smorgasbord.

Yet even though the patch was released, thousands of admins didn't update their websites, either because they had disabled automatic updates or because they simply never applied it. Some admins disable auto-updates so they can test patches before deploying them; for a security patch like this one a different approach is needed, such as applying the fix immediately (or putting a firewall rule in front of the site until you can) and testing afterwards, so the website is not left exposed.

The news site of the well-known Linux distribution openSUSE (news.opensuse.org) was hacked and quickly restored, without further breaches in other parts of openSUSE's infrastructure, its CIO reported.

The vulnerability is in the WordPress REST API: it allows an unauthenticated user to delete or modify posts and pages, which attackers have used to deface sites and redirect their visitors to malicious content.

Security researchers at Sucuri stated that they had noticed multiple campaigns across the internet scanning for unpatched WordPress websites.

The call to update has been going out for some time; if you have not updated to WordPress 4.7.2 (or later), do so urgently, and then check your website for signs of tampering, such as modified or injected post content.
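Part of "checking your website" is looking at what actually reached the REST API. The following is an added example (not code from the original post or from WordPress) that scans web server access logs in the Apache/nginx combined format for write requests to the REST posts/pages endpoints, which is what the unauthenticated content modification described above looks like on the wire, and checks a WordPress version string against the 4.7.2 fix. The log lines are constructed for the example; the endpoint paths (`/wp-json/wp/v2/posts`, `/wp-json/wp/v2/pages` and the `rest_route` query form) are WordPress's own, and the log format is an assumption about your server.

```python
import re
from collections import Counter, namedtuple

# Assumed input: access logs in the Apache/nginx "combined" format, e.g.
# 203.0.113.5 - - [10/Feb/2017:03:21:07 +0000] "POST /wp-json/wp/v2/posts/1 HTTP/1.1" 200 512 "-" "python-requests/2.13.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# The posts/pages endpoints of the WP REST API, reachable either under the
# /wp-json/ prefix or via the rest_route query parameter that WordPress
# honours when pretty permalinks are disabled.
REST_POSTS_RE = re.compile(
    r'/wp-json/wp/v2/(?:posts|pages)(?:/|$|\?)|[?&]rest_route=/wp/v2/(?:posts|pages)(?:/|$|&)'
)
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

Request = namedtuple("Request", "ip ts method path status ua")


def parse_line(line):
    """Parse one combined-format line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return Request(m["ip"], m["ts"], m["method"], m["path"], int(m["status"]), m["ua"])


def rest_content_writes(lines):
    """Return every request that writes to posts/pages through the REST API.

    The log cannot tell an authenticated editor from an attacker, so treat the
    result as leads to review against who was legitimately editing at the time.
    """
    hits = []
    for line in lines:
        req = parse_line(line)
        if req and req.method in WRITE_METHODS and REST_POSTS_RE.search(req.path):
            hits.append(req)
    return hits


def writes_by_source(hits):
    """Count flagged requests per client IP; a scanner tends to stand out."""
    return Counter(h.ip for h in hits)


def is_patched(version, fixed=(4, 7, 2)):
    """True if a WordPress version string is at or above the release that fixed the bug."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version))
    return parts >= fixed


# Constructed sample log: one REST read, two REST writes (one per URL style),
# one ordinary login POST and one line of junk.
SAMPLE_LOG = """\
198.51.100.7 - - [10/Feb/2017:03:20:59 +0000] "GET /wp-json/wp/v2/posts/1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Feb/2017:03:21:07 +0000] "POST /wp-json/wp/v2/posts/1 HTTP/1.1" 200 512 "-" "python-requests/2.13.0"
203.0.113.5 - - [10/Feb/2017:03:21:09 +0000] "POST /index.php?rest_route=/wp/v2/posts/1 HTTP/1.1" 200 512 "-" "python-requests/2.13.0"
192.0.2.44 - - [10/Feb/2017:03:22:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
this line is not an access log entry
""".splitlines()

if __name__ == "__main__":
    hits = rest_content_writes(SAMPLE_LOG)
    for h in hits:
        print(f"{h.ts} {h.ip} {h.method} {h.path} -> {h.status} ({h.ua})")
    print(writes_by_source(hits))
    print("4.7.1 patched:", is_patched("4.7.1"), "| 4.7.2 patched:", is_patched("4.7.2"))
```

A 200 on a REST write from an address that never logged in is the thing to chase; also diff the affected posts against your last clean backup rather than trusting what the dashboard shows.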

This is a clear indication that websites nowadays need multiple layers of security; some suggestions to look into are:


hacker protection
By Lionel Thomas / Hacking, Website Security / 0 Comments

Building websites becomes easier every year, while the world hackers thrive in remains very technical; at the same time hacking tools are more readily available than ever, with resources for everyone from novice to expert.

No one really knows how many websites are hacked per day; estimates range from 30,000 to 60,000 or more. Either way, there is a greater need now than ever to secure your website and hosting with multiple layers of security and procedures, in addition to keeping everything up to date.

I have heard numerous business owners say, "No one would hack us, we are only small". The thing is, it is not always banking details hackers are after: there is distribution of malware, using your server to spam others, spoofing a web page, attacking another web server and many more malicious activities, and as the owner of the website you are responsible!

Yes, you are responsible, and there have been cases where website owners were charged over a hack because of the impact it caused others. If you own a website, you need to know what security is in place, what backups are performed, and what monitoring and processes exist.

Here are 5 basic steps to help protect your website from hackers; there is much more you can do:

1. Stay Updated

Keep your website, plugins and server updated, as attacks commonly occur at these points. If you are using a CMS such as WordPress, Joomla etc., join a security newsletter to keep on top of security issues as they occur. Google indexes a lot of information, and this also helps hackers find websites running old versions and systems, which are easy pickings.

2. Strong Organised Passwords

Where possible use two-step (two-factor) authentication. In general, organise your passwords with a password manager and use its generator to create long (12+ characters) and strong passwords (lower/upper case, numbers, symbols). I personally use LastPass (https://www.lastpass.com) and KeePass (http://keepass.info); LastPass is by far the most convenient for the non-tech savvy.

Also, I do not add all passwords to password managers; all my bank and email account passwords are stored in my head. To ensure that they are strong passwords, I remember a phrase instead of a mixture of words, for example "ILoveHotCement110%". Create a phrase you would remember, yet not something that is known (e.g. a movie, singer or book quote or title).

Note: Avoid using the same password on multiple websites. Many people do this and hackers know it, so a password leaked from one site gets tried against your accounts everywhere else.

3. Backup and Store

You will want to back up your files and database on a regular basis; how regularly depends on the amount of data passing through your website. In addition to storing backups on a different server, you will want historical versions. Hacks can go undetected, and you may have a hacked website with back doors added over a year ago, so keep some historical backups over a year old in addition to your short-term backups.
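Keeping short-term copies plus old ones without storing every backup forever is a retention policy question. The following is an added example (not code from the original post) of a tiered policy over a list of backup dates: all backups from the last 14 days, the newest of each of the last 8 weeks and 12 months, and the newest of every year kept indefinitely so that the "over a year old" copies survive. The numbers, the tiers and the 800 days of daily backups it runs against are assumptions for the example; plug in the dates from your own backup store.

```python
from datetime import date, timedelta


def _newest_per_bucket(dates_newest_first, key, limit=None):
    """Keep the newest backup in each bucket (week, month or year) for the most recent `limit` buckets."""
    newest = {}
    for d in dates_newest_first:
        newest.setdefault(key(d), d)   # first date seen per bucket is the newest, input is sorted
    buckets = sorted(newest, reverse=True)
    if limit is not None:
        buckets = buckets[:limit]
    return {newest[k] for k in buckets}


def select_backups_to_keep(backup_dates, today, daily=14, weekly=8, monthly=12):
    """Return the set of backup dates to retain under a tiered policy:

    - every backup from the last `daily` days             (short-term restores)
    - the newest backup of each of the last `weekly` ISO weeks
    - the newest backup of each of the last `monthly` months
    - the newest backup of every year, kept indefinitely  (the "over a year old" copies)
    Everything else may be deleted.
    """
    dates = sorted(set(backup_dates), reverse=True)
    keep = {d for d in dates if (today - d).days < daily}
    keep |= _newest_per_bucket(dates, lambda d: tuple(d.isocalendar()[:2]), weekly)
    keep |= _newest_per_bucket(dates, lambda d: (d.year, d.month), monthly)
    keep |= _newest_per_bucket(dates, lambda d: d.year)
    return keep


def backups_to_delete(backup_dates, today, **policy):
    """The complement of select_backups_to_keep, sorted oldest first."""
    return sorted(set(backup_dates) - select_backups_to_keep(backup_dates, today, **policy))


# Constructed example: a site that has taken one backup per day for 800 days.
TODAY = date(2017, 6, 1)
ALL_BACKUPS = [TODAY - timedelta(days=n) for n in range(800)]

if __name__ == "__main__":
    keep = sorted(select_backups_to_keep(ALL_BACKUPS, TODAY))
    print(f"{len(ALL_BACKUPS)} backups, keeping {len(keep)}:")
    for d in keep:
        print(" ", d.isoformat())
```

Run the deletion list against the off-site copy only after the local one has been pruned and verified; a retention script with a bug is itself a way to lose the backups the policy was meant to protect.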

4. SSL Certificate

SSL (TLS) isn't just for processing transactions; any sensitive information, such as user logins, should also be sent over it. You will also want a valid certificate issued by a trusted certificate authority rather than a self-signed one, which browsers warn about.

5. Security Layers

With CMSs such as WordPress and Joomla, add security plugins and set them up properly to provide the layer of security the default installation is missing.

I say "set up properly" because I have seen people add security plugins to CMSs like WordPress and never configure them, which makes the plugin pointless until it is set up properly.

If you are looking for information or need security Contact Us Today!

By Lionel Thomas / Hacking / 0 Comments

A hacker found that Facebook's beta sites (beta.facebook.com and mbasic.beta.facebook.com) had no limit on the number of guesses for the code sent after a "Forgot your password" request.

This allowed him to brute-force his way into Facebook accounts: using a script, he could keep guessing the code until he got it right.
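The missing control is a bound on verification attempts. The following is an added example (not Facebook's code, and not from the original post) of a reset-code store that issues a numeric code and verifies it with an attempt limit, an expiry and single use, alongside the guessing loop a script would run. The code length, the 5-attempt limit and the 15-minute lifetime are assumptions; with `max_attempts=None` the store reproduces the unlimited behaviour described above, and the demo brute-forces a 4-digit code so it finishes instantly.

```python
import hmac
import secrets
import time


class ResetCodeStore:
    """Issue and verify one-time password-reset codes with a bounded number of guesses.

    Assumed design: a numeric code of `digits` digits, valid for `ttl` seconds and for
    at most `max_attempts` verification calls. max_attempts=None means unlimited guesses.
    """

    def __init__(self, digits=6, max_attempts=5, ttl=15 * 60, clock=time.time):
        self.digits = digits
        self.max_attempts = max_attempts
        self.ttl = ttl
        self._clock = clock      # injectable so expiry can be tested without sleeping
        self._pending = {}       # user -> {"code", "expires", "attempts"}

    def issue(self, user):
        """Generate a fresh code for `user`, replacing any outstanding one."""
        code = "".join(secrets.choice("0123456789") for _ in range(self.digits))
        self._pending[user] = {"code": code, "expires": self._clock() + self.ttl, "attempts": 0}
        return code   # delivered out of band (e-mail/SMS), never echoed to the requester

    def verify(self, user, guess):
        """Return True exactly once for the right code, False otherwise.

        Every call, right or wrong, consumes one attempt; an exhausted or expired
        code is discarded so that a correct guess arriving late still fails.
        """
        entry = self._pending.get(user)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[user]
            return False
        if self.max_attempts is not None and entry["attempts"] >= self.max_attempts:
            del self._pending[user]
            return False
        entry["attempts"] += 1
        # Constant-time comparison on bytes so neither timing nor odd input leaks anything.
        if hmac.compare_digest(entry["code"].encode(), str(guess).encode()):
            del self._pending[user]   # single use
            return True
        return False


def brute_force(store, user):
    """Try every possible code in order, as the script in the article would.

    Returns the number of guesses it took, or None if the store locked us out.
    """
    for n in range(10 ** store.digits):
        if store.verify(user, str(n).zfill(store.digits)):
            return n + 1
        if user not in store._pending:   # code discarded: locked out or expired
            return None
    return None


if __name__ == "__main__":
    weak = ResetCodeStore(digits=4, max_attempts=None)
    code = weak.issue("victim")
    print("no limit:   code", code, "found after", brute_force(weak, "victim"), "guesses")

    hardened = ResetCodeStore(digits=4, max_attempts=5)
    code = hardened.issue("victim")
    print("5 attempts: code", code, "found after", brute_force(hardened, "victim"), "guesses")
```

A per-account limit is the minimum; an attacker who can request resets for many accounts also needs a limit per source address and per delivery channel. And the detail that made the Facebook case work, the limit being absent on the beta hosts, is the reason to enforce the check inside the shared verification path rather than at each deployment's edge.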

By Lionel Thomas / Website, Website Security, WordPress / 0 Comments

WordPress and other content management systems (Joomla, Drupal etc.) let us leverage technology so much that many websites nowadays are created by the business owner themselves, by non-technical personnel, or by a website designer. This opens websites up to many security issues: they are not kept up to date, have no security added (or not set up properly), and may not even have any backups.

Previously, I helped a website design company that had 42 of their clients' websites hacked, plus an additional 8 websites from another website design company sharing their server. Looking into the issue, the hacking had started 4 years earlier and only recently become aggressive; the server and websites lacked security and were not kept up to date. Their security had more holes than Swiss cheese and the hackers had a field day. The websites and server were fixed, yet the cost of having implemented the security would have been insignificant compared to the cost of fixing the issue. Also, once a server has been hacked to this extent, it is best to move the websites to another server, as there is always the chance something is left behind to regain entry.

In another scenario, a new client had a website with a security plugin, yet it wasn't set up and still allowed basic brute-force attacks freely, and attempts to break in were being made every day. Luckily it was a novice hacker and the website was secured before entry was gained, yet it shows that a little knowledge can be dangerous with security. When implementing security, you need to know why you are doing what you are doing; adding a security plugin doesn't mean it will work for every scenario, especially if it is not set up properly.

I hear this a lot: "My website is hosted with X, they would look after the security, right?" No hosting company will look after all security issues. If you own a website or are looking after one, you need to know what security, if any, has been set up for your website and server, and what security is needed.

Joomla (8 Year Old Vulnerability)

Recently Joomla had a vulnerability that affected all versions from the last 8 years, meaning nearly every Joomla website needed to be updated, as the vulnerability was being actively exploited. In such a scenario there are precautions that can be taken, such as firewalls or other security layers that help prevent exploitation until the website can be updated. Yet, as stated above, with many websites maintained by non-technical personnel, there is a great lack of website security, leaving websites open to being hacked.

WordPress 4.4.1 Update / Plugin Vulnerabilities

The 4.4.1 update to WordPress fixes an XSS (cross-site scripting) vulnerability. This vulnerability is now known in the wild, meaning that if you have not updated your WordPress website you need to do so ASAP.

WordPress Plugin Vulnerabilities

All of the following plugins have vulnerabilities that have been fixed in their latest versions, so if you have not updated, ensure you do so ASAP:

  • Commentator plugin version 2.5.2 and older
  • WordPress Download Manager 2.8.7 and older
  • Simple Download Monitor 3.2.8
  • Simple Ads Manager 2.9.4.116

Key Note

Companies that have a website need research and training into what is required to keep safe not only the website itself, but also communications from the website and any user data they retain.

With the aim of improving website security, I have listed various systems and plugins that can be used; note that these still need to be set up correctly and kept updated to their latest version to be of benefit. There are also other parts of owning a website, such as the server, that need to be hardened to maintain an adequate level of security.

Cloud Flare

(www.CloudFlare.com)
Many years ago a group of webmasters began collaborating on a database of hackers, spammers and the like so they could filter out such traffic and improve the security of their websites. CloudFlare sits between your website and its users; it is extremely useful and includes a CDN, optimisation, security, analytics and website apps. In short, it will assist with security, may make your website load faster, reduce the load on your server, give you traffic statistics and let you add specific features with ease. It has free and paid versions. The free version is very good, yet if you have a large website you want to keep healthy, look into the paid version.

There are several WordPress, Joomla etc. security plugins I will write up in my next article. If you need help or would like to know about these security details, send me an email (lionel@vofer.com.au) and I will update you on the details.

Vofer

Websites, Online Marketing (PPC/SMM) and Cyber Security
www.Vofer.com.au