Category Archives: Security

aka infosec

Internet crime, Security, Spam and scams, WordPress and other CMS

WordPress sites targeted by pro-ISIL hacks

Leave a comment

An active campaign pushing the agenda of ISIL is being perpetrated mainly via hacked WordPress sites. The FBI has issued a related warning.

Anyone who runs a WordPress site should immediately ensure that it is up to date with all WordPress and plugin updates. Of course this won’t help if your site has already been hacked, so if you have any doubt, please scan your site with one (or preferably all) of the following web-based site scanners:

Meanwhile, yet another popular WordPress plugin has been found to contain a serious vulnerability. The site caching plugin WP-Super-Cache has a nasty cross-site scripting bug. Anyone using this plugin on a WordPress site needs to update it to the fixed version (1.4.4) immediately.

Firefox, Patches and updates, Security

Firefox 37.0.1 fixes crashing and security issues in 37.0

Leave a comment

Some of us never really had a chance to try Firefox 37.0, and that’s probably a good thing. Version 37.0 tends to crash when started, and it includes at least one new security vulnerability.

Mozilla pulled Firefox 37.0 from the auto-update queue after learning of these issues, and yesterday released 37.0.1 to resolve them.

Unfortunately, despite the fact that this would have been a really good time for some kind of announcement of what was going on, Mozilla has said exactly nothing about this. The release notes for Firefox 37.0.1 don’t provide any insight, and although the security advisories page has been updated for 37.0.1, it still doesn’t say much.

It does appear that Mozilla’s attempt to enable Opportunistic Encryption in Firefox 37.0 didn’t work out as expected, because the HTTP Alternative Services feature is disabled in Firefox 37.0.1.

Firefox, Patches and updates, Security

Firefox 37 released

Leave a comment

A new version of Firefox was announced yesterday by Mozilla. Yes, you read that correctly: a post on the Mozilla blog announced new versions of Firefox for all platforms. Of course, the announcement doesn’t mention the new version number, and it doesn’t provide any details, it just points to the release notes. Still, it’s progress!

According to the release notes for Firefox 37.0, the new version includes several changes related to security, including ‘improved protection against site impersonation’, and several fixes related to recently-discovered TLS vulnerabilities. WebGL rendering performance on Windows was improved. HTML5 support was also enhanced.

According to the Firefox Security Advisories page, at least 13 security vulnerabilities were fixed in Firefox 37.0.

Update: As of April 1 at 6:53am PST, the version of Firefox I’m currently using (36.0.4) is telling me that ‘Firefox is up to date’. It looks like someone may have forgotten a step when publishing version 37.0. Presumably this will be resolved shortly. If I visit the main Firefox download page, it tells me I’m using an older version of Firefox, and the download link definitely goes to Firefox 37.0.

Update 2015Apr02: According to sources on the official Firefox IRC channel, auto-updates for version 37 have been suspended while the developers look into a crashing problem being reported by some Windows 8 users.

Internet, Internet crime, Malware, Security

Malvertising is a growing threat

1 Comment

If you’re not familiar with the term, you should be. ‘Malvertising‘ refers to the increasingly common tactic whereby malicious persons include exploit code within what otherwise appears to be legitimate, web-based advertising.

Over on eWEEK, a recent post (Why ‘Malvertising’ Has Become a Pervasive Security Risk) explains why Malvertising is a real and growing threat.

Organizations that provide advertising platforms – including Google – need to deal with this threat quickly. If they don’t, there’s likely to be a surge in users installing ad-blocking software in their browsers. I personally use and recommend NoScript, a browser plugin that blocks all Javascript (and Malvertising) by default.

Firefox, Patches and updates, Security

Firefox 36.0.3 fixes two security bugs

Leave a comment

Two security vulnerabilities, discovered at the HP Zero Day Initiative Pwn2Own contest, have been fixed in Firefox 36.0.3.

As usual, there was no proper announcement for the new version. The release notes for 36.0.3 include changes made in previous versions, as you can see by comparing them to the release notes for 36.0.1. At least the changes specific to 36.0.3 are flagged as such.

The Security Advisories (aka Known Vulnerabilities) page now has a section for each version; the most recent changes are listed under the heading ‘Fixed in Firefox 36.0.3’.

Internet, Mac, Mobile, Patches and updates, Security, Windows

FREAK vulnerability affects Windows, Mac, mobiles

Leave a comment

It’s been about two weeks since the FREAK vulnerability was first reported. The flaw itself has existed for at least ten years, and we now know that it affects mobile devices, Mac OS X, and Windows.

From the related US-CERT alert:

FREAK (Factoring Attack on RSA-EXPORT Keys CVE-2015-0204) is a weakness in some implementations of SSL/TLS that may allow an attacker to decrypt secure communications between vulnerable clients and servers.

Google has released an updated version of its Android OS and Chrome browser for OS X to mitigate the vulnerability. Microsoft has released a Security Advisory that includes a workaround for supported Windows systems.

It’s now clear that this is a teaching moment for the Internet. The FREAK flaw exists because of the ridiculous (and short-lived) insistence by the US government that encryption software designated for export be made deliberately weak. The imposed restrictions ended, but the code involved in switching between strong and weak encryption remained. This intentional weakening of encryption is similar to the kind of ‘golden key’ (back door) for which intelligence organizations are currently clamouring. The lesson: Encryption Backdoors Will Always Turn Around And Bite You In The Ass. Bruce Schneier calls this a ‘security rollback‘. The Economist puts it succinctly, “…mathematics applies to just and unjust alike; a flaw that can be exploited by Western governments is vulnerable to anyone who finds it.”

Update 2015Mar19: Researchers determine that exploiting the remaining vulnerable systems is much easier than originally estimated. Thousands of iOS and Android apps are vulnerable.

Internet Explorer, Microsoft, Patches and updates, Security, Tools, Windows

EMET 5.2 released by Microsoft

Leave a comment

A new version of the Enhanced Mitigation Experience Toolkit (EMET) was announced by Microsoft on March 12. EMET is an application that provides an additional level of security for Windows systems by detecting and blocking specific types of application behaviour that are associated with malware.

Version 5.2 of EMET adds new features for Windows 8.1 (and up), and for Internet Explorer.

EMET is highly recommended for Windows computers. You can obtain it from the main EMET page.

Update 2015Mar17: If you downloaded EMET 5.2 before March 16, you may have noticed that Internet Explorer on Windows 8.1 stopped working. Microsoft has re-released EMET 5.2 to address this problem.