Recent surge in spam likely due to Mumblehard botnet

If you noticed more spam than usual in your inbox in recent months, you’re not alone. You may also have noticed that using your email client to block the sender is typically ineffective. That’s because the spam is coming from thousands of different domains, each corresponding to a different compromised web server.

This is the work of the Mumblehard botnet, which was observed sending mass spam starting about seven months ago by ESet researchers. The Mumblehard code has existed on the web for at least five years, but seems to have started its spamming activities on a large scale only in the last year or so.

Computers infected with Mumblehard are typically Linux web servers. It remains unclear exactly how servers become infected, but researchers suspect that unpatched WordPress and Joomla vulnerabilities provide the key.

WordPress 4.2.2 and critical theme updates

A new version of WordPress addresses several critical security issues. Version 4.2.2 also fixes some non-security issues that were introduced in WordPress 4.2.

The vulnerabilities fixed in WordPress 4.2.2 are being actively exploited on the web, so anyone who operates a WordPress site should immediately check whether the new version has been auto-installed, and if not, install it.

Another vulnerability was recently discovered in the Twenty Fifteen theme that comes packaged with newer versions of WordPress. An updated version of the theme that addresses the issue is now available.

YouTube no longer uses Flash by default

If you’ve been trying to live without Flash, because of its never-ending security vulnerabilities, take heart. YouTube now shows videos using HTML5 instead of Flash by default. YouTube will still use Flash in browsers that don’t support HTML5, but all the major browsers do now support it.

Flash use is still pervasive on the web. But this change by YouTube – arguably the biggest user of Flash up to now – is going to reduce Flash usage enormously.

Note that while YouTube started experimenting with this change some time ago, it’s only recently shown up in Firefox, with version 37.

If YouTube was the only place you were using Flash, you should be able to completely disable Flash in your browser now.

Google pushing for mobile-friendly web sites

Google wants the web to be easier to view on mobile devices. To encourage web site owners to make their sites mobile-friendly, Google is now ranking mobile-unfriendly sites lower on mobile searches.

In other words, if you run a web site that fails to meet Google’s mobile-friendly requirements, that site will now appear lower down in Google’s search results, when the search is performed on a mobile device.

There’s no reason to panic, however. Mobile-friendliness is only one of numerous factors that determine where a site ranks in Google search results.

User and sysadmin mistakes allow intruder access in most cases

Recent studies from Verizon and Symantec show that malicious hackers almost always gain unauthorized access to computer systems because of misconfigured software and user errors. You don’t have to be a genius hacker to get into a supposedly secure system if a sysadmin left the door wide open, or if you can fool a gullible user into revealing their password.

As a user, you’re probably getting tired of being told to be careful when clicking links on the web and in email. But it’s good advice. If you receive an email message that includes a link, and tells you to click the link, think before you click. If someone asks you for your password, do not give it to them.

Chrome and Internet Explorer add security features

A new extension for Chrome called Password Alert helps users recognize when they’ve unknowingly entered their Google/GMail password on a phishing web page. The extension does this without itself compromising security. If you use Chrome, this extension is highly recommended. You can find the extension in the Chrome web store. Bruce Schneier has more.

Meanwhile, Microsoft is adding a feature to Internet Explorer that will warn users when they visit a site with ads that contain malware. The feature is expected to start working on June 1.

Update 2015May01: And just like that, Google’s Password Alert extension is shown to be extremely easy to bypass. Google issues an update, which is also shown to be seriously flawed.

Jeff Atwood on passwords

Noted technology blogger Jeff Atwood discusses passwords in a recent post on his entertaining and informative site Coding Horror.

Jeff wants web-based services to get better at both insisting on strong passwords, and helping users to choose those passwords; or to switch to authentication technologies provided by Facebook, Google, and others. Based on his testing, he also observes that passwords shorter than twelve characters are easy to crack using brute force methods.

Rants and musings on topics of interest. Sometimes about Windows, Linux, security and cool software.