If you noticed more spam than usual in your inbox in recent months, you’re not alone. You may also have noticed that using your email client to block the sender is typically ineffective. That’s because the spam is coming from thousands of different domains, each corresponding to a different compromised web server.
This is the work of the Mumblehard botnet, which was observed sending mass spam starting about seven months ago by ESet researchers. The Mumblehard code has existed on the web for at least five years, but seems to have started its spamming activities on a large scale only in the last year or so.
Computers infected with Mumblehard are typically Linux web servers. It remains unclear exactly how servers become infected, but researchers suspect that unpatched WordPress and Joomla vulnerabilities provide the key.
A new version of WordPress addresses several critical security issues. Version 4.2.2 also fixes some non-security issues that were introduced in WordPress 4.2.
The vulnerabilities fixed in WordPress 4.2.2 are being actively exploited on the web, so anyone who operates a WordPress site should immediately check whether the new version has been auto-installed, and if not, install it.
If you’ve been trying to live without Flash, because of its never-ending security vulnerabilities, take heart. YouTube now shows videos using HTML5 instead of Flash by default. YouTube will still use Flash in browsers that don’t support HTML5, but all the major browsers do now support it.
Flash use is still pervasive on the web. But this change by YouTube – arguably the biggest user of Flash up to now – is going to reduce Flash usage enormously.
Note that while YouTube started experimenting with this change some time ago, it’s only recently shown up in Firefox, with version 37.
If YouTube was the only place you were using Flash, you should be able to completely disable Flash in your browser now.
In other words, if you run a web site that fails to meet Google’s mobile-friendly requirements, that site will now appear lower down in Google’s search results, when the search is performed on a mobile device.
There’s no reason to panic, however. Mobile-friendliness is only one of numerous factors that determine where a site ranks in Google search results.
A recent Cloudmark analysis shows that spam traffic originating in Canada has dropped by as much as 37% since Canada’s Anti Spam Law (CASL) took effect last year. Canadians are also receiving 29% less spam than before CASL.
This is terrific news, particularly as there had been some doubt as to whether the new law would prove effective.
Recent studies from Verizon and Symantec show that malicious hackers almost always gain unauthorized access to computer systems because of misconfigured software and user errors. You don’t have to be a genius hacker to get into a supposedly secure system if a sysadmin left the door wide open, or if you can fool a gullible user into revealing their password.
As a user, you’re probably getting tired of being told to be careful when clicking links on the web and in email. But it’s good advice. If you receive an email message that includes a link, and tells you to click the link, think before you click. If someone asks you for your password, do not give it to them.
A new extension for Chrome called Password Alert helps users recognize when they’ve unknowingly entered their Google/GMail password on a phishing web page. The extension does this without itself compromising security. If you use Chrome, this extension is highly recommended. You can find the extension in the Chrome web store. Bruce Schneier has more.
Update 2015May01: And just like that, Google’s Password Alert extension is shown to be extremely easy to bypass. Google issues an update, which is also shown to be seriously flawed.
Noted technology blogger Jeff Atwood discusses passwords in a recent post on his entertaining and informative site Coding Horror.
Jeff wants web-based services to get better at both insisting on strong passwords, and helping users to choose those passwords; or to switch to authentication technologies provided by Facebook, Google, and others. Based on his testing, he also observes that passwords shorter than twelve characters are easy to crack using brute force methods.
The latest version of Google’s web browser is another batch of security fixes. Version 42.0.2311.135 addresses five vulnerabilities, including at least one reported by non-Google security researchers.
A critical cross site scripting (XSS) vulnerability in WordPress was revealed on April 27. Anyone managing a WordPress site should upgrade to version 4.2.1 as soon as possible. Ars Technica has more.
Rants and musings on topics of interest. Sometimes about Windows, Linux, security and cool software.
Close
Ad-blocker not detected
Consider installing a browser extension that blocks ads and other malicious scripts in your browser to protect your privacy and security. Learn more.