This month’s Ouch! newsletter (PDF) from SANS provides a useful overview of encryption, and what it means in the context of the web. Recommended reading for anyone hazy on the subject.
Microsoft will only support most recent Internet Explorer after January 2016
If you want to keep receiving security and bug fixes for Internet Explorer after January 12, 2016, you’ll have to upgrade to the most recent version first. For now, that means IE 11. But if IE 12 is ready before January 12, you’ll be forced to update to that version.
Microsoft is doing this mainly to reduce support costs. But this is also the approach used by Google for its Chrome browser, and Mozilla is moving in that direction for Firefox.
Another WordPress plugin with critical security issues
WordPress is still an extremely attractive target for malicious hackers. One of the ways they can gain access to WordPress sites is to examine third-party WordPress plugins, looking for security vulnerabilities. Plugins aren’t subject to any kind of approval or auditing process; anyone can develop and publish them.
Many of the most famous WordPress hacks were actually hacks of plugins, not the WordPress core software. The TimThumb graphics library is a good example.
Now there’s news that the popular Custom Contacts Form plugin is vulnerable, and sites running unpatched versions are exposed to complete takeover by nefarious persons.
Anyone who runs a WordPress site that uses Custom Contacts Form should immediately update the plugin to version 5.1.0.4 or higher.
What we know about the recent theft of 1.2 billion passwords
On August 5, the New York Times ran a story calculated to cause panic among Internet users. According to the story, a Russian gang had obtained up to 1.2 billion (yes, billion) login credentials.
The source of the story was Alex Holden, of Hold Security. Unfortunately, Holden didn’t provide much in the way of details, which has given rise to a lot of speculation about the facts, and of Holden’s motives.
Hold Security followed up the story by announcing that they planned to offer a fee-based service that would allow anyone to check whether an email address or user id was in the database of stolen credentials. Many took this as a sign that Hold Security was involved in some kind of scam, but well-known security blogger Brian Krebs came to Holden’s defense in a recent post.
Bruce Schneier, another famous security analyst, isn’t sure. He says – and we agree – that there’s something squirrely about this story.
In any case, it’s simply too soon to know for sure what’s going on. Until someone starts using the purloined information for something other than spam, all we can do is wait. Hopefully Hold Security will either create a free tool for checking credentials, or they’ll hand the database over to someone else who will.
In the meantime, our advice remains the same: use complex, unique passwords, especially for critical accounts like online banking.
Advance notification: Microsoft updates for August
Another month, another pile of patches from Microsoft. This month the updates will become available starting about 10am PST on August 12. According to the official advance notification, there will be nine security bulletins, with associated updates for Windows, Internet Explorer, .NET, SharePoint, OneNote and SQL Server. Two are rated critical.
CryptoLocker defanged at last
Security researchers have cracked the encryption used by the horrible CryptoLocker ransomware.
Recall that once CryptoLocker infects a computer, it encrypts all documents it can find, making them inaccessible until you pay the perpetrators $300 for a key to unlock them. Thousands of users have been hit, with some paying the ransom, while many others lost their data forever.
The researchers have set up a free web site (2016Jan09: the site has been decommissioned) that allows anyone hit by CryptoLocker to decrypt their files. You must upload one encrypted file, after which you are sent the required key. After decrypting your files, you can then use a CryptoLocker removal tool to get rid of the infection.
Microsoft continues to back away from the ‘new’ Windows UI
Evidently Microsoft really does listen to users, even if it sometimes takes them a while to react. Aside from making the new/Metro user interface optional in Windows 9 and bringing back the Start menu, they have decided to remove the weird ‘Charms’ bar that appears on the right side of the screen in Windows 8.x.
A useful feature that may appear in Windows 9 is virtual desktops. These allow users to set up multiple desktops, each with different desktop icons and application windows. You will be able to easily switch between the desktops, greatly simplifying life for anyone who wears different hats throughout their work day. In fact, however, this is not a new feature at all. Microsoft has offered a few virtual desktop solutions over the years, typically as extra downloads, including the one I’ve used most recently, Desktops.
Upcoming Windows 8 update prompts yawns
There’s very little to talk about for the impending Windows 8.1 Service Pack 2 Update 2 whatchamacallit, aside from Microsoft’s strange (and confusing) aversion to sticking with a naming convention. As previously mentioned, the Start menu won’t return to Windows until version 9. The Verge has the details, which really aren’t worth reading.
WordPress 3.9.2 fixes several security issues
A new version of the popular WordPress CMS was released yesterday. Version 3.9.2 includes a fix for a serious potential Denial-of-Service bug, and a few other changes that improve overall security.
Anyone who operates a WordPress site is strongly encouraged to update the software as soon as possible. Sites that are configured to allow auto-updates should be automatically updated in the next day or so.
New dangers of thumb drives
We’ve known for years that careless use of thumb drives (USB storage devices) is dangerous. Windows in particular has a bad habit of automatically running programs on thumb drives when they are plugged in.
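The autorun behaviour described above can be checked and switched off from PowerShell. The script below is an added example, not part of the original post; it assumes a Windows machine and an elevated (administrator) PowerShell session for the write step. The registry key and the two value names (NoDriveTypeAutoRun with the 0xFF “all drive types” mask, and NoAutorun) are Microsoft’s documented Explorer policies for disabling AutoRun; the function names are this example’s own.

```powershell
# Added example (not from the original post): audit and harden Windows AutoRun handling
# of removable drives through the Explorer policy key. Assumes Windows; Disable-Autorun
# needs an elevated session because it writes under HKLM.

$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-AutorunPolicy {
    # Returns the current policy values; a $null field means the value is absent
    # and the OS default applies (which is why the audit below treats $null as not hardened).
    $props = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NoDriveTypeAutoRun = $props.NoDriveTypeAutoRun
        NoAutorun          = $props.NoAutorun
    }
}

function Test-AutorunHardened {
    $p = Get-AutorunPolicy
    # 0xFF (255) sets every drive-type bit, so AutoRun is disabled for all drive types;
    # NoAutorun = 1 additionally stops autorun.inf from adding entries to the AutoPlay dialog.
    ($p.NoDriveTypeAutoRun -eq 0xFF) -and ($p.NoAutorun -eq 1)
}

function Disable-Autorun {
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' -PropertyType DWord -Value 0xFF -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name 'NoAutorun' -PropertyType DWord -Value 1 -Force | Out-Null
}

# Audit first, apply only if needed, then show the resulting state.
if (Test-AutorunHardened) {
    'AutoRun is already disabled for all drive types.'
} else {
    'AutoRun is not fully disabled; applying hardened policy values.'
    Disable-Autorun
    Get-AutorunPolicy | Format-List
}
```

Explorer reads these values on a per-session basis, so a sign-out or reboot may be needed before the change takes effect. Note the limit of this mitigation: it only governs AutoRun/AutoPlay for files on the storage volume. A device whose firmware presents itself as a keyboard or network adapter, as in the BadUSB research below, never goes through AutoRun at all, which is why that item is a different class of problem.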
Now researchers have found a new way to infect USB devices: not the files they contain, but the firmware that controls how they operate. All USB devices contain firmware, and while it’s not normally accessible to users, the firmware can be modified by anyone with the requisite skills and knowledge.
The researchers developed proof-of-concept malware called BadUSB. A USB device infected with BadUSB can be configured to do just about anything to a computer to which it’s connected, from redirecting network traffic to modifying files.
It remains to be seen just how easy it is for BadUSB – or any other malware that uses this technique – to spread. USB device firmware varies between brands and device types, which might necessitate infection code that’s specific to each type of device.
For now, while the researchers have created working malware that exploits this new technique, real-world exploits are likely months away, if they indeed ever appear.