Posts tagged Security

New Security Flaw Allows Attackers to Hijack WordPress Sites


If you’re a WordPress user, you’ll want to update your site with a critical security release. That’s because a new zero-day vulnerability, discovered by Jouko Pynnönen of the Finnish security firm Klikki Oy, allows attackers to gain administrative control of WordPress sites. 

The flaw, a cross-site scripting (XSS) bug, is exploited by leaving a long comment (over 64 KB) containing malicious JavaScript, which a logged-in administrator can trigger simply by viewing the comment. Bad things can then happen, according to Klikki Oy:

If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors.

Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.

According to Klikki Oy, another security researcher, Cedric Van Bockhaven, reported a similar WordPress flaw in 2014, although it was only patched this week.

Matt Mullenweg, who is both the lead developer of WordPress and founder and CEO of its parent company Automattic, released the following official statement by email (no link):

It is a core issue, but the number of sites vulnerable is much smaller than you may think because the vast majority of WordPress-powered sites run [the anti-spam plugin] Akismet, which blocks this attack.

However, many WordPress-powered sites do not run Akismet, which now costs $5 to $9 a month for commercial sites and $50/month for enterprise sites. (Automattic did not immediately respond to request for the percentage of users who use the plugin).

WordPress is pushing out the security patch via auto-update, so that will protect many users—at least those who have auto-update enabled—even if they don’t use Akismet.
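For site operators who cannot apply the patch immediately, one defence-in-depth measure is to refuse oversized comments before they ever reach the database, so that an attack relying on a comment of more than 64 KB never gets stored. The following is an added example plugin, not WordPress core code or material from Klikki Oy; it assumes a WordPress environment and uses the preprocess_comment filter and wp_die(), both core WordPress APIs. The 65535-byte ceiling mirrors the 64 KB figure above and is an assumption about what a legitimate comment should never exceed.

```php
<?php
/*
Plugin Name: Comment Length Guard (example)
Description: Rejects oversized comments before they reach the database.
             Added example, not WordPress core code.
*/

// 64 KB ceiling, matching the size the disclosure above associates with the attack.
// Assumption: legitimate comments are far shorter than this; tune for your site.
const CLG_MAX_COMMENT_BYTES = 65535;

/**
 * Return true when a comment body is within the allowed size.
 * strlen() counts bytes, not characters, which is what matters for storage limits.
 */
function clg_comment_within_limit( string $content, int $max = CLG_MAX_COMMENT_BYTES ): bool {
    return strlen( $content ) <= $max;
}

/**
 * Runs on the preprocess_comment filter, i.e. before wp_insert_comment() stores anything.
 * Oversized submissions are refused with HTTP 413 instead of being handed to the database.
 */
function clg_guard_comment( array $commentdata ): array {
    $content = isset( $commentdata['comment_content'] ) ? (string) $commentdata['comment_content'] : '';
    if ( ! clg_comment_within_limit( $content ) ) {
        // Leave a trace for the operator: size and source address of the rejected submission.
        error_log( sprintf(
            'comment-length-guard: rejected %d-byte comment from %s',
            strlen( $content ),
            $commentdata['comment_author_IP'] ?? 'unknown'
        ) );
        wp_die( 'Comment too long.', 'Comment rejected', array( 'response' => 413 ) );
    }
    return $commentdata;
}
add_filter( 'preprocess_comment', 'clg_guard_comment' );
```

Drop the file into wp-content/plugins/ and activate it. The filter runs for every comment submitted through wp-comments-post.php, whether or not Akismet is installed, so it complements rather than replaces the core update; the error_log() line gives the operator a record of oversized submissions to review.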

Lead image by Sean MacEntee

View full post on ReadWrite

Multiple WordPress Plugins Vulnerable to Security Flaw, Immediate Update Recommended by @mattsouthern

WordPress security watchdog Sucuri has issued a warning that multiple WordPress plugins are vulnerable to a security flaw: “Cross-site Scripting (XSS) due to the misuse of the add_query_arg() and remove_query_arg() functions. These are popular functions used by developers to modify and add query strings to URLs within WordPress.” Apparently, the problem was that the official WordPress documentation for these functions was not very clear, which led many plugin developers to use them in an insecure way. To date, this is the list of affected plugins: Jetpack, WordPress SEO, Google Analytics by Yoast, All In One SEO, Gravity Forms, Multiple […]
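The insecure pattern Sucuri describes, beside its corrected form, as an added example that is not code from any of the plugins listed: when no URL argument is passed, add_query_arg() and remove_query_arg() build on the current request URI, and neither escapes its return value, so the result must go through esc_url() when echoed into HTML (or esc_url_raw() when used for a redirect or stored). The example assumes it runs inside WordPress, where those functions exist; the example_* function names are this illustration's own.

```php
<?php
// Added example, not code from Sucuri or from the plugins named above.
// Assumes a WordPress runtime: add_query_arg(), remove_query_arg(), esc_url() are core functions.

/**
 * Unsafe: add_query_arg() with no URL argument builds on $_SERVER['REQUEST_URI'],
 * and its return value is not escaped. Echoing it straight into an attribute
 * reflects whatever the request URI contained back into the page.
 */
function example_pagination_link_unsafe( int $page ): string {
    return '<a href="' . add_query_arg( 'paged', $page ) . '">Page ' . (int) $page . '</a>';
}

/**
 * Safe: escape at the point of output. esc_url() is the variant for HTML attributes;
 * esc_url_raw() is the one for redirects and database storage.
 */
function example_pagination_link_safe( int $page ): string {
    return '<a href="' . esc_url( add_query_arg( 'paged', $page ) ) . '">Page ' . (int) $page . '</a>';
}

/**
 * The same rule applies to remove_query_arg(), for instance on a "clear filters" link.
 */
function example_clear_filter_link(): string {
    return '<a href="' . esc_url( remove_query_arg( array( 'orderby', 'order' ) ) ) . '">Clear filters</a>';
}

/**
 * Passing an explicit base URL avoids the request-URI dependency, but the output
 * still has to be escaped, because the added values may come from user input.
 */
function example_sort_link_safe( string $base_url, string $orderby ): string {
    return '<a href="' . esc_url( add_query_arg( 'orderby', $orderby, $base_url ) ) . '">Sort</a>';
}
```

A quick audit of a plugin code base is to search for every add_query_arg( and remove_query_arg( call and check that each one used in output is wrapped in esc_url() (or esc_url_raw() for redirects); any bare call whose result is echoed is a candidate for the flaw described above.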

The post Multiple WordPress Plugins Vulnerable to Security Flaw, Immediate Update Recommended by @mattsouthern appeared first on Search Engine Journal.

View full post on Search Engine Journal

What Does Google’s Venture Arm See In Enterprise Security?

Google has its own two-factor authentication (2FA), so why is its venture arm investing in a company that sells 2FA services?

Because, it turns out, enterprise security is a really big deal, according to Google Ventures partner Karim Faris. Faris has been hammering this enterprise security theme for several years now, leading Google to invest in ThreatStream, Ionic Security, Shape Security, and Duo Security, a 2FA company that now has over 5,000 customers, including Box, Facebook, NASA, Toyota, and Twitter.

This focus on security—particularly things like 2FA that make it somewhat simple for end-users—is critical. (2FA typically requires a user to log in with both a password and a secondary authorization code, often delivered via text message or a small electronic gadget.) Studies, like this one from Aruba Networks, keep showing that enterprise users mostly don’t care about securing enterprise data.


Karim Faris

Just a few short years ago, Google Inc. had zero interest in the enterprise, but now factors heavily in enterprise discussions around cloud, apps, storage, and more. So on the eve of Duo Security’s Series C $30 million raise led by Redpoint Ventures, and joined by Google Ventures, I talked with Faris about Google’s interest in enterprise security.

More Cybercrime, More Cybersecurity

ReadWrite: Google Ventures’ interest in enterprise security startups seems to have grown. What is changing in the market to make info security more attractive to you now?

Faris: We look to invest in companies that are working on innovative ways to tackle security challenges, while optimizing usability. In addition to Duo, we’ve invested in companies like ThreatStream, Ionic Security, Shape Security, and Synack. 

Security has always been an important topic and has garnered increasing attention as more vectors of attack materialize that cybercriminals can exploit. We used to be able to protect companies by having a hard perimeter around physical networks that was protected by traditional defenses like firewalls. But you can no longer solely rely on that with the rise of cloud and mobility services, as well as people bringing in their own devices. 

That additional exposure makes enterprises more vulnerable and is fueling the need for new security innovation, which creates investment opportunity.

RW: What did you like about Duo Security?

KF: We liked a lot of things: the strength of the team, the passion of their rapidly growing user base, and the depth of the technology. Two-factor authentication gets you a lot of bang for the security buck and is something everyone should consider. If you have a fortress to keep safe, the first thing you do is protect the gates. Duo makes it incredibly easy to deploy and use. They started by guarding the gates, and now they are building a moat.

Factor This

RW: You mentioned that in your original due diligence process you discovered many companies were adopting Duo and, by extension, 2FA. Why is 2FA so important to enforcing enterprise security?

KF: Enterprises historically have always had to find the right balance between adequate protection and usability. If the CISO wanted to enforce security policies, that often came at the expense of a poor user experience and meaningful workflow disruption, which directly impacted productivity. 

In the case of two-factor authentication, hard or soft token implementations have not attracted many fans, whether it’s the idea of carrying another piece of plastic on your keychain or entering a one-time password every time you log in. Duo figured out how to make that process seamless and more secure at the same time, while reducing the operational load on the enterprise. That led to impressive user adoption.

RW: You said Duo started by protecting the gate of the fortress. How is this best done?

KF: To be effective, you need to let IT teams easily define rules on who can access what applications and automate the enforcement of these rules. Doing so enables real-time detection and prevention of potentially malicious attempts to access applications from anywhere, whether they are on premises or in the cloud.

One reason I like Duo is that it analyzes the context of a user’s behavior, location, security health of the device and the reputation of the IP address in real-time to enforce these rules. This allows more effective security without inconveniencing users. 

This is critical. CISOs get insight into the security health of endpoints like Macs, Windows PCs, iOS and Android devices, without installing agents. They can identify users with devices that are out of compliance with policy and enforce restrictions on how these devices are used at work, keeping an enterprise current and safe.

Lead photo courtesy of Shutterstock

View full post on ReadWrite


Run WordPress SEO by Yoast on your website? You need to update it – Graham Cluley Security News

WordPress SEO by Yoast has over one million active users, running it on their self-hosted WordPress sites to boost their appearance in search engine results. And, as we all know, the higher you appear in search engines, the more traffic you will get.

View full post on SEO – Google News

SearchCap: SEO Fears, Google Security Flags & Doodles

Below is what happened in search today, as reported on Search Engine Land and from other places across the web.

The post SearchCap: SEO Fears, Google Security Flags & Doodles appeared first on Search Engine Land.


View full post on Search Engine Land: News & Info About SEO, PPC, SEM, Search Engines & Search Marketing

Google Says They May Flag Broken Security Certificates In The Search Results

Google may flag sites that have broken security certificates in the search results. They may also boost the ranking benefit on login pages, to prevent phishing attempts.

The post Google Says They May Flag Broken Security Certificates In The Search Results appeared first on Search Engine Land.


View full post on Search Engine Land: News & Info About SEO, PPC, SEM, Search Engines & Search Marketing

Google Says About Half Of Security Certificates Are Broken On The Web

Google may flag sites that have broken security certificates in the search results. They may also boost the ranking benefit on login pages, to prevent phishing attempts.

The post Google Says About Half Of Security Certificates Are Broken On The Web appeared first on Search Engine Land.


View full post on Search Engine Land: News & Info About SEO, PPC, SEM, Search Engines & Search Marketing

How Blackphone Turned A Security Fail Into A Win

Last year, privacy-focused Blackphone got a dubious distinction: It became known as the locked-down phone that supposedly got hacked in just 5 minutes.

Things have changed. Now, it’s a whole mobile product line geared for companies (and perhaps paranoid individuals), a brand-new acquisition for encryption services firm Silent Call, and a multi-million dollar enterprise with nearly $750 million in device sales.

The group introduced its latest devices this week at Mobile World Congress—the Blackphone 2 smartphone and its first tablet, currently dubbed Blackphone+. But what was really on display was the company’s uncanny knack for turning a well-publicized security flub into a win.

Meet Blackphone 2 And Blackphone+


As far as upgrades go, the 5.5-inch Blackphone 2 looks like a decent successor to last year’s original 4.7-inch Blackphone.

Like most second-generation phones, version 2 offers several hardware improvements, including a faster 64-bit 8-core processor, more memory (3GB), a bigger battery and a larger display. The phone also ties into Citrix’s Mobile Device Management, so IT departments can manage employees’ company-supplied or BYO (“bring your own”) phones. Blackphone 2 is priced at $630 (unlocked) and slated for a July release. Soon after, it will be joined by the company’s first tablet, the 7-inch Blackphone+, sometime this fall. 


The original Blackphone (left) and Blackphone 2 exhibition unit (right)

Both run Blackphone’s PrivatOS software, a variation on Android designed as an extra layer of protection between users and the big, bad outside world. When apps unnecessarily ask for personal data, like contacts or location, Blackphone can intercept the request, blocking or obscuring it. The software can even fool the app into thinking the user granted access, even if he or she didn’t.

“You can take an Android device, you can root it, introduce [similar] features, and after months, you can have something like Blackphone,” said Javier Agüera, Blackphone’s founder and now a chief scientist at Silent Call. “Or you can have an out-of-the-box device, with everything set up by security specialists, that’s enterprise ready and configured the way you need it.”


PrivatOS boasts a new virtualization feature called “Spaces,” which offers separate “work” and “personal” modes, the ability to add profiles, and an app store vetted by Blackphone. The technology’s encryption protocols also keep keys on the device itself, not on some unknown remote server. The phone’s price includes two years of security services, covering protection against unsafe WiFi networks, private browsing, and secure cloud file storage.

Sounds like a lot of protection; at least, it’s more than most users are accustomed to getting. It all goes back to Blackphone’s mission: the company wants to safeguard people. It seems sincere—even though a hacker actually did manage to breach those walls last year.

Turning Hackers Into BFs


PrivatOS running on last year’s model

At hacking convention DefCon last year, CTO Jon “Justin” Sawyer of Applied Cybersecurity LLC told Blackphone that he managed to get past its security to root its device. What’s more, he tweeted the exploit, which landed on BlackBerry sites and other tech blogs.

Sawyer found a couple of weak spots in the software, including a hole in the remote wipe feature that let the security expert access the device and grant himself system privileges. He was able to give himself access to core parts of the phone. But what gets less attention, the execs said, is that the company had already patched the hole.


Sawyer essentially attacked an old, outdated version of the software. Even so, the incident and publicity could have humiliated Blackphone right out of the market. It didn’t. Instead, the company is milking it. 

The team thanked Sawyer for the discovery and sent him a bottle of wine. Then it enlisted others to scope out any other vulnerabilities. 

According to Vic Hyder, Silent Call’s chief strategy officer, Blackphone recently launched a bug bounty program to reward people for finding security glitches—from $128 to more, depending on the severity. (Bounties are fairly common in the tech industry; even big companies like Facebook, Google and Microsoft offer rewards to bug hunters.)

“[It] makes them part of the solution, instead of part of the problem,” Hyder said. “It brings everybody in as a participant.” Even Sawyer, now a friend of Blackphone, helps out by looking for other vulnerabilities. The company publishes all of its source code, to help make it easier for people to find holes.

So far, Hyder estimates that the company has paid out about $15,000 to $20,000 in bounties.

Throwing Shade

“Nothing is hack-proof,” admits Daniel Ford, chief security officer.

However, he says his company can help guard against certain types of attacks. “Targeted attacks are completely different than mass surveillance,” he said. There’s little Blackphone or anyone can do against the former, such as last year’s breach at Sony Pictures—which may have been a specific retaliation for The Interview, a comedy that poked fun at North Korea.


Sony’s “The Interview” made fun of North Korea’s regime, which may have been responsible for hacking the movie studio. 

Ultimately, if a hacker wants your data badly enough—whether it’s a criminal or an NSA agent—he or she has innumerable tools that can help get it. No platform can hold up against that, he explained.

But when it comes to broader mass surveillance, Ford said Blackphone can step in and offer more protection. “This is where our commitment is: If there is a vulnerability that was disclosed publicly, we will fix it in less than 72 hours,” he said. “We have done so every time. That is our goal … the last time, it took only 6 hours.”

“Samsung had two critical vulnerabilities that were released two weeks ago,” he added, calling out one of his archrivals in the enterprise market, albeit for a vulnerability in its TV business. Still, he couldn’t resist poking at Samsung’s overall attitude toward security: “They have not even started to address it,” he said.


Photos by Adriana Lee for ReadWrite

View full post on ReadWrite

Why An Open-Source Pro Sees His Next Act In Security


Security is boring—at least until you don’t have it anymore. Then it becomes exciting for all the wrong reasons. 

In our increasingly interconnected world, it’s also painfully difficult. How do you secure connections to internal devices and external services that you do not and, indeed, cannot own? For enterprises trying to lock down sensitive corporate data in a world awash in personal devices and cloud computing, it’s an exercise in futility. 

Maybe. Maybe not.


Zack Urlocker

Zack Urlocker was just named COO of Duo Security, a Benchmark and Google Ventures-backed security company that aims to make two-factor authentication omnipresent and painless. Is this Urlocker’s next unicorn? After all, as SVP of products and marketing at MySQL, he helped to drive a $1 billion sale to Sun. Later, he went on to run operations at pre-IPO Zendesk (now worth $2 billion).

Urlocker clearly knows how to build unicorns, but is security ripe for a unicorn-sized exit? 

To better understand the allure of security to Urlocker, I caught up with him to discuss the shift from databases and help desk software to security.

Security Is Big For All The Wrong Reasons

Security has been a big market for a long time, but for all the wrong reasons. And while we like to think of security as someone else’s problem (at least, until our own data is pilfered), a Ponemon study shows that we all bear the costs:


Source: Ponemon

And while malicious criminal attacks account for 42% of data breaches, human error comes in second place (30%). Lost devices or other errors in human judgment open up corporations to all sorts of security problems. 

Making It Easy

The problem for most people, however, is that securing their devices and, hence, their data, can be a pain. Often we won’t bother until we’re forced to do so.

I remember when I first implemented two-factor authentication. My IT team had been pushing me to do it for nearly a year, and I kept resisting because I didn’t want the bother. It didn’t help that some things (like calendars) were shared with other family members on their devices. The thought of having to constantly update the passwords on their devices, and not merely mine, seemed to not be worth the effort.

That is, until my daughter’s Gmail account was hacked.

In this case, the hacker goaded me as I madly tried to get ahead of him to change her passwords. He used the Gmail account to get into her Facebook and other accounts, and used all of them to send vile messages to her and her friends. As I tried to stop him, he IM’d me to laugh at my efforts. It was frightening.

It was the wake-up call I needed, and I implemented two-factor authentication for myself and my family immediately afterward. We haven’t had a problem since (though I wish I could keep my credit card numbers from getting stolen every few months.) 

Since that time, two-factor authentication has become increasingly easy, thanks to companies like Duo Security, which Facebook, Box, Palantir, Yelp, Whatsapp, Etsy, and over 5,000 other companies use to provide simple security to hundreds of millions of users. In fact, Duo has developed solutions that secure 80% of the ISPs globally. 

As Urlocker told me, 

Duo makes strong security easy to buy, easy to use and easy to roll into production. Usually security means making things hard for people. With a SaaS solution, it’s easy to deploy. You can get Duo Security up and running in 15 minutes, or a few days for major rollouts, compared to weeks or months with traditional solutions. And it works, too!

That ease of use is essential. I’m a reasonably savvy technologist. No one in my family is. For them to be comfortable with two-factor authentication, it has to be as simple as typing in a password. (Or, in this case, a code sent to them via SMS.)

Learning From Open Source

So how did Urlocker get here from open source land? Duo, so far as I know, isn’t offering its software free over the Internet and charging for support. What can open source teach us about security?

Security, it turns out, has an equally open community, sharing both code and insights into how to secure code. 

Importantly, as he told me, it’s critical to “know how bad guys operate and where the vulnerabilities hide,” not to mention “how customers behave.” The best open source software makes difficult processes easy for developers. Duo is trying to accomplish the same thing for security. 

Which means not foisting silly security policies on users (i.e., forcing them to change passwords every 90 days to equally obscure and hard-to-remember passwords). Duo provides multiple ways for users to authenticate, but the one I like best involves sending push notifications and allowing me simply to respond.

As the thinking goes, anyone can get my password. But getting my password and my mobile device? That’s hard.
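How the “code from a gadget” half of that works, as an added example in PHP that is not Duo’s code: a time-based one-time password (RFC 6238 TOTP over HMAC-SHA1), derived from a secret shared between the server and the user’s device and from the current clock, verified server-side with a one-step drift window and a constant-time comparison. The secret used is the RFC’s published test key, included only as constructed demo input; the names base32_decode_str, totp_code and totp_verify are this example’s own.

```php
<?php
// Added example, not Duo's product code. A software token (RFC 6238 TOTP, HMAC-SHA1,
// 30-second steps, 6 digits), with the server-side verification logic that goes with it.

/** Decode an RFC 4648 base32 string, the format authenticator apps usually display. */
function base32_decode_str( string $b32 ): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32      = strtoupper( rtrim( $b32, '=' ) );
    $bits     = '';
    foreach ( str_split( $b32 ) as $c ) {
        $v = strpos( $alphabet, $c );
        if ( $v === false ) {
            throw new InvalidArgumentException( 'invalid base32 character' );
        }
        $bits .= str_pad( decbin( $v ), 5, '0', STR_PAD_LEFT );
    }
    $out = '';
    foreach ( str_split( $bits, 8 ) as $byte ) {
        if ( strlen( $byte ) === 8 ) {          // trailing partial byte is padding, drop it
            $out .= chr( bindec( $byte ) );
        }
    }
    return $out;
}

/** TOTP code for a raw secret at a given Unix time: HOTP (RFC 4226) over the time step counter. */
function totp_code( string $secret, int $unix_time, int $step = 30, int $digits = 6 ): string {
    $counter = pack( 'J', intdiv( $unix_time, $step ) );     // 64-bit big-endian counter
    $hmac    = hash_hmac( 'sha1', $counter, $secret, true ); // 20 raw bytes
    $offset  = ord( $hmac[19] ) & 0x0f;                       // dynamic truncation offset
    $binary  = ( ( ord( $hmac[ $offset ] ) & 0x7f ) << 24 )
             | ( ord( $hmac[ $offset + 1 ] ) << 16 )
             | ( ord( $hmac[ $offset + 2 ] ) << 8 )
             | ord( $hmac[ $offset + 3 ] );
    return str_pad( (string) ( $binary % ( 10 ** $digits ) ), $digits, '0', STR_PAD_LEFT );
}

/**
 * Verify a submitted code. Accepts the current step and one step either side so a
 * slightly skewed phone clock still works; hash_equals() keeps the comparison constant-time.
 * A real deployment must also remember the last step accepted per user so a code
 * that was already used cannot be replayed inside the window.
 */
function totp_verify( string $secret, string $submitted, int $unix_time, int $window = 1 ): bool {
    if ( ! preg_match( '/^\d{6}$/', $submitted ) ) {
        return false;
    }
    for ( $i = -$window; $i <= $window; $i++ ) {
        if ( hash_equals( totp_code( $secret, $unix_time + $i * 30 ), $submitted ) ) {
            return true;
        }
    }
    return false;
}

// Constructed demo input: RFC 6238's test key "12345678901234567890" in base32.
// Never reuse a published secret for a real account.
$secret = base32_decode_str( 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ' );
printf( "code at t=59: %s\n", totp_code( $secret, 59 ) );
$now = time();
var_dump( totp_verify( $secret, totp_code( $secret, $now ), $now ) );       // current code accepted
var_dump( totp_verify( $secret, totp_code( $secret, $now - 30 ), $now ) );  // one step old, inside window
var_dump( totp_verify( $secret, totp_code( $secret, $now - 120 ), $now ) ); // four steps old, rejected
```

RFC 6238 Appendix B lists 94287082 as the 8-digit SHA-1 code for this key at T=59; the 6-digit form is its last six digits, which is what the first printf shows. The point the passage makes is visible in the code: the password alone never enters the computation, so knowing it gives an attacker nothing without the secret held on the device.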

Not surprisingly, then, Urlocker finds that certain SaaS categories, like Zendesk, Box, New Relic, HubSpot and Duo Security, “definitely operate at a similar scale” to open-source software, “but with much better conversion rates than we ever had in open source!”

That’s good for Duo, of course, but also for corporate security. Which makes it easier to sleep at night, even if the hackers never do.

Photo by Tim RT

View full post on ReadWrite

Copyright © 1992-2015, DC2NET All rights reserved