DNS hijacking takes advantage of how the Domain Name System functions as the internet’s phone book—or more accurately, a series of phone books that a browser checks, with each book telling a browser which book to look in next, until the final one reveals the location of the server that hosts the website that the user wants to visit. When you type a domain name like “google.com” into your browser, DNS servers hosted by third parties, like the site’s domain registrar, translate it into the IP address for a server that hosts that website.
A DNS lookup is a convoluted process, and one that’s largely out of the destination website’s control. To perform that domain-to-IP translation, a your browser asks a DNS server—hosted by the your internet service provider—for the location of the domain, which then asks a DNS server hosted by the site’s top-level domain registry (the organizations in charge of swathes of the web like .com or .org) and domain registrar, which in turn asks the DNS server of the website or company itself. A hacker who’s able to corrupt a DNS lookup anywhere in that chain can send the visitor off in the wrong direction, making the site appear to be offline, or even redirecting users to a website the attacker controls.
Keeping your internet property safe from hackers is hard enough on its own. But as WikiLeaks was reminded this week, one hacker technique can take over your entire website without even touching it directly. Instead, it takes advantage of the plumbing of the internet to siphon away your website’s visitors, and even other data like incoming emails, before they ever reach your network.
Between an industry-wide push to encrypt all web traffic and the newfound popularity of secure chat apps, it’s been a boom time for online privacy. Virtual private networks, which shield your web traffic from prying eyes, have rightly garnered more attention as well.
BETWEEN AN INDUSTRY-WIDE push to encrypt all web traffic and the newfound popularity of secure chat apps, it’s been a boom time for online privacy. Virtual private networks, which shield your web traffic from prying eyes, have rightly garnered more attention as well. But before you use a VPN to hide your online shopping from the IT department at your company—or help protect yourself from state surveillance—know that not all mobile VPNs are created equal. In fact, some are actively harmful.
“These days, many people know what a VPN is and what they can do with one,” says Kevin Du, a computer security researcher at Syracuse University and IEEE senior member. “Not many people know what a bad or flawed VPN can do to their devices, because they don’t know how VPN works.”
VPNs have been around for years, as have their attending trust issues. But while previously VPN enthusiasts were mostly a core base of desktop users, the mobile boom and app store accessibility has created an explosion in mobile VPN offerings. And while some are genuinely looking to offer security and privacy services, plenty do more harm than good.
In a recent in-depth analysis of 283 mobile VPNs on the Google Play Store from Australia’s Commonwealth Scientific and Industrial Research Organization, researchers found significant privacy and security limitations in a majority of the services. Eighteen percent of the mobile VPNs tested created private network “tunnels” for traffic to move through, but didn’t encrypt them at all, exposing user traffic to eavesdropping or man-in-the-middle attacks. Put another way, almost a fifth of the apps in the sample didn’t offer the level of security that’s basically the entire point of VPNs.
Read the rest at wired.com
Changing your WordPress table prefix is risky to implement and it does absolutely nothing to enhance your site security.
What if I told you that a great way to prevent burglaries is to turn off all the lights in your home? That way a burglar would be able to gain entry, but they would not be able to see where your stuff is and so they couldn’t steal it.
When you change your table prefix in WordPress you usually use a WordPress security plugin to do the job. Unfortunately the security plugin needs to execute as the change is taking place. That means that during execution, half your tables have one prefix, and the other half have another prefix. If execution stops for any reason you are left with a broken website that you need to restore from backups.
You’d tell me that the burglar would either bring a flashlight or turn on the lights themselves.
It’s exactly the same concept when it comes to renaming your WordPress database table prefix. Once an attacker can access your database using SQL injection, they are inside your home. If you rename your database tables using a unique prefix, you’ve turned out the lights in your home.
So what’s the first thing an attacker does? They do this:
The output of this query is:
The above query simply asks the database what WordPress table prefix is being used for the postmeta table. It turns on the lights.
Any bot, attack script or manual attack, using a tool like sqlmap, will always run a query like the above before assuming any default table prefix.
Changing your WordPress table prefix for security reasons does not make a SQL injection attack “slightly harder” for attackers. They simply run the above query before assuming your tables have a default prefix.
This entry was posted in WordPress Security on December 28, 2016 by mark 1 Reply There is an idea that was popularized a few years ago that if you change WordPress table prefix in your database, it helps protect your WordPress website from attackers.
Last week, WordPress security firm WordFence revealed it detected over 1.65 million brute-force attacks originating from an ISP in Ukraine that generated more malicious traffic than GoDaddy, OVH, and Rostelecom, put together. A week later, after news of WordFence’s findings came to light, Ukrainian users have tracked down the ISP to a company called SKS-Lugan in the city of Alchevs’k, in an area controlled by pro-Russian forces in eastern Ukraine. All clues point to the fact that the ISP’s owners are using the chaos created by the Ukrainian civil war to host cyber-crime operations on their servers. Some of the criminal activities the ISP hosts, besides servers for launching brute-force attacks, include command-and-control servers for the Locky ransomware, [email, comment, and forum] spam botnets, illegal streaming sites, DDoS stressers, carding sites, several banking trojans (Vawtrack, Tinba), and infostealers (Pony, Neurevt).
More details have surfaced regarding a recent wave of brute-force attacks (dictionary attacks to be more accurate) that have targeted WordPress sites over the past few weeks.
Update: We posted a follow-up to this post on Monday December 19th which goes into more detail about the Ukraine IP block where these attacks originate from and we discuss possible Russia involvement. At Wordfence we constantly monitor the WordPress attack landscape in real-time.
“Avalanche” refers to a large global network hosting infrastructure used by cyber criminals to conduct phishing and malware distribution campaigns and money mule schemes. The United States Department of Homeland Security (DHS), in collaboration with the Federal Bureau of Investigation (FBI), is releasing this Technical Alert to provide further information about Avalanche.
Cyber criminals utilized Avalanche botnet infrastructure to host and distribute a variety of malware variants to victims, including the targeting of over 40 major financial institutions. Victims may have had their sensitive personal information stolen (e.g., user account credentials). Victims’ compromised systems may also have been used to conduct other malicious activity, such as launching denial-of-service (DoS) attacks or distributing malware variants to other victims’ computers.
In addition, Avalanche infrastructure was used to run money mule schemes where criminals recruited people to commit fraud involving transporting and laundering stolen money or merchandise.
A system infected with Avalanche-associated malware may be subject to malicious activity including the theft of user credentials and other sensitive data, such as banking and credit card information. Some of the malware had the capability to encrypt user files and demand a ransom be paid by the victim to regain access to those files. In addition, the malware may have allowed criminals unauthorized remote access to the infected computer. Infected systems could have been used to conduct distributed denial-of-service (DDoS) attacks.
- December 1, 2016: Initial release
Cyber criminals utilized Avalanche botnet infrastructure to host and distribute a variety of malware variants to victims, including the targeting of over 40 major financial institutions. Victims may have had their sensitive personal information stolen (e.g., user account credentials).
First, a little background. If you want to take a network off the Internet, the easiest way to do it is with a distributed denial-of-service attack (DDoS). Like the name says, this is an attack designed to prevent legitimate users from getting to the site. There are subtleties, but basically it means blasting so much data at the site that it’s overwhelmed. These attacks are not new: hackers do this to sites they don’t like, and criminals have done it as a method of extortion. There is an entire industry, with an arsenal of technologies, devoted to DDoS defense. But largely it’s a matter of bandwidth. If the attacker has a bigger fire hose of data than the defender has, the attacker wins.
Recently, some of the major companies that provide the basic infrastructure that makes the Internet work have seen an increase in DDoS attacks against them. Moreover, they have seen a certain profile of attacks. These attacks are significantly larger than the ones they’re used to seeing. They last longer. They’re more sophisticated. And they look like probing. One week, the attack would start at a particular level of attack and slowly ramp up before stopping. The next week, it would start at that higher point and continue. And so on, along those lines, as if the attacker were looking for the exact point of failure.
The attacks are also configured in such a way as to see what the company’s total defenses are. There are many different ways to launch a DDoS attacks. The more attack vectors you employ simultaneously, the more different defenses the defender has to counter with. These companies are seeing more attacks using three or four different vectors. This means that the companies have to use everything they’ve got to defend themselves. They can’t hold anything back. They’re forced to demonstrate their defense capabilities for the attacker.
Over the past year or two, someone has been probing the defenses of the companies that run critical pieces of the Internet. These probes take the form of precisely calibrated attacks designed to determine exactly how well these companies can defend themselves, and what would be required to take them down.
Amid complaints that Google Play is always switching on GPS, it appears Google has made it impossible to prevent the app store from tracking your whereabouts unless you completely kill off location tracking for all applications.
If you’re not keen on this, the options are not great: you can either delete Google Maps and/or Google Play, or you have to repeatedly turn your phone’s location services on and off as required throughout the day, which is extremely irritating.
“Kind of defeats the purpose of fine-grained privacy controls,” Al-Bassam noted, adding: “Google is encouraging developers to use the Play location API instead of the native Android API, making an open OS dependent on proprietary software.”
Google was not available for comment.
Google, it seems, is very, very interested in knowing where you are at all times. Users have reported battery life issues with the latest Android build, with many pointing the finger at Google Play – Google’s app store – and its persistent, almost obsessive need to check where you are.
The lesson here is simple enough. If a device has an exposed USB port — such as a copy machine or even an airline entertainment system — it can be used and abused, not just by a hacker or malicious actor, but also electrical attacks.
“Any public facing USB port should be considered an attack vector,” says the company. “In data security, these ports are often locked down to prevent exfiltration of data, or infiltration of malware, but are very often unprotected against electrical attack.”
For just a few bucks, you can pick up a USB stick that destroys almost anything that it’s plugged into. Laptops, PCs, televisions, photo booths — you name it. Once a proof-of-concept, the pocket-sized USB stick now fits in any security tester’s repertoire of tools and hacks, says the Hong Kong-based company that developed it.
THIS WEEK, GOOGLE security researcher Tavis Ormandy announced that he’d found numerous critical vulnerabilities in Symantec’s entire suite of anti-virus products. That’s 17 Symantec enterprise products in all, and eight Norton consumer and small-business products. The worst thing about Symantec’s woes? They’re just the latest in a long string of serious vulnerabilities uncovered in security software.
Some of these products cannot be automatically updated, and administrators must take immediate action to protect their networks. Symantec has published advisories for customers, available here.
Some of Symantec’s flaws are basic, and should have been caught by the company during code development and review. But others are far more serious, and would allow an attacker to gain remote-code execution on a machine, a hacker’s dream. One particularly devastating flaw could be exploited with a worm. Just by “emailing a file to a victim or sending them a link to an exploit … the victim does not need to open the file or interact with it in anyway,” Ormandy wrote in a blog post Tuesday, further noting that such an attack could “easily compromise an entire enterprise fleet.”
It gets worse. The flaw exists in an unpacker Symantec uses to examine compressed executable files it thinks might be malicious. So the vulnerability would let attackers subvert the unpacker to take control of a victim’s machine. Essentially, a core component Symantec uses to detect malware could be used by intruders to aid their assault.
“These vulnerabilities are as bad as it gets,” Ormandy wrote. He would know.
Read the rest at WIRED