If you have a blog, you need to install this plug-in immediately.
There is currently a major type of internet attack being waged by botnets against webservers running WordPress. These bots brute-force their way in past your password screen by making thousands of guesses until they gain entry. WordPress currently does not limit the number of incorrect password attempts. Until it does, you need a plug-in that provides the limiting.
There is currently a significant attack being launched at a large number of WordPress blogs across the Internet. The attacker is brute force attacking the WordPress administrative portals, using the username "admin" and trying thousands of passwords. It appears a botnet is being used to launch the attack and more than tens of thousands of unique IP addresses have been recorded attempting to hack WordPress installs.
One of the concerns of an attack like this is that the attacker is using a relatively weak botnet of home PCs in order to build a much larger botnet of beefy servers in preparation for a future attack. These larger machines can cause much more damage in DDoS attacks because the servers have large network connections and are capable of generating significant amounts of traffic. This is a similar tactic that was used to build the so-called itsoknoproblembro/Brobot botnet which, in the Fall of 2012, was behind the large attacks on US financial institutions.
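The kind of limiting a plug-in has to provide, sketched in Python as an added example (it is not code from WordPress or from any particular plug-in; the class name, thresholds and sample traffic are assumptions made up for illustration). It shows why counting failures per IP address alone does little against the botnet described above, and why failures also need to be counted per targeted username:

```python
from collections import defaultdict, deque


class LoginLimiter:
    """Sliding-window limiter for failed logins, keyed by IP and by username."""

    def __init__(self, per_ip=5, per_user=20, window=600):
        self.per_ip, self.per_user, self.window = per_ip, per_user, window
        self.by_ip = defaultdict(deque)      # ip -> times of recent failures
        self.by_user = defaultdict(deque)    # username -> times of recent failures

    def _recent(self, q, now):
        # Drop failures older than the window, then count what is left.
        while q and now - q[0] >= self.window:
            q.popleft()
        return len(q)

    def blocked(self, ip, user, now):
        """Return why the attempt is refused ("ip" or "user"), or None."""
        if self._recent(self.by_ip[ip], now) >= self.per_ip:
            return "ip"
        # Trade-off: this also delays the real account owner during an attack.
        if self._recent(self.by_user[user.lower()], now) >= self.per_user:
            return "user"
        return None

    def record_failure(self, ip, user, now):
        self.by_ip[ip].append(now)
        self.by_user[user.lower()].append(now)


def simulate(attempts, limiter):
    """Feed (time, ip, user) wrong-password attempts; count each outcome."""
    outcome = {"tried": 0, "ip": 0, "user": 0}
    for now, ip, user in attempts:
        reason = limiter.blocked(ip, user, now)
        if reason:
            outcome[reason] += 1             # refused before the password is checked
        else:
            outcome["tried"] += 1            # password was checked and was wrong
            limiter.record_failure(ip, user, now)
    return outcome


# Constructed traffic (documentation address ranges, one attempt per second).
single_host = [(t, "203.0.113.7", "admin") for t in range(50)]
botnet = [(t, f"198.51.100.{t % 200}", "admin") for t in range(400)]

if __name__ == "__main__":
    print("one host       :", simulate(single_host, LoginLimiter()))
    print("botnet, ip only:", simulate(botnet, LoginLimiter(per_user=10**9)))
    print("botnet, ip+user:", simulate(botnet, LoginLimiter()))
```

With per-IP counting only, every one of the 400 botnet guesses reaches the password check, because no single address fails often enough to be blocked.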
Wired has been discussing an emerging email security vulnerability this month.
The problem lies with DKIM keys (DomainKeys Identified Mail). DKIM involves a cryptographic key that domains use to sign e-mail originating from them — or passing through them — to validate to a recipient that the domain in the header information on an e-mail is correct and that the correspondence indeed came from the stated domain. When e-mail arrives at its destination, the receiving server can look up the public key through the sender’s DNS records and verify the validity of the signature.
Learn more from the article, and ask your hosting company if they use strong — 1024-bit — DKIM. Why?
A hacker who cracks a DKIM key can use it to send out phishing attacks to victims to trick them into believing that a fake e-mail is actually a legitimate e-mail from their bank or another trusted party. Such phishing attacks can be used to trick users into handing over the login credentials to their bank or e-mail account.
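To see what key length a domain actually publishes, the public key in its DKIM DNS record can be decoded and measured. The following Python sketch is an added example, not code from the Wired article or from any mail software; the sample record uses filler bytes rather than a real key, and the 1024-bit minimum is the figure this post asks about:

```python
import base64

MIN_BITS = 1024  # threshold taken from this post


def tlv(buf, pos):
    """Read one DER tag-length-value; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def dkim_rsa_bits(txt_record):
    """Return the RSA modulus size in bits from a DKIM TXT record's p= tag."""
    tags = dict(
        (k.strip(), v.strip())
        for k, _, v in (part.partition("=") for part in txt_record.split(";"))
        if k.strip()
    )
    if tags.get("k", "rsa") != "rsa":
        raise ValueError("not an RSA key")
    if not tags.get("p"):
        raise ValueError("empty p= tag: key has been revoked")
    der = base64.b64decode("".join(tags["p"].split()))
    _, start, _ = tlv(der, 0)                # SubjectPublicKeyInfo SEQUENCE
    _, _, alg_end = tlv(der, start)          # AlgorithmIdentifier, skipped
    tag, start, _ = tlv(der, alg_end)        # BIT STRING wrapping the RSA key
    if tag != 0x03:
        raise ValueError("unexpected key encoding")
    _, start, _ = tlv(der, start + 1)        # skip unused-bits byte, enter SEQUENCE
    _, start, end = tlv(der, start)          # INTEGER: the modulus
    return int.from_bytes(der[start:end], "big").bit_length()


def check_key(txt_record, minimum=MIN_BITS):
    """Return (bits, meets_minimum) for a DKIM TXT record."""
    bits = dkim_rsa_bits(txt_record)
    return bits, bits >= minimum


# Constructed sample: DER framing of a 512-bit RSA public key around filler
# modulus bytes (not a real key), public exponent 65537.
SPKI_512 = (bytes.fromhex("305c300d06092a864886f70d0101010500034b003048024100")
            + b"\xc3" * 64 + bytes.fromhex("0203010001"))
SAMPLE_TXT = "v=DKIM1; k=rsa; p=" + base64.b64encode(SPKI_512).decode()

if __name__ == "__main__":
    print(check_key(SAMPLE_TXT))
```

The input is the TXT record published at selector._domainkey.example.com, where the selector is the s= value in the DKIM-Signature header of a message from that domain.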
Great article about the risks of free WordPress themes found in the wild...
A few months ago I wrote about WordPress Security. Now, armed with ... builtBackwards’ Theme Authenticity Checker Plugin and Donncha O Caoimh’s Exploit Scanner, I’m going to take a look through the first page of Google to see just how safe pages ranking for “Free WordPress Themes” are.
Why should you try Google Public DNS?
By using Google Public DNS you can:
- Speed up your browsing experience.
- Improve your security.
- Get the results you expect with absolutely no redirection.
Google Public DNS telephone support
- 877-590-4367 in the U.S.
- 770-200-1201 outside the U.S.
The Google Public DNS IP addresses (IPv4) are as follows:
The Google Public DNS IPv6 addresses are as follows:
You can use either number as your primary or secondary DNS server. You can specify both numbers, but do not specify one number as both primary and secondary.
You can configure Google Public DNS addresses for either IPv4 or IPv6 connections, or both.
Does it affect your secure webserver?
You should know, if you accept credit cards or handle social security numbers on your website.
See these two articles for more expert information:
This company will test your https connection. Here's an example report.
From LuxSci: Real-world vulnerability? What is affected by BEAST?
This problem can affect people browsing secure web sites, allowing eavesdroppers to gain full access to your accounts on those web sites under certain conditions. It does not affect:
- Other secured services such as email (IMAP, POP or SMTP) that use SSL or TLS for security.
- Use of SSL-secured web site connections for posting data (i.e. posting data from secure web forms)
It does affect:
- Accounts you may have with secure web sites that you login to, like PayPal, LuxSci, Gmail, Bank of America, Facebook, etc.
It is not yet feasible to use a browser or webhost that supports TLS 1.2. For now, here is LuxSci's advice:
The Take Away Message
People should always be concerned and aware of security as the landscape changes constantly. We think that beyond the need to upgrade and to implement software fixes, consider the following:
- We should actually use SSL and TLS whenever possible. Insecure sites put our browser and computer at risk, as we have no control over what malicious third party may inject into our browsing session. SSL and TLS actually protect us from that threat.
- When going to secured web sites, it is best to start in a new browsing session or one that has only visited other secure (https://) sites.
- Make your home page a secure site and your other secure sites easily accessed via bookmarks.
- Use separate web browsers for normal insecure browsing and for access to your secure sites.
- Keep your software, web browsers, operating system, anti-virus, and other components up to date.
zip -e archivename.zip filetoprotect.txt
Earlier variants of this new malware against Macs target Safari and Firefox. Recent variants only target Safari.
How to locate an infection by the Flashback trojan?
Type or copy/paste this command into the Mac OS X Terminal, replacing %browser% with the name of the browser you want to check:
defaults read /Applications/%browser%.app/Contents/Info LSEnvironment
From the excellent post: https://www.f-secure.com/weblog/archives/00002336.html
This recent article by MacWorld is an excellent primer on SSL security, the underlying technologies that power HTTPS:// browsing.
This year there have been numerous reports suggesting that the fundamental security infrastructure of the Web is on shaky ground. In March we heard about a collection of stolen security certificates, and in August the release of more than 500 improperly issued certificates came to light.
It focuses on protecting Mac browsers, but talks about Windows and Google Chrome as well.
This is a follow-up post to an earlier topic PDG wrote about after the Egyptian crackdown and censorship of the internet.
Dubbed the "Internet in a suitcase" project, a team at the New America Foundation's "Open Technology Initiative" is creating hardware and software which create separate pathways for communications, whether cell transmissions or wireless data.
“We’re going to build a separate infrastructure where the technology is nearly impossible to shut down, to control, to surveil.... The implication is that this disempowers central authorities from infringing on people’s fundamental human right to communicate.”
The NYTimes in an article this week described their work as:
The group’s suitcase project will rely on a version of “mesh network” technology, which can transform devices like cellphones or personal computers to create an invisible wireless web without a centralized hub. In other words, a voice, picture or e-mail message could hop directly between the modified wireless devices — each one acting as a mini cell “tower” and phone — and bypass the official network.
Mr. Meinrath said that the suitcase would include small wireless antennas, which could increase the area of coverage; a laptop to administer the system; thumb drives and CDs to spread the software to more devices and encrypt the communications; and other components like Ethernet cables.
Hats off to these programmers and engineers, and also to the Obama administration's other initiatives.
Read an earlier post on internet censorship here at PDG.
Sascha's bio from New America Foundation reads:
Sascha Meinrath is the Director of the New America Foundation's Open Technology Initiative and has been described as a "community Internet pioneer" and an "entrepreneurial visionary." He is a well-known expert on community wireless networks, municipal broadband, and telecommunications policy. In 2009 he was named one of Ars Technica's Tech Policy "People to Watch" and is also the 2009 recipient of the Public Knowledge IP3 Award for excellence in public interest advocacy.
Sascha is a co-founder of Measurement Lab, a distributed server platform for researchers around the world to deploy Internet measurement tools, advance network research, and empower the public with useful information about their broadband connections.
He also coordinates the Open Source Wireless Coalition, a global partnership of open source wireless integrators, researchers, implementors and companies dedicated to the development of open source, interoperable, low-cost wireless technologies. He is a regular contributor to Government Technology's Digital Communities, the online portal and comprehensive information resource for the public sector.
Sascha has worked with Free Press, the Cooperative Association for Internet Data Analysis (CAIDA), the Acorn Active Media Foundation, the Ethos Group, and the CUWiN Foundation.
Because of gamed SEO placements and poisoned links, some thousands of Mac users were tricked into installing a fake Mac security program.
Mac security vendor intego.com writes:
UPDATE: See Intego’s full security memo with detailed information about the MAC Defender fake antivirus.
Sophos makes a free Mac security program. Read more about it in another post, and use it soon!
Apple will release a cleaner update for it as well. See their recent tech note.