SC Magazine Australia Blames WordPress Plugins for Unrelated Hack

SC Magazine Australia’s recent article “50,000 sites compromised in sustained attack” incorrectly claims that WordPress was associated with a past malware campaign and tries to link general security issues to WordPress. As we continue to see the harmful impact of bad security information, particularly when it involves WordPress, we want to clear up some of the claims in the article and fill in the critical missing information on actually protecting against security vulnerabilities in WordPress plugins.

The most blatant error comes near the end of the article, where it is stated that “Vulnerabilities in WordPress plugins have been long understood. Last year, large malware campaigns including the LizaMoon attacks exploited those holes”. The LizaMoon attack was part of a frequently hyped multiyear campaign that targets ASP- and ColdFusion-based websites that have fairly basic SQL injection vulnerabilities. It had nothing to do with WordPress or any WordPress plugins. The link they provide about the LizaMoon attack makes no mention of WordPress, and we are not aware of any source that ever claimed it had a connection with WordPress. The rest of the article isn’t much better. Earlier it says:

Attackers targeted holes in a string of plug-ins for blogging software — such as WordPress — including timthumb, uploadify and phpmyadmin.

None of those things are themselves plugins for WordPress or other blogging software, nor is blogging software the only thing targeted by hackers. We probably deal with as many websites that are hacked due to outdated Joomla extensions as WordPress plugins, so there doesn’t appear to be a good reason to spotlight WordPress for special attention as the article did.

phpMyAdmin is a web-based administration tool for MySQL databases. Several years ago there was a WordPress plugin that added phpMyAdmin to WordPress and contained an exploitable vulnerability, but at this point it isn’t a major target of hackers, as the plugin was removed back then. phpMyAdmin itself is frequently probed for on our website, so that is likely why phpMyAdmin would be listed as being targeted. That doesn’t explain why it would be listed as being a plugin for WordPress or other blogging software, though.

The TimThumb and Uploadify libraries are included in some WordPress plugins, and those plugins have been targeted (though since we last discussed recent serious security vulnerabilities in WordPress plugins, we have seen attackers expand from targeting just the recent Uploadify-based vulnerabilities to the other upload vulnerabilities recently identified).

Later the article claims that Plesk is being targeted (web hosts are not always good about keeping that up to date), so it appears somebody involved in the article just threw together an incomplete list of software that gets targeted, without any specific relation to the malware mentioned, while singling out WordPress.

Another worrisome aspect of the article is that it cites a “malware researcher” from Sucuri, the company that has a malware scanner that doesn’t actually bother to scan a website for malware before falsely flagging it.

Protecting Against WordPress Plugin Vulnerabilities

What the article lacks, as stories about hacks often do, is any information on protecting websites from the vulnerabilities it is warning about. For WordPress plugin vulnerabilities, you would hope the answer is to update your plugins, as by the time a vulnerability is being exploited it should have already been patched. Unfortunately, in an analysis of WordPress plugin vulnerabilities in the second quarter of 2012 that we just did, we found that a fourth of the plugins had not been fixed (we will have a post with the full details of the analysis in the next few days). What makes this even worse is that most of the vulnerabilities in those plugins were serious vulnerabilities, the kind most likely to lead to a website being hacked. So what happens when plugins are not fixed?

When the maintainers of the WordPress.org Plugin Directory are made aware of a security vulnerability in a plugin, they will remove the plugin from the directory until it is fixed. Unfortunately, when we started looking into this earlier this year we found that many plugins had never been reported and had remained in the directory, including one that hackers were attempting to exploit at the time. Since then we have been making sure that any plugins with reports of unresolved security vulnerabilities are reported and appropriate action is taken (we have also been warning them about security issues that impact plugins, including notifying them about the recent Zend Framework vulnerability that impacted several plugins). While removing the plugins until they are fixed prevents any additional websites from being exposed to the vulnerabilities, websites already using the plugins don’t receive any warning and remain vulnerable, as we have discussed before. The process of adding an alert in WordPress when plugins that have been removed from the Plugin Directory are installed has begun, and you can help to make sure it is given a high priority by voting for implementing that change. Until an alert is added in WordPress itself, you can get a more limited version of this functionality using our No Longer in Directory plugin (we released an update for the plugin, with new vulnerabilities, at the beginning of the week).
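As an added illustration of the gap described above (this is example code written for this post, not the No Longer in Directory plugin or any WordPress core code), the following must-use plugin compares the plugins installed on a site against a list of directory slugs that have been removed from the Plugin Directory and shows an administrator notice for any match. The slugs in `rpa_removed_slugs()` are constructed placeholders; a real deployment would feed that function from a maintained list of removed plugins.

```php
<?php
/*
Plugin Name: Removed Plugin Alert (example)
Description: Warns administrators when an installed plugin is no longer in the WordPress.org Plugin Directory.
*/

// Constructed placeholder list of directory slugs known to have been removed.
// Replace with a maintained feed of removed plugins in real use.
function rpa_removed_slugs() {
    return array( 'example-removed-plugin', 'another-removed-plugin' );
}

// Map the array returned by get_plugins() (keyed by "dir/file.php" or
// "file.php" for single-file plugins) to directory slugs.
function rpa_installed_slugs( $plugins ) {
    $slugs = array();
    foreach ( array_keys( $plugins ) as $file ) {
        $dir     = dirname( $file );
        $slugs[] = ( '.' === $dir ) ? basename( $file, '.php' ) : $dir;
    }
    return $slugs;
}

// Installed plugins that appear on the removed list.
function rpa_flagged( $installed, $removed ) {
    return array_values( array_intersect( $installed, $removed ) );
}

add_action( 'admin_notices', function () {
    // Only users who can manage plugins need to see the warning.
    if ( ! current_user_can( 'activate_plugins' ) ) {
        return;
    }
    // get_plugins() lives in wp-admin/includes/plugin.php and is not always loaded.
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $flagged = rpa_flagged( rpa_installed_slugs( get_plugins() ), rpa_removed_slugs() );
    if ( empty( $flagged ) ) {
        return;
    }
    echo '<div class="notice notice-error"><p>'
        . esc_html( 'These installed plugins have been removed from the WordPress.org Plugin Directory and may contain unfixed security vulnerabilities: ' . implode( ', ', $flagged ) )
        . '</p></div>';
} );
```

Drop the file into `wp-content/mu-plugins/` so it loads on every request without needing activation. Because the check runs against a local list rather than querying the directory on each page load, it cannot tell you *why* a plugin was removed; it only surfaces that the plugin is no longer being distributed, which is exactly the warning the Plugin Directory itself does not send to existing installs.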

California Starts Up a Privacy Enforcement Unit

Watch out, Silicon Valley, there’s a new startup in town and it’s gunning for you. California Attorney General Kamala Harris announced Thursday she’s created a unit intended to actually enforce federal and state privacy laws.

“The Privacy Unit will police the privacy practices of individuals and organizations to hold accountable those who misuse technology to invade the privacy of others,” California’s top attorney said in a statement.

The announcement of the unit, comprised of six attorneys, comes just months after Harris inked a February agreement with Amazon, Apple, Google, Hewlett-Packard, Microsoft and Research in Motion to demand that mobile apps on their platforms contain privacy policies. Facebook signed on last month.

If the new unit is run like a startup, it could change the world by filing a billion complaints in the next year. Hell, maybe even better, what if it filed just enough to jolt Silicon Valley out of its default policy of “invading user privacy by default and apologizing for it later,” as exemplified most recently by Path and its deep-pocketed apologists.

That’s not very likely, of course, especially since privacy laws are weak. But the success of Instagram or Facebook wasn’t likely, either. We’re looking forward to seeing what Harris’ attorneys ship.

Judge OKs Nudity at TSA Checkpoint

John Brennan, the man who stripped at Portland International Airport to protest TSA screeners, is shown as he testifies during his trial Wednesday, July 18, 2012, in Portland, Oregon. Photo: Rick Bowmer/AP

An Oregon man was cleared of indecent exposure charges Wednesday when a local judge said his protest of Transportation Security Administration screening procedures was constitutionally protected speech under state law.

John Brennan, a 50-year-old technology consultant, was charged with the infraction after taking his clothes off at Portland International Airport in April, on his way to a business trip to San Jose.

“I was mostly motivated by the absurdity of it all. The irony that they wanna see me naked. But I don’t get to take my clothes off?” he said after being cleared.

The incident began when Brennan refused to go through the so-called “nude” scanners and instead opted for a pat-down. A TSA officer detected nitrates on his gloves after the pat down. Nitrates are used in explosives.

That, Brennan said, was the last straw. He took his clothes off and proceeded through the checkpoint. He was subsequently arrested.

Multnomah County Circuit Judge David Rees said nudity laws don’t apply when it comes to protest. “It is the speech itself that the state is seeking to punish, and that it cannot do,” Rees said from the bench.


In an unrelated case, a 21-year-old Virginia man was arrested last year at a Richmond International Airport screening checkpoint after he began removing clothing to display on his chest a magic-marker protest of airport security measures. He had the Fourth Amendment written on his body. He sued. The case was largely dismissed, and is on appeal.

In 2006, however, the TSA reluctantly conceded that the screening area remained open to free speech so that fliers could wear slogans on their shirts, or even put them on their toiletry bags.

“There is no policy that restricts passengers from expressing their opinion as long as they are not threatening,” the TSA said.