Critical WordPress plugin bug affects hundreds of thousands of sites

Hundreds of thousands of websites running a popular WordPress plugin are at risk of hacks that give attackers full administrative control, a security firm warned Thursday.

The vulnerability affects Custom Contacts Form, a plugin with more than 621,000 downloads, according to a blog post by researchers from Sucuri. It allows attackers to take unauthorized control of vulnerable websites. It stems from a bug affecting a function known as adminInit(). Hackers can exploit it to create new administrative users or modify database contents.

"The vulnerability was disclosed to the plugin developer a few weeks ago, they were unresponsive," Sucuri researcher Marc-Alexandre Montpas wrote. "The developers were unresponsive so we engaged the WordPress Security team. They were able to close the loops with the developer and get a patch released, you might have missed it."


Yahoo to begin offering PGP encryption support in Yahoo Mail service

Yahoo Chief Information Security Officer Alex Stamos announced today at Black Hat 2014 that starting in the fall of this year, the purple-hued company will begin giving users the option of seamlessly wrapping their e-mails in PGP encryption. According to Kashmir Hill at Forbes, the encryption capability will be offered through a modified version of the same End-to-End browser plug-in that Google uses for PGP in Gmail.

The announcement was tweeted by Yan Zhu, who has reportedly been hired by Yahoo to adapt End-to-End for use with Yahoo Mail. Zhu formerly worked as an engineer at the Electronic Frontier Foundation, an organization that has consistently been outspoken in its call for the widespread use of encryption throughout the Web and the Internet in general.

In an interview with the Wall Street Journal, Stamos acknowledged that the introduction of encryption will require some amount of education for users to make sure their privacy expectations are set appropriately. For example, he explained that PGP encryption won’t cloak the destination of your e-mail. "We have to make it clear to people it is not [a] secret you’re emailing your priest, but the content of what you’re e-mailing him is secret," Stamos said.


Active Defense: Fighting Fire With Fire Leads to a Dangerous Future

Perfect cybersecurity is a myth. Defenders face an asymmetric strategic challenge. In the current environment, the concept of “active defense” has gained popularity among armed forces and some companies. Active defense is a military term that refers to efforts to thwart an attack by attacking the attackers.

Armed forces are now openly saying that they are developing offensive cyber capabilities. The reality is that if a military organization wants to be a strong and credible player in today's world, it must possess offensive cyber capabilities and announce them publicly as an essential component of deterrence. There has also been extensive discussion about the concept of active defense, which means not just defending your systems and information, but also striking back—sometimes even with a preemptive strike.

The current aggressive trend in the world of cybersecurity is worrying. Nation states in particular are getting more aggressive in their actions and rapidly developing more sophisticated—and destructive—offensive cyber capabilities. The era of the Code War is upon us. The cyber arms race is on and nation states are employing the principle of active defense. In future, the world’s cyber forces will take a more aggressive stance than we have previously seen.

But not only nation states are using active defense. Preventing attacks against corporate networks is increasingly difficult and, at this time, the strategic and tactical advantage lies with the attackers. Companies are starting to be more aggressive, especially to fight back against cybercriminals and cyber espionage attempts. Companies are frustrated by their inability to stop sophisticated hacking attacks, and some companies have already started to take retaliatory action.

An offensive mindset is needed in the corporate sphere in order to build strong defense, but it is alarming when companies start to actively use strike-back technology. Some companies are already hiring outside contractors to hack back at assailants. One very controversial trend is the prevalence of firms that offer offensive cyber services, and are contracted to retaliate against hackers. Active defense is becoming a common course of action in cybersecurity beyond governments and the armed forces.

One of the reasons why companies conduct active defense is to create a deterrent. Companies want to show attackers that they are capable and willing to fight back. The attribution of cyber attacks is still a problem; thus companies are starting to use different tactics to reveal information about their intruders.

The offensive use of cybersecurity capabilities leads to many questions and consequences: Where is the dividing line between defense and attack with the intrusive tracking and testing tools used by network forensic scientists? Of course, there are also moral and legal issues involved. Is it right to launch a counterattack to identify an attacker? Existing laws lack the capability to regulate key aspects of active defense.

A more comprehensive question concerns our general mentality: How should we behave in cyberspace? At this moment it seems that even if we are incredibly dependent on the digital world of bits and bytes, cyberspace is a kind of new “Wild West” where everyone is doing more or less what they want.

We cannot solely focus on increasing offensive activities in cyberspace. Fighting fire with fire will lead us to a dangerous future. As has been the case on many occasions in the history of the physical world, offensive actions can easily lead to greater problems, and the danger of escalation is always present. In today’s digitally interconnected world there is also huge potential for unpredictable side effects and collateral damage from aggressive actions.

Strategic cyber understanding is essential. Unfortunately, today's cybersecurity issues are primarily thought of as technical questions and considered from a technology-first point of view. Only a strategic approach can enable societies and companies to gain the advantage over cyberattackers. At state level and in the boardroom we need to ask: Why? Decision-makers need to understand why cybersecurity is needed, what characterizes the threat landscape, what the real risks are from cyberattacks, what offensive capabilities are appropriate, and what level of cybersecurity is required for a successful and resilient system. Only by thinking strategically can we make the right operational decisions and create the best technical solutions.

While the security industry and security decision makers continue to create technological solutions without clear strategic goals, we are wasting resources and failing our organizations and our people. Until decision makers have an understanding of the strategic requirements for building resilient defense systems, we are likely to experience escalation, and damage to livelihoods and lives, from the excesses of active defense.

The post Active Defense: Fighting Fire With Fire Leads to a Dangerous Future appeared first on McAfee.

OpenSSL Patches Nine Vulnerabilities

Original release date: August 07, 2014

OpenSSL has released updates patching nine vulnerabilities, some of which may allow an attacker to cause a Denial of Service (DoS) condition or force the client to revert to a less secure Transport Layer Security (TLS) 1.0 protocol. The following updates are available:

  • OpenSSL 0.9.8 users should upgrade to 0.9.8zb
  • OpenSSL 1.0.0 users should upgrade to 1.0.0n
  • OpenSSL 1.0.1 users should upgrade to 1.0.1i

US-CERT recommends users and administrators review the OpenSSL Security Advisory for additional information and apply the necessary updates.
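An added defender-side check, not part of the US-CERT notice or OpenSSL's own tooling: it parses `openssl version` banners and compares them against the three minimum patched releases listed above, handling OpenSSL's letter-suffix scheme where `z` is older than `za` and `zb`. The host inventory below is constructed sample data.

```python
import re
import subprocess

# Minimum patched releases from the August 2014 OpenSSL advisory quoted above.
PATCHED = {
    (0, 9, 8): "zb",
    (1, 0, 0): "n",
    (1, 0, 1): "i",
}

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

def parse_version(banner):
    """Turn 'OpenSSL 1.0.1h 5 Jun 2014' into ((1, 0, 1), 'h')."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)

def letter_key(suffix):
    """OpenSSL patch letters order as '' < 'a' < ... < 'z' < 'za' < 'zb',
    so a longer suffix is always newer; compare by (length, text)."""
    return (len(suffix), suffix)

def is_patched(banner):
    """True/False for a branch covered by the advisory, None otherwise."""
    branch, suffix = parse_version(banner)
    if branch not in PATCHED:
        return None
    return letter_key(suffix) >= letter_key(PATCHED[branch])

def hosts_needing_upgrade(inventory):
    """Given {host: banner}, return the sorted hosts still on a vulnerable build."""
    return sorted(h for h, b in inventory.items() if is_patched(b) is False)

# Constructed sample inventory, as it might be collected from a fleet.
INVENTORY = {
    "web-01": "OpenSSL 1.0.1h 5 Jun 2014",
    "web-02": "OpenSSL 1.0.1i 6 Aug 2014",
    "legacy-db": "OpenSSL 0.9.8za 5 Jun 2014",
    "vpn-gw": "OpenSSL 1.0.0n 6 Aug 2014",
}

def check_local():
    """Run the local `openssl version` and report whether it is patched."""
    out = subprocess.run(["openssl", "version"], capture_output=True,
                         text=True, check=True).stdout.strip()
    return out, is_patched(out)

if __name__ == "__main__":
    print("needs upgrade:", hosts_needing_upgrade(INVENTORY))
    print("local:", check_local())
```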
