Stop the presses: HTTPS-crippling “FREAK” bug affects Windows after all

Computers running all supported versions of Microsoft Windows are vulnerable to "FREAK," a bug disclosed Monday that for more than a decade has made it possible for an attacker positioned between a vulnerable end user and any of millions of websites to downgrade the connection to export-grade RSA and decrypt the HTTPS-protected traffic.

Microsoft confirmed the vulnerability in an advisory published Thursday. The vulnerability-scanning service at FREAKAttack.com, a site that offers information about the bug, bears the advisory out: it shows the latest version of IE 11 running on a fully patched Windows 7 machine as susceptible. Windows had previously been believed to be immune to the attack.

FREAK attacks, short for Factoring attack on RSA-EXPORT Keys, are possible when an end user with a vulnerable device connects to a vulnerable HTTPS-protected website. Vulnerable sites are those still configured to accept the RSA "export" cipher suites, a 1990s-era class of deliberately weakened ciphers (512-bit RSA keys) that many presumed had been retired long ago. A vulnerable client accepts the resulting 512-bit key even though it never asked for an export suite, and a 512-bit RSA modulus can be factored in a matter of hours on rented cloud computing, after which the attacker can recover the session keys. In analyses immediately following Monday's disclosure of FREAK, it was believed that Android devices, iPhones and Macs from Apple, and smartphones from BlackBerry were susceptible. The addition of Windows dramatically increases the number of users known to be vulnerable.
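The downgrade described above, as an added example that models the handshake logic only (it is not code from the article, from Microsoft or from the FREAK researchers, and it does no real TLS, RSA or factoring). The cipher-suite codes are the real IANA values; the "512 bits is factorable, 2048 is not" threshold, the message dictionaries and the two client variants are assumptions of the model.

```python
"""Model of the FREAK downgrade: an active attacker asks the server for an
RSA_EXPORT suite on the client's behalf, the server answers with a signed
temporary 512-bit RSA key, and a vulnerable client accepts that key although
it never offered an export suite. Added example; handshake logic only."""

# IANA cipher-suite codes for RSA_EXPORT suites (TLS 1.0/1.1 registry).
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
}
STRONG_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}
# Model assumption: a 512-bit RSA modulus is within reach of an attacker with
# hours of commodity compute; a 2048-bit one is not.
FACTORABLE_BITS = 512


def server_respond(client_hello, support_export=True, cert_bits=2048):
    """Server reply to a ClientHello: picks the first offered suite it supports.
    For an export suite it adds a ServerKeyExchange carrying a temporary
    512-bit RSA key, signed with the server's long-term certificate key."""
    for suite in client_hello["suites"]:
        if suite in EXPORT_SUITES and support_export:
            return {"suite": suite, "cert_bits": cert_bits,
                    "server_key_exchange": {"rsa_bits": FACTORABLE_BITS, "signed": True}}
        if suite in STRONG_SUITES:
            return {"suite": suite, "cert_bits": cert_bits, "server_key_exchange": None}
    raise ValueError("no common cipher suite")


def mitm(client_hello, server):
    """Attacker on the path. Asks the server for RSA_EXPORT instead of what
    the client offered, then restores the client's own suite in the ServerHello
    so the client never sees the downgrade. The signed ServerKeyExchange is
    forwarded untouched (the attacker cannot forge the server's signature)."""
    reply = server({"suites": list(EXPORT_SUITES)})
    return dict(reply, suite=client_hello["suites"][0])


def client_key_bits(server_reply, offered, vulnerable):
    """RSA modulus size (bits) the client encrypts the premaster secret to,
    or None if the client aborts the handshake."""
    suite = server_reply["suite"]
    if suite not in offered:
        return None                        # server chose a suite we never offered
    ske = server_reply["server_key_exchange"]
    if ske is None:
        return server_reply["cert_bits"]   # plain RSA: encrypt to the certificate key
    if not ske["signed"]:
        return None
    if vulnerable:
        # The FREAK client flaw (CVE-2015-0204 on the OpenSSL side; Schannel
        # had the equivalent): the temporary RSA key is accepted even though
        # the negotiated suite is not export-grade.
        return ske["rsa_bits"]
    if suite not in EXPORT_SUITES:
        return None                        # RSA ServerKeyExchange is only legal for RSA_EXPORT
    return ske["rsa_bits"]


def session_recoverable(key_bits):
    """True if an eavesdropper who factors the RSA key can decrypt the session."""
    return key_bits is not None and key_bits <= FACTORABLE_BITS


def demo():
    """Run the handshake with and without the attacker for both client variants."""
    offered = [0x002F, 0x0035]
    hello = {"suites": offered}
    results = {}
    for label, vulnerable in (("vulnerable client", True), ("fixed client", False)):
        direct = server_respond(hello)
        attacked = mitm(hello, server_respond)
        results[label] = {
            "no attacker": session_recoverable(client_key_bits(direct, offered, vulnerable)),
            "mitm downgrade": session_recoverable(client_key_bits(attacked, offered, vulnerable)),
        }
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

The model shows the two halves of the fix: the client must reject an RSA ServerKeyExchange outside an export suite (the patch Microsoft and OpenSSL shipped), and the server should stop offering export suites at all, which makes `mitm()` fail with "no common cipher suite" because the downgraded ClientHello has nothing the server accepts. The period-typical server check is `openssl s_client -connect example.com:443 -cipher EXPORT` (substitute your host): a handshake that completes means the server still accepts export suites. Current OpenSSL builds no longer include the export ciphers, so on a modern machine that command fails locally regardless of the server; use an older build or an online scanner such as the one at FREAKAttack.com.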


$1.1 Million Penalty Issued Under Canada’s Anti-Spam Law

The Canadian Radio-television and Telecommunications Commission (CRTC) announced today that it has issued a Notice of Violation to Quebec-based business Compu-Finder for four alleged violations of Canada’s anti-spam legislation (CASL).

This is the first penalty issued by the CRTC under CASL, which came into force just last year and regulates the sending of commercial electronic messages and the installation of computer programs. The CRTC investigation found that Compu-Finder did not have consent to send commercial emails promoting various management and professional development training courses to businesses, and also that the unsubscribe mechanisms in the emails did not function as required. Complaints against the company account for over a quarter of all complaints submitted to the CRTC's Spam Reporting Centre for this industry sector.

In a statement, Manon Bombardier, Chief Compliance and Enforcement Officer, CRTC, criticized the company for "flagrantly" violating the law and indicated that by issuing this Notice of Violation "[her] goal is to encourage a change of behaviour on the part of Compu-Finder such that it adapts its business practices to the modern reality of electronic commerce and the requirements of the anti-spam law. We take violations to the law very seriously and expect businesses to be in compliance."

The company has 30 days to submit written representations to the CRTC or pay the penalty. The company also has the option to request to enter into an undertaking with the CRTC, which may require the company to pay monetary penalties and take corrective measures.

A previous CRTC compliance effort under CASL did not result in penalties. In October 2014, the CRTC announced that it had collaborated with a Saskatchewan-based business to stop spam from being sent from its servers that had been compromised and infected with malware. The CRTC also indicated at that time that a number of other investigations related to CASL compliance were underway. Additional enforcement efforts may be on the horizon.

MOJO Marketplace Sells WordPress Security Service While Using Insecure WordPress Version

In a previous post we looked at the fact that MOJO Marketplace distributes outdated software with known security vulnerabilities. Their lack of concern for security does not end there; they have also failed to keep their own WordPress installation up to date:

The MOJO Marketplace blog is running WordPress 4.0


If they used their own service they could be up to date, since, unlike the other software they offer, they do provide the latest version of WordPress:

MOJO Marketplace is providing WordPress 4.1.1

Not only have they not updated to the latest major release of WordPress, 4.1, they have not even applied the "critical security release" for the 4.0 branch (4.0.1, released on November 20, 2014). That update would normally have been installed automatically, since WordPress applies minor and security releases on its own, so either they disabled automatic updates, which is a bad idea if you are not going to stay on top of updating WordPress yourself, or something on their server is blocking the updates from running. If there was such a problem, and they actually cared about WordPress security, getting to the bottom of it would have been the right thing to do, as the cause could well affect others too. Their lack of concern for the security of WordPress on their own website has not stopped them from feeling it is appropriate to sell a WordPress security service to others.
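A quick way to run the same two checks against your own site, as an added example (this is not MOJO Marketplace's or WordPress's code). The generator meta tag, the wp-config.php constants `AUTOMATIC_UPDATER_DISABLED`, `WP_AUTO_UPDATE_CORE` and `DISALLOW_FILE_MODS`, and the `automatic_updater_disabled`, `auto_update_core` and `allow_minor_auto_core_updates` filters are real WordPress mechanisms; the sample HTML, wp-config.php fragment and plugin snippet are constructed, and the "latest release" table is frozen at the state described in the post rather than fetched from wordpress.org.

```python
"""Added example: spot an outdated WordPress core and list the settings that
would stop it from applying a minor/security release on its own."""
import re

# Constructed sample inputs (not taken from any real site).
SAMPLE_HTML = ('<html><head><meta name="generator" content="WordPress 4.0" />'
               '</head><body></body></html>')
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'blog');
define( 'AUTOMATIC_UPDATER_DISABLED', true );
define('WP_AUTO_UPDATE_CORE', 'minor');
"""
SAMPLE_PLUGIN = "<?php\nadd_filter( 'automatic_updater_disabled', '__return_true' );\n"

# Release state at the time of the post, assumed fixed here. A live check
# would query https://api.wordpress.org/core/version-check/1.7/ instead.
LATEST_IN_BRANCH = {"4.0": "4.0.1", "4.1": "4.1.1"}
LATEST_RELEASE = "4.1.1"

_GENERATOR = re.compile(r'<meta\s+name="generator"\s+content="WordPress\s+([0-9.]+)"', re.I)
_DEFINE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*([^)]+?)\s*\)\s*;""")
_FILTER = re.compile(r"""add_filter\(\s*['"](\w+)['"]\s*,\s*['"](__return_true|__return_false)['"]""")


def version_tuple(version):
    return tuple(int(part) for part in version.split("."))


def wordpress_version_from_html(html):
    """Version advertised by the generator meta tag, or None if it is hidden."""
    match = _GENERATOR.search(html)
    return match.group(1) if match else None


def update_status(version):
    """Is the installed core missing its branch's security release, and is it
    behind the current release at all?"""
    branch = ".".join(version.split(".")[:2])
    installed = version_tuple(version)
    branch_latest = LATEST_IN_BRANCH.get(branch)
    return {
        "version": version,
        "missing_security_release": bool(branch_latest) and installed < version_tuple(branch_latest),
        "behind_latest_release": installed < version_tuple(LATEST_RELEASE),
    }


# wp-config.php constants that switch automatic core updates off.
_BLOCKING_CONSTANTS = {
    ("AUTOMATIC_UPDATER_DISABLED", "true"): "all automatic updates disabled",
    ("WP_AUTO_UPDATE_CORE", "false"): "automatic core updates disabled",
    ("DISALLOW_FILE_MODS", "true"): "file modifications (and so updates) disallowed",
}
# Filters a plugin or theme can hook to achieve the same thing.
_BLOCKING_FILTERS = {
    ("automatic_updater_disabled", "__return_true"): "updater disabled via filter",
    ("auto_update_core", "__return_false"): "core auto-updates disabled via filter",
    ("allow_minor_auto_core_updates", "__return_false"): "minor core auto-updates disabled via filter",
}


def auto_update_blockers(wp_config_php, plugin_php=""):
    """Reasons this install would not have applied a minor release by itself."""
    found = []
    for name, raw in _DEFINE.findall(wp_config_php):
        value = raw.strip().strip("'\"").lower()
        reason = _BLOCKING_CONSTANTS.get((name, value))
        if reason:
            found.append(f"{name}={value}: {reason}")
    for name, callback in _FILTER.findall(plugin_php):
        reason = _BLOCKING_FILTERS.get((name, callback))
        if reason:
            found.append(f"add_filter('{name}', '{callback}'): {reason}")
    return found


if __name__ == "__main__":
    version = wordpress_version_from_html(SAMPLE_HTML)
    print(update_status(version))
    print(auto_update_blockers(SAMPLE_WP_CONFIG, SAMPLE_PLUGIN))
```

If the version check says a security release is missing and the blocker list is empty, the automatic updater is enabled but something else is stopping it (a read-only filesystem, a failing cron, or a proxy that blocks api.wordpress.org are the usual suspects), which is the situation worth investigating rather than ignoring.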

If you are looking to improve the security of your WordPress website, check out our free Plugin Vulnerabilities plugin, which warns you when you are using WordPress plugins with known security vulnerabilities.