SiteGuarding.com’s WordPress Security Plugin Touts Its Use For Those That Pirate Software, While Charging For Its Services

When it comes to security plugins for WordPress, we don’t think to highly of most of them. But we have continued to be surprised how low things can go with them. Take for example the WP Antivirus Site Protection (by SiteGuarding.com) plugin, which on it’s description page on the Plugin Directory it states near the top:

This plugin will be especially useful for everybody who downloads WP themes and plugins from torrents and websites with free stuff instead of purchase the original copies from the developers. You will be shocked, how many free gifts they have inside ?

Their touting its use for those that pirate WordPress themes and plugins is kind of incredible on its own (note the lack of past tense in terms of downloading that software or lack of suggestion not to do that). But more incredible is the fact that at the same time the plugin is really just a connection for a mostly paid service, so they think you should pay them, but are okay with people not paying the developers of software.

What makes that dichotomy more striking is the comments from the developer on some of the negative reviews of the plugins.

One review reads:

If your website contains a file larger than 25MB, the plugin will abort and ask you to upgrade rather than just skipping it and warning you. The plugin is just a leadgen ploy. Uninstalled. Further more, of all the wordpress hacks I’ve ever seen, files affected are NEVER large or over a few kb.

That seems like reasonable complaint, which gets this response from the developer:

free version has limits. if you are not ready to pay for the security enjoy and live with the viruses.

As part of their response to another review the developer wrote in part:

If you installed it again. It means plugin is good, you just dont want to pay for good plugins and services and want everything for free.

It is also worth noting that there are a lot of rather fake looking reviews for the plugin.

The Morning After: What Happens to Data Post-Breach?

This post first appeared on the security website Dark Reading.

We need consumers and businesses to not simply shrug off data breaches but to take active measures to protect their data. We are hopeful that new insights will provide a compelling answer to the question “So what?”

No company is bulletproof when it comes to the compromise of data; this is the resounding message from Verizon’s 2016 Data Breach Investigations Report (DBIR). With statistics detailing how many records have been compromised, the fundamental question that is often overlooked is “So what?”

I don’t mean to sound indifferent, but it is a response that we often hear. “Banks refund me anyway” and “Well, it’s just another notification letter. I get these all the time” are common refrains. Feeling numb to the dizzying statistics is a dangerous trend that without correct education could have significant repercussions to the data subjects that have been impacted.

To assist with that education, we have coauthored one section of the DBIR that explains what happens with data after a breach, in particular the monetization of stolen data and their associated markets. (Intel Security contributed to this report by providing anonymized breach data. We also coauthored Appendix A, which focuses on post-breach fraud and what happens to data once it has been stolen from the breached entity. The report and more about our contribution can be found here.)

One of the biggest challenges we face when attempting to explain market pricing for stolen data is that not all data is created equally. How can we normalize various stolen data sets to establish “market prices?” In short, we cannot. It is for this reason that we focused instead on specific data sets—payment card information, financial account information, and medical data.

What is particularly significant is how inexpensive it is to purchase this type of data, with payment cards selling for the price of a cup of coffee. However, we were surprised by the sharp drop in the price of stolen payment cards over the last several years. Apparently, the law of supply and demand applies to all markets, including the criminal marketplace. With so many recent confirmed payment card breaches, there is only one direction for the market price of these cards to move—downward!

We are hopeful that such insights provide a compelling answer to the question “So what?” As a society, we are increasingly dependent on digital systems. We need consumers and businesses to not simply shrug off data breaches but to take active measures to protect their data and not give criminals a shortcut to becoming millionaires. As the European Cybercrime Centre states in the report, “Only through a coordinated effort involving all parties will we be in a position to tackle this threat.”

The post The Morning After: What Happens to Data Post-Breach? appeared first on McAfee.

Samsung Smart Home flaws let hackers make keys to front door

Computer scientists have discovered vulnerabilities in Samsung's Smart Home automation system that allowed them to carry out a host of remote attacks, including digitally picking connected door locks from anywhere in the world.

The attack, one of several proof-of-concept exploits devised by researchers from the University of Michigan, worked against Samsung's SmartThings, one of the leading Internet of Things (IoT) platforms for connecting electronic locks, thermostats, ovens, and security systems in homes. The researchers said the attacks were made possible by two intrinsic design flaws in the SmartThings framework that aren't easily fixed. They went on to say that consumers should think twice before using the system to connect door locks and other security-critical components.

"All of the above attacks expose a household to significant harm—break-ins, theft, misinformation, and vandalism," the researchers wrote in a paper scheduled to be presented later this month at the 2016 IEEE Symposium on Security and Privacy. "The attack vectors are not specific to a particular device and are broadly applicable."

Read 8 remaining paragraphs | Comments