Time to check all your WordPress installs...: A US-based cyber-security firm has published details about two zero-days that impact two of Facebook's official WordPress plugins. The details also include proof-of-concept (PoC) code that allows hackers to craft exploits and launch attacks against sites using the two plugins. IMPACTED PLUGINS The two zero-days impact "Messenger Customer Chat," a WordPress plugin that shows a custom Messenger chat window on WordPress sites,
It's ironic that many legitimate sites still haven't migrated to https. All the while the fraud sites are getting more sophisticated...: The proliferation of alternative, "generic" TLDs—such as .app and .online—as well as the ability to register domain names using non-latin characters are enabling phishing attacks, according to the 2019 Proofpoint Domain Fraud Report, published Tuesday. Since ICANN—the organization responsible for administration of the domain name system—began del
Use Bluetooth devices with your computer? There's a potential problem which you should be aware of and patch...: Windows security update will block pairing of certain weak BLE security keys at the OS level. This security advisory -- ADV190016 -- is part of Microsoft's June 2019 Patch Tuesday updates, which the company released just a few hours ago. This means that after applying today's security updates, Windows users will be protected at the OS level against any unkno
Do you know if you are exposing RDP to the internet? Time to head over to Shodan to see if they see you...: Security researchers are watching a new botnet, GoldBrute, which is currently brute-forcing a list of roughly 1.5 million remote desktop protocol (RDP) servers exposed online. The ongoing campaign is one of many scanning for vulnerable servers and using weak or reused passwords to access them. RDP has been making headlines since Microsoft disclosed "BlueKeep," a rem
A law firm's take on the recent Verizon report. Generally, if someone is going to breach your defences then it's most likely to be via a targeted individual...: Verizon recently released its 2019 Data Breach Investigations Report (the “Report”) and it reveals some startling trends about the targets of cyber breaches. Based on an analysis of 41,686 security incidents, including 2,013 confirmed data breaches, the Report highlighted the increasing number of financially-motivate
In a previous job we used to sigh every time there was an 'MGI' (Management Good Idea), usually prompted by the CEO having read something on the 'plane. I'm sure we can all recognise cognitive bias, or maybe not?...: It's a scenario commonly seen in today's businesses: executives read headlines of major breaches by foreign adversaries out to pilfer customers' social security numbers and passwords. They worry about the same happening to them and strategize accordingly – but...
Yet another example of supply chain risk. I'm interested in what controls are in place to check the suppliers' use of data that's been collected...: Customs and Border Protection officials on Monday said personal information the agency collected on travelers entering and exiting the U.S. was exposed in “a malicious cyber-attack.” The breach occurred after one of CBP’s subcontractors illegally transferred images of travelers and license plate photos collected by the agency...
I'm migrating clients away from Magento for two reasons. 1. It's a pain to apply patches; 2. It's too easy for a user to crash or misconfigure a site just by making a typo. Magento enables you to build sophisticated eCommerce sites but if you don't need the full functionality of Magento, consider using something simpler to maintain. Remember, complexity = risk...: New research has found 87% of SME websites using the Magento platform are currently at high risk from cyber attack
Using a hardware security device (e.g. USB cryptowallet)? You'll probably want to check if any updates are available...: [...] The duo, made up by Gabriel Campana and Jean-Baptiste Bédrune, said they reported the findings to the HSM maker, which "published firmware updates with security fixes." The two did not name the vendor, but the team behind the Cryptosense security audit software pointed out that the vendor may be Gemalto, which issued a security update last mont