Cybersecurity: WordPress Vulnerabilities

April 01, 2015

FBI (April 7) ISIL Defacements Exploiting WordPress Vulnerabilities. Continuous Web site defacements are being perpetrated by individuals sympathetic to the Islamic State in the Levant (ISIL) a.k.a. Islamic State of Iraq and al-Shams (ISIS). The defacements have affected Web site operations and the communication platforms of news organizations, commercial entities, religious institutions, federal/state/local governments, foreign governments, and a variety of other domestic and international Web sites. Although the defacements demonstrate low-level hacking sophistication, they are disruptive and often costly in terms of lost business revenue and expenditures on technical services to repair infected computer systems. Click here for the full alert.

Best practice. The FBI recommends the following actions be taken:

  • Review and follow WordPress guidelines: http://codex.wordpress.org/Hardening_WordPress
  • Identify WordPress vulnerabilities using free available tools such as
    http://www.securityfocus.com/bid,
    http://cve.mitre.org/index.html,
    https://www.us-cert.gov/
  • Update WordPress by patching vulnerable plugins:
    https://wordpress.org/plugins/tags/patch
  • Run all software as a non-privileged user, without administrative privileges, to diminish the effects of a successful attack
  • Confirm that the operating system and all applications are running the most updated versions.

Hacktivist
Click on the graphic to open a PDF version of this notification.

The FBI is warning U.S. companies that cyber terrorists from the Middle East and North Africa are planning to conduct cyber-attacks against Israeli and Jewish interests next week.  The Bureau stated in a security notice to U.S. industry on Sunday that, as of early March, “several extremist hacking groups indicated they would participate in a forthcoming operation, #OpIsrael, which will target Israeli and Jewish Web sites.”

“Given the perceived connections between the government of Israel and Israeli financial institutions, and those of the United States, #OpIsrael participants may also shift their operations to target vulnerable U.S.-based financial targets or Jewish-oriented organizations within the United States,” the FBI warning said.

The FBI predicts that the threat to U.S.-based infrastructure from the coming cyber attack is low for well-maintained and updated networks. So, make sure that your techies and hosts maintain and update your systems.

The FBI said members of at least two extremist hacking groups it did not identify are currently working to recruit hackers for the attacks next week. The hacker group Anonymous this week also threatened an “electronic Holocaust” in a video statement.

The FBI estimated that the threat to U.S.-based infrastructure from the coming cyber attack is low for well-maintained and updated networks. However, as part of its program to notify private industry of major cyber threats, the FBI is notifying several possible targets.

 

Cybersecurity for Jewish organizations 101: an update

July 22, 2014

Two years ago the websites of many Jewish organizations were hacked during Israel’s Operation Pillar of Defense. JCRC-NY and ADL (thanks to the ADL for some of the suggestions below) have noted some new attacks against Jewish community websites allegedly motivated by the ongoing conflict in Israel. Hacker groups claiming affiliation to Anonymous, the hacker collective, have attacked and defaced the websites for U.S. based Jewish institutions as well as Israeli government and business websites.

There may be an increase in the frequency and scope of attacks against Jewish websites. Jewish institutions should review their security procedures, including:

Website. Have your website hosted with a professional web hosting company rather than having it reside on an institutional server or  a member’s home computer. Contact your institution’s Internet Service Provider (ISP) and/or website hosting company to discuss what measures are in place to protect your website and its content and what steps should be taken in case of an incident.

When deciding on a web host and ask them:

  • whether they install security patches on a regular and timely basis;
  • how often they make active backups of hosted websites (you should have a current back-up version of the relevant website and establish a periodic policy of taking snapshot backups — e.g., on a weekly basis, in no case should the period be longer than a month).
  • what security measures do the hosting company use to prevent Denial of Service (DoS) attacks and unauthorized Website access. 
  • if they have a disaster recovery procedure that includes someone available as a 24/7 point of contact for emergencies.

Remove any personal information (e.g., personal email, Facebook pages, Twitter handles, home addresses and phone numbers) from organizational websites wherever possible. Website administrators should review website server logs for unusually high visitor activity or visitors from unusual locations and alert their ISP or hosting company immediately.

Passwords. As with institutional email addresses, an effort should be made to limit and control the number of people Website administrator or Webmaster permissions and policy for strong passwords and a schedule for changing passwords.

  • Administrator passwords must be changed periodically (at least every two months). Passwords must be complex, i.e., contain both alpha and numeric characters and have at least one case change. Ideally, they should also contain at least one “special” (non-alpha/numeric) character. Staff names should never be part of any password.
  • You can find tips to create strong passwords and  a utility to check the strength of a potential password here.

Social networks.  Social networking pages are also vulnerable and should be monitored regularly. In addition, wherever possible, institutional staff should remove information about their affiliation with the institution from personal social media pages. See these tips on socializing securely.

ADL is in contact with many of the major Internet and social networking companies. Facebook pages for Hamas and hacker groups have already been removed from the Internet and we will continue our efforts.

Computer systems. Be aware of who has access to their computer, the permissions granted to each account, who has system administrator authorization and who assigns passwords.

  • To the extent possible, financial records should be segregated from membership data and other documents. Many programs allow users to encrypt data, further protecting the confidentiality of constituents. Of course, passwords become critical elements of your data protection efforts.
  • It is always prudent to have active and up-to-date firewall, anti-virus and threat detection software.

Phishing. Remind institutional staff and key members to be wary of attachments to emails.  Computer criminals are adept sending emails from people that you know (often victims of prior phishing attacks) to lure you into a sense of false security. See specific tips and more at Lots of phishing going on: Stop, think, click.

System Intrusion. Computer system intrusion can happen in a variety of ways: access in an unauthorized manner, by an unauthorized user, internally by a member of the institution or externally by the public.

  • Advanced software can alert a system administrator if an unauthorized access has been attempted. Older systems may require a regular manually review of computer logs to detect unwanted access.
  • Computer logs and advanced software, if properly configured, can indicate which computer files, if any, have been accessed. A policy should be established to inform members if files containing personal or sensitive information have been exposed. It is likely best to err on the side of caution in such situations.
  • Unauthorized computer access is potentially a criminal act. System intrusions rarely happen by accident and, as such, it is best to assume the person violating the system is seeking something. As with Website hacking, those perpetrating a system breach, likely know they are breaking the law and may have motivation to justify that risk.
  • As soon as a system intrusion is detected the system administrator must be contacted immediately. Subsequent contact to law enforcement and FBI (http://www.ic3.gov/default.aspx) computer crime specialists would not be an unusual next step.

For more information, explanations and suggestions see the FCC’s Small Biz Cyber Planner.

Lots of phishing going on: Stop, think, click

February 18, 2014
How do you stop phishers? Look for these clues. Click to enlarge.
How do you stop phishers? Look for these clues. Click to enlarge.

OK, you’ve heard it over and over…don’t click on unknown links. Well, people, even smart people, don’t listen. You get an email from someone that you know, click on what is said to be a “secure” link and your adventure begins.

googledocs - Secure Login
Here’s the bait. It looks official. People click and type in their password, giving their email account and contacts to hackers.

Now the phisher has you lured in. You’re asked to sign in. A nasty bot takes control of your computer, steals your contact list and sends everyone on your list an invitation to become infected.

Recommendations:

    • Look at the illustration at the top of this email. Be aware.
    • Do not follow unsolicited web links in email messages or submit any email account or password information to unknown webpages in links.
    • Use caution when opening email attachments. Refer to Using Caution with Email Attachments for more information on safely handling email attachments.
    • Maintain up-to-date anti-virus software.
    • Perform regular backups of all systems to limit the impact of data and/or system loss.
    • Apply changes to your Intrusion Detection/Prevention Systems and Firewalls to detect any known malicious activity.
    • Secure open-share drives by only allowing connections from authorized users.
    • Keep your operating system and software up-to-date with the latest patches.
    • Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
    • Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

US-CERT and DHS encourage users and administrators experiencing a ransomware infection NOT to respond to extortion attempts by attempting payment and instead to report the incident to the FBI at the Internet Crime Complaint Center (IC3).

Here are some free resources to see if your computer is infected (from STOP. THINK. CONNECT.™  the global cybersecurity awareness campaign to help all digital citizens stay safer and more secure online. – See more at: http://www.stopthinkconnect.org/)

For more tips about cybersecurity, check out the following non-technical publications:

New cyberthreats (including CryptoLocker Ransomware)

November 17, 2013
Stop. Think. Connect.
Click on the icon to download a set of posters to help you create a culture of cybersecurity.

The FBI and the National Cybersecurity and Communications have identified new computer malware threats and recommend that, “organizations should increase vigilance and evaluate their capabilities encompassing planning, preparation, detection, and response for such an event.” Destructive malware is a direct threat to your daily operations. Because of the increasing sophistication of malware, anyone (employee, client, volunteer, student) who  is on your network could trigger an infection affecting everyone. Organizations should work to develop a culture of safe computing.

  1. The publication, Planning and Recommended Guidance: Destructive Malware is technical, but it is a good guide for techies. Please pass it on to your IT departments and/0r consultants to assist them to protect you, your data, your credit and your reputation.
  2. The National Cyber Awareness System reports outbreak of “ransomware” that restricts access to infected computers and demands a payment to to decrypt and recover your files (see CryptoLocker Ransomware Infections for more information and how to undo the damage). The latest means of infection appears to be phishing emails designed to mimic the look of legitimate businesses and through phony FedEx and UPS tracking notices. Some victims saw the malware appear following after a previous infection from existing botnets lurking on infected computers.

Recommendations:

    • Do not follow unsolicited web links in email messages or submit any information to webpages in links.
    • Use caution when opening email attachments. Refer to Using Caution with Email Attachments for more information on safely handling email attachments.
    • Maintain up-to-date anti-virus software.
    • Perform regular backups of all systems to limit the impact of data and/or system loss.
    • Apply changes to your Intrusion Detection/Prevention Systems and Firewalls to detect any known malicious activity.
    • Secure open-share drives by only allowing connections from authorized users.
    • Keep your operating system and software up-to-date with the latest patches.
    • Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
    • Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

US-CERT and DHS encourage users and administrators experiencing a ransomware infection NOT to respond to extortion attempts by attempting payment and instead to report the incident to the FBI at the Internet Crime Complaint Center (IC3).

Related information:

For more tips about cybersecurity, check out the following non-technical publications:

Protecting your cyberlives

July 31, 2013

DHS has an excellent resource: the US Computer Emergency Readiness Team (US-CERT). Their website has information ranging from Computer Security 101 to advanced information for IT professionals.

Remember: Scams, bots and viruses continue to proliferate. Use caution when opening email messages and take the following preventive measures to protect themselves from phishing scams and malware campaigns.

  • Do not click on or submit any information to webpages.
  • Do not follow unsolicited web links in email messages.
  • Use caution when opening email attachments. Refer to the Security Tip Using Caution with Email Attachments for more information on safely handling email attachments.
  • Maintain up-to-date antivirus software.
  • Users who are infected should change all passwords AFTER removing the malware from their system.
  • Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
  • Refer to the Security Tip Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

Other great information for non-techies from the US-CERT website.

Top 10 Ways to Improve the Security of a New Computer

  • Top 10 Ways to Improve the Security of a New Computer Because our computers have such critical roles in our lives and we trust them with so much personal information, it’s important to improve their security so we can continue to rely on them and keep our information safe.Virus Basics
  • Virus Basics Learn about viruses, what they can do to your systems, and how to avoid them and lessen their impact.
  • Home Network SecuritySecuring Wireless Networks In today’s connected world, almost everyone has at least one Internet-connected devices. With the number of these devices on the rise, it is important to implement a security strategy to minimize their potential for exploitation (see Securing the Internet of Things). Internet-connected devices may be used by nefarious entities to collect personal information, steal identities, compromise financial data, and silently listen to—or watch—users. However, taking a few precautions in the configuration and use of your devices can help prevent this type of activity.
  • Staying Safe on Social Networking Sites The popularity of social networking sites continues to increase. The nature of these sites introduces security risks, so you should take certain precautions.

Considerations for digital & online security at Jewish institutions

November 28, 2012

The hackings of 82 synagogue websites during Israel’s Operation Pillar of Defense by the “Moroccan Ghosts” brought appropriate responses from law enforcement agencies. The intrusions should remind us that cybersecurity is in our own hands. The following recommendations from the ADL make sense.

Read More Considerations for digital & online security at Jewish institutions

New hack attack on websites

August 19, 2012

For those of you with websites.

The problem

There is a relatively new attack on websites hitting MySQL. If you don’t understand this, check with your techie or your ISP to confirm if your website is vulnerable.

How do you know that you’ve been compromised? Google is ever alert and will mark your site as “dangerous”. Websites/web hosting companies subscribe to “blacklists” of such sites. Firefox and Chrome check the blacklists before going to a site and will tell a user, Warning – visiting this website may harm your computer!”.

Once your site is hacked it must be “cleaned”. After doing so, you can notify Google, request that it be removed from the blacklist and 3 to 24 hours later the site will be unblacklisted.

Best practices

  1. Make regular backups of your website. Even if your ISP takes care of this it couldn’t  hurt to have another.
  2. Your website probably has all kinds of access passwords (FTP, SQL administration, etc.). Make sure that you have strong passwords at every option. This usually includes multiple words, mixing capital and lower case letters and using numbers and symbols. See this Consumer Reports article for more explanations and tips.