Friday, February 27, 2015

More than 1 Million WordPress websites are vulnerable to blind SQL Injection Attacks

A security bug in the WordPress plugin WP-Slimstat could be exploited by attackers to discover a “secret” key and use it to run blind SQL Injections.

More than one million WordPress sites are potentially vulnerable to SQL injection attacks due to the presence of a critical flaw in the popular plugin WP-Slimstat. WP-Slimstat is an analytics plugin for WordPress that counts more than 1,300,000 downloads. Exploitation of the security flaw could allow an attacker to guess the value of the secret key the plugin uses to sign data sent to and from the user.
The security issue was discovered by Marc-Alexandre Montpas, a researcher with the firm Sucuri, during a routine audit.
All WP-Slimstat versions prior to the latest release, 3.9.6, are affected by the security issue. An attacker able to guess the secret key could run a series of blind SQL injection attacks and access data contained in the database of the WordPress instance, including user credentials, hashed passwords and WordPress Secret Keys.
“This bug can be used by any visitor browsing the vulnerable website. If your website uses a vulnerable version of the plugin, you’re at risk. Successful exploitation of this bug could lead to Blind SQL Injection attacks, which means an attacker could grab sensitive information from your database, including username, (hashed) passwords and, in certain configurations, WordPress Secret Keys (which could result in a total site takeover),” Marc-Alexandre Montpas wrote in a blog post.
The key was really a hashed version of the plugin’s installation timestamp. To guess the key, an attacker has to visit a website that caches information about when sites were put online, like the Internet Archive.
“An attacker could use sites like Internet Archive to approximately guess what year the site was put online (which would leave us with approx. 30 million values to test, something doable within 10 minutes with most modern CPUs),” states the post. “The only piece missing to be able to bruteforce the site’s timestamp is valid, signed, information coming from the plugin to compare our generated signatures with.”
In this specific blind SQL injection attack, an attacker brute forces site timestamps until the generated signature matches the signed data found on the affected site’s homepage. Montpas urges the administrators of websites using WP-Slimstat to update the plugin as soon as possible.
“The security of our users’ data is our top priority, and for this reason we tightened our SQL queries and made our encryption key harder to guess,” explained the plugin’s author, Camu.
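As an added illustration (not code from the plugin, from Sucuri’s post or from the vendor), the Python snippet below shows why a key derived from an installation timestamp is weak and what a hardened alternative looks like. The page only says the key was a hashed version of the installation timestamp, so the hash function used for the weak key here is an assumption; the payload and install time are constructed sample values. The one-year keyspace the code computes matches the roughly 30 million candidates the Sucuri post mentions.

```python
import hashlib
import hmac
import math
import secrets

SECONDS_PER_YEAR = 365 * 24 * 60 * 60  # 31,536,000 second-resolution timestamps


def weak_key_from_timestamp(install_ts: int) -> bytes:
    """Key derived from the install time. Hashing the decimal timestamp with
    SHA-256 is an assumption for illustration; any hash of a timestamp has the
    same defect: the key is fully determined by a value from a small range."""
    return hashlib.sha256(str(install_ts).encode()).hexdigest().encode()


def strong_key() -> bytes:
    """256 bits from the OS CSPRNG: not derivable from anything an attacker can observe."""
    return secrets.token_bytes(32)


def sign(key: bytes, message: bytes) -> str:
    """HMAC-SHA256 over the data the plugin sends to the browser."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify(key: bytes, message: bytes, signature: str) -> bool:
    """Constant-time comparison so verification itself leaks no timing oracle."""
    return hmac.compare_digest(sign(key, message), signature)


def timestamp_keyspace(years: int = 1) -> int:
    """Number of candidate keys when the install date is known to within `years`."""
    return years * SECONDS_PER_YEAR


def key_entropy_bits(keyspace: int) -> float:
    """Effective entropy of a key chosen from `keyspace` equally likely values."""
    return math.log2(keyspace)


if __name__ == "__main__":
    msg = b"visitor_id=42&referer=example.org"  # constructed sample payload
    weak = weak_key_from_timestamp(1_425_000_000)  # constructed install time
    print("weak key is reproducible:", weak == weak_key_from_timestamp(1_425_000_000))
    print("candidates for a one-year window:", timestamp_keyspace(1))
    print("effective bits, weak:", round(key_entropy_bits(timestamp_keyspace(1)), 1))
    print("effective bits, strong:", key_entropy_bits(2 ** 256))
    k = strong_key()
    sig = sign(k, msg)
    print("valid signature verifies:", verify(k, msg, sig))
    print("tampered data rejected:", verify(k, msg + b"&admin=1", sig))
```

The point of the comparison is the keyspace: a one-year window of second-resolution timestamps gives under 25 bits of effective entropy, so a single signed value from the site is enough of an oracle to recover the key, whereas a 32-byte random key leaves nothing to enumerate. Storing the random key at install time (as WordPress does with its own salts) removes the dependency on any public fact about the site.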

Why do people ignore security warnings when browsing the web?

We may read browser security warnings, but why don't we always follow them?

We may rely on computers, but we don’t notice what they’re telling us about online threats. Google recently had to redesign the security warnings in its Chrome web browser because most people were ignoring them. What’s even more worrying is that our brains may be hardwired to do so.

Like most browsers, when Chrome visits a web site it checks the site’s online proof of identity, called an SSL certificate. This certificate comes from a third-party authority, which performs a background check on the site before issuing it.

Checking PayPal’s certificate ensures that you’re visiting the right PayPal, rather than a fake version created by scammers. If something looks wrong, the browser warns the user about it.

Unfortunately, fewer than one in four Chrome users follow these warnings, its development team found, publishing the results in a recent paper. Given that more than one in ten users surf the web with Chrome, that’s a frightening statistic.

The problem goes beyond mere SSL certificate warnings, say experts. Many people seem to ignore more or less everything that their computers warn them about.

“When you’re posting on an online social network, you need to make a decision about to whom your post will be visible,” explains Lujo Bauer, an associate research professor at Carnegie Mellon University’s Cylab security research centre. “It’s not a warning, but it’s a security-related configuration choice that you have to make at that moment.”

So, why is it so difficult for users to follow simple security and privacy messages? Maybe it’s because they’re not that simple.

Often, warnings describe what the problem is (“this site’s SSL certificate has expired!”) rather than what the consequences of continuing might be (“if you visit this site, it might infect your computer with malware that steals your bank details!”).

Lujo co-authored a paper on effective warning design that featured several key guidelines. They included describing the risk comprehensively, being concise, and offering meaningful choices about how to proceed.

Google’s team reached similar conclusions. They stripped out the technical terms (most users don’t know what a certificate is, they found), and reduced the reading level by simplifying the text. That included making the text as brief as possible, even if it meant sacrificing detail.

The Chrome developers also added illustrations to suggest danger, and started using background colours to represent different kinds and severity of threat.

Giving your browser an opinion
Perhaps the most significant design element that the team introduced was the use of “opinionated design”. Instead of presenting evenly-balanced choices to the user, opinionated browsers can decide what the safest choice is and steer users towards it. They can highlight that choice by making the button bigger or bolder, perhaps, or even hiding unsafe choices behind one or more screens.

Making browsers more opinionated is an important design choice, says Andreas Gal, chief technology officer at Mozilla, which created the Firefox browser. “Even though we prefer that the user decides things, in some cases, it simply doesn’t make sense. It’s simply impossible to explain something as complex as cryptography to many users,” he says. “You start making specific recommendations or judgements for the user.”

This is an important weapon against one of the biggest challenges for security usability, said Raluca Budiu, senior researcher at usability consulting firm Nielsen Norman Group. She explains that the user makes a cost-benefit analysis when deciding whether to dismiss a warning.

“The immediate cost of heeding the warning is high, because I will not be able to achieve my immediate goal, which is to reach the site and complete the bill payment or the status update that I had in mind,” she says. “The immediate benefit is low and abstract. The chance of my information being stolen is smaller if I heed the warning, but that does not really change or improve in any way my current state.”

In short, users will prioritise immediate gain, and tend to dismiss consequences with no immediate visible effect.

Building an opinionated browser certainly helped Chrome’s design team. After testing the new warning design, users didn’t really understand the warnings much more, but they did follow them: the adherence rate climbed to 62%.

Still, that means that almost four in every ten Chrome users still fail to heed these warnings. Why? One of the most worrying answers is that we’re simply designed that way.

Hardwired not to notice
Anthony Vance, assistant professor of information systems at Utah’s Brigham Young University, works in the neurosecurity lab there. The lab spends its time exploring how the brain interacts with cybersecurity issues. His team put test subjects in a magnetic resonance imaging machine to see what happened inside their brains when faced with software security warnings.

“We used a variety of 40 different warnings – common ones of all kinds, like anti-virus warnings, software updates, and SSL warnings from browsers of all kinds,” says Vance. The results showed that the visual processing part of the brain stopped analysing the warnings after seeing them more than once.

This is a concept that he calls “habituation” – in short, people stop paying attention to warnings, the more they see them, and Vance says there’s a biological reason for it. “The first time that your brain experiences a stimulus, it devotes attention to it, but then for subsequent exposures, it relies on memory, and the response is far less,” he says.

When you walk into your room for the hundredth time, you’re not really looking at your wallpaper, Vance explains. Instead, your brain is painting a picture of it for you from memory. This leaves your brain free to focus on other things.

That’s fine for wallpaper that doesn’t change, but it’s problematic for computer warnings which may change frequently and present different information. “Some people think that users are lazy and inattentive,” says Vance, “but this is simply fundamental to our own biology.”

Bauer’s design guidelines suggest consistency in warnings to make them more understandable for the user. Paradoxically, Vance’s research suggests the opposite. He tried to make polymorphic warnings, which are inconsistent, to keep the brain engaged.

Switching colours, adding images randomly and including animated graphics are all ways to stop the brain relying on memory and persuade it to pay attention, he said. One of the most successful polymorphic warnings in his test even jiggled slightly.

Who needs users, anyway?
There are other solutions, according to Sigbjørn Vik, who works in the security group at browser developer Opera. In some cases, developers can make habituation work positively for them.

“What does work is using habituation positively,” he said. “That means getting users to expect a certain pattern.” That could be checking for certain ambient indicators that suggest a site is valid – and noticing when they’re not displayed.

Others suggest just cutting the user out of the equation altogether. Melih Abdulhayoglu is founder and chief executive of Comodo, a company that both issues digital certificates and also sells anti-virus software. “The technology must solve the problem by making the decision on behalf of the user, and not interrupting them,” he said.

Like many anti-virus systems, Comodo’s software uses blacklists to filter out known bad software. It also checks for software signed with digital certificates to help determine if it’s known and trusted. If it can’t classify software as good or bad, it runs it in a container, designed to limit the effect of the software on the system. That stops the software having to interrupt the user with prompts, he concluded.

Deciding for the user isn’t possible 100% of the time, though, across every application, says Candid Wueest, principal threat researcher at Symantec. His company also tries to make as many decisions for the user as possible, but there may be some decisions where it might be necessary to ask the user about it, he warned.

“It might be something the user actually wants to do, like changing the user’s home page in the browser,” Wueest said, arguing that both spyware and legitimate software sometimes try to do this, as do users, manually.

Browser vendors must be particularly careful here. There will also always be an expert that wants to override a browser warning for good reason, and if a browser is too prohibitive, users may simply use a competitor’s software instead.

“We want people to be safe by default when using Chrome, but we also want to give people control over their browsing experience,” the Chrome development team told the Guardian in a statement. Users can still override warnings in the browser.

Smaller screens and more complex choices
This is a big enough problem on desktop browsers, but the stakes increase as devices get smaller, and choices become more complex. “Now with gadgets that collect lots of data, we have to make decisions about who to share it with,” said Bauer.

Android applications often ask users to give them permissions for everything from contact info through to control of their phone, for example. How many of us take notice, and how many simply click “ok” so that we can get on with the task in hand?

Mozilla has tried to mitigate this problem by making mobile apps ask for permissions when they’re about to carry out a task, rather than when they’re installed. Gal calls this “pay as you go security”.

All of these approaches may get us closer to waking users up, but nothing trumps good old-fashioned education, says David Emm, principal security researcher at security software vendor Kaspersky Lab. Browser vendors can redesign warnings all they want, he said, “but if this is done in isolation and if there’s no wider learning context for it, this will always be much less effective”.

What we need is a drip-fed online safety education, akin to the drink-driving road safety campaigns of the past, Emm warns. He believes that drumming online safety into people repeatedly is a vital component.

We all remember the road safety slogans of the past. “Think once. Think twice. Think bike,” was one. “Clunk click with every trip” graced our TV screens for years. But somehow, “use caution when visiting sites with apparent SSL certificate disparities” doesn’t roll off the tongue. Anyone got any better ideas?

Wednesday, February 25, 2015

The Ramnit botnet has been shut down in a joint effort by the Europol and the security firms Symantec, Microsoft, and Anubis Networks.


Another success for Europol and its allies Microsoft, Symantec, and Anubis Networks: in a joint effort the organizations have shut down the command and control servers of the popular Ramnit botnet. The Joint Cybercrime Action Taskforce (J-CAT) and CERT-EU also provided significant support to the operation.
“On 24 February, Europol’s European Cybercrime Centre (EC3) coordinated a joint international operation from its operational centre in The Hague, which targeted the Ramnit botnet that had infected 3.2 million computers all around the world,” states the official announcement issued by Europol.
According to cyber security experts, Ramnit is one of the world’s biggest botnets, having infected up to 3.2 million machines worldwide.
The group behind the Ramnit botnet appears to have been active since 2010, and the malware evolved quickly over time thanks to continuous improvement. A botnet can be used for several fraudulent activities; Ramnit was mainly used by crooks for financial fraud.
Law enforcement agencies from several European countries, including Germany, Italy, the Netherlands, and the UK, have seized the control infrastructure of the Ramnit botnet.
“Representatives from the various countries, Microsoft, Symantec and AnubisNetworks worked together with Europol officials to shut down command and control servers and to redirect 300 Internet domain addresses used by the botnet’s operators.” reported the Europol.
Europol Deputy Director Operations Wil van Gemert expressed his satisfaction with the operation, highlighting the importance of collaboration between several entities to fight the criminal ring operating the Ramnit botnet.
“This successful operation shows the importance of international law enforcement working together with private industry in the fight against the global threat of cybercrime,” said Wil van Gemert.
“We will continue our efforts in taking down botnets and disrupting the core infrastructures used by criminals to conduct a variety of cybercrimes,” he added.
Symantec published a blog post in which it describes the evolution of the Ramnit agent since 2010. The experts revealed that the malicious code and its controllers evolved rapidly over time.
The latest variant of Ramnit (W32.Ramnit.B) has abandoned the file infection routine and implemented a range of alternative infection methods.
“Ramnit (W32.Ramnit) began life as a worm, first appearing in 2010 and spreading quickly due to aggressive self-propagation tactics. Once it compromised a computer it sought out all EXE, DLL, HTM, and HTML files on the local hard disk and any removable drives and attempted to infect them with copies of itself,” reported Symantec.
Symantec explained that the Ramnit malware is composed of six standard modules: “Spy module,” “Cookie grabber,” “Driver scanner,” “Anonymous FTP server,” “VNC module,” and “FTP grabber.”
Microsoft and Symantec have released a removal tool for Ramnit; users who fear their computer may have been infected can download the software. For further information please visit www.getsafeonline.org or www.cyberstreetwise.com.

Tuesday, February 24, 2015

2015 as a Turning Point for Web Freedom, Study

Web freedom is of paramount importance, especially in countries where there is heavy censorship. Recent incidents and ongoing prohibitions have made the future uncertain when it comes to people being able to express themselves without worrying about the consequences of censorship.
In 2015, one of the issues that will cause grave concern and debate is undoubtedly that of web freedom. As has been made clear over the past few years, many people are frustrated by the degree of online freedom they are allowed to experience.
At the same time, there is an emerging fear about the personal information revealed by social media and search engines and the possibility of such information being used by the authorities against Internet users. It seems this matter is going to be in the spotlight in 2015 as well, with many more battles still to be won by civilians who wish to secure their digital traces.

One of the difficult parts to tackle is legislation and the barriers it has placed on what social media can conceal and what every company is obliged to hand over to the authorities. Under strict regimes, such as those of Russia and Turkey, there is a conflict between social media and the prohibitions applied by the governments.

Facebook, Twitter and Google can be put in a challenging position, where they will have to choose how to survive by adopting the new requirements. Their legal departments are truly busy trying to come up with loopholes they can take advantage of along the way.

Russia in particular has passed a law which clearly states that every company that wishes to store information on Russian residents should do so locally, meaning that their servers should be placed inside Russia. The country’s government has been trying to increase vigilance after the outstanding 57 million cyberattacks that occurred in the first half of 2014 alone, due to the troubling times Russia is going through.

Another incident that has alarmed people that censorship efforts do more harm than good was Facebook being prompted to remove a page of Vladimir V. Putin’s political opponent, Aleksei A. Navalny. The issue has drawn great attention due to the severity of the removal and the quick turnaround of Facebook in executing the order given by the Russian government. The whole issue emerged after Aleksei Navalny’s supporters were encouraged through the Facebook page to attend a rally on the day of his trial on January 15th. Of course, in the end many more pages with similar or even identical content appeared on other social media and managed to gain even more attention.

Similar censorship was attempted on Twitter by Turkey. The government insisted that it blocked Twitter in an effort to stop security breaches, but the truth is that Twitter was blocked because of links about corruption within the Turkish government.

As a result of the blocking, Turkish Internet users became well aware of how to overcome the restrictions applied by the government, and therefore the whole ban had completely different consequences from those anticipated by Recep Tayyip Erdogan. As for Pakistan, there is heavy censorship there as well: Facebook and YouTube, for example, suffer from many blocking attempts, and the government is pressing for further action.

The recent statement from the European Union on the right to be forgotten highlights the universal need to allow online content from social media and search engines to be deleted. Even though to date the right applies to European countries and their versions of social media and search engines, the trend exists and the rest of the world is bound to follow.

Especially when it comes to Facebook, with its gigantic number of more than 1.3 billion users globally, there need to be some attentive measures regarding privacy settings and the right to anonymity. As for Google, its policy concerning content deletion is summed up in its statement back in 2010, where it claims to be driven by the right to freedom of expression. Human rights should not be overlooked, and this is in fact what is at stake in the multiple cases of content removal orders.

Another aspect that requires further attention is the refuge that Mr. Edward Snowden has found in Russia. The country’s reactions regarding the strict legislation and the need to have data servers within Russia instead of the United States can be regarded as a straightforward reaction to the ongoing revelations of Snowden about the tactics used by the NSA and the US in general. So it is left to the future to prove whether or not there can be common ground between powerful countries with conflicting interests, antagonism and revelations that hurt one another.

In this difficult period, there is global concern about web freedom and its limitations. Governments find it hard to grant a fully uncensored Internet, particularly in times when there are abundant threats and conflicts that can turn into menaces in a heartbeat. Let’s see how the dice are rolled!

Monday, February 23, 2015

25 billion Cyberattacks hit systems in Japan during 2014

The National Institute of Information and Communications Technology revealed that more than 25 billion cyberattacks hit systems in Japan during 2014.


I decided to write this post to highlight the importance of a cybersecurity posture for any government. When most people think of cybersecurity, they have no idea of the principal cyber threats and their effect on the infrastructure of a country, so in this post we will try to give a quantitative analysis of the phenomenon in one of the most technologically advanced countries, Japan. The National Institute of Information and Communications Technology (NICT), which has a network of a quarter of a million sensors, said there were 25.66 billion attempts to compromise systems, according to a report by Kyodo News.
The NICT revealed that Japanese government offices and other entities suffered more than 25.66 billion attacks in 2014.
Kyodo News reported that a network of a quarter of a million sensors detected this huge number of attempts to compromise the country’s systems. The number of attacks is growing exponentially: in 2005, when the analysis was made for the first time, the overall number of attacks was 310 million. It should be emphasized that the figure also includes cyber attacks conducted as part of penetration tests carried out by experts.
Personally, I am always reluctant to take these figures at face value; however, it is interesting to note the percentage increase in attacks. The finding is consistent with data provided by the numerous reports published by the various security companies.
Looking closely at the categories of attacks that hit systems in Japan, the experts at NICT confirmed that among the most targeted infrastructure were Internet of Things devices, including routers, security cameras and other systems connected to the Internet.
China was the primary source of attacks against Japan: 40 percent of the attack attempts originated in China, while other sources included South Korea, Russia and the United States.
We cannot forget that an increase in the number of attacks corresponds to an increase in the costs incurred by governments, private companies and the population.
The recent Sony Pictures hack and the attack against financial institutions uncovered by Kaspersky have demonstrated the severity of the cyber attacks suffered by victims.

Lenovo released an automatic removal tool for the Superfish adware

Lenovo, with the support of Microsoft and McAfee, has developed a removal tool to clean its laptops and delete the Superfish malware.

Last week, the news of the presence of the Superfish adware in laptops sold by the Chinese vendor Lenovo captured the attention of the media. The presence of the Superfish malware exposes Lenovo users to hacking attacks: as the cyber security expert Robert Graham explained in a blog post, the malware hijacks and throws open encrypted connections, a circumstance that could be exploited by attackers to eavesdrop on users’ traffic.
Lenovo intentionally pre-installed the adware on its laptops, but once it was discovered the company tried to remedy the problem by releasing a tool to remove the malicious “SuperFish” adware that it had pre-installed on many of the consumer-grade Lenovo laptops sold before January 2015.
Lenovo admitted that it was caught preloading a piece of adware that installed its own self-signing Man-in-the-Middle (MitM) proxy service that hijacked HTTPS connections; the company also informed its customers that it had “stopped Superfish software at beginning in January” 2015.
“We ordered Superfish preloads to stop and had server connections shut down in January based on user complaints about the experience. However, we did not know about this potential security vulnerability until yesterday. Now we are focused on fixing it,” states an official statement released by Lenovo. “We recognize that this was our miss, and we will do better in the future. Now we are focused on fixing it.”
Graham reverse engineered the malicious software in a debugger (IDA Pro); the process allowed him to extract the certificate from the SuperFish adware and crack the password (“komodia”) that encrypted it. Using the password, an attacker can potentially inject malware or spy on a vulnerable Lenovo user sharing the same Wi-Fi network.
US-CERT recently issued Alert (TA15-051A) to warn Lenovo users about the fact that the Superfish adware is vulnerable to HTTPS spoofing.
“Superfish adware installed on some Lenovo PCs installs a non-unique trusted root certification authority (CA) certificate, allowing an attacker to spoof HTTPS traffic,” states the alert. “Since the private key can easily be recovered from the Superfish software, an attacker can generate a certificate for any website that will be trusted by a system with the Superfish software installed. This means websites, such as banking and email, can be spoofed without a warning from the browser.”
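Because the Superfish root certificate is the same on every affected machine (the alert calls it non-unique), a single fingerprint identifies it wherever it appears, which is what makes a fingerprint denylist an effective way to detect it in a trust store. The Python example below is added here and is not part of the US-CERT alert or of Lenovo’s removal tool: it scans a PEM bundle of trusted roots and reports any certificate whose SHA-256 fingerprint is on a denylist. The two certificates in the bundle are constructed placeholder byte strings, not real X.509 data, and the denylist entry is derived from one of them; a real run would load the system’s exported root store and the fingerprint a vendor publishes for the certificate to be distrusted.

```python
import base64
import hashlib
import re

# Matches each certificate in a PEM bundle (the base64 body may span many lines).
PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_to_der_blocks(bundle_text: str) -> list:
    """Return the DER bytes of every certificate in a PEM bundle, in order."""
    return [
        base64.b64decode("".join(body.split()))
        for body in PEM_CERT_RE.findall(bundle_text)
    ]


def sha256_fingerprint(der: bytes) -> str:
    """Fingerprint as vendors publish it: SHA-256 over the DER encoding, upper-case hex."""
    return hashlib.sha256(der).hexdigest().upper()


def find_denylisted(bundle_text: str, denylist: set) -> list:
    """Fingerprints from the bundle that appear on the denylist (each reported once)."""
    found = []
    for der in pem_to_der_blocks(bundle_text):
        fp = sha256_fingerprint(der)
        if fp in denylist and fp not in found:
            found.append(fp)
    return found


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour, 64 base64 characters per line."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed placeholders standing in for DER-encoded certificates; they are
# not real X.509 structures, only bytes to fingerprint.
CONSTRUCTED_GOOD_DER = b"constructed placeholder: a legitimate root CA would be here"
CONSTRUCTED_BAD_DER = b"constructed placeholder: a vendor-injected interception root"

# A root store as it would be exported: one legitimate root, one injected root.
SAMPLE_BUNDLE = der_to_pem(CONSTRUCTED_GOOD_DER) + der_to_pem(CONSTRUCTED_BAD_DER)

# Placeholder denylist: in practice this holds the fingerprint a vendor publishes.
DENYLIST = {sha256_fingerprint(CONSTRUCTED_BAD_DER)}


if __name__ == "__main__":
    hits = find_denylisted(SAMPLE_BUNDLE, DENYLIST)
    print(f"{len(pem_to_der_blocks(SAMPLE_BUNDLE))} roots scanned, {len(hits)} denylisted")
    for fp in hits:
        print("remove from trust store:", fp)
```

Matching on the fingerprint rather than on the subject name is deliberate: a name such as the issuer string can be reused by any certificate, while the SHA-256 of the DER encoding pins exactly the key and certificate the vendor published, so a hit is a positive identification and a clean scan after removal confirms the certificate is gone.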
“We apologize for causing these concerns among our users – we are learning from this experience and will use it to improve what we do and how we do it in the future,” states Lenovo. “In addition to the manual removal instructions currently available online, we have released an automated tool to help users remove the software and certificate. That tool is here: http://support.lenovo.com/us/en/product_security/superfish_uninstall”