Sunday, 12 February 2017

WordPress Sites Hacked Using Vulnerability



A critical zero-day flaw in WordPress was silently patched by the company before hackers could get their hands on the nasty bug and exploit millions of WordPress websites.



Thousands of WordPress Sites Hacked Using Recently Disclosed Vulnerability

To ensure the security of millions of websites and its users, WordPress delayed the vulnerability disclosure for over a week and worked with security companies and hosts to install the patch, ensuring that the issue was dealt with in short order before it became public.


But even after the company's effort to protect its customers, thousands of admins did not bother to update their websites, which remain vulnerable to the critical bug that has already been exploited by hackers.

While WordPress includes a default feature that automatically updates unpatched websites, some admins running critical services disable this feature so they can test patches before applying them.

Even the news blog of the well-known Linux distribution openSUSE (news.opensuse.org) was hacked, though it was restored immediately and no other part of openSUSE's infrastructure was breached.

The vulnerability resided in the WordPress REST API and could be chained into further flaws, allowing an unauthenticated attacker to delete pages or modify all pages on unpatched websites, redirect their visitors to malicious exploits, and mount a large number of other attacks.

The security researcher at Sucuri, who privately disclosed the flaw to WordPress, said they started noticing the attacks leveraging this bug less than 48 hours after disclosure. They noticed at least four different campaigns targeting still unpatched websites.

In one such campaign, hackers succeeded in replacing the content of over 66,000 web pages with "Hacked by" messages. The remaining campaigns have targeted roughly 1,000 pages in total.

Besides defacing websites, such attacks appear to be carried out mostly for black-hat SEO campaigns, spreading spam to gain search engine ranking, a practice also known as search engine poisoning.
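As an added illustration of how a site owner would triage this from the defender's side (this is example code written for this page, not code from the article, WordPress or Sucuri): the script below parses a few constructed Apache-style access-log lines, flags successful write requests against post and page content through the REST API, and checks a version string against the fixed release named above. The REST route shape (`/wp-json/wp/v2/posts/...` and `/wp-json/wp/v2/pages/...`) is assumed from the WordPress REST API rather than taken from the page, and the log lines are made up.

```python
import re
from typing import List, Tuple

# Constructed sample web-server access-log lines (Apache "combined" format).
# These are made-up entries for illustration, not traffic from any real site.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Feb/2017:10:01:12 +0000] "GET /wp-json/wp/v2/posts/17 HTTP/1.1" 200 1844 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Feb/2017:10:01:13 +0000] "POST /wp-json/wp/v2/posts/17 HTTP/1.1" 200 2210 "-" "python-requests/2.12"
198.51.100.9 - - [06/Feb/2017:10:02:40 +0000] "PUT /wp-json/wp/v2/pages/42 HTTP/1.1" 200 1900 "-" "curl/7.51"
192.0.2.77 - - [06/Feb/2017:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.77 - - [06/Feb/2017:10:03:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Minimal parser for the combined log format: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# REST API routes for post and page content under the wp/v2 namespace.
# The route shape is assumed from the WordPress REST API; it is not stated on the page.
CONTENT_ROUTE_RE = re.compile(r"^/wp-json/wp/v2/(posts|pages)/[^/?]+")
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def rest_content_writes(log_text: str) -> List[Tuple[str, str, str, str]]:
    """Return (ip, timestamp, method, path) for successful write requests
    against post/page content via the REST API.

    On a site whose content is only edited through wp-admin, such requests
    are unusual and worth reviewing; a burst of them across many post IDs is
    the trace a mass-modification campaign leaves in the logs."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if (m["method"] in WRITE_METHODS
                and CONTENT_ROUTE_RE.match(m["path"])
                and m["status"].startswith("2")):
            hits.append((m["ip"], m["ts"], m["method"], m["path"]))
    return hits


def needs_update(version: str, fixed: Tuple[int, ...] = (4, 7, 2)) -> bool:
    """True if the given WordPress version string is older than the fixed
    release named in the article (4.7.2)."""
    parts = tuple(int(p) for p in version.split("."))
    # Pad so that "4.7" compares as 4.7.0.
    parts += (0,) * (len(fixed) - len(parts))
    return parts < fixed


if __name__ == "__main__":
    for hit in rest_content_writes(SAMPLE_LOG):
        print("REST content write:", *hit)
    for v in ("4.7", "4.7.1", "4.7.2"):
        print(v, "needs update" if needs_update(v) else "patched")
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents; the two flagged lines in the sample are the POST to a post and the PUT to a page, while the ordinary page view and the login POST are ignored.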

So, site administrators who have not yet updated their websites to the latest WordPress release, 4.7.2, are urged to patch them immediately before becoming the next target of SEO spammers and hackers. Humble request to do so for your own safety.

Saturday, 15 October 2016

Yahoo Disables Email Auto-Forwarding, Makes It Harder for Users to Move On

Yahoo! has disabled automatic email forwarding -- a feature that lets its users forward a copy of incoming emails from one account to another.


The company has faced lots of bad news regarding its email service in the past few weeks. Last month, the company admitted a massive 2014 data breach that exposed account details of over 500 million Yahoo users.

If this wasn't enough for users to quit the service, another shocking revelation came last week that the company scanned the emails of hundreds of millions of its users at the request of a U.S. intelligence service last year.

That's enough to make a loyal Yahoo Mail user switch to rival alternatives, like Google's Gmail or Microsoft's Outlook.

Yahoo Mail Disables Auto-Forwarding; Making It Hard to Leave


But as Yahoo Mail users are trying to leave the email service, the company is making it more difficult for them to transition to another email service.

That's because, since the beginning of October, the company has disabled Yahoo Mail's automatic email forwarding feature, which allowed users to automatically redirect incoming emails from their Yahoo account to another account, as reported by the Associated Press.



"This feature is under development. While we work to improve it, we've temporarily disabled the ability to turn on Mail Forwarding for new forwarding addresses. If you've already enabled Mail Forwarding in the past, your email will continue to forward to the address you previously configured."

In other words, only users who already had the feature turned on in the past are spared this trouble; users who try to turn on automatic email forwarding now have no option.

Yahoo has shared the following statement about the recent move:
"We're working to get auto-forward back up and running as soon as possible because we know how useful it can be to our users. The feature was temporarily disabled as part of previously planned maintenance to improve its functionality between a user's various accounts. Users can expect an update to the auto-forward functionality soon. In the meantime, we continue to support multiple account management."

Yahoo is trying to save its Verizon Acquisition Deal


The move to turn off the email forwarding option could be an attempt to keep its customers' accounts active, because any damage to the company is critical at a time when Yahoo is seeking to sell itself to Verizon.

The Yahoo acquisition deal has not yet closed, and Verizon Communications has reportedly asked for a $1 Billion discount off of Yahoo's $4.83 Billion sales price.

As a workaround, you could switch on your vacation responder instead to automatically reply to emails with a note about your new email address.

Delete Your Yahoo Account Before It's Too Late


You can also forego the forwarding process and simply delete your Yahoo Mail account entirely, unless Yahoo disables that option, too.

The Register reports that British Telecom customers, whose email had been outsourced to Yahoo, have not been able to set up automatic email forwarding or even access the option to delete their accounts.

Microsoft Patches 5 Zero-Day Vulnerabilities


Microsoft Patches 5 Zero-Day Vulnerabilities Being Exploited in the Wild
Microsoft has released its monthly Patch Tuesday update, including a total of 10 security bulletins, and you are required to apply the whole package of patches altogether, whether you like it or not.

That's because the company is kicking off a controversial new all-or-nothing patch model this month by packaging all security updates into a single payload, removing your ability to pick and choose which individual patches to install.

October's patch bundle includes fixes for at least 5 separate dangerous zero-day vulnerabilities in Internet Explorer, Edge, Windows and Office products that attackers were already exploiting in the wild before the patch release.

The patches for these zero-day flaws are included in MS16-118, MS16-119, MS16-120, MS16-121 and MS16-126. All the zero-days are being exploited in the wild, allowing attackers to execute remote commands on a victim's system.

Although none of the zero-day flaws were publicly disclosed prior to Tuesday, the company was aware of attacks exploiting these flaws, said Microsoft.

Here's the list of Zero-Day Vulnerabilities:


  1. CVE-2016-3298: An Internet Explorer zero-day flaw is a browser information disclosure vulnerability patched in MS16-118 bulletin among 11 other vulnerabilities. It could allow attackers to "test for the presence of files on disk."
  2. CVE-2016-7189: A zero-day in the browser's scripting engine has been patched in Microsoft Edge bulletin, MS16-119, among others. The flaw is a remote code execution vulnerability.
  3. CVE-2016-3393: Another zero-day, in the Microsoft Windows Graphics Component, has been addressed in MS16-120. It could be exploited over the web, via an email containing a malicious file, or over a file-sharing app to conduct an RCE attack.
  4. CVE-2016-7193: A single zero-day in Office has been addressed in MS16-121 bulletin. The flaw is a remote code execution vulnerability caused by the way Office handles RTF files.
  5. CVE-2016-3298: The last publicly attacked zero-day has been patched in MS16-126, which is the only zero-day that is not rated critical, just moderate. The flaw is an information disclosure bug affecting Vista, Windows 7 and 8 and exists in the Microsoft Internet Messaging API.

Another bulletin rated critical is MS16-122, which patches a remote code execution flaw, CVE-2016-0142, in the Windows Video Control, affecting Windows Vista, 7, 8 and 10. The bug can be exploited when a user opens a crafted file or app from a web page or email.

Microsoft also patched twelve vulnerabilities in Adobe Flash Player for Windows 8.1, Windows 10, and Server 2012 in MS16-127.

The remaining bulletins, rated important or moderate, include MS16-123, MS16-124 and MS16-125, which respectively patch five elevation-of-privilege vulnerabilities in Windows Kernel-Mode, four elevation-of-privilege vulnerabilities in the Windows Registry, and an elevation-of-privilege flaw in the Windows Diagnostics Hub.

Adobe Patch Update


Adobe also released a new version of Flash Player today that patches a dozen vulnerabilities in the software, most of which are remote code execution flaws.

Adobe has also published code clean-ups for 71(!) CVE-listed security flaws in Acrobat and Reader, along with a fix for a single elevation of privilege bug in Creative Cloud.

Users are advised to apply the Windows and Adobe patches to keep hackers and cybercriminals from taking control of their computers.

A system reboot is necessary for installing updates, so admins are advised to save work on PCs where the whole package of patches is deployed before initiating the process.

Thursday, 16 June 2016

How to Hack Someone's Facebook Account Just by Knowing Their Phone Number


Hacking a Facebook account is one of the major queries on the Internet today. It's hard to find a real answer to how to hack a Facebook account, but researchers have just proven it can be done by taking control of a Facebook account with only the target's phone number and some hacking skills.

Yes, your Facebook account can be hacked, no matter how strong your password is or how many extra security measures you have taken. No joke!

Hackers with skills to exploit the SS7 network can hack your Facebook account. All they need is your phone number.

The weaknesses in SS7, part of the global telecom network, not only let hackers and spy agencies listen to personal phone calls and intercept SMSes on a potentially massive scale, but also let them hijack social media accounts to which you have provided your phone number.

SS7 (Signalling System Number 7) is a telephony signaling protocol used by more than 800 telecommunication operators worldwide to exchange information with one another for cross-carrier billing, roaming, and other features.

However, an issue with the SS7 network is that it trusts text messages sent over it regardless of their origin. So, malicious hackers could trick SS7 into diverting text messages as well as calls to their own devices.

All they need is the target’s phone number and some details of the target’s device to initiate the silent snooping.

The researchers from Positive Technologies, who recently showed how they could hijack WhatsApp and Telegram accounts, now gave the demonstration of the Facebook hack using similar tricks, Forbes reported.

SS7 has long been known to be vulnerable, despite the advanced encryption used by cellular networks. Knowledge of the design flaws in SS7 has been circulating since 2014, when a team of researchers at German Security Research Labs alerted the world to them.

Here’s How to Hack Any Facebook Account:


The attacker first needs to click on the "Forgot account?" link on the Facebook.com homepage. Now, when asked for a phone number or email address linked to the target account, the hacker needs to provide the legitimate phone number.

The attacker then diverts the SMS containing a one-time passcode (OTP) to their own computer or phone, and can login to the target’s Facebook account.

You can watch the video demonstration that shows the hack in action.


The issue affects all Facebook users who have registered a phone number with Facebook and have authorized Facebook Texts.

Besides Facebook, researchers’ work shows that any service, including Gmail and Twitter, that uses SMS to verify its user accounts has left open doors for hackers to target its customers.

Although network operators are unlikely to patch the hole anytime soon, there is a little that smartphone users can do:
  • Do not link your phone number to social media sites; rather, rely solely on email to recover your Facebook or other social media accounts.
  • Use two-factor authentication that does not rely on SMS texts for receiving codes.
  • Use communication apps that offer "end-to-end encryption" to encrypt your data before it leaves your smartphone, rather than relying on your phone's standard calling feature.

Wednesday, 15 June 2016

Hack the Pentagon: Hackers find over 100 Bugs in U.S. Defense Systems

The "Hack the Pentagon" bug bounty program by the United States Department of Defense (DoD) has been successful with more than 100 vulnerabilities uncovered by white hat hackers in Pentagon infrastructure.

In March, the Defense Department launched what it calls "the first cyber Bug Bounty Program in the history of the federal government", inviting hackers to take up the challenge of finding bugs in its networks and public-facing websites registered under the DoD.

Around 1,400 white-hat (ethical) hackers participated in the Hack the Pentagon program and were awarded up to $15,000 for disclosures of the most destructive vulnerabilities in the DoD's networks, Defense Secretary Ashton Carter said at a technology forum on Friday.

"They are helping us to be more secure at a fraction of the cost," Carter said. "And in a way that enlists the brilliance of the white hatters, rather than waits to learn the lessons of the black hatters."

The Hack the Pentagon program, hosted on the bug bounty platform HackerOne, ran from April 18 to May 12, 2016. All participants were required to pass a background check.

Although hackers and bug hunters were permitted to hack the agency's web properties, critical and highly sensitive systems of the Pentagon were out of bounds for the bounty program.

When the Hack the Pentagon was initially announced in March, Carter said he believed this effort would "strengthen our digital defenses and ultimately enhance our national security." And yes, it did.

Thursday, 26 May 2016

Apple hires Encryption Expert to Beef Up Security on its Devices



Apple re-hires Encryption Expert to Beef Up Security on its Devices

The FBI and other law enforcement agencies have waged legal war on encryption and privacy technologies.

You may have heard many news stories about the legal battle between Apple and the FBI over unlocking an iPhone that belonged to the San Bernardino shooter. However, that was just one battle in a much larger fight.

Now, in an effort to make its iPhone surveillance-and-hack proof, Apple has rehired security expert and cryptographer Jon Callas, who co-founded the widely-used email encryption software PGP and the secure-messaging system Silent Circle that sells the Blackphone.

This is not Apple’s first effort over its iPhone security.

Just a few months back, the company hired Frederic Jacobs, one of the key developers of Signal, the world's most secure, open source and encrypted messaging app.

Now Apple has rehired Callas, who has previously worked for Apple twice, first from 1995 to 1997 and then from 2009 to 2011.

During his second stint, Callas designed a full-disk encryption system to protect data stored on Macintosh computers.

Apple's decision to rehire Callas comes after rumors that the company is working on improving the security of its iOS devices in such a way that even Apple can't break into them.


Earlier this year, Apple was engaged in a battle with the US Department of Justice (DoJ) over a court order asking the company to help the FBI unlock iPhone 5C of San Bernardino shooter Syed Farook.

Basically, the company was being forced to create a special, backdoored version of its iOS so that the FBI could brute-force the passcode on Farook's iPhone without losing the data stored on it.

Apple refused to do so, and now the company wants to remove its own ability to break iPhone security in future iPhone models, thereby eliminating the chance for government and intelligence agencies to demand backdoors.