WordPress 4.2.1 Critical Security Release

WordPress 4.2.1 Security Release

WordPress 4.2.1 is now available. This is a critical security release for all previous versions, and we strongly encourage you to update your sites immediately. On April 27, 2015, the WordPress team was made aware of a cross-site scripting vulnerability that could enable commenters to compromise a site.

If your website is powered by WordPress, please upgrade it ASAP. Here is the procedure we recommend:

1- Back up your hosting account using your account’s Plesk Panel Backup Manager.
2- Upgrade WordPress. There are two ways of doing that:
  • If you installed WordPress from the Plesk Panel Applications tab, you can upgrade it from the Panel.
  • If you installed WordPress yourself, log in to your WordPress Admin Dashboard and upgrade it from there.
3- Check that everything is working.
4- Back up your upgraded installation as a precaution.

ISIL Defacements Exploiting WordPress Vulnerabilities – update now

The FBI has warned that ISIL is exploiting vulnerabilities in WordPress sites running out-of-date versions of WordPress or old versions of certain plugins or themes to deface the sites.

The FBI’s statement: http://www.ic3.gov/media/2015/150407-1.aspx

Sucuri’s writeup with mention of specific plugins to check: http://blog.sucuri.net/2015/04/fbi-public-service-annoucement-defacements-exploiting-wordpress-vulnerabilities.html

The current version of WordPress (as of 4/8/2015) is 4.1.1.  If you are running any earlier version, you are vulnerable.  If you need to upgrade, you can do so from your WordPress admin login or by downloading the latest version of WordPress from https://wordpress.org/.  Don’t forget to update any out-of-date plugins or themes as well.
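A way to find out-of-date WordPress installs across a hosting server, as an added example that is not part of the original post and not code from WordPress or Plesk: it reads the core version from each install’s wp-includes/version.php (the file where WordPress records $wp_version) and compares it against a minimum version you supply. The directory layout and the three sample installs that demo() builds are constructed for the demonstration; the minimum version passed in (4.1.1, the current release named above) is the operator’s choice.

```python
import re
import tempfile
from pathlib import Path

# WordPress stores its core version in wp-includes/version.php as:  $wp_version = '4.1.1';
VERSION_RE = re.compile(r"""\$wp_version\s*=\s*['"]([0-9][0-9A-Za-z.\-]*)['"]\s*;""")


def parse_version(text):
    """Turn '4.1.1' into (4, 1, 1) so versions compare numerically; '4.2' becomes (4, 2, 0)."""
    nums = []
    for part in text.split("."):
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums[:3])


def read_wp_version(docroot):
    """Return the core version string of the install at docroot, or None if it isn't WordPress."""
    version_file = Path(docroot) / "wp-includes" / "version.php"
    if not version_file.is_file():
        return None
    m = VERSION_RE.search(version_file.read_text(errors="replace"))
    return m.group(1) if m else None


def find_installs(hosting_root, minimum):
    """Walk hosting_root for WordPress installs and mark each 'ok' or 'outdated' against minimum."""
    required = parse_version(minimum)
    report = []
    for version_file in Path(hosting_root).rglob("wp-includes/version.php"):
        docroot = version_file.parent.parent
        found = read_wp_version(docroot)
        if found is None:
            continue
        status = "outdated" if parse_version(found) < required else "ok"
        report.append((str(docroot), found, status))
    return sorted(report)


def demo():
    """Build three constructed installs in a temp dir (sample data, not real sites) and scan them."""
    with tempfile.TemporaryDirectory() as root:
        samples = {"site-a": "4.1.1", "site-b": "4.0.1", "site-c": "4.2.1"}
        for name, ver in samples.items():
            inc = Path(root) / name / "wp-includes"
            inc.mkdir(parents=True)
            (inc / "version.php").write_text(f"<?php\n$wp_version = '{ver}';\n")
        return [(Path(d).name, v, s) for d, v, s in find_installs(root, "4.1.1")]


if __name__ == "__main__":
    for docroot, version, status in demo():
        print(f"{status:8} {version:8} {docroot}")
```

On a real server you would call find_installs on the directory that holds the customers’ document roots and pass the release you require as the minimum; anything reported as outdated is a site whose core needs the upgrade described above, after which the plugin and theme versions still need a separate check.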

If you need help updating your HIS-hosted WordPress site, open a support request ticket at http://info.his.com/support/support.his.com.html

Don’t let your email account get hijacked – tips

Email accounts are prime targets for spammers, who can no longer send spam directly from malware-infected computers because of improved spam filtering and steps that major providers like Verizon/Comcast/Cox have taken.  If a spammer can hijack an email account, he’ll be able to send spam at high speed from a legitimate account until he gets caught.  We’re good at detecting this, but when it happens it’s inconvenient for the legitimate account holder, since we have to change the password and the account owner will be locked out until they set the password again and update the password on their computer/phone/etc.

The most common ways that bad guys obtain login info are:

  • Phishing email – the kind that takes you to a supposedly legitimate web link where you’re tricked into entering your email username and password.
    • Some of these messages are very real-looking.  Best practice: never enter login info on a web page that you got to by clicking a link in email.
  • Hotel wi-fi or a public wi-fi hotspot where bad guys were sniffing the network.
    • We’ve seen quite a few of these cases.  Hotel wi-fi is particularly dangerous.  You’re better off using your phone’s wireless connection at hotels and coffee shops.
  • You’ve used the same username and password somewhere else (adobe.com, ebay.com, etc.) and that site got hacked.
    • This is probably the #1 way people get hacked.  Never use the same username and password on multiple sites.  You will get bitten if you do.
  • Malware on your computer that’s sending your keystrokes and other info to the bad guys’ mother ship.
    • When this is what’s happening, your account will usually get hacked again quickly after you’ve changed your password.  Set your PC to scan for malware daily, and run a full scan every now and then so the anti-virus scanner checks everything (default scans usually cover only the most likely locations for malware).  Make sure your PC is set to receive automatic updates to virus definitions – there is a new virus every few minutes, so you need to update your definitions at least daily.
  • Your password is easy to guess.  Our systems lock out password-guessers quickly, but they get a few tries before they’re locked out, and if your password is super simple (12345 / ILoveAndy / etc.) they might get lucky.

There are a lot of bad guys and they’re highly motivated, but if you’re careful, odds are your account won’t get hijacked.


eBay passwords compromised

According to Ars Technica, encrypted eBay passwords and other information have been stolen by cyberattackers.  If you have an eBay account, change your password ASAP.  If your eBay password is one you’ve used on other services, including your accounts with HIS, change those passwords too, and don’t use the same password on more than one service.

When password lists are leaked this way, even in encrypted form, the bad guys have very powerful tools for cracking the passwords.  The cracked passwords go into their database of passwords known to be in use somewhere, and therefore probably in use somewhere else too, which increases your likelihood of being hacked on another system if you’re using the same password there.

We know that it’s a pain to change passwords, especially email passwords where you might have several devices checking your account (a phone, a tablet, multiple computers), but it’s a bigger pain to get hacked.  When we detect a hacked account, we change the password immediately, and from then until we can reach you, you’re without access to your account.  If you use strong passwords (mixed upper/lower case, numbers, punctuation) and you don’t use a password on more than one account, your odds of having your account hijacked are greatly reduced.

Resolved: spam.his.com backlog 5/19/2014

Starting at 6:30 AM on Monday, 5/19/2014, multiple servers were hit with a high-volume spam flood from a Russian botnet that had hijacked user email accounts.  The volume was so high that spam.his.com, which filters both incoming and outgoing mail, became backlogged and mail delivery became very slow.  We identified the problem shortly after 7 AM and blocked the botnet, but it took several hours to clear the unprocessed queue of this spam because we wanted to avoid accidentally deleting any legitimate mail.  This problem has been resolved and mail delivery was normal (about 3 seconds after receipt) by 11 AM.

Our early-warning system caught this quickly, but the volume of spam from this large botnet was extraordinarily high, causing the backlog.  We’re looking at ways to detect hijacked email accounts more quickly.

Our servers do a good job of blocking the thousands of bots attempting to guess user passwords on each server every day, but if your password is a simple one, or is one that you’re using on some other system that has been compromised (Adobe, Twitter, Evernote, Dropbox, etc.), the bad guys can test and confirm your password on the first try and we won’t detect that as an attack.  If you’re using your password on any other system, consider changing it ASAP, and choose a strong password (mixture of upper/lower case letters, some numbers, some punctuation).
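As an added illustration, not HIS’s own monitoring code, of the two detections discussed here and in the email-hijacking tips above, the following script applies two sliding-window rules to mail-server log lines: lock out a source IP after repeated failed logins, and flag an account whose outbound recipient count in a short window is far above normal. The log format and every event in SAMPLE_LOG are constructed for the example, and the thresholds are assumptions. The constructed “carol” case is the one this paragraph describes: the attacker already has the password, the login succeeds on the first try, so only the outbound-volume rule can catch it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (not HIS's real format): "<timestamp> <event> user=<u> ip=<ip> [rcpt=<n>]"
LINE_RE = re.compile(
    r"^(\S+) (auth-ok|auth-fail|sent) user=(\S+) ip=(\S+)(?: rcpt=(\d+))?$"
)

# Constructed sample: alice is a normal user; bob's account is being guessed at from one IP;
# carol's password is already known to the attacker (login succeeds first try); dave mistypes once.
SAMPLE_LOG = """\
2014-05-19T06:30:00 auth-ok user=alice ip=192.0.2.10
2014-05-19T06:30:05 sent user=alice ip=192.0.2.10 rcpt=2
2014-05-19T06:30:20 auth-fail user=bob ip=198.51.100.7
2014-05-19T06:30:45 auth-fail user=bob ip=198.51.100.7
2014-05-19T06:31:10 auth-fail user=bob ip=198.51.100.7
2014-05-19T06:31:35 auth-fail user=bob ip=198.51.100.7
2014-05-19T06:32:00 auth-ok user=carol ip=203.0.113.9
2014-05-19T06:32:05 sent user=carol ip=203.0.113.9 rcpt=30
2014-05-19T06:32:40 auth-fail user=bob ip=198.51.100.7
2014-05-19T06:33:10 sent user=carol ip=203.0.113.9 rcpt=40
2014-05-19T06:34:30 sent user=carol ip=203.0.113.9 rcpt=50
2014-05-19T06:35:00 auth-fail user=dave ip=192.0.2.44
2014-05-19T06:35:30 auth-ok user=dave ip=192.0.2.44
2014-05-19T06:36:00 sent user=alice ip=192.0.2.10 rcpt=1
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, event, user, ip, rcpt = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
        "event": event,
        "user": user,
        "ip": ip,
        "rcpt": int(rcpt) if rcpt else 0,
    }


def detect(lines, max_fails=5, fail_window=timedelta(minutes=10),
           max_rcpts=100, send_window=timedelta(minutes=5)):
    """Return (locked_ips, flagged_users); each maps a name to the time its rule first fired.

    Rule 1: max_fails failed logins from one IP inside fail_window  -> lock the IP.
    Rule 2: more than max_rcpts recipients from one account inside send_window -> flag the account.
    Thresholds are assumed values for the example.
    """
    fails = defaultdict(deque)    # ip -> timestamps of recent failed logins
    sends = defaultdict(deque)    # user -> (timestamp, recipient count) of recent sends
    locked_ips, flagged_users = {}, {}
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["event"] == "auth-fail":
            window = fails[ev["ip"]]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > fail_window:
                window.popleft()          # drop failures that have aged out of the window
            if len(window) >= max_fails and ev["ip"] not in locked_ips:
                locked_ips[ev["ip"]] = ev["ts"]
        elif ev["event"] == "sent":
            window = sends[ev["user"]]
            window.append((ev["ts"], ev["rcpt"]))
            while window and ev["ts"] - window[0][0] > send_window:
                window.popleft()
            if sum(n for _, n in window) > max_rcpts and ev["user"] not in flagged_users:
                flagged_users[ev["user"]] = ev["ts"]
    return locked_ips, flagged_users


if __name__ == "__main__":
    locked, flagged = detect(SAMPLE_LOG.splitlines())
    for ip, when in locked.items():
        print(f"LOCKOUT  ip={ip} at {when:%H:%M:%S}")
    for user, when in flagged.items():
        print(f"HIJACK?  user={user} at {when:%H:%M:%S} (reset password, notify owner)")
```

Run against the sample, the guesser at 198.51.100.7 is locked on its fifth failure and carol is flagged on her third send, while her source IP never trips the lockout rule because it never failed a login; that gap is exactly why an outbound-volume rule is needed alongside the failed-login counter.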

Heartbleed OpenSSL bug – should you change your passwords?

You may have read about the bug in OpenSSL that allowed attackers to read random 64 KB chunks of server memory.  This bug was reported by CERT on Monday, April 7, 2014.  Software vendors supplied patches on April 7 and 8.  A few of our SSL servers were vulnerable; we applied all patches and confirmed that they worked on all servers on April 7 and 8.

Many of the most popular internet sites were affected, including Google, Facebook, Youtube, Yahoo!, Bing, Pinterest, Blogspot, Instagram, Tumblr, Reddit, Netflix, Yelp, Blogger, Dropbox, and the Washington Post (to name a few).

This was a nasty bug – it left no traces in server logs, so there’s no way to tell whether it was exploited by bad guys.  There’s an XKCD cartoon that shows how the exploit worked.

We prefer to err on the side of caution, so we have replaced our own SSL certificates and have changed important passwords.  Odds of your password being exposed on a server that we host are low, but not zero, and since many people use the same passwords on multiple sites (a really bad idea – don’t do this), we’re encouraging everybody to change their passwords.  If you use the same password on, say, Facebook, that you use with your email account, and bad guys managed to get the password from Facebook, you’re exposed.

Our Zimbra email servers were not vulnerable, but we still recommend that you consider changing your password anyway in case you’ve used the same password somewhere else.  Instructions for customers on Zimbra servers are here (use the webmail URL for your domain).  If your email account is on a Plesk server, instructions are here.  If you need help, open a ticket at https://support.his.com/home.

Changing your password isn’t mandatory, but it’s a good idea, especially if you think you may have used the same password anywhere else.


Microsoft Ending Support for Windows XP and Office 2003 4/8/2014

Windows XP has reached end-of-life, and there will be no updates or security patches for XP after April 8, 2014.  The bad news is that CERT estimates that 30% of all internet-connected PCs are still running XP, so a lot of people are going to be exposed to the latest malware with no help from Microsoft.

If you’re running Windows XP,  it’s time to upgrade (or change to Mac or Linux).


NCCIC / US-CERT

National Cyber Awareness System:

03/10/2014 10:56 AM EDT
Original release date: March 10, 2014

Systems Affected

  • Microsoft Windows XP with Service Pack 3 (SP3) Operating System
  • Microsoft Office 2003 Products

Overview

Microsoft is ending support for the Windows XP operating system and Office 2003 product line on April 8, 2014. [1] After this date, these products will no longer receive:

  • Security patches which help protect PCs from harmful viruses, spyware, and other malicious software
  • Assisted technical support from Microsoft
  • Software and content updates

Description

All software products have a lifecycle. End of support refers to the date when Microsoft no longer provides automatic fixes, updates, or online technical assistance. [2] As of February 2014, nearly 30 percent of Internet-connected PCs still run Windows XP. [3]

Microsoft will send “End of Support” notifications to users of Windows XP who have elected to receive updates via Windows Update. Users in organizations using Windows Server Update Services (WSUS), System Center Configuration Manager, or Windows Intune will not receive the notification. [4]

Impact

Computer systems running unsupported software are exposed to an elevated risk to cybersecurity dangers, such as malicious attacks or electronic data loss.

Users may also encounter problems with software and hardware compatibility since new software applications and hardware devices may not be built for Windows XP or Office 2003.

Organizations that are governed by regulatory obligations may find they are no longer able to satisfy compliance requirements. [4]

Solution

Computers operating Windows XP with SP3 or running Office 2003 products will continue to work after support ends. However, using unsupported software may increase the risk of viruses and other security threats.

Users have the option to upgrade to a currently supported operating system or office productivity suite. The Microsoft “End of Support” pages for Windows XP and Office 2003 offer additional details.

There are software vendors and service providers in the marketplace who offer assistance in migrating from Windows XP or Office 2003 to a currently supported operating system or office productivity suite. US-CERT does not endorse or support any particular product or vendor.

Users who choose to continue using Windows XP after the end of support may mitigate some risks by using a web browser other than Internet Explorer. The Windows XP versions of some alternative browsers will continue to receive support temporarily. Users should consult the support pages of their chosen alternative browser for more details.

References

Revision History

  • March 10, 2014 – Initial Release

FYI: CryptoLocker virus

CryptoLocker is a new virus that affects Windows PCs – if you get infected, a screen pops up telling you that your stored documents and images have been encrypted, and if you don’t pay $300 within 72 hours, the key required to decrypt your files will be destroyed and you’ll be out of luck.  There have been other ‘ScareWare’ viruses that popped up windows like this in the past, but this one actually does what it says.

Our spam filters do a very good job of blocking email that contains viruses, but since the bad guys are clever, it’s always possible for malicious email to get through until the spam filters figure out the new technique, and you could be exposed.  Also, if you have multiple PCs on your LAN, this virus can jump from an infected PC to the others over the ethernet or WiFi link, so you can be exposed that way as well.

Here’s the US-CERT announcement: http://www.us-cert.gov/ncas/alerts/TA13-309A – read this and follow their advice in the “Prevention” section of the writeup.

Other writeups on CryptoLocker:

Announcement: mail.his.com setting change for his.com and hers.com users

If you have a his.com or hers.com email address, check the settings in your email software (smartphone/tablet/laptop/computer/etc.) and make sure that mail.his.com is set as the hostname for both incoming and outgoing mail.  This has always been the correct setting, but for legacy reasons, using just his.com as the hostname has worked too.  Starting October 5, 2013, only mail.his.com will work as the hostname for his.com and hers.com users.

This change is being made for anti-spam reasons.  Some spammers (millions of them, actually) attempt to bypass spam filtering by ignoring the official mail exchanger (MX) records in DNS and connecting directly to whatever host the bare domain name resolves to.  We’re able to block most of this, but we need to block it all.

Summary:

  • this affects only users with his.com or hers.com email addresses.
  • check the settings in the email software on all your devices and make sure that mail.his.com is set as the hostname for both incoming and outgoing email.

We’ve been scanning the logs, and we think we’ve identified most of the folks this applies to, and we’ve sent email to everyone who we know needs to make the change.

his.com and hers.com users can access webmail as always at https://webmail.his.com

If you have any questions or need assistance, open a support ticket at https://support.his.com/contact