Maintaining our health is a priority for many of us, so it’s only natural that in the modern digital age we’ve developed thousands of health apps and gadgets to monitor our fitness and keep us on track. One of the most popular health apps is MyFitnessPal, in which users log their daily diet and exercise to work out their optimal caloric intake. Now those users may have unwittingly shared their data with a group of cybercriminals who breached the popular app. Just yesterday, it was revealed that 150 million accounts for the MyFitnessPal site and app were breached earlier this week.
As of now, few details have emerged about how the attack happened or what the intention was behind it. While the breach did not compromise financial data, large troves of other personal information were affected. The impacted information included usernames, email addresses, and hashed passwords.
MyFitnessPal, which is a subsidiary of Under Armour, has notified affected customers of the breach, and Under Armour has released an official statement making the public aware of the attack as well. So now that potentially impacted customers are aware of the breach – what next?
There are a few security steps affected customers should take immediately. Start by following these pointers below:
Change your password immediately. If you are a MyFitnessPal user, you should first and foremost change the password to your account. Then, you should also change your password for any other account on which you used the same or similar information used for your MyFitnessPal account.
Stay vigilant. Another way cybercriminals can leverage stolen emails is by using the list for phishing email distribution. If you see something sketchy or from an unknown source in your email inbox, be sure to avoid clicking on any links provided. Better to just delete the email entirely.
Monitor your credit card statement. If cybercriminals use the stolen credentials to get into other accounts where you reused the same password, they may reach financial data too. It’s better to be safe than sorry: scan your credit card statement regularly for any suspicious or irregular activity, and if you see anything odd, flag it to your bank immediately.
Lock down your mobile device. If for some reason the MyFitnessPal app is impacted by this attack, or in the future, it’s best you ensure the data stored on your mobile device is secure. To do just that, use a mobile security solution such as McAfee Mobile Security.
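The caveat behind the first two pointers is that "hashed" does not mean "safe": a leaked table of fast, unsalted hashes can be run against a wordlist offline, and one cracked password opens every other account where it was reused. The script below is an added illustration, not code from the McAfee post or from MyFitnessPal. The post does not say which hash scheme was in use, so unsalted SHA-1 is assumed as the worst realistic case; the per-user-salted PBKDF2 store is the contrast, with an assumed work factor of 50,000 iterations. Users, passwords and the wordlist are all constructed for the example.

```python
from __future__ import annotations

import hashlib
import os

# Constructed wordlist. Real attackers use the hundreds of millions of
# passwords exposed in earlier breaches, not ten words.
WORDLIST = ["123456", "password", "fitness2018", "letmein", "qwerty",
            "iloveyou", "sunshine", "calories1", "dragon", "monkey"]

# Constructed accounts (not real users). Which hash MyFitnessPal used is
# not stated in the post; unsalted SHA-1 is assumed as the worst case.
PLAINTEXT = {
    "alice@example.com": "fitness2018",
    "bob@example.com": "calories1",
    "carol@example.com": "T7#v!qL9p@zW",   # not in any wordlist
    "dave@example.com": "fitness2018",     # reuses alice's password
}


def sha1_hex(pw: str) -> str:
    return hashlib.sha1(pw.encode()).hexdigest()


# What an attacker holds after the breach under the SHA-1 assumption.
LEAKED_SHA1 = {user: sha1_hex(pw) for user, pw in PLAINTEXT.items()}


def crack_unsalted(leaked: dict[str, str], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """Dictionary attack on unsalted hashes.

    Each guess is hashed once and looked up against every account at
    the same time, so the cost is len(wordlist) regardless of how many
    accounts leaked, and users who share a password fall together.
    Returns (recovered passwords by user, hash computations performed).
    """
    by_hash: dict[str, list[str]] = {}
    for user, digest in leaked.items():
        by_hash.setdefault(digest, []).append(user)
    recovered: dict[str, str] = {}
    work = 0
    for guess in wordlist:
        work += 1
        for user in by_hash.get(sha1_hex(guess), []):
            recovered[user] = guess
    return recovered, work


ITERATIONS = 50_000  # assumed work factor; production deployments tune this


def slow_hash(pw: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash (PBKDF2 because it is in the standard
    library; bcrypt and scrypt serve the same purpose)."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITERATIONS)


def make_salted_store(creds: dict[str, str]) -> dict[str, tuple[bytes, bytes]]:
    store: dict[str, tuple[bytes, bytes]] = {}
    for user, pw in creds.items():
        salt = os.urandom(16)          # unique per user
        store[user] = (salt, slow_hash(pw, salt))
    return store


def crack_salted(store: dict[str, tuple[bytes, bytes]], wordlist: list[str]) -> tuple[dict[str, str], int]:
    """Same attack against the salted store: every guess must be recomputed
    for every user, and each computation costs ITERATIONS rounds."""
    recovered: dict[str, str] = {}
    work = 0
    for user, (salt, digest) in store.items():
        for guess in wordlist:
            work += 1
            if slow_hash(guess, salt) == digest:
                recovered[user] = guess
                break
    return recovered, work


if __name__ == "__main__":
    fast, fast_work = crack_unsalted(LEAKED_SHA1, WORDLIST)
    slow, slow_work = crack_salted(make_salted_store(PLAINTEXT), WORDLIST)
    print("unsalted SHA-1:", fast, "in", fast_work, "hashes")
    print("salted PBKDF2:", slow, "in", slow_work, "hashes x", ITERATIONS, "rounds")
```

Both stores give up the same weak passwords; the difference is that the salted, slow store costs the attacker roughly 24 × 50,000 hash rounds for four accounts instead of 10 hashes for any number of accounts. Neither scheme protects carol's strong, unique password less than the other, which is why the advice to change reused passwords everywhere is the part that matters most.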
And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.
Source: https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/myfitnesspal-accounts-data-breach/
This entry was posted in Research, Vulnerabilities on March 30, 2018 by Brad Haas
In February, we wrote about a vulnerability on three shared hosting services. Following our Vulnerability Disclosure Policy, we had alerted them about vulnerable permissions on shared drives on their servers. They fixed the problem, making things safer both for their customers and for their customers’ site visitors.
During the past month we noticed the same kind of attacks happening on websites hosted with MelbourneIT (and NetRegistry.com.au, which they own). We were able to verify the same vulnerability on their platform, and we disclosed it to them. We’re happy to say they moved quickly to fix it as well.
A Note on Disclosure and Responsible Vendors
It’s important to note that vulnerabilities are a fact of life in any service, system or software. Finding, confidentially disclosing and fixing vulnerabilities is how our industry works with the information security community to improve the products and services we all use and to keep the public safe. The process that we use is well-established, and widely used by organizations that include Google’s Project Zero.
When we find vulnerabilities and vendors are responsive, you benefit as a customer of those vendors and can know that your vendor reacts quickly to fix security problems and will likely do so long term, keeping you and your data safe.
A disclosure like this is not an opportunity for “vendor shaming” or a witch hunt. All developers who write enough code will write vulnerabilities at some point in their career. Instead, it’s a moment to celebrate responsive vendors and a well-handled incident that left customers and the online community safer.
At Wordfence, we are excited when a vendor works closely with us to fix a vulnerability, and responsive vendors garner the greatest respect from our engineering team.
Customer files on MelbourneIT cloud hosting are housed in a couple of different shared drives, and the directory names follow a set pattern. For example: /clientdata/apache-www/e/x/example.com.au/www
As in the platforms we wrote about in February, all of the directories down to /clientdata/apache-www/e/x belonged to the root account and did not permit directory listing by other users. But they were all world-traversable (the execute bit was set for “other”), and the directories containing the site files were world-readable (along with the files themselves). So any user on the server who knew the full path to a site root directory could list and read the files in it, even though they could not discover that path by listing the parent directories.
For example, a hacker could take over example.com.au. Then, using DNS tools, they could find other WordPress sites running on the same IP address. They might find otherexample.com.au and correctly guess that it was stored in /clientdata/apache-www/o/t/otherexample.com.au/www. Knowing that full path, they could read the wp-config.php file and use the credentials in it to tamper with the database of otherexample.com.au.
As in the previous cases, there was little anyone could do to prevent exploitation. Thankfully, the team at MelbourneIT took the issue very seriously, and moved quickly to fix it. Our disclosure to their security team was on March 6. They notified us on March 14 that they were rolling out a patch, and notified us on March 19 that deployment was complete.
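The hole described above comes down to mode bits on a handful of directories, and the check any customer on a shared host can run is a simulated path lookup as a user who is neither owner nor group member. The script below is an added example, not Wordfence’s or MelbourneIT’s code: it builds a throwaway copy of the described layout under a temp directory (the directory names come from the post; the modes 0711 for “traversable but not listable” and 0755 for “world-readable” are assumed from the description), reproduces the attacker’s path guess from a domain name, reports the first component that stops an unprivileged user, and then applies one assumed remedy, dropping the “other” bits on the per-customer directory. The real fix MelbourneIT deployed is not described in the post.

```python
import os
import shutil
import stat
import tempfile


def guess_site_path(domain: str, base: str = "/clientdata/apache-www") -> str:
    """The guess an attacker makes from a domain name alone, following the
    pattern in the post: <base>/<first char>/<second char>/<domain>/www."""
    return os.path.join(base, domain[0], domain[1], domain, "www")


def other_can_read(target: str, start: str) -> tuple[bool, str]:
    """Simulate a lookup by a user who is neither owner nor group member.

    `start` is treated as already reachable; every directory from there
    down needs o+x (traversal) and the target itself needs o+r. Ownership
    is irrelevant to such a user: a root-owned 0711 directory lets them
    through, it only stops them listing it.
    """
    rel = os.path.relpath(target, start)
    cur = start
    for part in rel.split(os.sep):
        if not os.lstat(cur).st_mode & stat.S_IXOTH:
            return False, f"{cur}: no o+x, traversal stops here"
        cur = os.path.join(cur, part)
    if not os.lstat(cur).st_mode & stat.S_IROTH:
        return False, f"{cur}: no o+r, cannot read"
    return True, f"{cur}: readable by any local user"


def build_demo_tree(domain: str = "otherexample.com.au") -> tuple[str, str, str]:
    """Throwaway copy of the described layout. Modes are assumed:
    0711 on the root-owned parents, 0755 on the customer's directories."""
    base = tempfile.mkdtemp()
    os.chmod(base, 0o711)
    www = guess_site_path(domain, os.path.join(base, "clientdata", "apache-www"))
    os.makedirs(www)
    cur = base
    for part in os.path.relpath(www, base).split(os.sep):
        cur = os.path.join(cur, part)
        os.chmod(cur, 0o711)               # traversable, not listable
    site_dir = os.path.dirname(www)        # .../otherexample.com.au
    os.chmod(site_dir, 0o755)              # the vulnerable setting
    os.chmod(www, 0o755)
    cfg = os.path.join(www, "wp-config.php")
    with open(cfg, "w") as f:             # constructed stand-in for a real config
        f.write("<?php define('DB_PASSWORD', 'constructed-secret');\n")
    os.chmod(cfg, 0o644)
    return base, site_dir, cfg


def harden_site_dir(site_dir: str) -> None:
    """Assumed remedy: no 'other' bits on the per-customer directory, so only
    its owner and group (the customer plus the web server's group, which the
    host must arrange) can enter it."""
    os.chmod(site_dir, 0o750)


def demo() -> tuple[bool, bool]:
    """Returns (readable before hardening, readable after hardening)."""
    base, site_dir, cfg = build_demo_tree()
    try:
        before, why_before = other_can_read(cfg, base)
        harden_site_dir(site_dir)
        after, why_after = other_can_read(cfg, base)
        print(why_before)
        print(why_after)
        return before, after
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(guess_site_path("otherexample.com.au"))
    print(demo())
```

Run against a real hosting account, replace `start` with `/` and `target` with your own site root: the checker never opens any file, so it is safe to point at a live path, and the component it names is the one whose bits need changing.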
What You Need to Do
If you use the cloud hosting service on MelbourneIT or Netregistry.com.au, use Wordfence to check your site for issues. In particular, there may be rogue administrator accounts created, or passwords changed on existing administrator accounts. The attackers are also adding malicious scripts and cloaked spam into posts and pages. If your site has these issues, we recommend our comprehensive learning center resources to help you resolve them.
We are pleased with the positive impact adding service vulnerabilities to our Vulnerability Disclosure Policy is already having. The hosting companies we have worked with have been generally responsive, deploying fixes to issues that were leaving many WordPress sites vulnerable to hacking.
With the popularity of WordPress today, the security of the WordPress community at large is critically important. We are pleased to see that our new approach is working to support that need and bringing about an improved overall security posture for the community.
Our Security Services Team continues to analyze hundreds of hacked websites each month, so we expect to find more of these on an ongoing basis. We will continue to provide updates here on the blog.
Note: All product names, logos, and brands are property of their respective owners. All company, product and service names used in this website are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.
Source: https://www.wordfence.com/blog/2018/03/service-vulnerability-melbourneit-fixes-nfs-permissions-problem/
In this episode, John James Jacoby and I discuss the news of the week including, the removal of offensive lyrics in Hello Dolly, a request for plugin developers to stop supporting legacy PHP versions, and changes coming in WordPress 4.9.5.
We also talk about community management, the difference between comments and forums, and finally, John shares his concerns on how the Gutenberg call-out prompt is being built into core.
A Plea For Plugin Developers to Stop Supporting Legacy PHP Versions
Without Context, Some Lyrics Inside the Hello Dolly Plugin Are Degrading to Women
Why Gutenberg and Why Now?
Noteworthy Changes Coming in WordPress 4.9.5
In WordPress 4.9.5, Users Will Be Two Clicks Away From Installing and Activating Gutenberg From the Dashboard
Picks of the Week:
How to Disable Push Notification Requests in Firefox
Facebook Container Add-on for Firefox
Next Episode: Wednesday, April 4th 3:00 P.M. Eastern
Subscribe to WordPress Weekly via Itunes
Subscribe to WordPress Weekly via RSS
Subscribe to WordPress Weekly via Stitcher Radio
Subscribe to WordPress Weekly via Google Play
Source: https://wptavern.com/wpweekly-episode-310-community-management-php-and-hello-dolly
This entry was posted in General Security on March 29, 2018 by Dan Moen
Yesterday the Drupal security team announced a highly critical unauthenticated remote code execution vulnerability in Drupal core. The vulnerability allows an attacker to leverage multiple attack vectors and take complete control of a website. The Drupal team estimates that, at the time of the announcement, over one million sites are affected – about 9% of Drupal sites. They also reported that, to their knowledge, it was not being actively exploited.
We normally don’t cover Drupal vulnerabilities on this blog, but given the nature and scope of the issue, we felt compelled to help spread the word via this public service announcement (PSA).
Site owners should upgrade to a safe version of Drupal core immediately. While the reports of no active exploitation are reassuring, the announcement will draw a lot of attention from attackers. Given the nature of the vulnerability, there is a race between site owners upgrading and attackers working out an exploit.
Here is a high-level summary of the versions impacted and recommended actions:
Sites running Drupal 8.x should update to version 8.5.1
Sites running Drupal 7.x should update to version 7.58
There are patches available for 8.3.x and 8.2.x versions
Sites running end of life versions will need to upgrade to a supported version of Drupal
A more detailed overview of upgrade recommendations from the Drupal security team is available on Drupal.org. They have also published a detailed FAQ.
Looking at the diff of the patches provided by the Drupal team, it reveals a new DrupalRequestSanitizer class used to sanitize user input.
This class is used to filter values from the query string, post body, and cookies that begin with #.
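To make the patch’s behaviour concrete, here is an added example in Python that does what the post describes: strip every key beginning with `#` from the query string, the POST body and the cookies, recursing into nested arrays because PHP turns `a[b][#c]=1` into a nested array and a `#` key can hide at any depth. It is not the source of DrupalRequestSanitizer, which is PHP; the minimal bracket parser is an assumed stand-in for PHP’s parse_str(), and the sample requests are constructed.

```python
from __future__ import annotations

from urllib.parse import parse_qsl


def parse_php_query(qs: str) -> dict:
    """Minimal model of PHP's parse_str(): 'a[b][c]=v' becomes nested dicts
    and 'a[]=v' appends under an integer key. Enough to reproduce the shape
    of the data being sanitized; not a full reimplementation."""
    result: dict = {}
    for raw_key, value in parse_qsl(qs, keep_blank_values=True):
        path = raw_key.replace("]", "").split("[")
        node = result
        for i, part in enumerate(path):
            key: str | int = len(node) if part == "" else part
            if i == len(path) - 1:
                node[key] = value
            else:
                node = node.setdefault(key, {})
    return result


def strip_hash_keys(data, path: str = "") -> tuple[object, list[str]]:
    """Return a copy of `data` with every '#'-prefixed key removed at any
    depth, plus the list of removed key paths for logging."""
    removed: list[str] = []
    if not isinstance(data, dict):
        return data, removed
    cleaned: dict = {}
    for key, value in data.items():
        here = f"{path}[{key}]" if path else str(key)
        if isinstance(key, str) and key.startswith("#"):
            removed.append(here)
            continue
        cleaned[key], sub = strip_hash_keys(value, here)
        removed.extend(sub)
    return cleaned, removed


def sanitize_request(query_string: str, post_body: str, cookies: dict) -> dict:
    """Apply the same filter to the three request sources the post names.
    Cookies are taken as an already-parsed name -> value mapping."""
    out: dict = {}
    for name, data in (("GET", parse_php_query(query_string)),
                       ("POST", parse_php_query(post_body)),
                       ("COOKIE", dict(cookies))):
        out[name], out[name + "_removed"] = strip_hash_keys(data)
    return out


if __name__ == "__main__":
    # Constructed request: one '#' key nested two levels down in the body.
    sanitized = sanitize_request(
        "q=search",
        "form[#a]=1&form[b][#c]=2&d=3&e[]=4",
        {"#bad": "1", "session": "abc"},
    )
    for source in ("GET", "POST", "COOKIE"):
        print(source, sanitized[source], "removed:", sanitized[source + "_removed"])
```

The recursion is the point: a filter that only looked at top-level keys would pass `form[b][#c]` untouched, and the removed-key list is what you would log to see whether anyone is probing a site with such keys.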
A proof of concept demonstrating the attack has not yet been made public, but we expect that one will be made available soon.
This vulnerability has been nicknamed “Drupalgeddon 2.” The previous Drupalgeddon was rated just as severe, and automated attacks against unpatched Drupal sites appeared within hours of the public announcement of that vulnerability.
Please help us spread the word about this potentially nasty vulnerability to other site owners so they can stay a step ahead of attackers.
Source: https://www.wordfence.com/blog/2018/03/drupalgeddon2/
Is it time to #deleteFacebook? Facebook’s long line of dramas has many of us rethinking our dependence on Mark Zuckerberg’s largest social media platform. While many of us were alarmed at the fake news allegations last year, the recent scandal with Cambridge Analytica has us genuinely spooked and now asking ourselves this question.
The fact that Facebook allowed British data analysis firm Cambridge Analytica to tap the Facebook profiles of more than 50 million users without their knowledge has many of us questioning both our – and our children’s – relationship with the social media platform. How compromised is our privacy? What’s really happening with our data? Is our every online move really being monitored?
The immediate reaction of many is to delete their Facebook accounts and insist their kids do the same. When news broke of the Cambridge Analytica scandal, the #deleteFacebook hashtag trended heavily on Twitter. Many high profile tech types deleted their personal and business Facebook accounts and, consequently, drove the Twittersphere into a frenzy.
To #DeleteFacebook Or Not To #DeleteFacebook?
But many of us can’t really afford to be idealists. Some of us run online businesses and rely heavily on Facebook. Others use Facebook for our jobs. Many of us (and our kids) use Facebook to run our social lives – organise events and parties, remember birthdays and stay in touch with friends and family across the world. And for nearly all of us, it is our digital scrapbook that preserves our important life events, shared moments and memories. In short, we would be lost without it.
While the black and white idealist in me absolutely agrees that we should delete Facebook, the realist in me acknowledges that life is often lived in the shades of grey. Facebook has spent more than a decade making itself a deeply entrenched part of our modern society. Saying farewell to this part of your life is a decision that I believe many of us would find almost impossible to make.
So, while deleting Facebook from your online life is the most drastic way of protecting your data, there are steps you can take to keep your account more secure and your personal information more private. Here are my top recommendations:
Set up new logins for each app you are using.
Setting up a new login and password for each app you’re using is a great way to protect yourself and your data online. Login may take fractionally longer but it will help ensure your data is not shared between different services.
Review your third party apps – the ones you joined using Facebook.
Facebook has made it just so easy for us to download apps using our Facebook settings that many of us have acquired quite the collection of apps. The problem is that Facebook provides these apps with our data including our name, location, email or even our friends list. So, review these apps, people! Not sure where to start? Go to Settings > Apps > Logged in with Facebook and remove anything that doesn’t absolutely need access to your Facebook profile. You will still have to contact the app developer to ensure they have deleted the data they already have gathered on you. Tedious but worth it!
Don’t overshare on social media.
Oversharing online gets many of us including our kids into trouble and allows cybercriminals and ‘data analysis types’ the ability to form an accurate picture of us very quickly! Being conscious of what is publicly available from your social media profiles is essential. Ensure every member of the family knows to NEVER share their telephone number, address or details of their school online. Also rethink whether you really want your relationship status made public, or the city of your birth.
Cull your Friends list.
The Cambridge Analytica scandal should provide us all with a reality check about how we manage online friends. In 2015, an app entitled ‘this is your digital life’ was developed by Cambridge Professor Dr Aleksandr Kogan and then downloaded by 270,000 users. Those who opted in allowed the app access to their information – including their friends – which then gave Kogan access to the data of over 50 million Facebook users. Facebook have reportedly since changed their terms of service and claim app developers can no longer access this detail, or at least, not at the same level of detail. So, go through your friend list and delete those you barely know or who were just passing acquaintances. Do you really want to share your personal or family updates with these people?
Choose a different social media platform to connect to apps.
If an app lets you choose which account you use to login, pick one which holds limited data about its users. Twitter could be a good choice as it tends to hold less personal information about you.
And while I salute those who are bold enough to #deleteFacebook and insist their kids do so, I know that it isn’t for me. I choose to stay. I’ll navigate my way around the risks and flaws, so I can enjoy the upside – belonging to my community, keeping my job and adding to my digital scrapbook.
Till next time,
Source: https://securingtomorrow.mcafee.com/consumer/family-safety/deletefacebook-do-you-really-need-to/