Must-Know Privacy and Security Compliances

With cyber attacks and data breaches on the rise, privacy and security compliance is more important than ever. What is compliance? Broadly, it means meeting the laws, regulations and industry standards that require private consumer and company data to be protected from theft and exposure.

Privacy and security requirements span many industries – education, government, healthcare and high-tech sectors such as cloud and SaaS. You may have heard of a few of them, such as HIPAA (healthcare) or SOC 2 (service organizations).

Neill Feather, president of SiteLock, recently wrote an article highlighting the top three privacy and security laws you should know, along with tips to help organizations improve website compliance. You can read it on GovLoop.

 

How to get your website hacked


Websites and web applications are being hacked more than ever (especially with the rise of online businesses and B2B SaaS platforms). An attacker who gains access to the system can compromise financial records, medical records and other personal information such as Social Security numbers and credit card numbers.

SiteLock president Neill Feather recently wrote an article on B2BNN covering five security issues that many websites and web applications face, with solutions, including payment handling (PCI DSS compliance), malware and password enforcement. The full article is on B2BNN.

SiteLock and the WordPress Genericons XSS Vulnerability: What You Need to Know

Earlier this week a security researcher reported a cross-site scripting (XSS) vulnerability in Genericons, the icon package used by WordPress. Genericons shipped an HTML demo file, example.html, that contained the flaw; because the package is bundled with the default WordPress theme, Twenty Fifteen, the vulnerable file is present on a very large number of sites.

The vulnerability was DOM-based (DOM meaning document object model): the flaw lies in JavaScript inside example.html that takes a value from the page URL and writes it into the document, so the browser itself builds the attacker's markup and the server never reflects the payload. The victim has to be coaxed into clicking a malicious link, which lowers the severity, but the vulnerable file is deployed so widely that the exposure is still broad.

The attack is carried out by crafting a link to the vulnerable example.html whose URL carries malicious JavaScript, and persuading a victim to click it. The server serves example.html unchanged; the page's own script then inserts the attacker's content into the DOM, and the browser executes it in the site's origin, with whatever cookies and sessions the victim holds there. A logged-in administrator who clicks such a link can therefore have their session used to take over the site.
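As an added illustration, not the Genericons file itself and not SiteLock's code, here is the DOM-based pattern just described in the shape a hypothetical icon demo page might contain it, with a hardened version beside it. The element object, the icon class names and the attack URL are assumptions constructed for the example; it runs under Node.js with no browser.

```javascript
// Added example (not from Genericons or WordPress): a DOM-based XSS sink that
// reads the URL fragment and writes it into the page, and a hardened version.
"use strict";

// Minimal stand-in for a DOM element so the code runs under Node.js:
// innerHTML is parsed as markup by a browser, textContent never is.
function fakeElement() {
  return { innerHTML: "", textContent: "" };
}

// Vulnerable sink (hypothetical, same shape as the reported flaw): the
// fragment is decoded and spliced straight into markup.  The fragment is
// never sent in the HTTP request, so the server only ever sees GET /example.html.
function showIconVulnerable(locationHash, el) {
  const name = decodeURIComponent(locationHash.slice(1)); // strip the leading '#'
  el.innerHTML = '<span class="icon icon-' + name + '"></span>';
  return el.innerHTML;
}

// Hardened version: the fragment is only ever supposed to be a short icon
// identifier, so validate it against that shape and refuse anything else
// instead of trying to escape arbitrary input into markup.
const ICON_NAME = /^[a-z0-9-]{1,40}$/;

function showIconHardened(locationHash, el) {
  let name;
  try {
    name = decodeURIComponent(locationHash.slice(1));
  } catch (e) {                         // malformed %-escape in the fragment
    name = "";
  }
  if (!ICON_NAME.test(name)) {
    el.textContent = "unknown icon";    // text node: never parsed as markup
    return null;
  }
  el.innerHTML = '<span class="icon icon-' + name + '"></span>';
  return el.innerHTML;
}

// Crude check used to demonstrate the difference: does the rendered markup
// contain a script tag or an inline event handler the page never intended?
function hasScriptSink(html) {
  return /<script|\bon[a-z]+\s*=/i.test(html);
}

// Constructed attack fragment: closes the class attribute and the span, then
// injects an element whose error handler runs attacker-chosen JavaScript.
const ATTACK_HASH =
  "#x%22%3E%3C/span%3E%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E";
const BENIGN_HASH = "#star";
```

In a real page the two functions would be handed window.location.hash and a real element; the contrast is that the vulnerable version produces markup containing the attacker's onerror handler, while the hardened version renders only names matching the expected pattern and puts everything else into a text node.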

As a SiteLock customer, here’s what you need to do.

First, don’t worry. Even though the exploit runs entirely in the browser, SiteLock TrueShield customer sites are virtually patched against it, and any follow-on activity, such as malicious code being placed on the site, will be caught by the TrueShield WAF or the SiteLock SMART scanner.

Next, update WordPress to the latest version, 4.2.2, released yesterday. Most WordPress installations will update automatically, though we recommend backing up your database and site files first. You can also delete example.html (every copy of it) from your site: the file is only a demo page, so removing it eliminates the vulnerability with no impact on the site. It is worth doing even with a WAF in front, because a DOM-based payload can be carried in the URL fragment (the part after #), which browsers never send to the server and which no server-side control can therefore inspect.

(It’s a good idea to remove example, test and development files from a production site anyway. Run ‘$ sudo find / -name example.html’ to find and review every copy on the server; scoping the search to the WordPress document root is faster and usually sufficient, since themes and plugins that bundle Genericons keep their copies there.)

WordPress is a powerful yet simple CMS that suits many blog, portfolio and e-commerce sites. The widespread adoption and scrutiny of its code base is a net positive, and SiteLock’s security products work in conjunction with WordPress’ growth. Stay tuned to The Website Risk Lockup for the latest in WordPress and internet security.

Who Else Is Reading Your Email? A Guide to PGP Encryption

We teach our kids not to share anything on the internet that they wouldn’t want their grandmothers to see. We tell our employees to be mindful of private information shared via email. But are we really doing all we can to protect this method of conversation? Over 204 million emails are sent each minute, yet email is one of the most overlooked technologies when it comes to cyber security. A recent study by Domo showed more than 53% of employees receive unencrypted and risky corporate data through email or an attachment. How can we help ensure that the information we’re exchanging is secure?

PGP, which stands for Pretty Good Privacy, is a good first step. It encrypts email between two people who each hold a PGP key pair; a key’s fingerprint (a hash of the public key) is how you confirm you have the right key for the right person.

Each PGP user has two keys. The private key is just that – protected and never shared. The public key is given to every correspondent, if not published to the world. The two work in opposite directions: anyone holding your public key can encrypt mail that only your private key can decrypt, so to write to someone you encrypt with their public key, and they decrypt with their private key. Your private key also signs your outgoing mail, and anyone with your public key can verify that signature and know the message came from you. This keeps unwanted observers out of the email conversation.

PGP has existed since 1991 and its core design has not changed much since; the message format is standardized as OpenPGP. Setting it up can be slightly confusing at first, but several guides online walk through the process.

As long as your recipient has PGP set up and holds your public key (and you hold theirs), they will be able to decrypt and read the message. Anyone else who intercepts it sees only garbled ciphertext. Note that PGP protects the message body and attachments, not the subject line or the sender and recipient addresses. Remember that an ordinary email is not sent securely and may be read by others along the way, so keep taking the proper precautions to safeguard yourself from security breaches at all times.

 

SiteLock Sponsors WHD.usa 2015

WHD.usa (WorldHostingDay USA) is an upcoming networking event for the hosting and cloud service markets, bringing together local service providers and international IT companies. WHD.usa will be WHD’s first event in the United States, and is taking place on May 19-20, 2015 at the 7Springs Ski & Mountain Resort in Pennsylvania.

WHD.usa will feature forums, panel discussions, breakout sessions and networking activities from industry leaders, including executives from Weebly, cPanel and ICANN. SiteLock will be joining companies like NEC and OpenSRS as a Gold Partner for the event.

“We want WHD.usa to be exceptional – for our partners, as well as their customers and visitors. Thus we are creating exceptional opportunities for a different customer approach and a completely new event experience. Sometimes it’s about re-thinking what’s possible.”

-Thomas Strohe, Founder of WHD

Registration for WHD.usa is open. Standard tickets are $349, and VIP tickets are $999. As part of our sponsorship of WHD.usa, you may use code LXX8TJT for discounted rates.

SiteLock and the WordPress 4.2 XSS Vulnerability: What You Need to Know

Recently, a security researcher disclosed a zero-day stored XSS vulnerability in WordPress, meaning it was previously unknown and, at the time, unpatched. It affected the latest WordPress release at the time, 4.2, as well as earlier versions.

The vulnerability lies in how WordPress stores comments in its MySQL database. Comment text goes into a TEXT column, which holds at most 65,535 bytes (64 KB); anything longer is silently truncated on insert. WordPress sanitizes a comment with its HTML allow-list before storing it, but the truncation happens afterwards, in the database. Given a previously approved comment (so that later comments from the same author are auto-approved), an attacker can post a comment built only from permitted HTML tags and pad it with roughly 64 KB of filler (perl -e ‘print “a” x 64000′). The filler pushes the comment’s closing quote and tag past the limit, the database drops them, and what remains is a malicious comment that passed validation in a form different from the one actually stored. When that comment is rendered, the attacker’s code runs in the browser of whoever views it, including administrators, and what it does is up to the attacker: creating backdoors, stealing credentials, malicious redirects and more.
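The ordering bug, as an added model in JavaScript that is not WordPress code: a simplified allow-list check stands in for wp_kses, a byte-truncating function stands in for the TEXT column, and the “fixed” version shows the one ordering that makes what is validated identical to what is stored. The tag and attribute lists, the payload shape and the length check are assumptions for the example; how the truncated fragment is finally turned into a live attribute when the page is rendered is not modeled.

```javascript
// Added example (not WordPress code): validate-then-truncate versus
// length-check-then-validate for a comment headed into a 64 KB TEXT column.
"use strict";

const MAX_COMMENT_BYTES = 65535;   // capacity of a MySQL TEXT column
const ALLOWED_TAGS = new Set(["a", "b", "i", "em", "strong", "code"]);
const ALLOWED_ATTRS = new Set(["href", "title"]);

const TAG_RE = /<(\/?)([a-zA-Z]+)([^<>]*)>/g;
const ATTR_RE = /\s*([a-zA-Z-]+)\s*=\s*('[^']*'|"[^"]*"|[^\s'"<>]+)/g;

// Allow-list check in the spirit of wp_kses: only known tags and attribute
// names, every attribute well formed, tags balanced, no stray '<' outside a
// complete tag.  Note it inspects attribute NAMES only: a title VALUE that
// happens to contain "onmouseover=" is, by itself, harmless and accepted.
function validateComment(html) {
  const stack = [];
  for (const m of html.matchAll(TAG_RE)) {
    const [, closing, rawName, attrs] = m;
    const name = rawName.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) return false;
    if (closing) {
      if (stack.pop() !== name) return false;
      continue;
    }
    let pos = 0;
    for (const am of attrs.matchAll(ATTR_RE)) {
      if (am.index !== pos || !ALLOWED_ATTRS.has(am[1].toLowerCase())) return false;
      pos = am.index + am[0].length;
    }
    if (attrs.slice(pos).trim() !== "") return false;
    stack.push(name);
  }
  if (html.replace(TAG_RE, "").includes("<")) return false; // unterminated tag
  return stack.length === 0;
}

// Model of a non-strict MySQL INSERT into a TEXT column: the value is silently
// cut at the column's byte capacity and whatever followed is lost.
function mysqlTextInsert(text) {
  return Buffer.from(text, "utf8").subarray(0, MAX_COMMENT_BYTES).toString("utf8");
}

// Vulnerable ordering: validate the full text, then let the database truncate.
function storeCommentVulnerable(html) {
  return validateComment(html) ? mysqlTextInsert(html) : null;
}

// Fixed ordering: refuse anything the column cannot hold BEFORE validating,
// so the validated text and the stored text are the same bytes.
function storeCommentFixed(html) {
  if (Buffer.byteLength(html, "utf8") > MAX_COMMENT_BYTES) return null; // "comment is too long"
  return validateComment(html) ? mysqlTextInsert(html) : null;
}

// Constructed payload in the shape of the 2015 report: an allowed <a> whose
// title VALUE smuggles an event handler, padded (the perl "a" x 64000 trick)
// so the closing quote and </a> fall past the limit and are truncated away.
const PAYLOAD =
  "<a title='x onmouseover=alert(1) style=position:absolute;left:0;top:0;width:5000px;height:5000px " +
  "A".repeat(64 * 1024) +
  "'>link</a>";
```

Running the two store functions over PAYLOAD shows the gap: the full comment satisfies the allow-list, the stored copy no longer does (its tag never closes), and the fixed ordering never lets it in. The general lesson is to check every size limit the storage layer enforces before, not after, content validation, because a database that truncates silently rewrites what you validated.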

If you run WordPress, here’s what you need to know.

WordPress versions 3.9.3, 4.1.1, 4.1.2 and 4.2 are confirmed to be vulnerable. WordPress 4.2.1 was released yesterday to address this vulnerability; back up your database and site files and upgrade to the latest version as soon as possible.

If an upgrade is not immediately feasible, disable comments, and do not approve any pending ones, until the update is applied.

Next, deploy a web application firewall (WAF). The SiteLock TrueShield™ WAF protects against cross-site scripting attacks, like this WordPress stored XSS vulnerability, regardless of platform patch level. All traffic to the site is analyzed, and requests containing malicious code are dropped before they reach your site.

Finally, enable the website scanner. This type of scanner crawls your WordPress site looking for malicious links and code. Any malicious code stored in the database and rendered on the page as comments or site content is flagged as malicious and the site owner is immediately alerted. For SiteLock customers, Expert Services are available to step in and quickly remove the malicious code.

As always, stay up to date on the latest WordPress patches, and stay locked in to The Website Risk Lock-Up for the latest security news.

 

OTA Receives SC Magazine Editor’s Choice Award

OTA (the Online Trust Alliance) was awarded SC Magazine’s Editor’s Choice award earlier this week, based on input from SC Magazine’s editors and over 40,000 readers. SC Magazine chose the OTA for its efforts to improve SSL best practices, botnet frameworks, integrity in email and data breach readiness.

OTA was also cited for its work in public policy and success in convening multi-stakeholder efforts. When asked about the award, SC Magazine’s Vice President of Editorial Illena Armstrong said “The Editor’s Choice Award is presented to the company or organizations that best exemplify the continued hard work and dedication to educating the industry on best practices for IT security and leading meaningful initiatives to positively impact the lives of our community.”

“The Online Trust Alliance truly lives up to their mission to create and promote innovation, best practices and key technologies that enhance trust and promote principles vital to technology adoption, growth and global access to information.”

SiteLock President Neill Feather is a current board member of OTA. For more on the partnership, see the SiteLock and OTA partnership page.

SiteLock and the Magento Vulnerability: What You Need to Know

Earlier this week, a remote code execution vulnerability in Magento, the eBay-owned ecommerce platform available in free and paid editions, was published. Security researchers chained several smaller vulnerabilities together to ultimately run arbitrary code on the server hosting Magento.

As you can imagine, being able to run arbitrary code on an ecommerce server is as bad as it sounds. Customer and credit card data, prices and inventory all become controllable through this exploit “chain.”

After the responsible disclosure this week, attacks on Magento sites ramped up, with attackers adding surreptitious admin users and likely leaving other backdoors for future access.

If you run a Magento site, here’s what you need to know.

First, update Magento as soon as possible. A patch for the vulnerability, SUPEE-5344, was released in February, and Magento has published both the patch and its installation instructions. Back up your database and site files before patching.

Next, if you don’t have a web application firewall (WAF), consider getting one. WAFs block attacks before they reach your site. The SiteLock TrueShield WAF stopped attempted exploits even against unpatched Magento sites, and for sites already exploited, it blocks access to backdoors so the attackers can’t get back in.

Finally, scan your Magento site files to ensure all issues are patched, and review the admin user list for accounts you did not create: patching closes the entry point but does not remove what an attacker already left behind. The SiteLock SMART scanner analyzes the source code of the site itself and often finds the payload, or results, of an exploit before it is released. For more information on how SiteLock can help secure your site, visit www.sitelock.com.

 

5 Must-Read Cybersecurity Websites

There’s no doubt that cybersecurity is a growing concern. As data breaches continue around the world, more and more of these stories are filling headlines.

With so much cybersecurity coverage, it can be difficult to sort through the noise and identify the most important stories. With that in mind, we’ve put together a list of the top five must-read websites to add to your daily reading list:

Dark Reading

Dark Reading is InformationWeek’s online cybersecurity publication, focusing on enterprise security. This website covers everything from breaches to compliance and cloud security. It’s worth adding to your reading list if you want the latest in both cybersecurity news and insight from key industry leaders.

Government Technology

Government Technology, also known as GovTech, covers a wide range of technology topics for the public sector, at both state and local levels. Topics range from network IT to applications, but one of GovTech’s most interesting sections is security, which covers government-related data breaches, cybersecurity companies serving government, and strategy and insight from government leaders.

OTA Blog

The OTA (Online Trust Alliance) is a non-profit organization dedicated to enhancing online trust and empowering users, while promoting internet innovation. OTA’s blog features the latest cyber security legislation news, insight from key thought leaders and general cybersecurity news that consumers need to know.

CIO

CIO covers a range of technology topics for Chief Information Officers and other IT leaders, and has been around since the 1980s (though it is now mostly digital). CIO’s security section is a great place for IT leaders to get the latest news on the enterprise cybersecurity world, and it also features white papers and case studies on cybersecurity from companies such as HP and Rackspace.

SecurityWeek

SecurityWeek is similar to the aforementioned publications in that it covers the latest general cybersecurity news, but it also has a great section that focuses on features and insights from key industry leaders. Topics include phishing, malware, fraud and network security.

Keeping a pulse on the ever growing threat landscape is difficult, but education is imperative. The more consumers and business people alike know about the very real cybersecurity threat, the better equipped we can all be to handle protecting our investments and mitigating risk. Be sure to check back often for more tips and tricks on website security and feel free to include any publications we may have missed in the comments section below.

 

DoS vs. DDoS: One on One, or One on Many

Please read the following post with one thing in mind: DoS does not refer to the classic operating system, and DDoS is not a “different” version of it.

DoS and DDoS are two common types of cyber attack that can block legitimate users from reaching your website. Both can cost a company millions of dollars in a few hours; according to Incapsula, the average cost of a successful DDoS attack is $500,000. Although the two look similar and both have serious financial consequences, the difference between them is more than just the extra “D.”

DoS Attack

A denial-of-service (DoS) attack is one launched from a single source, such as one server or one home connection. It can take your website down in the following ways:

  • Resource exhaustion, such as using up all CPU time, memory, bandwidth, etc.
  • Limit exploitation, such as repeatedly attempting to log into one account so that the lockout policy keeps the legitimate user out
  • Process crashing, such as sending a malformed request that triggers a bug in the server software so the process serving legitimate users dies
  • Data corruption, such as changing all user records to an invalid type so that nobody can log in

Among these categories, resource exhaustion is the most common type of DoS attack. It is usually caused by an attacker flooding your server with requests to drain one or more resources. During a DoS attack, your website usually stops responding to visitors. Therefore, if your customer service center is receiving a stream of complaints from customers who can’t reach your online services, and your logs show most requests coming from one IP address, consider the possibility of a DoS attack.
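The “most requests from one address” check from the previous paragraph, as added example code that is not part of the original post, run over constructed access-log lines (documentation-style addresses, not real traffic). It goes one step beyond the text by also reporting the distributed case; the thresholds are assumptions to be tuned to a site’s normal volume.

```javascript
// Added example (not from the original post): bucket web-server log lines by
// source IP and say whether a surge is single-source or spread out.
"use strict";

// Apache/nginx combined-log style line: client IP, timestamp, request.
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)"/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  return m ? { ip: m[1], time: m[2], request: m[3] } : null;
}

// Count requests per source address and classify.  Thresholds are assumptions
// for the example: a site used to ~50 requests per window would treat 1,000 as
// a flood, and one address owning 80% of them is the one-on-one (DoS) signature.
// Many sources each sending a little is either a DDoS or a flash crowd; source
// counts alone cannot tell those two apart.
function summarise(lines, { floodThreshold = 1000, dominanceShare = 0.8 } = {}) {
  const perIp = new Map();
  let total = 0;
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;                      // skip lines that are not in log format
    total += 1;
    perIp.set(rec.ip, (perIp.get(rec.ip) || 0) + 1);
  }
  const ranked = [...perIp.entries()].sort((a, b) => b[1] - a[1]);
  const [topIp, topCount] = ranked.length ? ranked[0] : [null, 0];
  let verdict = "normal";
  if (total >= floodThreshold) {
    verdict = topCount / total >= dominanceShare
      ? "single-source flood (DoS)"
      : "distributed surge (DDoS or flash crowd)";
  }
  return { total, sources: perIp.size, topIp, topCount, verdict };
}

// Constructed sample log lines (not real traffic).
function logLine(ip, i) {
  const ss = String(i % 60).padStart(2, "0");
  return `${ip} - - [27/Apr/2015:08:37:${ss} +0000] "GET / HTTP/1.1" 200 512`;
}

function constructedLog(kind) {
  const lines = [];
  for (let i = 0; i < 50; i++) lines.push(logLine(`192.0.2.${(i % 254) + 1}`, i));  // ordinary visitors
  if (kind === "dos") {
    for (let i = 0; i < 2000; i++) lines.push(logLine("203.0.113.7", i));           // one hammering source
  } else if (kind === "ddos") {
    for (let i = 0; i < 2000; i++) lines.push(logLine(`198.51.${(i >> 8) & 255}.${i & 255}`, i)); // 2,000 distinct sources
  }
  lines.push("garbage line that is not in log format");
  return lines;
}
```

In production the same logic would run over a sliding time window rather than a whole file, and the single-source verdict is the one that is actionable on the spot: a rate limit or firewall rule on that one address. The distributed verdict only tells you to look further, since the same picture is produced by an attack and by a successful marketing campaign.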

DDoS Attack

A distributed denial-of-service (DDoS) attack is usually considered an evolved form of the DoS attack. It has all the same effects and is harder to stop, because it is launched from many computers on different networks, typically compromised machines under an attacker’s control (a botnet), all sending large volumes of requests to your website at the same time.

If a DoS attack is a one-on-one fight, a DDoS attack is a siege, with people flooding in from every direction. Worse, they all look like legitimate visitors: the requests come from thousands of ordinary but compromised hosts, and in some attack types the source addresses are spoofed outright. The same symptoms can also appear with no attacker at all, when an unexpected surge of genuine traffic overwhelms your website.

DDoS attacks are very hard to prevent, because it is difficult to tell a legitimate user from a compromised visitor. To help you mitigate the increasingly common DDoS attack, SiteLock Website Security, the most comprehensive DDoS protection solution in the industry, targets the vital components of a DDoS attack by providing Web Application Protection, Infrastructure Protection and DNS Protection, adding multiple layers of defense to your online business. To learn more about SiteLock’s DDoS protection, see the SiteLock website.
