WordPress 4.2.3 Security and Maintenance Release

Published: July 26, 2015

WordPress recently posted news of version 4.2.3, a security and maintenance release:

WordPress 4.2.3 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

[Source]

Via Security Week.

WordPress Security

Published: August 29, 2011

If you use WordPress, read Let’s Talk – WordPress Security by Karen Max.

Mark Zuckerberg Facebook fan page hack: who was behind it?

Published: February 1, 2011

From the Technology blog at guardian.co.uk:

There are some clues left in the hacking of Mark Zuckerberg’s Facebook fan page on Wikipedia – but what do they add up to?

A quick whois query tells you that it is… the US department of defence in Williamsburg.

In other words: this might be someone in the military. Most likely those edits don’t come from one person – they come from all sorts of people in the Williamsburg location. Or, just as possible, it was someone who had hacked into the computers there from outside (not as difficult as you’d hope it would be) and is using them as a proxy to make the Wikipedia edit, and, quite possibly, hack Zuckerberg’s page.

(Update: Facebook tells us that “A bug enabled status postings by unauthorised people on a handful of Pages. The bug has been fixed.”)

Charles Arthur @ guardian.co.uk

Top WordPress themes on Google riddled with spamlinks and obfuscated code

Published: January 25, 2011

Cory Doctorow of Boing Boing reports this depressing news about WordPress:

Siobhan Ambrose went looking for a WordPress theme; of the top ten free WordPress theme sites listed on Google, eight had hidden, obfuscated, or encrypted code buried in them that rendered spammy keyword links that were part of a deceptive search engine optimization scheme; in some cases, Siobhan couldn’t figure out what the offending code did and speculates that it might contain malware. Of the remaining two, one hosted themes that didn’t validate. The remaining site, WordPress.org, is the only site in the first ten Google results for “free wordpress theme” whose themes don’t contain deceptive backlinks, obfuscated code, or non-validating themes.

Cory Doctorow @ Boing Boing

Microsoft Builds JavaScript Malware Detection Tool

Published: December 5, 2010

As browser-based exploits and specifically JavaScript malware have shouldered their way to the top of the list of threats, browser vendors have been scrambling to find effective defenses to protect users. Few have been forthcoming, but Microsoft Research has developed a new tool called Zozzle that can be deployed in the browser and can detect JavaScript-based malware on the fly at a very high effectiveness rate. Zozzle is designed to perform static analysis of JavaScript code on a given site and quickly determine whether the code is malicious and includes an exploit. In order to be effective, the tool must be trained to recognize the elements that are common to malicious JavaScript, and the researchers behind it stress that it works best on de-obfuscated code.

Slashdot
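The quoted item describes the shape of Zozzle’s approach (static features of JavaScript, a trained classifier, best results on de-obfuscated input) without showing it. The block below is an added illustration, not Zozzle’s code: a toy Bernoulli naive Bayes classifier over identifier-presence features. Zozzle itself trains on abstract-syntax-tree context features; the flat feature list and the six labelled training snippets here are constructed for the example and are far too small for real use.

```javascript
// Added example, not Zozzle's code: a toy Bernoulli naive Bayes classifier over
// syntactic features of (de-obfuscated) JavaScript source. Zozzle uses AST-context
// features; this toy uses plain identifier presence so it fits on a page.
// The feature list and the labelled training corpus are constructed for illustration.

const FEATURES = [
  "eval", "unescape", "fromCharCode", "document.write", "escape",
  "getElementById", "addEventListener", "setTimeout", "innerHTML", "substring",
];

// Word-boundary match so that "unescape" does not also count as "escape".
const FEATURE_RE = Object.fromEntries(
  FEATURES.map((f) => [f, new RegExp("\\b" + f.replace(".", "\\.") + "\\b")])
);

function extractFeatures(src) {
  return new Set(FEATURES.filter((f) => FEATURE_RE[f].test(src)));
}

// Constructed, labelled training corpus (a real model needs thousands of samples).
const TRAINING = [
  { label: "malicious", src: "var p = unescape(payload); eval(p);" },
  { label: "malicious", src: "document.write(String.fromCharCode.apply(null, codes));" },
  { label: "malicious", src: "var s = unescape(escape(x)); eval(s.substring(4));" },
  { label: "benign", src: 'document.getElementById("menu").addEventListener("click", toggle);' },
  { label: "benign", src: "setTimeout(function () { el.innerHTML = render(state); }, 100);" },
  { label: "benign", src: "var name = input.substring(0, 20); el.innerHTML = escape(name);" },
];

// Train: per label, a class prior and Laplace-smoothed P(feature present | label).
function train(samples) {
  const model = {};
  for (const { label, src } of samples) {
    if (!model[label]) {
      model[label] = { n: 0, counts: Object.fromEntries(FEATURES.map((f) => [f, 0])) };
    }
    model[label].n += 1;
    for (const f of extractFeatures(src)) model[label].counts[f] += 1;
  }
  for (const m of Object.values(model)) {
    m.prior = m.n / samples.length;
    m.p = {};
    for (const f of FEATURES) m.p[f] = (m.counts[f] + 1) / (m.n + 2);
  }
  return model;
}

// Classify: log-space Bernoulli likelihood over every feature, present or absent.
function classify(model, src) {
  const present = extractFeatures(src);
  const scores = {};
  for (const [label, m] of Object.entries(model)) {
    let logp = Math.log(m.prior);
    for (const f of FEATURES) {
      logp += Math.log(present.has(f) ? m.p[f] : 1 - m.p[f]);
    }
    scores[label] = logp;
  }
  const best = Object.keys(scores).reduce((a, b) => (scores[a] >= scores[b] ? a : b));
  return { label: best, features: [...present], scores };
}

const MODEL = train(TRAINING);

// The classifier only sees what the tokenizer sees: packed or encoded input must be
// unpacked first, which is the "works best on de-obfuscated code" caveat in the text.
console.log(classify(MODEL, "eval(unescape(blob));").label);                          // malicious
console.log(classify(MODEL, 'document.getElementById("x").innerHTML = text;').label); // benign
```

The design point worth noticing is that absence of a feature is evidence too: a snippet that never touches `eval` or `unescape` scores low on the malicious side even when it uses `innerHTML`, which both classes do. Feature engineering decides the result far more than the classifier does, which is why the real system works from parsed syntax rather than substrings.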

Who spies on your browsing history?

Published: December 2, 2010

Cory Doctorow of Boing Boing writes:

We’ve written before about the security vulnerability that allows websites to sniff your browsing history. A paper from UC San Diego computer science department researchers, An Empirical Study of Privacy-Violating Information Flows in JavaScript Web Applications [PDF], surveys which websites use this invasive technique against their users. YouPorn tops the list, but PerezHilton, Technorati, TheSun.co.uk, and Wired are also spying on their users’ browsing habits by exploiting this vulnerability.

Cory Doctorow @ Boing Boing

Facebook’s ‘Like This’ Button Is Tracking You

Published: November 30, 2010

“A researcher from a Dutch university is warning that Facebook’s ‘Like This’ button is watching your every move. Arnold Roosendaal, who is a doctoral candidate at the Tilburg University for Law, Technology and Society, warns that Facebook is tracking and tracing everyone, whether they use the social networking site or not. Roosendaal says that Facebook’s tentacles reach way beyond the confines of its own web sites and subscriber base because more and more third party sites are using the ‘Like This’ button and Facebook Connect.”

Slashdot

Security Expert Warns of Android Browser Flaw

Published: November 27, 2010

Google is working on a fix to a zero-day flaw discovered by British security expert Thomas Cannon that could lead to user data on a mobile phone or tablet device being exposed to attack. Cannon informed Google before posting information about the flaw on his blog. ‘While doing an application security assessment one evening I found a general vulnerability in Android which allows a malicious website to get the contents of any file stored on the SD card,’ Cannon wrote. ‘It would also be possible to retrieve a limited range of other data and files stored on the phone using this vulnerability.’

Slashdot

Here’s a good assessment of the problem:

So let’s say you bought a Windows box. Maybe you got it from HP. Maybe you got it from Dell. Maybe from Sony.

Who do you expect to provide you with a patch when someone discovers a new Windows vulnerability? Microsoft, right? If it’s really serious it’ll probably pop up in the next Patch Tuesday. If it’s hyper-serious then it might come out three or four days after the vuln was announced.

That’s not the way it works in the Android world, annoyingly enough. Imagine if the version of Windows loaded onto that HP machine was a special HP version, full of HP customizations like a proprietary HP window manager and a proprietary HP web browser. MS can’t give you any patches because the HP customizations are a fork of MS’s source [code]; when MS does bugfixes, someone at HP has to take a diff of the new MS tree, merge it with the HP tree, and run it all through QA. Oh, and the store you bought it from? Some of them have their own variant source trees too, so the same machine bought from Best Buy rather than direct from HP has its own fork of the OS.

Now multiply this by a different fork for every damn model they sell. Oh, and because they only have so much money, HP/Dell/Sony/Best Buy/whoever typically only bother merging in the OS updates for computers they made in the last year. If you’re lucky.

Peganthyrus @ Slashdot

Deep Packet Inspection Set To Return

Published:

[T]wo US companies, Kindsight Inc. and Phorm Inc., are pitching deep packet inspection services as a way for Internet service providers to claim a share of the lucrative online ad market [Shunned Profiling Technology on the Verge of Comeback]. Kindsight and Phorm say they protect people’s privacy with steps that include obtaining their consent. They also say they don’t use the full power of the technology, and refrain from reading email and analyzing sensitive online activities. Use of deep packet inspection this way would nonetheless give advertisers the ability to show ads to people based on extremely detailed profiles of their Internet activity. To persuade Internet users to opt in to be profiled, Kindsight will offer a free security service, while Phorm promises to provide customized web content such as news articles tailored to users’ interests. Both would share ad revenue with the ISPs. Kindsight says its technology is sensitive enough to detect whether a particular person is online for work, or for fun, and can target ads accordingly.

Slashdot

HTTPS Everywhere versus Firesheep

Published: November 24, 2010

HTTPS Everywhere Gets Firesheep Protection

The Electronic Frontier Foundation today said it rolled out a version of HTTPS Everywhere that offers protection against ‘Firesheep’ and other tools that seek to exploit webpage security flaws. Hitting the streets in October, Firesheep caused a storm of controversy over its tactics, ethics and Web security in general. Firesheep sniffs unencrypted cookies sent across open WiFi networks for unsuspecting visitors to Web sites such as Facebook and Twitter, and lets the user take on those visitors’ log-in credentials.

Slashdot

HTTPS Everywhere

HTTPS Everywhere is a Firefox extension produced as a collaboration between The Tor Project and the Electronic Frontier Foundation. It encrypts your communications with a number of major websites.

Many sites on the web offer some limited support for encryption over HTTPS, but make it difficult to use. For instance, they may default to unencrypted HTTP, or fill encrypted pages with links that go back to the unencrypted site.

The HTTPS Everywhere extension fixes these problems by rewriting all requests to these sites to HTTPS.

https://www.eff.org/https-everywhere
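The two items above describe the problem (session cookies sent in the clear over open Wi-Fi) and the fix (rewriting requests to HTTPS) in prose. The block below is an added illustration, not HTTPS Everywhere’s code: a minimal rule engine in the style of its rulesets (a per-site list of target hosts, regex rewrite rules and exclusions), plus a check of a Set-Cookie header that shows why the rewrite alone is not enough if the cookie lacks the Secure attribute. The example.com and example.net rules are constructed for the example.

```javascript
// Added example, not HTTPS Everywhere's code: a minimal rewrite engine mirroring the
// structure of its rulesets (target hosts, regex "from" -> "to" rules, exclusions),
// and a Set-Cookie audit for the Firesheep case. Rules below are constructed.

const RULESET = [
  {
    name: "Example (constructed)",
    targets: ["example.com", "www.example.com"],
    exclusions: [/^http:\/\/www\.example\.com\/legacy\//],
    rules: [{ from: /^http:\/\/(www\.)?example\.com\//, to: "https://www.example.com/" }],
  },
  {
    name: "Example Net (constructed)",
    targets: ["example.net"],
    exclusions: [],
    rules: [{ from: /^http:\/\/example\.net\//, to: "https://example.net/" }],
  },
];

// Rewrite one URL: find a ruleset for its host, honour exclusions, apply the first
// matching rule. Anything without a rule proceeds unchanged, i.e. still over HTTP.
function rewriteUrl(url, ruleset = RULESET) {
  let host;
  try {
    host = new URL(url).hostname;
  } catch (e) {
    return url; // not a parseable URL: leave it alone
  }
  for (const rs of ruleset) {
    if (!rs.targets.includes(host)) continue;
    if (rs.exclusions.some((re) => re.test(url))) return url; // explicit opt-out
    for (const r of rs.rules) {
      if (r.from.test(url)) return url.replace(r.from, r.to);
    }
  }
  return url;
}

// A cookie set without the Secure attribute is also sent on plain-HTTP requests, which
// is what a sniffer on open Wi-Fi collects; HttpOnly keeps page scripts from reading it.
function auditSetCookie(header) {
  const attrs = header.split(";").slice(1).map((a) => a.trim().toLowerCase());
  return { secure: attrs.includes("secure"), httpOnly: attrs.includes("httponly") };
}

// Constructed sample traffic.
console.log(rewriteUrl("http://example.com/login"));             // https://www.example.com/login
console.log(rewriteUrl("http://www.example.com/legacy/old"));    // unchanged (excluded)
console.log(rewriteUrl("http://other.example.org/"));            // unchanged (no ruleset)
console.log(auditSetCookie("sessionid=abc123; Path=/; HttpOnly")); // { secure: false, httpOnly: true }
```

The rewrite protects the request only when the site actually serves the page over HTTPS; that is why the real extension ships a curated ruleset rather than blindly flipping every scheme. On the server side, marking the session cookie Secure closes the same gap for every client, extension or not.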