IFTTT Stored XSS In Homeboy Recipes Could’ve Impacted Other Users If Shared

IFTTT is a great site, let's get that out of the way before we say anything else. They offer a great service; however, their response time to this one security issue was somewhat slow. On September 20th, 2014, we created a recipe for the Homeboy camera. The recipe contained stored XSS that triggered every time anyone viewed the recipe, because one of the recipe's parameters was not properly sanitized before being rendered in the page.


What does this mean to IFTTT security?

Anyone else who discovered the bug could have released such a recipe to the IFTTT published recipe page, so anyone who clicked it would have executed malicious code, affecting the security of other users. Since we are ethical cyber security researchers, we did not release it to the published recipe page; we reported it to IFTTT instead. Fast forward to mid-2016 and the vulnerability still existed, even though we had reported it to them in 2014. This was not safe for their users, though our report could have been overlooked in their emails. We asked for an invite to their private bounty program, which pays security researchers for the issues they find. Sadly, we were not granted access despite having already identified one security flaw. Fast forward to 2017 and the vulnerability appears to have been fixed.
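To make the mechanism concrete, here is an added example (not IFTTT's code, and the recipe record, field names and payload string are constructed for illustration): a recipe field rendered into HTML without encoding, the same rendering with HTML entity encoding applied, and a simple scan a defender can run over stored records to find fields that already carry markup.

```python
import html
import re

# Constructed sample record: what a stored recipe might look like once a user has
# saved markup into a free-text field. Not real IFTTT data.
RECIPE = {
    "id": "recipe-123",
    "title": "Homeboy camera: notify me on motion",
    "description": "Snapshot on motion <script>alert('xss')</script>",
}


def render_vulnerable(recipe):
    """Interpolates user-controlled fields straight into HTML.
    Any markup stored in the field becomes live markup for every viewer:
    this is the stored XSS pattern described above."""
    return f"<h1>{recipe['title']}</h1><p>{recipe['description']}</p>"


def render_hardened(recipe):
    """Entity-encodes each field before placing it in an HTML text context,
    so stored '<', '>', '&' and quotes are displayed literally, not parsed."""
    title = html.escape(recipe["title"], quote=True)
    desc = html.escape(recipe["description"], quote=True)
    return f"<h1>{title}</h1><p>{desc}</p>"


def has_live_tag(rendered_html, tag="script"):
    """Regression check on rendered output: is there an un-encoded <tag ...>?"""
    return re.search(rf"<{tag}\b", rendered_html, re.IGNORECASE) is not None


def find_stored_markup(records, fields=("title", "description")):
    """Defender-side scan over stored records: return (id, field) pairs whose
    value contains an HTML tag, so existing poisoned records can be reviewed."""
    hits = []
    for rec in records:
        for field in fields:
            if re.search(r"<[a-zA-Z/][^>]*>", rec.get(field, "")):
                hits.append((rec["id"], field))
    return hits


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(RECIPE))
    print("hardened:  ", render_hardened(RECIPE))
    print("stored markup found in:", find_stored_markup([RECIPE]))
```

Encoding at render time is the fix for the viewer; the scan is for finding records that were stored before the fix went in.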


We are proud of IFTTT for taking steps in the right direction to make their site more secure for their users and applaud them for doing so. We hope, and are probably right, that missing the issue we reported in 2014 was an accident, and we are glad that they responded to us in mid-2016 when we contacted them. What we find interesting is that a site redesign appears to be what fixed the issue, which is why you should subscribe to our RSS feed: we will be writing an article all about site redesigns and how they impact security.


Cyber Security: A Beginner's Guide to Cyber Security

What is cyber security?

Cyber security is the art of protecting your systems from criminals who mean to do you harm, including ransomware like WannaCry, which we recently wrote a guide on. Cyber security also helps you keep criminals away from your private information and, even more importantly, your customers' private information.

If you haven't heard of cyber security, then you most likely haven't heard of phishing, which is fine. Phishing is another word for fraudulent emails sent to you by people who are trying to gain illegal access to your computer. Once they gain access, they can steal all your data and use your machine as part of a large network of thousands of compromised machines, also referred to as a zombie network, to do whatever they want. To keep the malware spreading, they can also use your contact list to send it to all your contacts from your own email address.


If you don't think that's bad, it gets worse. Once inside your system, the criminals have control of your computer, not you. They could charge you thousands of dollars to potentially relinquish control of it, or they could put all your information online for the world to see. Of course there are plenty of other uses for your machine and your data, but we aren't getting into that in this article, since it would make up a good portion of a book.


Why does my website need security? I don’t store anything sensitive on it.

This is a point a lot of people make, and while you may not store anything on it, people do come to your website; we make sure of that if you use our SEO services, so that people can find you on search engines. If people come to your site and it is hacked, they will either get infected themselves, see your site defaced (potentially with images of dead bodies, as we have encountered in the past), or be blocked by Google from visiting your site, which also hurts your rankings on their search engine.

If Google blocks visitors from coming to your site, that is major damage to your reputation. If your site is defaced, that also damages your reputation. Most people don't know that 60 percent of cyber crime victims go out of business and that 50 percent of all attacks are against small businesses.

This is what your customers will see if Google blocks them from coming to your site:

[Image: Google warning page blocking access to the site]

The Nastiest Defaced Server We Ever Had to Secure

We were doing cyber security work on a server that had been hacked. We were improving its security, but that was hard to do because it was the nastiest defaced server we have ever encountered. Everywhere you went on the site, the company's customers and administrators saw images of dead children strewn across the ground, bleeding, lying in heaps upon heaps of bodies. The server had been hacked by a foreign country, or by someone sympathetic to one, alleging that the United States was killing their people. We did not take the time to independently verify the claims, because we had to get that server back in proper condition as quickly as possible.

Customers were horrified and wanted the images removed, so we removed them, but we did much more than that. We used our experience to ensure it wouldn't happen again: we made the server far more secure and made many security recommendations; however, some were ignored by the customer. The company quickly learned, the hard way, that ignoring security recommendations from cyber security experts is a big mistake. They were hacked again, to the horror and outrage of their customers. After we cleaned up yet another hack on their server, they took cyber security very seriously and finally put all of our security fixes into place, even though it made a few customers grumble because it was an inconvenience.

Did they lose customers due to those hacks? Yes, they did, but due to our quick response to the disaster they retained enough to barely stay in business and are doing far better today.

What should you learn from this experience with a defaced server? That server security is very important, or you too may end up a victim of cyber crime. We hope you won't have images of dead bodies everywhere, but you will lose customers and have to stop working on other things in order to respond to the hack, which means losing even more money.

If you run a server, consider retaining our services to secure it as much as we can within the time constraints you give us. We offer one affordable security audit that looks for gaping holes, and another, much more comprehensive security audit that fixes everything we can find.


Affordable Server Security Audit to fix Gaping Security Holes In Your Server

Our affordable server security audit finds the gaping holes in your server and patches them. We will make your server as secure as we possibly can during the audit.

What does an affordable server security audit entail?


  • Fixing default insecure server configurations
  • Fixing security holes that we only offer to our customers
  • Making the server as secure as you will let us in the time constraint we have
  • Doing a quick check to see if the server has already been hacked

How much is a server security audit? Only $3000, and if you don't think it's worth it, read about the server company that hired us after dead bodies appeared across their entire site.


Buy your server security audit now!


Information Security Audit & Website Security Audit To Keep You Safer

Information security audits are great for website security, server security and anything else that connects to the internet, like internet of things devices. We don’t mean to imply that devices that don’t connect to the internet shouldn’t be secure, on the contrary. All devices should be as secure as possible, but especially if they are online, including your computer system.


So, what do we do to help you with your information security audits and website security? A lot. We have a 100 percent success rate of finding flaws in customers' software and then proposing solutions. If you hire us, we will test your website security and server security, or any internet-connected device, including devices that only use Bluetooth or Wi-Fi. In previous audits of internet of things products we have discovered how to make internet of things light bulbs explode, make drones fall out of the sky, and hack security cameras, and we will look at anything else we are asked to secure.

In web security and server security audits, we have helped secure GoDaddy, government organizations, and a lot of financial companies. We want to bring our expertise to all the companies in the world, since information security audits shouldn't be a luxury that only large corporations can afford. Our most affordable information security audit is within reach of most small businesses, and our automated security tools are so cheap they're a steal. If you want to contact us, please do, or you can sign up for tips on how to stay more secure and reduce the impact cyber criminals can have on your life by filling out the form below.