Louisiana Government Department Of Education Hacked

Posted on October 11, 2017. Categories: cyber security

United States Department Of Education failing to secure their systems.

The Louisiana Department Of Education, referred to as DOE, had a subdomain hacked yesterday. This was discovered by a researcher and was posted on Twitter September 10th at 4:58 PM. The researcher received an email from the Louisiana government's EDGAR System with a link to the malicious page.

The malware on the page is served up by PowerShell and is believed to be Cobalt Strike. Immediately on hearing this, our CEO alerted some other government contractors, since we do security work for the government but do not have any contacts in Louisiana.

This ended with the researcher being told by a well-known researcher to contact US-CERT. As of 11 hours ago the page was no longer accessible; hopefully it is down for repair.

Unfortunately, this is not the first time this month that we have reported on United States education systems being hacked.

While the exploit point is unknown, EDGAR is known to be exploited often and has come under scrutiny by Congress for being exploited and for the exploitation not being disclosed for far too long.

We will continue to keep you up to date on the Louisiana government DOE hack as the events are still developing.

Equifax hack: The Equifax Data Breach Disaster In Full U.S & Argentina Equifax hack Report

Posted on September 13, 2017 (updated September 14, 2017). Categories: cyber security, Uncategorized

Equifax hack and the Equifax Data breach In U.S and Argentina explained In Full

The Equifax hack and the Equifax data breach were horrible, because up to 143 million people had their social security numbers exposed in the Equifax data breach disaster. Now Equifax Argentina has been hacked because Equifax used no security measures for a certain portal's login credentials. So, what happened with the Equifax data breach? Equifax security had a history of not responding to or fixing known security vulnerabilities in their systems at the time the Equifax hack in the U.S. took place. One of many vulnerabilities that had not been fixed was an XSS that was reported a year prior to the malicious hack, which may help show the negligence Equifax showed towards their cyber-security.

After the Equifax hack in the U.S. took place, the Argentina Equifax hack took place, because their username and password were the same default credentials that no one in the world should be using. What were their username and password? The username was admin and the password was also admin.

If you haven’t heard that Equifax royally screwed up on providing credit monitoring, or even if you have heard that they messed up, it’s far worse than what you know. Originally, when people accepted the Equifax credit monitoring they were waiving their rights to sue Equifax for the Equifax data breach, according to multiple reports. After they came under extreme criticism, Equifax updated their terms to say they meant you can’t sue them over the use of the credit monitoring, but you can still sue them for the cyber-security breach that has already occurred.

If the Equifax credit monitoring issues stopped there, that would be amazing, but Equifax showed they weren’t prepared to handle a breach. Equifax only provides you a year of free monitoring services, and they use their own company's services to provide that one year of monitoring. Senator Schatz wrote a scathing, yet one hundred percent factual, critique of Equifax and the Equifax data breach that points out they will make a large profit off of their credit monitoring; per his critique, Senator Schatz stated that one year was insufficient. He also pointed out that their current one-year monitoring model makes them a profit when people go back to the company that Equifax owns for continued monitoring after the year is up.

It was pointed out by others that Equifax can make up to $120 of profit per person off of credit monitoring, per the page that allows you to sign up. If all 142 million people affected paid for the next year of credit monitoring, they would make 14 billion dollars off of the breach, just on the credit monitoring. Senator Schatz went on to point out that they will make 30 dollars off of each person who wants to freeze their credit file, which is a smart thing to do.

After the scathing critique from Senator Schatz and colleagues, and from many other people who protested the credit freeze charge, Equifax announced they will be allowing free credit report freezes until November 21st and refunding anyone who paid for the service after the breach was announced. A credit freeze, also known as a security freeze, adds layers of security to your credit report, helping prevent criminals from opening new credit in your name.

Equifax went on to say that you will not be automatically enrolled or charged after the free year of credit monitoring is over. However, they do not state that they won’t use the email addresses or other information to contact you to let you know you have the option to enroll for another year. Their wording is quite specific in that it states you won’t be automatically enrolled, so the probability of them trying to manually convert you into a paying customer, whether via email blasts or phone calls, still appears to remain per the wording they have chosen to use.

Now let’s make this very clear: the Equifax data breach could still make them up to 14 billion dollars if every single person used their service and was opted, manually or via automatic blast email, into one paid year of monitoring after the free year ended. Let’s make it equally clear that not every person has signed up for their monitoring, nor would every person renew services, but let’s say 50 percent of the 142 million people affected used the service for an additional year on their own dime. Based off of Equifax’s site the services cost $120 a year, so Equifax could make 8 billion and 520 million dollars. Even if only 25 percent of people renewed, they would make 4 billion and 200 million dollars off of their own disaster. Nonetheless, they stand to profit off of being hacked.

When you go to equifaxsecurity2017.com to see if you were hacked and click on any button to check whether you were affected by the hack or to enroll in the one-year monitoring, they direct you to trustedidpremier.com. Most people won’t notice this, since sadly people don’t pay attention to the site they are actually on. This site asks for your six digit social security number, which quite frankly you should never enter online. Furthermore, you did not hire Equifax to collect the data that was leaked on you; they collect it as part of their business model for their clients. You are not the client, you are the product, which the well-written CNN piece makes painfully clear.

How did the Equifax data breach in the United States happen?

Updated: We were correct that Equifax was hacked by the March, 2017 Apache Struts bug.

Updated: Providing insight into the carefully crafted Equifax announcement that looks like they are blaming Apache Struts, but evades doing so. Removed the Quartz article link, since that article appears to be partially inaccurate.

Equifax released a statement that many news outlets took as admitting they were hacked by an Apache Struts vulnerability; however, after careful analysis, that isn’t what they were saying whatsoever. They were simply noting that there is evidence that someone may have tried to use the 2 month old Apache Struts vulnerability, but they have not yet confirmed that is indeed how the hack took place. While we do believe not updating Apache Struts is one way an attacker could’ve gotten in, their security is inexcusably weak, making it possible that a different exploit was used.

However, the Equifax data breach wouldn’t have been as bad if they hadn’t kept so much data online about people who did not ask for it to be collected. When a site you are the customer of is hacked, that’s one thing; when a site that you are the product of is hacked, and in this case you are a product of Equifax, that’s entirely different. You are the victim in this scenario, and Equifax put too much of your personal data online. Also, they did not fix known security vulnerabilities.

How did the Equifax Data Breach happen in Argentina?

The Equifax data breach in Argentina occurred because someone had the idea to use admin as the username and admin as the password. Now, to be fair, they may have just bought some software and did not follow the instructions or do any security review whatsoever, such as resetting the default admin credentials for the portal they were using. As far as we know, only thousands upon thousands of people were affected in the Equifax Argentina data breach. The Equifax Argentina data breach is a developing story, so we will continue to update this as more information becomes available.

What countries were affected by the Equifax breach?

There have been multiple Equifax breaches this year, but so far we know that the U.S. was affected, Argentina was affected, and the U.K. was partially affected.

We will continue to update this article when more information becomes available.

WPML and On The Go Systems Has A Stellar Product And Team!

Posted on July 31, 2017 (updated August 1, 2017). Categories: cyber security, Uncategorized, wordpress security

WPML, owned by On The Go Systems, is stellar, beyond stellar. They deeply care about security and will help all customers, including current paying customers and those who are no longer paying, when a severe threat emerges. Did we work with them to improve their security? Yes, we did, but that isn’t the point; the point is how they handled the security issues and how amazing they are with their customers.

On The Go Systems makes many WordPress plugins, and while we haven’t reviewed them all, we can say that security is a high priority for them, which says a lot about a company. They care about providing a good experience to their users, both in usability and in security.

We asked Amir Helzer, the owner of On The Go Systems, his view on customer usability and security, and this is a quote directly from him:

“We treat security as an ongoing effort. Ryan helped boost the security of our plugins and helped keep them secure. We started with an initial review which uncovered a number of issues to handle. Then, we kept working with Ryan to maintain the security of our plugins as we released new versions and as WordPress updated the general security advice for the entire project. The cost of the security review was little compared to the damage that we avoided to ourselves and our clients, if we had left security exploits in our products.”

We love helping companies, but most importantly protecting users from being hacked, and we were able to help both On The Go Systems and their users. It is companies like On The Go Systems that remind us that some companies truly do want to protect their users, and it is truly heart-warming to find companies who do protect their customers.

We highly recommend On The Go Systems WordPress plugins for your plugin needs, and hope other companies will follow their lead in the effort to secure GPL code.

In conclusion, bravo to everyone who works at On The Go Systems for always being On The Go to secure your code.

SiteOrigin Widgets Bundle Vulnerabilities — download our cure for you

Posted on July 12, 2017. Categories: cyber security, Uncategorized, wordpress security

SiteOrigin Widgets Bundle is used by over one million sites and is the newest WordPress plugin for us to fix and offer for sale, because SiteOrigin Widgets Bundle has some vulnerabilities that cannot be ignored and definitely would not be ignored by a criminal who wanted to get into your site.

SiteOrigin has a lot of vulnerabilities and we’ve patched the most severe one today. Based on our code review, this vulnerability would allow attackers to inject malicious code into the website, deface the site and cause other damage to it. This bug, among a few other bugs, is patched.

What does this mean to me?
It means that, per our code review, anyone could negatively impact your website brand and cause you a headache and a half due to this vulnerability. We patched the most severe vulnerability that we found and have made it available to you, which is far more secure than the free version of SiteOrigin Widgets Bundle.

WordPress Plugin OptinMonster Popups on 500 thousand sites allows unauthenticated users access to the admin backend

Posted on July 11, 2017 (updated July 14, 2017). Categories: cyber security, Uncategorized, wordpress security

Update: upon further review we reaffirm our post, but make the following annotation: the severity of this issue may be less than originally thought. We are continuing our evaluation and we will post our findings.
Update: We completed our review of the code in the screenshot of this post, and while we identified variables that would lead to severe vulnerabilities, we have not been able to find any use of the vulnerable variables; however, the classes are still vulnerable and need to be updated. The severity of this particular problem is low.

The WordPress plugin Optinmonster API has left over 500 thousand sites vulnerable to a security flaw. Thankfully we have a fix you can buy for this one vulnerability.

During our code review we discovered that the admin area is protected by a WordPress function called is_admin, which is widely misunderstood: it only reports whether an admin-area page is being rendered, not whether the current user is an administrator, so it allows admins and unauthenticated users alike to access the information in the OptinMonster API. What does this mean to you, the user? It means that you can access the admin features, but so can criminals.

What does OptinMonster protect using is_admin? At first glance it is just one line of code, so how bad could that actually be? It turns out that one line of code, as you can tell, is calling almost all of the rest of the code in the application.

Yes, the one line of code, load_admin, loads everything that should be administrator-only but is instead accessible to all.

As you can tell above, the administrator menu, admin actions, the reviews the admin has access to, the welcome page, the site content and the ability to save content, among other things, are accessible to anyone or any bot that logs onto the site. This is a severe vulnerability leaving the admin side of your site exposed, so we have written a patch for this one vulnerability in the WordPress plugin OptinMonster, also known as OptinMonster API. You can buy the more secure version of the WordPress OptinMonster plugin on our site. We may patch more vulnerabilities in this plugin, but we can say that our version of the WordPress plugin OptinMonster is currently more secure than what is available, and we can continue to update it to be more secure.

We provide updates for any plugin with over 500 thousand users for premium customers; all they have to do is ask us and tell us which popular plugins they’re using, and we will check the security of them.
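The is_admin misunderstanding described in the OptinMonster post above, shown as an added illustration that is not the plugin's code (class, option, nonce and action names are hypothetical): is_admin() only reports that an admin-area page is being rendered, and admin-ajax.php counts as the admin area, so a capability check is the only thing that actually authorizes the caller.

```php
<?php
// Added example, not the plugin's code. Class, option, nonce and action names are hypothetical.
// is_admin() answers "is an admin-area page (including admin-ajax.php) being rendered?",
// NOT "is the current user an administrator?". It must never stand in for a capability check.

class Example_Insecure {
    public function __construct() {
        if ( is_admin() ) {          // context check only, no authorization
            $this->load_admin();     // everything admin-only hangs off this one line
        }
    }
    protected function load_admin() {
        // A nopriv handler reached through admin-ajax.php runs for unauthenticated
        // requests, and nothing on this path ever asked who the caller is.
        add_action( 'wp_ajax_nopriv_example_save', array( $this, 'save' ) );
    }
    public function save() {
        update_option( 'example_content', wp_unslash( $_POST['content'] ?? '' ) );
        wp_die();
    }
}

class Example_Hardened {
    public function __construct() {
        if ( is_admin() ) {
            // Defer until 'init': the current user is resolved by then, and
            // 'admin_menu' / 'admin_init' / AJAX actions all fire afterwards.
            add_action( 'init', array( $this, 'load_admin' ) );
        }
    }
    public function load_admin() {
        if ( ! current_user_can( 'manage_options' ) ) {   // authorization by capability
            return;
        }
        add_action( 'admin_menu', array( $this, 'menu' ) );
        add_action( 'wp_ajax_example_save', array( $this, 'save' ) ); // no nopriv variant
    }
    public function menu() {
        add_menu_page( 'Example', 'Example', 'manage_options', 'example', '__return_null' );
    }
    public function save() {
        // Defence in depth: the handler re-checks capability and nonce itself,
        // because hooks can be registered from more than one code path.
        if ( ! current_user_can( 'manage_options' )
            || ! check_ajax_referer( 'example_save', 'nonce', false ) ) {
            wp_send_json_error( 'forbidden', 403 );
        }
        update_option( 'example_content', sanitize_text_field( wp_unslash( $_POST['content'] ?? '' ) ) );
        wp_send_json_success();
    }
}
```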