Hackers are exploiting a critical vulnerability that may be affecting hundreds of thousands of websites running WordPress. The vulnerability lies in versions of the popular third-party plugin WordPress File Manager, which has been installed on over 700,000 websites. WordPress File Manager bills itself as a tool to make it simple for webmasters to upload, edit, archive, and delete files and folders on their website's backend.
Manufacturers need to invest more effort into protecting root-level access to connected devices, security researcher says. A vast majority of IoT hardware in homes and offices is vulnerable to attacks that allow devices to be easily taken over and manipulated for malicious purposes. Few device manufacturers or security researchers are paying nearly as much attention to this issue as they are to software vulnerabilities, according to Marc Rogers, white hat hacker and executive director of cybersecurity at Okta.
Bryan Connor Herrell, a 25-year-old from Colorado, was sentenced to 11 years of prison time for acting as a moderator on the dark web marketplace AlphaBay. According to court documents, between May 2016 and July 2017, Herrell acted as a marketplace moderator and a scam watcher known under the 'Penissmith' and 'Botah' nicknames. During this time, he settled more than 20,000 disputes between AlphaBay vendors and buyers, while being paid by the marketplace owners in Bitcoin.
A new Malicious Domain Blocking and Reporting (MDBR) service will help organizations improve security by preventing IT systems from connecting to malicious domains. Launched through a partnership between the U.S. Department of Homeland Security's Cybersecurity Infrastructure Security Agency (CISA), Center for Internet Security (CIS), and Akamai Technologies, the MDBR service adds another layer of Domain Name System (DNS) security to help organizations protect applications.
U.S. agencies must implement vulnerability-disclosure policies by March 2021, according to a new CISA mandate. The U.S. government's cybersecurity agency is now requiring federal agencies to implement vulnerability-disclosure policies (VDPs), which would give ethical hackers clear guidelines for submitting bugs found in government systems, by next March. Currently, most federal agencies lack a formal mechanism to receive information from white-hat hackers about potential security.
The average wire-transfer loss from business email compromise (BEC) attacks is significantly on the rise: In the second quarter of 2020 the average was $80,183, up from $54,000 in the first quarter. That's according to the recently released Anti-Phishing Working Group (APWG)'s Phishing Activity Trends Report [PDF], which pointed out that the rise in dollar amounts could be driven largely by one Russian BEC operation, which has been targeting companies for an average of $1.27 million per effort.
Massachusetts Institute of Technology (MIT) scientists have created a cryptographic platform that allows companies to securely share data on cyber attacks they suffered and the monetary cost of their cybersecurity failures without worrying about revealing sensitive information to their competitors or damaging their own reputation. The SCRAM platform allows defenders to learn from past attacks and provides insight into which cyber-risk control areas require additional scrutiny or investment.
In April, security researcher Rich Mirch got a text from a friend who had just switched to a new wireless router and was raving about its high-speed internet. You have to try it, the friend told Mirch. Curious, Mirch downloaded the router's firmware and started picking it apart. He found that the device, made by an obscure Canada-based company called MoFi Network, had multiple password-related vulnerabilities packed into its code. But Mirch wanted to delve deeper.
Teams new to Kubernetes often deploy clusters in an insecure way by default because they don't know what they don't know. Unless you've got a team of battle-hardened Kubernetes experts, you're bound to run into trouble. For example, it's not always obvious when a Kubernetes deployment is overpermissioned, and often the easiest way to get something working is to give it root access or cluster-admin permissions. But just because the site is working doesn't mean your job is done.
With the pandemic still in full swing, educational institutions across the US are kicking off the 2020-2021 school year in widely different ways, from re-opening classrooms to full-time distance learning. Sadly, as schools embracing virtual instruction struggle with compounding IT challenges on top of an already brittle infrastructure, they are nowhere near closing the K-12 cybersecurity gap. Kids have no choice but to continue their studies within the current social and health climate.
When you own a short email address at a popular email provider, you are bound to get gobs of spam, and more than a few alerts about random people trying to seize control over the account. If your account name is short and desirable enough, this kind of activity can make the account less reliable for day-to-day communications because it tends to bury emails you do want to receive. But there is also a puzzling side to all this noise: Random people tend to use your account as if it were theirs.