More stories


    Over a million WordPress sites breached

    WordPress is far more than just blogs. It powers over 42% of all websites. So whenever there’s a WordPress security failure, it’s a big deal. And now GoDaddy, which is the top global web hosting firm with tens of millions more sites than its competition, reports that data on 1.2 million of its WordPress customers has been exposed.

    In a Securities and Exchange Commission (SEC) filing, GoDaddy’s chief information security officer (CISO) Demetrius Comes said the company discovered unauthorized access to its managed WordPress servers. To be exact, the breach exposed information on 1.2 million active and inactive managed WordPress customers since September 6, 2021. This managed service, according to WordPress, is streamlined, optimized hosting for building and managing WordPress sites. GoDaddy handles basic hosting administrative tasks, such as installing WordPress, automated daily backups, WordPress core updates, and server-level caching. These plans start at $6.99 a month.

    Customers had both their email addresses and customer numbers exposed. As a result, GoDaddy warns that this exposure can put users at greater risk of phishing attacks. The web host also said that the original WordPress admin password, created when WordPress was first installed, was also exposed. So if you never changed that password, hackers have had access to your website for months.

    In addition, active customers had their sFTP and database usernames and passwords exposed. GoDaddy has reset both of these passwords. Finally, some active customers had their Secure Sockets Layer (SSL) private key exposed. GoDaddy is currently reissuing and installing new certificates for those customers.

    WordFence, a WordPress security company, says in its report, “It appears that GoDaddy was storing sFTP credentials either as plaintext, or in a format that could be reversed into plaintext. They did this rather than using a salted hash, or a public key, both of which are considered industry best practices for sFTP. This allowed an attacker direct access to password credentials without the need to crack them.”

    GoDaddy has announced that its investigation is ongoing. The company is contacting all impacted customers directly with specific details. Customers can also contact GoDaddy via its help center, which includes phone numbers for users in affected countries.

    At this time, that’s all the information GoDaddy has made public about the breach.


    Facebook's Meta pushes back Messenger and Instagram encryption plans until 2023

    Meta, the parent company of Facebook, has pushed back its plans to enable end-to-end encryption (E2EE) as the default on Facebook Messenger and Instagram until 2023. 


    Messenger and Instagram chats are on the same platform these days, reflecting the company’s push to unify its messaging products and align them with WhatsApp, where E2EE is the default, based on Signal’s E2EE protocol. In April, Facebook said that Messenger and Instagram direct messages wouldn’t be “fully end-to-end encrypted until sometime in 2022 at the earliest”.

    E2EE should mean that even Facebook employees with physical access to its hardware in data centers can’t access the content of messages, preventing the firm and its employees from producing some evidence even when ordered by a court to do so. Facebook rolled out E2EE for WhatsApp in 2016 using the protocol developed by messaging platform Signal, which gained users after Facebook announced plans to share user data between WhatsApp and Facebook to expand its offering for businesses on both platforms.

    Antigone Davis, Meta’s global head of safety, detailed Meta’s encryption challenges in an article for the UK’s The Telegraph. “There’s an ongoing debate about how tech companies can continue to combat abuse and support the vital work of law enforcement if we can’t access your messages,” wrote Davis.

    “We believe people shouldn’t have to choose between privacy and safety, which is why we are building strong safety measures into our plans and engaging with privacy and safety experts, civil society and governments to make sure we get this right.”

    Davis said Meta has three approaches to the question of safety. The first is detecting suspicious patterns, such as someone setting up multiple new profiles and messaging strangers; she said this system is in place and that “we’re working to improve its effectiveness.” The second is giving Instagram users the ability to filter direct messages based on offensive words. The third is encouraging people to report harmful messages.

    She goes on to point out that law enforcement still has access to metadata for criminal investigations. “Even with billions of people already benefiting from end-to-end encryption, there is more data than ever for the police to use to investigate and prosecute criminals, including phone numbers, email addresses, and location data,” she notes. “Our recent review of some historic cases showed that we would still have been able to provide critical information to the authorities, even if those services had been end-to-end encrypted,” wrote Davis. “While no systems are perfect, this shows that we can continue to stop criminals and support law enforcement.”

    “We’re taking our time to get this right, and we don’t plan to finish the global rollout of end-to-end encryption by default across all our messaging services until sometime in 2023,” Davis said.

    The US, UK and Australia called on Facebook in 2019 to create a backdoor to access encrypted messages. Facebook has resisted these calls. Facebook CEO and co-founder Mark Zuckerberg announced the name change to Meta in November, a month after former employee Frances Haugen went public with allegations that the company’s algorithms are used to spread harmful content. Meta and its brands are facing new laws in the UK that could require them to protect users from harmful content.


    Hackers used this software flaw to steal credit card details from thousands of online retailers

    Over 4,000 online retailers have been warned that their websites had been hacked by cybercriminals trying to steal customers’ payment information and other personal information. 


    In total, the National Cyber Security Centre (NCSC) has identified 4,151 retailers that had been compromised by hackers attempting to exploit vulnerabilities on checkout pages to divert payments and steal details. It alerted the retailers to the breaches over the past 18 months. The majority of the online shops that cybercriminals exploited for payment-skimming attacks were compromised through known vulnerabilities in the e-commerce platform Magento. Most of those affected and alerted to the compromises and vulnerabilities are small and medium-sized businesses.

    The NCSC revealed the number of businesses it has notified about customer data being stolen ahead of Black Friday. It urges all retailers to ensure that their websites are secure ahead of the busiest online shopping period of the year to protect their business — and their customers — from cybercriminals.

    “We want small and medium-sized online retailers to know how to prevent their sites from being exploited by opportunistic cybercriminals over the peak shopping period,” said Sarah Lyons, deputy director for economy and society at the NCSC. “Falling victim to cybercrime could leave you and your customers out of pocket and cause reputational damage.”

    One of the key things that online retailers can do to help prevent payments and personal data from being stolen is to apply the available security patches that stop cybercriminals from being able to exploit known vulnerabilities in Magento and any other software they use.

    “It’s important to keep websites as secure as possible, and I would urge all business owners to follow our guidance and make sure their software is up to date,” said Lyons.

    Applying security patches in a timely manner is just one of the things recommended by the NCSC’s and British Retail Consortium’s Cyber Resilience Toolkit for Retail. This kit was released in October 2020, but the information on keeping websites secure from cyberattacks is still very much relevant today.

    “Skimming and other cybersecurity breaches are a threat to all retailers,” said Graham Wynn, assistant director for consumer, competition and regulatory affairs at the British Retail Consortium. “The British Retail Consortium strongly urges all retailers to follow the NCSC’s advice and check their preparedness for any cyber issues that could arise during the busy end-of-year period.”

    The compromised shopping websites were identified as part of the NCSC’s Active Cyber Defence programme, which has been monitoring for vulnerabilities that could impact online retailers since April 2020. The NCSC has also reiterated advice to consumers on how to stay safe when shopping online. The advice includes being selective about where you shop, only providing necessary information, ensuring the payment system used is protected and keeping online accounts secure.


    NextDC takes one-fifth stake in AUCloud during $35m capital raising

    AUCloud has announced it will commence an AU$35 million capital raising, which will include NextDC taking up an approximately 20% stake in the company as AUCloud eyes plans for national expansion. AUCloud said in a statement that it will raise the total by issuing new shares at AU$0.50 per share, which will also include a placement to NextDC of approximately AU$12.4 million. According to AUCloud, the funding will largely be used to scale the company to “critical mass”.

    “We continue to see a trend towards greater emphasis on sovereign cloud services to ensure all data remains within Australian legal jurisdictions,” AUCloud CEO and managing director Phil Dawson said. “Our strategic partnership with NEXTDC, a leading provider of premium data centre facilities, will provide access to a powerful national network of 1,500+ enterprise customers and 730+ channel partners. This equity raising capitalises AUCloud to extend its platform footprint into Brisbane, Melbourne, and Adelaide, and expand its customer reach into the large security-conscious enterprise market.”

    NextDC will also be entitled to a seat on the AUCloud board, which will initially be taken by NextDC CEO and managing director Craig Scroggie.

    “NextDC has an in-depth understanding of the underlying cloud market dynamics gained through our national network of premium data centre facilities across Australia. Following the injection of growth capital into AUCloud, we believe Phil and the team are very well positioned to benefit from the increasing trend towards sovereign IaaS cloud and high security solutions,” Scroggie said.

    AUCloud expects its pro-forma net cash position will increase to AU$41.5 million as of 31 October 2021, post-equity raising. AUCloud was one of four cloud providers awarded certified strategic status under the Australian government’s hosting certification framework in October. This followed in the footsteps of NextDC, which became a certified provider able to store sensitive data locally in August.


    Eftpos added security features go-live as digital upgrades continue

    Australian payments provider Eftpos has gone live with new online security features through a handful of payment merchants, ahead of a full rollout next year. These security features, which include two-factor authentication functionality, have initially been adopted by Till Payments, Fat Zebra, and Eftex. The rollout of these features is part of the five-year, AU$100 million investment Eftpos is making in digital upgrades to its network, designed to build protection in up-front for consumers and merchants rather than retrofitting security onto legacy systems.

    “This is a tipping point for Eftpos, online Australian businesses and the digital economy, and it is great to have partners like Till Payments, Fat Zebra, and Eftex onboard,” Eftpos chief Stephen Benton claimed. “This is a game changer for Eftpos and Australian retailers because retail is quickly transforming to become an increasingly digital marketplace, accelerated by COVID. Big economic benefits could flow from increased competition in addition to enhanced payments security.”

    The company said Eftpos payments are already available online for some card-on-file payments where banks have implemented the service for their merchant customers. Since launching the Eftpos digital service that enables least-cost routing (LCR) last year, Eftpos said it has been subject to zero fraud. LCR is an initiative aimed at promoting competition in the debit card market and helping to reduce payment costs in the economy.

    When a customer makes a contactless “tap-and-go” payment with their dual-network debit card — not a credit card — the merchant may choose to send the transaction via the debit network that costs them the least to accept. If the merchant chooses not to route, the transaction is instead sent via the default network programmed on the card, typically the Debit Mastercard or Visa Debit network. If a merchant uses LCR, it should not affect which deposit account the funds are paid from, and the three networks — Eftpos, Visa, and Mastercard — offer similar protections to the cardholder from fraud and disputed transactions.

    “This Eftpos extension will allow eCommerce merchants to securely send millions more online payments through Eftpos, resulting in substantial payment acceptance cost savings for their business and their customers,” Eftex general manager Ian Sanford said.


    For a limited time, new users can get a lifetime of VPNSecure Online Privacy for just $40

    StackCommerce


    It’s amazing how much affordable self-paced training is available online these days. For instance, even if you have no experience whatsoever, you can learn to be a Python programmer in no time, and their average salaries are over $80,000 a year. But you could also become an ethical hacker, learn to be a game developer, or choose from so many other options.

    However, just like when you are doing anything else online, you need to be extremely careful about protecting yourself when accessing educational content. And now, new users need never worry about that again, because a VPNSecure Online Privacy: Lifetime Subscription is currently available for only $39.99 during our pre-Black Friday sale.

    Obviously, your traffic will be encrypted so that hackers aren’t able to get access to your data. VPNSecure renders your traffic on the service unrecognizable with Stealth VPN. You also have full stack IP support (IPv4 + IPv6) and kill switches that will automatically disconnect you from the internet if your VPN connection is dropped. Your IP address and location will be hidden, and VPNSecure has a strict policy of absolutely no logging.

    Since you have access to servers in more than 45 countries, and new ones are being added all the time, you will be able to watch all of your favorite content no matter where you happen to be. VPNSecure fully supports torrents, and you are allowed unlimited bandwidth, so you should be able to stream smoothly with no buffering. You can use the service on five devices simultaneously, on desktop or mobile. There is an ad blocker option available at no extra charge, and so many other convenient features.

    Even Security.org was impressed. They said: “VPNSecure provided us with nearly everything we needed to search the web safely and even included some unique features like the Meta Search Engine.”

    You really don’t want to pass up this opportunity to protect yourself online for a lifetime. If you are a new user, get VPNSecure Online Privacy: Lifetime Subscription now while it’s available for only $39.99.



    FBI warning: This zero-day VPN software flaw was exploited by APT hackers

    The FBI has warned that a sophisticated group of attackers has been exploiting a zero-day flaw in a brand of virtual private networking (VPN) software since May.

    The FBI said its forensic analysis showed that the exploitation of the zero-day vulnerability in the FatPipe WARP, MPVPN, and IPVPN software by an advanced persistent threat (APT) group went back to at least May 2021. It did not provide any further information about the identity of the group.

    The vulnerability allowed the attackers to gain access to an unrestricted file upload function to drop a webshell for exploitation activity with root access, leading to elevated privileges and potential follow-on activity, the FBI said, noting: “Exploitation of this vulnerability then served as a jumping-off point into other infrastructure for the APT actors.”

    The FBI said the vulnerability affects all FatPipe WARP, MPVPN, and IPVPN device software prior to the latest version releases, 10.1.2r60p93 and 10.2.2r44p1. It warned that detection of exploitation activity might be difficult, as cleanup scripts designed to remove traces of the attackers’ activity were discovered in most cases. “Organizations that identify any activity related to these indicators of compromise within their networks should take action immediately,” the FBI said in an alert.

    “FBI strongly urges system administrators to upgrade their devices immediately and to follow other FatPipe security recommendations such as disabling UI and SSH access from the WAN interface (externally facing) when not actively using it.”

    FatPipe has its own advisory, FPSA006, which notes: “A vulnerability in the web management interface of FatPipe software could allow a remote attacker to upload a file to any location on the filesystem on an affected device. The vulnerability is due to a lack of input and validation checking mechanisms for certain HTTP requests on an affected device. An attacker could exploit this vulnerability by sending a modified HTTP request to the affected device.”


    Microsoft warning: Now Iran's hackers are attacking IT companies, too

    Microsoft has raised an alarm about a massive surge in Iranian state-sponsored hacking attempts against IT services firms.


    According to Microsoft, attacks from state-sponsored Iranian hackers on IT services firms were virtually non-existent in 2020, but this year exceeded 1,500 potential attacks. “Microsoft has observed multiple Iranian threat actors targeting the IT services sector in attacks that aim to steal sign-in credentials belonging to downstream customer networks to enable further attacks,” it said.

    Most of the targeting is focused on IT services companies based in India, as well as several companies based in Israel and the United Arab Emirates. Microsoft said that these attacks are another example of how nation-state actors are increasingly targeting supply chains as an indirect approach to their real targets.

    “Until July 2021, Microsoft had observed relatively little history of Iranian actors attacking Indian targets,” Microsoft said in a blog post from its Threat Intelligence Center (MSTIC) and Digital Security Unit (DSU). “Iranian threat actors are increasing attacks against IT services companies as a way to access their customers’ networks. This activity is notable because targeting third parties has the potential to exploit more sensitive organizations by taking advantage of trust and access in a supply chain.”

    It would seem Iranian hackers have learned lessons from successful software supply-chain hacks, such as the attack on SolarWinds, which targeted US federal agencies and key US cybersecurity firms, including Microsoft; the US and UK blamed that attack on Russia’s Foreign Intelligence Service. Microsoft says the Iranian attacks on IT services firms have trended upwards significantly in the past six months. “As India and other nations rise as major IT services hubs, more nation-state actors follow the supply chain to target these providers’ public and private sector customers around the world, matching nation-state interests,” Microsoft noted.

    Microsoft said it issued 1,788 nation-state notifications about Iranian actors to enterprise customers in India from mid-August to late September, roughly 80% of which were to IT companies, up from just 10 notifications issued in the previous three years in response to previous Iranian targeting. “Iranian cyber actors have rarely targeted India, and the lack of pressing geopolitical issues that would have prompted such a shift suggests that this targeting is for indirect access to subsidiaries and clients outside India,” Microsoft said. Microsoft is tracking the emerging threat actor as DEV-0228.

    This week, Microsoft also highlighted Iran’s growing interest in using ransomware to disrupt targets and coordinate these attacks with physical operations. The US, UK, and Australian governments subsequently urged admins to immediately patch Exchange email server and Fortinet VPN vulnerabilities. And last month, Microsoft warned that Iranian hackers were using password attacks against 250 Israeli and US organizations operating in the Persian Gulf.

    DEV-0228 used access to an IT company to extend its compromise to customers in the defense, energy, and legal sectors in Israel, according to Microsoft. “DEV-0228 dumped credentials from the on-premises network of an IT provider based in Israel in early July. Over the next two months, the group compromised at least a dozen other organizations, several of which have strong public relations with the compromised IT company,” it said.