There was lots of privacy and security news this month!
The biggest news: bad actors are taking advantage of the COVID-19 pandemic in a variety of ways.
WordPress was a big target this month, with new and old exploits being used in massive numbers. Some of the plugins that have been exploited this month have over 1 million installs. If this isn’t a great lesson in keeping your WordPress sites up-to-date, I’m not sure what is!
Also in the news this month:
- Two pieces of malware (one on Android, one via email) have been targeting financial login information.
- A great new way to find out which Twitter accounts are (probably) bots (and what they’ve been amplyfing).
- Several large sites have had private user data put up for sale. Make sure you’ve got strong authentication protection in place!
- Google’s Pixel 3a phones have gotten a deep discount at Amazon, and Google’s new Pixel Buds are much better than their previous model
- Microsoft has released a bunch of new (and improved) hardware.
Security
WordPress
The TL;DR for this section is: keep your WordPress site up-to-date.
Hackers aren’t taking a break and the best way to keep yourself safe is to keep your site up-to-date!
Here is a partial list of some of the biggest exploits:
- Elementor Pro and Ultimate Addon for Elementor: Installed on over 1 million sites these plugins are under active attack. The newest version of Elementor Pro has patched the vulnerability. This vulnerability allows remote code execution on your site and could lead to a site takeover.
- A (separate) large-scale campaign targeting over 1 million sites using vulnerabilities in several plugins. Plugins affected include Easy2Map, Blog Designer, WP GDPR Compliance, Total Donations, and the Newspaper theme. Many of these plugins have removed the vulnerabilities in their most recent versions, so make sure you are up-to-date!
- The WP Product Review Lite plugin (installed on 40,000+ sites) had a bug discovery that allowed an unauthenticated user to inject malicious code into to Product Review database. With the right code, an attacker could potentially take over the site or infect site visitors.
- A couple of vulnerabilities in the Page Builder by SiteOrigin (over 1 million installations) would allow an attacker to create a new admin account, or inject a backdoor into a site for later exploitation. This has been patched in the most recent version of Page Builder.
- A vulnerability in Site Kit by Google allowed any signed-in user to become a Search Console owner of your site. As a Search Console owner, an attacker could remove your site pages from Google results, modify your sitemap, or cause other damage that would lower your search ranking.
GoDaddy
A breach happened in mid-October of 2019 that disclosed the SSH credentials of around 28,000 GoDaddy hosting accounts.
GoDaddy discovered the breach on April 23, 2020, disclosed it on May 4, 2020.
If you use GoDaddy hosting, it’s a good idea to update your site’s database password, and make sure you don’t have an unauthorized users on your site.
There’s also an additional concern – if you’ve got a GoDaddy-hosted site, be cautious of any notices you receive via email. GoDaddy has millions of users, and only a small percentage of them appear to have been impacted, but because all of GoDaddy’s users may be expecting an email, they are more likely to trust emails that appear to be from GoDaddy and request sensitive information.
If you get a questionable email from GoDaddy, don’t respond. Go directly to the GoDaddy site and contact them using their standard support channels. Never email passwords or other login information, even if they ask for it and appear legitimate.
Android Banking Trojan
If you’ve got an Android phone, you should know about a new version of banking malware that has targeted a wide range of banking, money transfer, and cryptocurrency services.
EventBot – discovered in March 2020 – is not known to be distributed via the Google Play Store, but likely comes from less-reputable APK-hosting websites and marketplaces.
The malware asks for a large number of permissions upon installation (running in the background, ignore battery optimizations, run in the background, read text messages, etc.). It also to use Android’s accessibility services, which allow it to receive keystrokes and notifications from other apps and windows. With this access it can read text messages (to steal 2FA codes), and use these to infiltrate your financial accounts.
If you download apps from places other than the official Google Play App Store, be very careful. Also, pay attention to the permissions requested by an app – if the requested permissions don’t make sense, email the app creator or uninstall the app!
An(other) Email Banking Trojan
Zloader is not a new piece of malware – it was actually last seen in 2018, but it has made a big comeback.
Since the beginning of 2020, security researchers have seen more than 25 different versions used in over 100 email campaigns.
These emails have recently been COVID-19-related, and often times entice the users to click by either pretending to warn of COVID-19 scams or contain details of government relief payments.
Once a user clicks, the malware steals private banking credentials and information from the victim’s browser, and then use this data to log on to the victim’s online bank account(s) through the victims own computer without their knowledge.
Since the logon (and subsequent financial transfers) happen using the customer’s computer and credentials, this malware raises little suspicion at the bank and makes it more difficult to dispute the transaction once it is noticed.
Privacy
Apple vs. FBI (Again)
The FBI and US Department of Justice are beating the drum of “encryption is for criminals” again.
This latest time involves the iPhone from a 2019 shooting at a military base in Florida. When Apple refused to unlock the gunman’s iPhone (although they did provide iCloud backups and other account information), the FBI and William Barr’s Department of Justice decided that Apple is essentially creating a “haven for criminals”.
What the FBI and DoJ seem to want is for Apple (and Facebook, Google, Microsoft, Dropbox, etc.) to drop real encryption and replace it with “encryption lite” with a backdoor for law enforcement or other government entities.
What they seem to not understand (or not care about), is that having a backdoor means that anyone can come in. Encryption is math. There’s no way to make a backdoor that only “good guys” can use. That’s like making a gun that only “good guys” can shoot. It doesn’t exist.
Apple has said repeatedly that they won’t re-engineer (and weaken) their phone’s encryption for law enforcement.
More User Databases for Sale
A hacking group known as Shiny Hunters has been selling user databases from alleged data breaches from 11 different companies.
The databases include Tokopedia (Indonesia’s largest online store), Unacademy, Homechef, Chronicle.com, Zoosk, ChatBooks, and several others. You can see the full list of companies here.
A data breach at Home Chef, a US-based meal kit delivery service, caused the selling of a database containing 8 million user records earlier in the month.
Additionally, an apparent breach at Mathway has put about 25 million user records up for sale on the dark web. Mathway is an online calculator that allows users to type in math questions and receive an answer for free.
As always, if you have an account at any of these companies, change your password now. If that password (or a similar one) is reused on another site, make sure to change those too!
Chrome Gets DoH (and more!)
The newest version of Google’s Chrome browser (version 83) was released earlier this month, and includes quite a few security and privacy enhancements.
The biggest changes include the ability to use secure DNS (to keep your ISP from seeing (and monetizing) your browsing habits), updated cookie controls (block 3rd-party cookies in regular or incognito mode by default), a new Safe Browsing feature (which checks sites you visit in real time for malicious URLs and files), and a Firefox Monitor-like feature that will scan your saved credentials to see if they are present in any known compromised databases.
Social Media
An interesting new browser plugin, BotSite, is attempting to show which twitter accounts are probably real and which are probably bots. It shows the results live and right next to the Twitter handle name.
This is especially interesting (and very useful) considering that a report from the MIT Technology Review shows that almost half of the Twitter accounts that are aggressively pushing a rapid US reopening are likely bots.
In this time of massive and automated misinformation, knowing who is and isn’t “real” on social media is important. The plugin is free, and it works with Chrome/Chromium and Firefox browsers, and you can download it here.
Hardware
Google’s Pixel 3a and 3a XL On Sale
Starting a few days ago the “value” models in Google’s Pixel line of phones went on sale for very attractive prices.
This is likely in preparation for the release of the Pixel 4a. But if you’re looking for a quality mid-range Android phone, the 3a (and 3a XL) are highly competitive products and they get updates straight from Google.
I mentioned earlier this year how the next wave of high-end Android phones will possibly be handicapped by weird modem and processor architecture changes. This means that mid-range phones are likely to make a resurgence this year.
While the 3a is last year’s midrange Pixel, it still stands up well against it’s 2020 counterparts in specs. Plus, it gets all-important security and feature updates directly from Google.
Google’s Pixel Buds Are [Really] Good Now
After Google released the not good Pixel Buds, they’ve come out with a pretty great second version.
This time the wireless earbuds are actually wireless, and it sounds like they’ve got pretty good sound, fit, and quality. There’s no active noise cancellation, but the touch controls and quick-access to Google Assistant make these a great option if you’re looking for some new wireless earbuds for your Android phone.
New Microsoft Surface Products
While Windows is a source of almost constant stress and annoyance lately, Microsoft is on a good hardware streak.
The recently unveiled their next-generation 2-in-1 laptop (with detachable screen), the Surface Book 3; a new entry-level tablet PC with the Surface Go 2; an updated version of their over-ear headphones with the Surface Headphones 2; and the long-promised Surface Earbuds have now been released.
If you’re looking for some quality Windows hardware, the Surface line from Microsoft has you covered!
Leave a Reply