Thankfully, November was relatively quiet when it comes to WordPress vulnerabilities and other data breaches.
Unfortunately, the same can’t be said for Apple, Google, Microsoft, and a couple of hosting providers. Oh, and a Ring doorbell could catch fire if you use the wrong screws during installation.
This month there was just a single plugin with a major vulnerability, although there is some concern about an attack on another plugin brewing.
- Ultimate Member is a plugin designed to improve user registration and account control on WordPress. The vulnerability exposed this month would allow an attacker to escalate privileges and become an administrator on the target site. This could cause a complete site takeover. A patched version of the plugin (2.1.12) was released at the very end of October. Patch now!
- While it’s not an active attack yet, there is active probing happening for WordPress sites running Epsilon Framework Themes. A security flaw discovered a few months ago (which would permit a full site takeover) is being probed on a massive scale – 7.5 million probing attacks against 1.5 million sites coming from over 18,000 IP addresses. If you’re running an Epsilon Framework theme, make sure it’s up-to-date.
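The two items above both come down to the same check: is the installed version of a plugin or theme below the version the vendor patched? The following script is an added example (not code from the post or from either plugin's authors) that reads the standard `Version:` header WordPress keeps in a plugin's main PHP file and compares it against a table of minimum patched versions. The Ultimate Member entry (2.1.12) is taken from the post; the sample header text, the plugin slug used as the lookup key, and the function names are constructed for this example.

```python
import re
from typing import Dict, Optional, Tuple

# Minimum versions known to contain the fix. "ultimate-member" -> 2.1.12 is
# the version named in the post; add further entries from vendor advisories.
MIN_SAFE_VERSIONS: Dict[str, str] = {
    "ultimate-member": "2.1.12",
}

# Constructed sample of a WordPress plugin header block. "Version:" is the
# standard header field WordPress itself parses; the value here is made up
# to show an out-of-date install.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Ultimate Member
 * Plugin URI:  https://example.invalid/
 * Version:     2.1.11
 * Text Domain: ultimate-member
 */
"""


def parse_version(header_text: str) -> Optional[str]:
    """Pull the value of the 'Version:' header line out of a plugin file."""
    m = re.search(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)\s*$",
                  header_text, re.MULTILINE)
    return m.group(1) if m else None


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '2.1.12' into (2, 1, 12) so versions compare numerically.

    A pre-release suffix such as '-alpha' is dropped, so '5.5.3-alpha' sorts
    as 5.5.3; that is acceptable for a "below the fix?" check.
    """
    core = re.split(r"[-+]", version, maxsplit=1)[0]
    return tuple(int(part) for part in core.split(".") if part.isdigit())


def needs_update(slug: str, installed: str) -> Optional[bool]:
    """True if the installed version is below the patched one, False if not,
    None if we have no patched version on record for this slug."""
    patched = MIN_SAFE_VERSIONS.get(slug)
    if patched is None:
        return None
    return version_tuple(installed) < version_tuple(patched)


def check_plugin(slug: str, header_text: str) -> dict:
    """Combine header parsing and the comparison into one report entry."""
    installed = parse_version(header_text)
    if installed is None:
        return {"slug": slug, "installed": None, "needs_update": None,
                "note": "no Version: header found"}
    return {
        "slug": slug,
        "installed": installed,
        "patched": MIN_SAFE_VERSIONS.get(slug),
        "needs_update": needs_update(slug, installed),
    }


if __name__ == "__main__":
    print(check_plugin("ultimate-member", SAMPLE_HEADER))
```

In a real audit you would loop over each directory under `wp-content/plugins/`, read the main PHP file, and feed its text to `check_plugin`; the table of minimum versions is the part you keep current as advisories come out.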
However, there was some other interesting WordPress activity.
Like I mentioned last month, WordPress automatically updated sites to 5.5.2 to patch a pretty major vulnerability in the Loginizer plugin. Unfortunately, the 5.5.2 version had a problem that prevented installation on a fresh website under some circumstances.
When WordPress discovered this mistake and “disabled” the automatic 5.5.2 update, some sites were automatically updated to 5.5.3-alpha. An alpha release is very early software, and often has significant bugs.
It appears that there was no major fallout from this mistake, luckily. Those websites that got the alpha software received the correct 5.5.3 shortly thereafter.
Get Help With Your WordPress Security
If you’ve got a WordPress site, it’s crucial to keep it up-to-date.
Since WordPress is one of the largest content management systems on the Internet today (39% of all websites), it’s also a huge target for attacks. And the biggest vectors for most attacks come from outdated and vulnerable themes and plugins.
If you need some help, check out my WordPress Maintenance Plan for an affordable way to keep your site backed up and up-to-date. I also offer WordPress Maintenance members free site work and a discount on future work. Check out the plan here.
Hosting Provider Exposed 63 Million Records
A hosting provider (Cloud Clusters, Inc) apparently left a massive database of 63 million records stored in an unsecured database.
Once the hosting provider was made aware of this by a security researcher, they locked the database. However, it’s unknown whether anyone had accessed the database before it was locked, how many people may have accessed the records, or how long they had been available.
If you’ve used Cloud Clusters hosting, make sure you change all your passwords and login credentials.
Managed.com Hit By REvil Ransomware
An attack against hosting provider Managed.com has taken their web servers and hosting systems down.
According to a disclosure, they were hit with a “coordinated ransomware campaign” earlier this month.
According to BleepingComputer, the REvil ransom is $500,000.
Stock Photo Service Breached
The stock photo site 123RF apparently suffered a data breach recently, since a database of 8.3 million user records was put up for sale on a known hacker forum.
The database includes users’ full names, email addresses, hashed passwords, PayPal email addresses, phone numbers, and physical addresses. The database does not appear to be recent, and 123RF says that it likely is from 2019.
If you’re registered at 123RF, make sure to change your password, and change your password on any other sites where you may have used the same (or a similar) password. Also, use something like LastPass to make sure you never duplicate passwords!
The biggest announcement from Apple this month was the release of the first Apple Silicon-powered Macs. Recent benchmarks have shown that performance-per-watt for the new M1 chips is impressive.
They also released MacOS 11 – Big Sur – but it’s apparently causing some major issues on older MacBook Pros.
It looks like it’s not just Microsoft that has potentially hardware-ruining updates!
Free Photo (and Documents) Storage Ends
After offering unlimited free photo backups for five years, Google Photos will now start charging if you’re storing more than 15 gigs of photos.
Additionally, Google Workspace files (documents and spreadsheets) will now count against the same cap. Plus, if you’re “inactive” (i.e. don’t log in) for two years, Google will delete your data.
This policy goes into effect on June 1, 2021. The good news is that photos and files uploaded before June 1 will not count against the 15 GB storage cap.
Pixel 5 Review: “Meh”
If you’re looking for the best Pixel phone, the Pixel 4a is still your best option.
Windows 7 Still Highly Used
Despite Microsoft aggressively pushing users into Windows 10, Windows 7 is still running on about 1/5th of computers, according to a report by NetMarketShare.
Given the wide range of vulnerabilities in recent versions of Windows, and the fact that Microsoft is not patching those security holes in Windows 7 (unless you have a special license), the number of computers that are just asking to be compromised is surprisingly high.
At this point, running Windows 7 is basically irresponsible. Especially if you’re dealing with sensitive or important data.
November’s Patch Tuesday
As if to underscore this point, November’s Patch Tuesday fixed over 100 vulnerabilities this month (112, to be precise).
Seventeen of these were labeled as “Critical”, and 93 as “Important”. You can see a list of all the patched vulnerabilities on BleepingComputer.com.
So far, I haven’t heard about any major issues stemming from this update, so make sure you patch now (if you haven’t yet)!
Ring, as you probably know, makes a line of video doorbells, cameras, and security systems. Ring is owned by Amazon, and has come under fire in recent years for building a private surveillance network.
However, this month Ring faced some more serious issues. One is relatively minor; the other is somewhat more troubling.
Don’t Screw Around
The “minor” issue is that Amazon and Ring have issued a recall for 350,000 2nd-generation Ring doorbells. The recall states that improperly-installed doorbells can catch fire.
Luckily, the “improper” installation involves the use of 3rd-party screws to install the Ring doorbell. Longer screws can come in contact with wires or other electrical components and cause a short-circuit which could lead to a fire.
If you’ve installed your Ring doorbell with the included screws, you’re fine. If not, go here and see if your doorbell is one of the recalled models.
A much more serious issue is Ring’s unwillingness to require customers to use robust security methods, instead allowing customers to use relatively weak passwords and not requiring the use of 2-Factor Authentication.
Because of this, and since Ring doesn’t do basic things like checking a user’s IP address (to see if it’s a new login) or checking for simultaneous sessions (especially from different countries), it’s easy for accounts to be compromised for months without the Ring owner being aware.
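The two checks called out above (a login from an IP the account has never used, and sessions active at the same time from different countries) are cheap to implement on the service side. The script below is an added example, not Ring’s code or anything from the articles the post cites; the login events are constructed, the country field is assumed to come from a GeoIP lookup done before this stage, the 12-hour session lifetime is an assumed value, and the function names are my own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Login:
    user: str
    when: datetime
    ip: str
    country: str  # assumed: filled in by a GeoIP lookup before this stage


# Constructed sample: one account, three logins from its usual IP and one from
# a never-before-seen IP in another country 25 minutes after a normal login.
SAMPLE_LOGINS: List[Login] = [
    Login("alice", datetime(2020, 11, 3, 8, 0), "203.0.113.10", "US"),
    Login("alice", datetime(2020, 11, 4, 9, 15), "203.0.113.10", "US"),
    Login("alice", datetime(2020, 11, 4, 9, 40), "198.51.100.77", "RO"),
    Login("alice", datetime(2020, 11, 10, 22, 5), "203.0.113.10", "US"),
]


def first_seen_ips(logins: List[Login]) -> List[Login]:
    """Return logins from an IP the account has not used before.

    The account's very first login has no history to compare against, so it
    is not flagged; every later login from a new IP is.
    """
    seen: Dict[str, Set[str]] = {}
    flagged: List[Login] = []
    for login in sorted(logins, key=lambda l: l.when):
        known = seen.setdefault(login.user, set())
        if login.ip not in known:
            if known:
                flagged.append(login)
            known.add(login.ip)
    return flagged


def concurrent_cross_country(
    logins: List[Login], session_ttl: timedelta = timedelta(hours=12)
) -> List[Tuple[Login, Login]]:
    """Return pairs of logins for the same user whose sessions would overlap
    (second login within session_ttl of the first) but come from different
    countries. Events are scanned in time order, so the inner loop can stop
    as soon as a later login falls outside the session window."""
    ordered = sorted(logins, key=lambda l: l.when)
    alerts: List[Tuple[Login, Login]] = []
    for i, first in enumerate(ordered):
        for later in ordered[i + 1:]:
            if later.when - first.when > session_ttl:
                break
            if later.user != first.user:
                continue
            if later.country != first.country:
                alerts.append((first, later))
    return alerts


def summarize(logins: List[Login]) -> Dict[str, int]:
    """Counts of each alert type, the shape a monitoring dashboard would want."""
    return {
        "new_ip_logins": len(first_seen_ips(logins)),
        "cross_country_overlaps": len(concurrent_cross_country(logins)),
    }


if __name__ == "__main__":
    for login in first_seen_ips(SAMPLE_LOGINS):
        print(f"new IP for {login.user}: {login.ip} ({login.country}) at {login.when}")
    for first, later in concurrent_cross_country(SAMPLE_LOGINS):
        print(f"overlapping sessions for {first.user}: "
              f"{first.country} then {later.country} {later.when - first.when} later")
    print(summarize(SAMPLE_LOGINS))
```

Either alert on its own is a reason to notify the account owner (a new-device email) or to require a second factor before the session is honoured; both together, as in the sample, are a strong signal that the credentials are being used by someone other than the owner.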
Motherboard did an excellent article about the lack of Ring security in late 2019, and it doesn’t sound like much has changed. A new article (also from Motherboard) shows what can happen when a malicious actor gets a hold of someone’s Ring credentials. Essentially, a 21st-Century SWATting incident.
If you’ve got a Ring doorbell, make sure you use all the security measures provided to you. Use a long, unique password, and turn on 2-Factor Authentication. Just these two basic actions (which you should be doing everywhere) make your account more secure than the vast majority of other accounts. And while nothing is hack-proof, making yourself a more difficult target is the current goal of most online security measures.