Thursday, December 29, 2016

PHPMailer Hack puts millions of WordPress Sites at risk


Fancy WordPress design and marketing firms can create a pretty site, but 9.9 times out of 10, security is severely lacking. Once you have been burned, it is just too late. But try convincing your customers of that.

Well this one will grab you where it counts. A critical remote code execution vulnerability in PHPMailer, one of the most widely used PHP email sending libraries, could put millions of websites at risk of hacking.

The flaw was found by a security researcher named Dawid Golunski and an initial fix was included in PHPMailer 5.2.18, which was released Saturday. However, it turns out that the patch was incomplete and can be bypassed.

The PHPMailer library is used directly or indirectly by many content management systems (CMSs) including WordPress, Joomla and Drupal. Where the library is not included in their core code, it is likely available as a separate module or can be bundled with third-party add-ons.

Below is a maliciously crafted email address which, if the form does not validate it, will allow the code to run.

From https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.htm

# Bypass / PHPMailer < 5.2.20 Remote Code Execution PoC Exploit (CVE-2016-10045)

"\"attacker\\' -oQ/tmp/ -X%s/phpcode.php  some\"@email.com"
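
One way to enforce the form-side validation mentioned above, shown as an added example (not code from the advisory or from PHPMailer): a deliberately narrow allowlist for a visitor-supplied sender address. The helper name is_safe_sender() and the sample inputs are assumptions constructed for illustration; updating PHPMailer past the versions named in the advisory title is still needed.

```php
<?php
// Added example: strict allowlist check for a visitor-supplied sender address.
// is_safe_sender() is a hypothetical helper, not part of PHPMailer. Call it on
// form input before the value is handed to PHPMailer's setFrom().

function is_safe_sender(string $address): bool
{
    // Reject oversize input before any pattern matching.
    if (strlen($address) > 254) {
        return false;
    }
    // Unquoted local part only: no whitespace, quotes or backslashes.
    // This is intentionally narrower than the RFC grammar, which permits
    // quoted local parts containing spaces (the shape of the address above).
    // \A and \z anchor the whole string; unlike $, \z does not tolerate a
    // trailing newline.
    $pattern = '/\A[A-Za-z0-9][A-Za-z0-9._%+-]{0,63}@'
             . '(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+'
             . '[A-Za-z]{2,63}\z/';

    return preg_match($pattern, $address) === 1;
}

// Constructed sample inputs; the last one is the crafted address quoted above.
$samples = [
    'alice@example.com',
    'bob.smith+news@mail.example.org',
    'eve smith@example.com',
    "carol@example.com\n",
    '"attacker\\\' -oQ/tmp/ -X%s/phpcode.php  some"@email.com',
];

foreach ($samples as $candidate) {
    $verdict = is_safe_sender($candidate) ? 'accept' : 'reject';
    // Print control characters as escapes so each result stays on one line.
    printf("%-7s %s\n", $verdict, addcslashes($candidate, "\0..\37"));
}
```

The first two samples are accepted and the remaining three are rejected, including the quoted local part with embedded spaces.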

Monday, December 26, 2016

Are Macs safer than Windows? Ans: A resounding NO, TL;DR read the highlighted text

You would be amazed at how many people believe, and how many Apple Store representatives perpetuate, the following myth:

"Macs don't need an anti-virus solution" 💣 EPIC FAIL 💀


Anecdote


This very discussion occurred before Christmas, consequently triggering the writing of this post, when my niece purchased a MacBook Air at a local Apple Store. For the record, I was not present. In a dinner discussion with my niece, she insisted that "Macs don't need anti-virus and it slows down the computer." I drilled her, and asked her what the Apple Store attendant said. She did ask, and paraphrased the attendant: "Ah, it doesn't need it." So, I spent the next few hours lecturing her on how bad an idea it is to surf the internet without antivirus. That's like a woman going shopping without a purse. No money, no funny. It is very difficult to convey risk to a 17-year-old, given her credit card info is stored on the laptop for the Apple Store, and can be ransomed.

Not only is "Macs don't need an anti-virus solution" misleading, in my opinion it verges on libel. The potential for credit card charges, fraud and identity theft is very high.

Myth


Let's kill the "Macs don't need an anti-virus solution" misinformation for good.

The great thing about the internet is factual data.


Threats Designed for Mac


Experts have detected several malicious programs for Mac OS X; here are some notable mentions:


  • Backdoor.OSX.Laoshu – a malicious program that takes a screenshot every minute. This backdoor is signed with a trusted developer certificate, which means the creators of the program were about to place it in the App Store.
  • Backdoor.OSX.Ventir – a multi-module Trojan spy with a hidden remote control function. It includes the keystrokes interception driver logkext, the source code for which is publicly available.
  • Trojan-Downloader.OSX.WireLurker – an unusual piece of malware designed to steal victims’ data. It attacks not only Mac-based computers but iOS-based devices connected to them. There is also a Windows-based version of this malicious program. It is distributed via a well-known Chinese store that sells apps for OS X and iOS.

Number of Vulnerabilities

According to our friends at the Security Vulnerability Database [1], for 2015 (Mac's worst year):

  1. Mac OS X had 444 vulnerabilities versus Windows 8.1, which had 151 (see chart below and drill into the details!).
  2. Mac OS X has nearly 3x the number of vulnerabilities of any version of Windows!
  3. Mac OS X has nearly 2x the number of vulnerabilities of Ubuntu Linux!

[1] CVE Details (www.cvedetails.com) is a security vulnerability database that organizes data provided by the National Vulnerability Database (NVD) in an easy-to-use web interface. As its name implies, the Common Vulnerabilities and Exposures (CVE) system keeps track of publicly known information-security vulnerabilities and exposures.
CVE is a list of information security vulnerabilities and exposures that aims to provide common names for publicly known problems. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, repositories, and services) with this "common enumeration."

CVE Identifiers (also called "CVE names," "CVE numbers," "CVE-IDs," and "CVEs") are unique, common identifiers for publicly known information security vulnerabilities.


Infection Rate

According to the McAfee Labs Quarterly Threat Report, June 2017, Mac OS X malware is on the rise.


In 2014, Kaspersky introduced its first line of products designed to protect Mac OS X systems; they blocked almost 3.7 million infection attempts that year. 19 million Mac computers were sold in 2014.

Kaspersky also detected 1,499 malicious programs designed to target Mac OS X, 200 more than the previous year.

The number of Mac exploits is rising year over year.


Additionally, infections go way back. To give the above chart some additional perspective: in 2012, the number of Macs that suffered from the Flashback Trojan virus was estimated to reach 700,000.





Conclusion 

Macs have fewer attacks, but you are more vulnerable than on Windows.

On average, a Mac user encountered 9 threats during 2014.

No one is safe, however; remember this factoid:



Commentary

So suck it, Mac heads, you are not safe. You simply benefit from hacker laziness, not being attacked as much because Mac has about 7% of the desktop market vs. 91% for Windows in 2016 (see graph below).

The same debate is happening now with smartphones and tablets: iOS against Android. Numbers show that more than 90% of mobile malware exists on Android. Why? Well, because Android owns over 80% of the mobile market.


Call to Action

Mac users need to get an anti-virus solution. I recommend Kaspersky, rated the #1 anti-virus for many years in a row, available for Windows, Mac, Linux, iPhone and Android phones.

Chart from Security Vulnerability Database at https://www.cvedetails.com/top-50-products.php?year=2015

Rank | Product Name | Vendor Name | Product Type | Number of Vulnerabilities
1 | Mac Os X | Apple | OS | 444
2 | Iphone Os | Apple | OS | 387
3 | Flash Player | Adobe | Application | 329
4 | Ubuntu Linux | Canonical | OS | 259
5 | Air Sdk | Adobe | Application | 259
6 | AIR | Adobe | Application | 259
7 | Air Sdk & Compiler | Adobe | Application | 259
8 | Opensuse | Novell | OS | 237
9 | Internet Explorer | Microsoft | Application | 231
10 | Debian Linux | Debian | OS | 230
11 | Chrome | Google | Application | 187
12 | Firefox | Mozilla | Application | 179
13 | Solaris | Oracle | OS | 162
14 | Windows Server 2012 | Microsoft | OS | 155
15 | Windows 8.1 | Microsoft | OS | 151
16 | Windows Server 2008 | Microsoft | OS | 150
17 | Windows 7 | Microsoft | OS | 147
18 | Windows 8 | Microsoft | OS | 146
19 | Windows Rt 8.1 | Microsoft | OS | 139
20 | Windows Rt | Microsoft | OS | 138
21 | Windows Vista | Microsoft | OS | 136
22 | Safari | Apple | Application | 135
23 | Acrobat | Adobe | Application | 130
24 | Acrobat Reader | Adobe | Application | 130
25 | Android | Google | OS | 125
26 | Fedora | Fedoraproject | OS | 125
27 | Itunes | Apple | Application | 101
28 | Acrobat Reader Dc | Adobe | Application | 97
29 | Acrobat Dc | Adobe | Application | 97
30 | Firefox Esr | Mozilla | Application | 95
31 | Watchos | Apple | OS | 88
32 | Linux Kernel | Linux | OS | 86
33 | JRE | Oracle | Application | 80
34 | JDK | Oracle | Application | 80
35 | Mysql | Oracle | Application | 77
36 | Enterprise Linux Server | Redhat | OS | 71
37 | Fusion Middleware | Oracle | Application | 68
38 | Enterprise Linux Workstation | Redhat | OS | 68
39 | Enterprise Linux Desktop | Redhat | OS | 68
40 | Enterprise Linux Hpc Node | Redhat | OS | 67
41 | Apple Tv | Apple | Application | 57
42 | Windows 10 | Microsoft | OS | 53
43 | Apple Tv | Apple | OS | 52
44 | Enterprise Linux Workstation Supplementary | Redhat | OS | 52
45 | Enterprise Linux Desktop Supplementary | Redhat | OS | 52
46 | Enterprise Linux | Redhat | OS | 52
47 | Suse Linux Enterprise Desktop | Novell | OS | 51
48 | Enterprise Linux Server Supplementary Eus | Redhat | OS | 50
49 | Enterprise Linux Server Supplementary | Redhat | OS | 49
50 | Enterprise Linux Server Eus | Redhat | OS | 47




Graph from https://netmarketshare.com/

Friday, December 23, 2016

How to fix Google Chrome - Your connection is not private

If you are getting "Your connection is not private" in Google Chrome and reloading does not help, this post will fix the most common cause.

First, note the type of NET error (red arrow in pic below), which will help you diagnose the issue.


This post will solve the following NET errors:
  1. "NET::ERR_CERT_DATE_INVALID" or "Your clock is behind" or "Your clock is ahead" - means you cannot use HTTPS because the server's SSL certificate looks expired when checked against your computer's clock.

    Solution: Set the date and time exactly, synchronized to an atomic clock. See below.

  2. NET::ERR_CERT_COMMON_NAME_INVALID or NET::ERR_CERT_AUTHORITY_INVALID - means that the name on the certificate does not match the site you are visiting. The server's certificate does not match the URL, so the server could not prove that it is the trusted website because its security certificate is from a different URL.

    Quick Solution: Try loading the page with http:// instead of https://, since some top websites still use http://, but this is usually not the cause. Plain http:// is unencrypted, so do not enter passwords or payment details on a page loaded this way.

    Solution: Set the date and time exactly, synchronized to an atomic clock. See below.

Other common NET errors are:

  1. NET::ERR_CERT_AUTHORITY_INVALID – means the authority that issued the SSL certificate is unverified.
  2. NET::ERR_CERT_REVOKED – means the SSL certificate has been revoked by the issuing authority.

    Solution:
    https://support.google.com/chrome/answer/6098869


Solution: How to set exact time on Windows 8, 8.1, 10

Right-click the time in system tray (1) and choose Adjust date/time (2)






Make sure "Set time automatically" is On. This will update from Microsoft's default time server.

Done!


Now that should update your clock to match your phone time exactly! Being off by a few seconds can cause this error.


Click the Reload button on the page. This should fix the issue. If not, then the time has not updated; see below!


If the time does not update immediately, continue below to force a refresh!

Detailed Time Settings

Choose Region & language on the left panel.

In the diagram below, follow these steps as numbered:

  1. Choose Additional date, time & regional settings.
  2. A new window opens; click Set the time and date.
  3. Another window opens; choose the Change settings... button.



This opens a window titled Internet Time Settings.

It shows the Internet time server the clock is currently synchronized with.

Click Update now to refresh and get the exact current time!



Done.


Click Reload button in Google Chrome. This should fix the issue.

Set a Time Server for your country

NOTE: For privacy and more accurate time, choose a time server close to you. Most of these time servers are based on the official atomic clock for your country.

Each respectable nation in the world has its own time servers; here's a brief list:

  1. USA - time.nist.gov
  2. Canada - time.nrc.ca
  3. UK - ntp2c.mcc.ac.uk, University of Manchester
     (the UK National Physical Laboratory NTP server is no longer funded)
  4. More NTP servers, for other countries, are listed here:
    http://support.ntp.org/bin/view/Servers/StratumOneTimeServers


Solution:  How to set exact time on Windows 7

Same as above for Windows 10.


Wednesday, December 14, 2016

Canadian Cybersecurity Survey 2016

Tip! The Page-Up and Page-Down keys are enabled when you click on the presentation.