Hackers Find WordPress Easy Pickings

Adobe Reader and Oracle Java aren’t alone in having a bull’s eye painted on their code by hackers. WordPress also is becoming a popular target for Internet outlaws.

It’s quite a large target, too. About 18 percent of the sites on the Web — about 60 million of them — use WordPress.

One reason WordPress is attracting hacker attention is that it’s so easy to write plug-ins for it, noted Maty Siman, founder and CTO of Checkmarx.

There are more than 25,000 plug-ins written for WordPress. “That’s good for WordPress, but it has some bad security implications,” Siman told TechNewsWorld.

For instance, every week there are at least two advisories on critical security vulnerabilities in a WordPress plug-in.

Hacker’s Paradise

Checkmarx is releasing a study Tuesday on vulnerabilities in WordPress plug-ins. The task was daunting, Siman confessed.

Six months ago, the company started scanning just the top 50 WordPress plug-ins.

“We were overwhelmed by the sheer amount of results,” Siman said.

So the researchers limited themselves to the five most critical vulnerabilities — SQL injection, cross-site scripting, cross-site request forgery, file inclusion and pass reversal.

“Once we limited ourselves to those vulnerabilities, the results were more meaningful — yet shocking,” Siman said. “We found that 30 percent of the top 50 plug-ins were found to be vulnerable to at least one of the vulnerabilities.”

With numbers like that, it’s no wonder hackers are paying more attention to WordPress.

“They’ve found it’s relatively easy to hack WordPress,” Siman observed, “and the benefit of hacking such a website is huge, because once you find a vulnerability, you can hack into millions of websites.”

Coalition Targets NSA

Mozilla and more than 60 technology and business organizations announced last week a coalition to prod federal action to address what they see as broad violations of U.S. citizens’ privacy rights by the National Security Agency.

The NSA has been exposed by whistleblower Edward Snowden as mounting a massive data fishing expedition through the servers of Google, Facebook, Microsoft and others and daily hoovering all phone calls made on Verizon’s phone network.

The high-tech giants all initially denied any willing participation in the NSA’s surveillance campaign. However, Facebook, Microsoft and Apple have recently disclosed some information regarding their compliance with government requests.

There’s a lesson about responsibility from the NSA flap, said Free Press Internet Campaign Director Josh Levy.

“This moment is a wake-up for Internet companies — for established companies like Facebook and Google, but also for startups and folks trying to get into these spaces,” he said.

With Great Nets Come Great Responsibility

“They’re realizing that storing users’ data and creating these vibrant platforms, if successful, become mainstays of people’s lives,” Levy continued.

“It entails quite a bit of responsibility,” he added, “and maybe it’s the kind of responsibility that folks like Mark Zuckerberg didn’t really expect to have when they started out years ago.”

The Mozilla coalition is calling on Congress to take the following steps:

  • Reform federal law to prohibit blanket surveillance of Internet activity and phone records of any person residing in the United States, and to require that violations of that prohibition be reviewed in adversarial proceedings before a public court;
  • Create a special committee to investigate, report, and reveal to the public the extent of domestic spying, and to make specific recommendations for legal and regulatory reform to end unconstitutional surveillance; and
  • Hold accountable those public officials who are found to be responsible for unconstitutional surveillance.

Trojan Spreads via Bluetooth

Some Android malware that includes Bluetooth in its propagation toolbox was discovered by Kaspersky Lab last week.

The malware — dubbed “Backdoor.AndroidOS.Obad.a,” is a multifunction Trojan that can send SMS messages to premium rate numbers and download malware to a phone.

It also tries to infect other phones over a Bluetooth connection.

“It’s pretty unusual,” Kaspersky Senior Malware Analyst Denis Maslennikov told TechNewsWorld.

“We’ve never seen this before — but it’s unlikely that this technique would become common and widespread,” he added.

“Besides the fact that Obad can operate as a classic backdoor, it’s as sophisticated as many other types of malware for Windows,” noted Maslennikov. “Growing complexity of mobile malware is becoming a new trend today, and we expect to see more sophisticated threats in the near future.”

Data Breach Diary

  • June 10. Invincea discovers link from The Drudge Report leads to a Washington Free Beacon story that contains malware infecting anyone who landed on the page.
  • June 11. Kaspersky Lab identifies Chinese-government-linked hacker group it calls “Red Star APT.” Made up of about 50 people and active since 2004 or 2005, the group is responsible for 350 high-profile attacks, according to Kaspersky. Victims include government agencies, embassies, universities, defense contractors, and oil companies in 40 countries.
  • June 12. Protiviti releases annual Security and Privacy survey that shows two-thirds (68 percent) of respondents said they had elevated their focus on information security in response to recent press coverage of so-called “cyberwarfare.” However, when asked if their organizations had a formal and documented crisis-response plan for use following a data breach or hacking incident, more than one-third reported that either their organizations did not (21 percent) or that they did not know (13 percent).
  • June 14. Identity protection firm CSID releases survey finding that only 12 percent of small businesses have a data breach preparedness plan. Researchers also find that 55 percent of the small businesses in the survey store Social Security numbers; 80 percent, email addresses; and 70 percent phone numbers and home addresses of employees, customers and partners.

Upcoming Security Events

  • June 14-22. SANSfire 2013. Washington Hilton, 1919 Connecticut Ave. NW,Washington, D.C. Course tracks range from US$1,800-$4,845.
  • June 18. Say Yes to BYOD and No to Threats. 2 p.m. ET. Watchguard webinar. Free.
  • June 20. Top Ten Web Defenses. 2 p.m. ET. Black Hat webcast sponsored by Symantec. Free.
  • June 25-26. ICF International CyberSci Summit 2013. Arlington Hilton Hotel, Arlington, Va. Registration: $650.
  • June 28. Small Company Cyber security Awareness Seminar. 2 p.m.-5 p.m. ICT Knowledge Transfer Network, Birmingham, UK. Free.
  • July 24. Cyber Security Brainstorm. Newseum , Washington, D.C. Registration: non-government employees $495; July 24, $595.
  • July 27-Aug. 1. Black Hat USA 2013. Caesars Palace, Las Vegas. Registration: June 1-July 24, $2,195; July 25-Aug. 1, $2,595.
  • Sept. 24-27. ASIS International 59th Annual Conference. McCormick Place, Chicago. Registration: Before Aug. 21, $895 member, $1,150 non-member. After Aug. 20, $995 member, $1,295 non-member.

John Mello is a freelance technology writer and former special correspondent for Government Security News.

1 Comment

  • There is no denying that WordPress has become one of the most popular framework for web developers. The flexibility and multiple plugin support that it provides will surely AM aze anybody. These are the reasons that WordPress can be hacked easily because of fault in plugins and more importantly username and passwords would be hacked using brute force attack. We as Techcronus having expert WordPress developers to develop secure web applications. Reach us at:

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Malware

Technewsworld Channels