Friday 13 December 2013

Canadian ISP learns folly of unpatched WordPress sites

Storm-spam_featureOttawa-based Storm Internet learned a valuable lesson in keeping software up to date – especially when its the content management system behind your website, report malware researchers at Blue Coat.
Without knowing it, the Internet service provider was hosting thousands of malware pages peddling the familiar Canadian Pharmacy spam along with a lot of other malware and junk you generally don’t want on your servers. The Blue Coat team noticed the malicious activity on the site and linked it back to an intrusion on Nov. 27 to Storm’s site caused by a malicious PHP file that was uploaded into the WordPress uploads directly via a vulnerability in the “wp_mailinglist” plugin. After that foothold was gained, hackers found their way into the main WordPress directory and started generating malware pages as needed.
As soon as the Storm.ca security team found about about it, they responded to take down the offending web pages. As author Chris Larsen points out, the team was also kind enough to volunteer some tips on how others facing similar problems could respond in the same situation, or avoid it in the first place.
To avoid a similar fate on your own WordPress site, Larsen recommends following these steps:
  • Remove/disable unused plugins. [Ideally, people with responsibility for web site security will reviewallplugins their site uses, from a risk/benefit perspective: knowing that each such plugin increases the "attack surface" of the site, is the benefit it provides worth the additional risk?]
  • Modify your apache config to not allow the PHP engine to run on any files within the wp-content/uploads tree, so even if someone can upload arbitrary files in there, they won’t be easily executable.
  • Remove write permissions on the wp-contenttree.  It’s convenient to allow WordPress to be able to self-update plugins, but not at the cost of having the whole directory tree forced to be writable by the server.
  • Disable allow_url_fopen and allow_url_includein php.ini — why is that defaulted to allowed?
  • Finally, upgrade WordPress and all plugins to their latest versions!

Iran fears Assassinations, cyber-attacks and possible military strikes

Assassinations, cyber-attacks and possible military strikes: As nuclear negotiations with Iran enter a crucial stage, Tehran is voicing fears that tougher oversight of its activities will increase the risks of an attack on its atomic facilities and the scientists working on them.
Iranian fears that the country's nuclear activities are a target are plausible but some nuclear experts say such concerns are overblown.
Five of Tehran's nuclear scientists and researchers have been killed in Iran since 2010 and a computer virus aimed at the heart of Tehran's nuclear program temporarily slowed its uranium enrichment activities three years ago.
Since then, Iran has claimed to have thwarted other potential malware invasions. It blames Israel, the United States or their allies for the physical and virtual attacks
There have been no reports of recent attacks, but Iranian officials are clearly concerned that opening their nuclear program to greater perusal could increase the security risk. Public calls for alertness have recently increased and a senior Western diplomat has told The Associated Press that Iran is now also playing up the fears of sabotage in resisting demands that it allow live cameras to monitor its facilities.
Tehran's Tasnim news agency recently quoted senior Iranian legislator Seyed Hossein Nagavi Hosseini as warning that IAEA inspectors could convey information to "espionage organizations." The semiofficial Fars news agency, meanwhile, cited former Iranian atomic chief Fereidoun Abbasi as calling for increased vigilance against possible nuclear sabotage.
A deal struck last month with six world powers envisages some lifting of sanctions on Tehran's economy in exchange for concessions that include closer overview of its nuclear activities. The Western diplomat says the Iranian objections were first voiced during the Geneva talks that ended Nov. 10 with the agreement on the first steps of the nuclear accord.
He says Tehran's negotiators argued that live transmissions could be monitored by Iran's enemies to spy on scientists at nuclear sites or serve as an entry point for invasive computer viruses.
They also expressed fears that a live signal from camera monitoring equipment could be used as a beacon to guide a potential missile attack, the diplomat said. The envoy is familiar with the details of the confidential negotiations but demanded anonymity because he was not authorized to discuss them.
The U.N's International Atomic Energy Agency is responsible for the increased monitoring of Iran's nuclear program.
The Iranian stance on security does not threaten the Geneva agreement. But having offline cameras is problematic, because of the lag between the time they capture images and when those images are evaluated.
Iran's refusal to allow live monitoring could theoretically give it some lead time if it decides to cheat on its obligations — a loophole the Geneva deal seeks to close by obligating Iran to give IAEA inspectors 24-hour access to IAEA monitoring equipment. But that, say IAEA officials, stretches resources, forcing the agency to put more inspectors on the mission.
The IAEA already has some offline cameras at Iran's two sites that are enriching uranium, a process that can create both reactor fuel and the fissile core of nuclear arms. Its experts are meeting in Vienna this week with representatives from Iran and the six powers that sealed the Geneva deal with Tehran to find ways to beef up monitoring.
The IAEA often uses live cameras. The agency has real-time video at more than 100 sensitive sites throughout the world, some of them keeping an eye on stockpiles of weapons-grade uranium to ensure they are not moved or tampered with.
It's unclear whether Iran's objections are motivated by real concerns or are just negotiating tactics, but some experts consider the fears exaggerated.
Israel dismisses Iran's insistence that it does not want nuclear arms and says it will strike its adversary's atomic programs if it deems they are close to being able to manufacture such weapons.
Existing technology allows a missile to lock on to sources emitting even a weak electronic signal and destroy a target by following it in. But former IAEA official Olli Heinonen says neither Israel nor any other country contemplating an attack would resort to such technology involving the monitoring cameras.
The locations and details of Iran's enrichment sites have been so well documented with modern satellite imaging that any potential aggressor would "know with the precision of a meter (yard) what each room looks like," says Heinonen, the IAEA's head Iran investigator until 2011.
Heinonen also downplayed fears that live video at the facilities could be used to spy on the movements of Iranian nuclear scientists. Most IAEA cameras are fixed and focus on "nuclear material and not people," he told The Associated Press.
Some cameras do point at the exits and entrances to facilities, potentially enabling them to capture a person's movements. But Heinonen says scientists are normally not found at enrichment plants.
"If you want to keep track of scientists, you ... keep track of them elsewhere," he says.
He and others also discount the dangers of Iranian control systems being invaded by destructive malware hidden in IAEA monitoring equipment.
Heinonen notes that the IAEA closely scans such equipment for computer viruses before installation. That, and the fact that the IAEA installations are separate from Iranian computer systems, makes such transmissions unlikely, he says.
German cyber sleuth Ralph Langner described as "nonsensical" alleged Iranian fears of wireless transmission from IAEA equipment to Iranian equipment.
"Wireless emissions can be detected quite easily," says Langner, who gained international recognition for his analysis of the Stuxnet virus that temporarily disrupted Iran's uranium enrichment program.
AP requests for comment to Iranian officials in Vienna on the alleged objections to live monitoring were not answered Thursday, and officials in Tehran did not pick up their telephones at the start of the Iranian weekend. But recent Iranian reports suggest worries as the nuclear negotiations continue.
Fars, the semiofficial Iranian news agency, recently reported that Israel and Saudi Arabia — Iran's two bitter rivals — are teaming up to attack Iran's nuclear program with "a computer worm more destructive than ... Stuxnet." The attribution was sketchy — an unnamed Saudi intelligence source — and it would be unusual for the Saudis and Israel to overcome their deep differences and form such a partnership.
Still, even reporting such a scenario suggests a case of Iranian jitters.