WordPress 5.8.3 Security Release


This security release features four security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated.

WordPress 5.8.3 is a short-cycle security release. The next major release will be version 5.9, which is already in the Release Candidate stage.

You can update to WordPress 5.8.3 by downloading from WordPress.org or visiting your Dashboard → Updates and clicking Update Now.

If you have sites that support automatic background updates, they’ve already started the update process.

Security Updates

Four security issues affect WordPress versions between 3.7 and 5.8. If you haven’t yet updated to 5.8, all WordPress versions since 3.7 have also been updated to fix the following security issues (except where noted otherwise):

Props to Karim El Ouerghemmi and Simon Scannell of SonarSource for disclosing an issue with stored XSS through post slugs.

Props to Simon Scannell of SonarSource for reporting an issue with Object injection in some multisite installations.

Props to ngocnb and khuyenn from GiaoHangTietKiem JSC for working with Trend Micro Zero Day Initiative on reporting a SQL injection vulnerability in WP_Query.

Props to Ben Bidner from the WordPress security team for reporting a SQL injection vulnerability in WP_Meta_Query (only relevant to versions 4.1-5.8).

Thank you to all of the reporters above for privately disclosing the vulnerabilities. This gave the security team time to fix the vulnerabilities before WordPress sites could be attacked. Thank you to the members of the WordPress security team for implementing these fixes in WordPress.

For more information, check out the 5.8.3 HelpHub documentation page.

Thanks and props!

The 5.8.3 release was led by @desrosj and @circlecube.

In addition to the security researchers and release squad members mentioned above, thank you to everyone who helped make WordPress 5.8.3 happen:

Alex Concha, Dion Hulse, Dominik Schilling, ehtis, Evan Mullins, Jake Spurlock, Jb Audras, Jonathan Desrosiers, Ian Dunn, Peter Wilson, Sergey Biryukov, vortfu, and zieladam.


Norton 360 Now Comes With a Cryptominer


Norton 360, one of the most popular antivirus products on the market today, has installed a cryptocurrency mining program on its customers’ computers. Norton’s parent firm says the cloud-based service that activates the program and allows customers to profit from the scheme — in which the company keeps 15 percent of any currencies mined — is “opt-in,” meaning users have to agree to enable it. But many Norton users complain the mining program is difficult to remove, and reactions from longtime customers have ranged from unease and disbelief to, “Dude, where’s my crypto?”

Norton 360 is owned by Tempe, Ariz.-based NortonLifeLock Inc. In 2017, the identity theft protection company LifeLock was acquired by Symantec Corp., which was renamed to NortonLifeLock in 2019 (LifeLock is now included in the Norton 360 service).

According to the FAQ posted on its site, “Norton Crypto” will mine Ethereum (ETH) cryptocurrency while the customer’s computer is idle. The FAQ also says Norton Crypto will only run on systems that meet certain hardware and software requirements (such as an NVIDIA graphics card with at least 6 GB of memory).

“Norton creates a secure digital Ethereum wallet for each user,” the FAQ reads. “The key to the wallet is encrypted and stored securely in the cloud. Only you have access to the wallet.”

NortonLifeLock began offering the mining service in July 2021, and early news coverage of the program did not immediately receive widespread attention. That changed on Jan. 4, when Boing Boing co-editor Cory Doctorow tweeted that NortonCrypto would run by default for Norton 360 users.

NortonLifeLock says Norton Crypto is an opt-in feature only and is not enabled without user permission.

“If users have turned on Norton Crypto but no longer wish to use the feature, it can be disabled by temporarily shutting off ‘tamper protection’ (which allows users to modify the Norton installation) and deleting NCrypt.exe from your computer,” NortonLifeLock said in a written statement. However, many users have reported difficulty removing the mining program.

From reading user posts on the Norton Crypto community forum, it seems some longtime Norton customers were horrified at the prospect of their antivirus product installing coin-mining software, regardless of whether the mining service was turned off by default.

“How on Earth could anyone at Norton think that adding crypto mining within a security product would be a good thing?,” reads a Dec. 28 thread titled “Absolutely furious.”

“Norton should be DETECTING and killing off crypto mining hijacking, not installing their own,” the post reads. “The product people need firing. What’s the next ‘bright idea’? Norton Botnet? And I was just about to re-install Norton 360 too, but this has literally caused me to no longer trust Norton and their direction.”

It’s an open question whether Norton Crypto users can expect to see much profit from participating in this scheme, at least in the short run. Mining cryptocurrencies basically involves using your computer’s spare resources to help validate financial transactions of other crypto users. Crypto mining causes one’s computer to draw more power, which can increase one’s overall electricity costs.

“Norton is pretty much amplifying energy consumption worldwide, costing their customers more in electricity use than the customer makes on the mining, yet allowing Norton to make a ton of profit,” tweeted security researcher Chris Vickery. “It’s disgusting, gross, and brand-suicide.”

Then there’s the matter of getting paid. Norton Crypto lets users withdraw their earnings to an account at cryptocurrency platform CoinBase, but as Norton Crypto’s FAQ rightly points out, there are coin mining fees as well as transaction costs to transfer Ethereum.

“The coin mining fee is currently 15% of the crypto allocated to the miner,” the FAQ explains. “Transfers of cryptocurrencies may result in transaction fees (also known as “gas” fees) paid to the users of the cryptocurrency blockchain network who process the transaction. In addition, if you choose to exchange crypto for another currency, you may be required to pay fees to an exchange facilitating the transaction. Transaction fees fluctuate due to cryptocurrency market conditions and other factors. These fees are not set by Norton.”

Which might explain why so many Norton Crypto users have taken to the community’s online forum to complain they were having trouble withdrawing their earnings. Those gas fees are the same regardless of the amount of crypto being moved, so the system simply blocks withdrawals if the amount requested can’t cover the transfer fees.

Norton Crypto. Image: Bleeping Computer.

I guess what bothers me most about Norton Crypto is that it will be introducing millions of perhaps less savvy Internet users to the world of cryptocurrency, which comes with its own set of unique security and privacy challenges that require users to “level up” their personal security practices in fairly significant ways.

Several of my elder family members and closest friends are longtime Norton users who renew their subscription year after year (despite my reminding them that it’s way cheaper just to purchase it again each year as a new user). None of them are particularly interested in or experts at securing their computers and digital lives, and the thought of them opening CoinBase accounts and navigating that space is terrifying.

Big Yellow is not the only brand that’s cashing in on investor fervor over cryptocurrencies and hoping to appeal to a broader (or maybe just older) audience: The venerable electronics retailer RadioShack, which relaunched in 2020 as an online-focused brand, now says it plans to chart a future as a cryptocurrency exchange.

“RadioShack’s argument is basically that as a very old brand, it’s primed to sell old CEOs on cryptocurrency,” writes Adi Robertson for The Verge.

“Too many [cryptocurrency companies] focused on speculation and not enough on making the ‘old-school’ customer feel comfortable,” the company’s website states, claiming that the average “decision-making” corporate CEO is 68 years old. “The older generation simply doesn’t trust the new-fangled ideas of the Bitcoin youth.”


The Feeling of Safety


The internet’s greatest feat? Fundamentally shifting how we live. Once a revelation, it quickly set our long-standing beliefs about how we work, play, and connect into a whole new context. 

Today, the shifts come fast. Video meetings once felt alien. Now, they’re part of our routine. We’ve gone from setting doctor’s appointments online to actually seeing the doctor online—and from family visits to seeing everyone in seconds on a screen.  

At McAfee, we’ve seen our share of shifts as well. Looking back across our thirty-plus years, we were among the first to deliver antivirus technology. First to create a biometric password manager. First to give people an intuitive Protection Score, and so much more. And we’re not stopping. We’re protecting people and their ever-changing lives. That means covering all your life online, from security to privacy to identity, in a way that adds to your confidence and enjoyment too. 

Confidence and enjoyment. Those two words mark our next shift in online protection. We’re bringing those feelings to life across the McAfee experience. And it’ll redefine the way you stay safe online.  

Safety has an unmistakable feeling. As we bring that feeling to online protection, you’ll see a remarkable evolution. It will look and act in bold new ways, guide you, reassure you, and most importantly, keep you safe. In all, it’s a new breed of online protection that’s helpful, even thoughtful, in the ways it looks out for you. 

And this evolution is already underway. You’ll find that feeling in everyday moments as we make them simpler, freer, and safer—such as paying your bills at a coffee shop, managing your family’s healthcare from your laptop, and booking flights to catch up with old friends. Across them all, our protection will have your back, and even offer guidance when needed, all while you do you—wherever your day takes you and no matter what “online” looks like next. 

There’s simply so much to see out there. And with us by your side, you’ll feel safe and stay that way. Life online will continue to surprise us. In the best of ways. And people have a right to enjoy every moment of it, confident that they’re safe and secure, in ways they can point to and feel.  

That’s our next big shift. Giving you the unmistakable feeling of safety. You deserve it. More than that, it’s your right. And we’re proud to bring it to you. 

The post The Feeling of Safety appeared first on McAfee Blogs.


Endangered data in online transactions and how to safeguard company information


This blog was written by an independent guest blogger.

Online transactions are essential for every modern business. From online shopping to banking, transferring funds, and sending invoices, online transactions ensure utter convenience and efficiency.

However, the familiarity of making financial transactions online can make people forget about security and all the dangers that they may be facing. On top of that, new cybersecurity threats keep popping up constantly.

That’s why it’s crucial to have a robust IT security strategy in place.

How safe are your company’s online transactions?

Source: Pexels

From hardware or software issues and hidden backdoor programs to vulnerable process controls, weak passwords, and other human errors, many problems can put your transactions at risk and leave the door open to cybercriminals.

Did you know that human error is the main culprit of 95% of data breaches? Many people still don’t realize the dangers of phishing, malware, ransomware, unpatched software, and weak passwords. They could expose your sensitive data and put you, your employees, clients, and customers at risk of identity theft and fraud.

Believe it or not, pay stubs are among the most common vulnerabilities because many companies don’t store them carefully, risking theft of their employee data and confidential files.

That’s why savvy businesses have started using online generators for making stubs. With a paystub generator, you can create and store your pay stubs online, so you don’t have to keep them in your system, preventing cybercriminals from gaining access to your sensitive data.

No cybersecurity experts

Cybersecurity is a complex issue that requires comprehensive knowledge. Sadly, most companies don’t hire any cybersecurity experts. What they don’t realize is that doing so could also supercharge their productivity.

What can a business do to improve its productivity?

By putting experts in charge of cybersecurity, companies can keep other employees productive. They can work with up-to-date technology, reduce their workload, work smarter, and improve their performance.

A cybersecurity team can even train your employees and teach them how to identify and avoid threats. This way, your employees won’t make security mistakes, and can focus on their core competencies.

How to protect your transactions

Given that the average cost of a data breach is $3.86 million, implementing proper security measures to protect your transactions is a no-brainer. Here are some of the best ways to do so.

Use a Secure Sockets Layer

Secure Sockets Layer (SSL) is a standard security protocol that encrypts the connection between a web browser and a server. It prevents a third party from intercepting the data that is exchanged between the two.

This is especially beneficial for financial transactions as all the data, including credit card information, remains private.

An SSL certificate is beneficial for your SEO as well, since Google uses HTTPS as a ranking signal.

To secure your transactions with an SSL certificate, you need to purchase the right one for your business and install it on your server with the help of your web host manager. This only takes a few clicks, because an SSL certificate is a text file with encrypted data.

Implement multi-layered protection

A multi-layered security approach is a defense mechanism for cybersecurity protection. It’s about implementing multiple components to protect your entire IT infrastructure.

If a potential hacker finds a loophole and tries to break into your system, they will be prevented from doing so by another layer of security.

Some of the most important security layers include the network (IP and ICMP), the application (e.g., HTTPS and DNS), data link (e.g., Ethernet and MAC), the session (WebSockets), transport (SSL, TCP, and UDP), perimeter (firewalls), and physical layers (securing endpoint devices).

Avoid storing payment data from your customers

If you store payment details from your customers, a potential data breach could expose their personal and sensitive information. This could severely damage your company’s reputation.

So, once a customer completes a purchase, make sure there are no logs of their financial information.

If you want to ensure a seamless shopping experience by allowing your customers to save payment details for future purchases, you should use a reliable e-commerce platform and a secure payment processor. This will help you detect and prevent potential cyberattacks.

Use data encryption

Data encryption is the key to keeping sensitive data private. It ensures integrity, authentication, and non-repudiation.

There are three main types of data encryption:

3DES (Triple Data Encryption Standard) — 3DES uses three 56-bit keys to encrypt data, but it takes a long time. Its predecessor, DES (Data Encryption Standard), is no longer secure on its own.
AES (Advanced Encryption Standard) — AES is the best and most widely-used type. It uses symmetric-key encryption, where a single key both encrypts and decrypts data. It’s the most secure method you can use.
RSA (Rivest-Shamir-Adleman) — RSA uses asymmetric-key encryption (one public key to encrypt data and one private key to decrypt). This is time-consuming but great for verifying digital signatures.

Consider tokenization

Tokenization involves replacing sensitive data, such as credit card numbers, with random strings of characters (tokens) that have no meaningful value. If a hacker were to steal tokenized data, they could not exploit it.

Furthermore, tokenization removes the original data from the system and serves only as a reference. That’s quite different from data encryption, where the data is preserved but can only be accessed with the right key.

Use electronic signatures

Like data encryption, electronic signatures ensure integrity, authentication, and unforgeability.

They also increase security and speed up transactions by enabling the authentication of electronic documents and online forms in seconds.

Create a verification process

Verifying accounts, addresses, and transactions helps you prevent identity theft and fraud.

An AVS (Address Verification Service) can help you verify your customers’ billing addresses. At the same time, a card security code (a CVV number) is the best way to verify bank accounts and transactions.

Don’t forget to enable 2FA (Two-Factor Authentication) and MFA (Multi-Factor Authentication), which are among the best ways to secure user authentication protocols. They provide additional protection for the login process, and effectively prevent fraudulent login attempts.

Conclusion

These are the most proven methods to keep your online transactions and company information private, but you should consider other security tips, too.

Don’t forget to comply with the PCI DSS before you start accepting online payments. This way you can eliminate any vulnerabilities beforehand and ensure that your customers’ data remains safe and secure.
