Seventeen disclosures this week, with eight issues unfixed.
View this week’s vulnerable plugins list.
Other Security News
The big disclosure this week was the breach at Equifax. If you haven’t head about it yet, I strongly recommend you read the write up by Brian Krebs over at krebsonsecurity.com. The TL;DR is
Equifax, one of the “big-three” U.S. credit bureaus, said today a data breach at the company may have affected 143 million Americans, jeopardizing consumer Social Security numbers, birth dates, addresses and some driver’s license numbers.
To put that in perspective, the U.S. population is just shy of 325 million; this means 45% of the entire United States population is affected by this breach. Given the numbers, there’s a very good chance you were involved in the leak. Equifax has a site set up where you can check to see if your information was included in the leak. They are offering twelve months of credit monitoring service through TrustedID Premiere (interestingly, TrustedID is a wholly owned subsidary of Equifax). However, before you enroll, be sure to read the terms of service as enrolling waives your rights to sue, or be a member of a class-action suit against Equifax in the future. If you’re worried about not having the monitoring in place, read Krebs’ article on credit file freezes.
So far Equifax has not disclosed how the breach occurred, only that they discovered “unauthorized access” by “exploiting an application vulnerability.” While we do not know yet if WordPress was involved in the breach, it is interesting that the www.equifaxsecurity2017.com site is running WordPress, and up until a few hours ago, was still leaking user names via the user REST API endpoint.
Another large disclosure this week was with the Apache Struts framework which involved an issue with the framework’s REST plugin, whereby arbitrary code execution could occur via unsafe deserialization. This is a critical vulnerability and you are encouraged to update immediately if you are using Struts. Deserialization is complicated to protect against, and is coming becoming a big enough issue that it might be included in the OWASP Top 10 for 2017.
Speaking of the OWASP Top 10, yet another disclosure this week highlighted why knowing how and where your sensitive data is being stored is so critical (A6: Sensitive Data Exposure). A Researcher from Upguard discovered a publicly accessible AWS storage bucket containing 9,400 resumes from people who had applied for a job at TigerSwan, an international security company. However, the information wasn’t left in the storage bucket by TigerSwan, but by a recruiting vendor TigerSwan had previously hired. Even if TigerSwan followed all best practices for securing data, sharing that data with a vendor who failed to do so has damaged their reputation, and more importantly, left the individuals who trusted them with their data vulnerable to identity theft.
If you’re interested in Application Security, tradepub.com is offering a couple of good security-related eBooks for free right now: Penetration Testing – A Survival Guide and Web Application Security for Dummies. You will have to give them an email address, to which they’ll send the download link.
Also, today is the last day to register for HighEdWeb 2017, to which you most definitely should attend. It is by the far the best general Higher Education web-related conference in the United States (of course, our beloved WPCampus is the best WordPress-related Higher Education conference). And it just so happens I’ll be teaching a pre-conference workshop on security vulnerabilities. If you’re getting in on Saturday, you should sign up. Even if you don’t, swing by and say “hi”; I’d love to talk about anything security-related!
Last, I forgot to mention last week that a new version of BlackArch Linux has been released.