It’s time for people to fix the WordPress backup plugin

If you use the UpdraftPlus WordPress plugin to back up your systems, you need to patch it or risk sharing your backups with strangers.

The UK company behind the plugin told customers on Thursday to upgrade to version 1.22.3 after Marc Montpas, a security research engineer at development company Automattic, found a flaw with potentially serious consequences. Following responsible disclosure, a fix was ready within two days.

The UpdraftPlus advisory says, “This bug allows any logged-in user on a WordPress installation with UpdraftPlus active to download an existing backup, which should have been limited to administrative users only.”

“This was possible because the code for checking the status of the current backup didn’t check for permissions. This made it possible to get a previously unknown internal identifier, which could then be used to pass a check on permission to download.”

Although the plugin has millions of users, the attack vector is available only to logged-in users, and its complexity (Montpas’ full breakdown is worth reading) means it is unlikely to be used for a large-scale attack. More likely it will be used very selectively, against people who haven’t patched.
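The advisory describes a status endpoint that skipped its permission check and so leaked an identifier the download path then accepted as proof of authorisation. The following is an added illustration of that pattern and its fix in a hypothetical WordPress plugin; it is not UpdraftPlus code, and every name in it (the `example_backup_*` hooks and functions, the option key, the `manage_options` capability, the file layout) is an assumption made for the example.

```php
<?php
/**
 * Added illustration, not UpdraftPlus code: a hypothetical plugin whose backup
 * status endpoint leaks an internal identifier, beside the hardened version.
 * All names (example_backup_*, the option key, the capability) are assumptions.
 * The vulnerable functions are shown unregistered; only the fixed ones are hooked.
 */

// BEFORE: wp_ajax_* hooks fire for any authenticated account, and nothing here
// checks what that account is allowed to do, so every logged-in user can read
// the status record.
function example_backup_status_vulnerable() {
	$status = get_option( 'example_backup_status', array() );
	// $status carries 'backup_id', the same value the download handler below
	// accepts as authorisation, so reading it here bypasses that check.
	wp_send_json( $status );
}

function example_backup_download_vulnerable() {
	$status    = get_option( 'example_backup_status', array() );
	$requested = isset( $_GET['backup_id'] ) ? sanitize_text_field( wp_unslash( $_GET['backup_id'] ) ) : '';
	// Knowing the identifier is treated as proof of permission: anyone who
	// obtained it from the status endpoint passes.
	if ( ! empty( $status['backup_id'] ) && hash_equals( $status['backup_id'], $requested ) ) {
		example_backup_stream_file( $status['backup_id'] );
	}
	wp_die( 'Forbidden', '', array( 'response' => 403 ) );
}

// AFTER: every endpoint that touches backup state enforces the capability
// itself, and a nonce guards against a logged-in admin being tricked into
// issuing the request. Authorisation never rests on a secret identifier.
add_action( 'wp_ajax_example_backup_status', 'example_backup_status_fixed' );
function example_backup_status_fixed() {
	check_ajax_referer( 'example_backup_status', 'nonce' );
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
	}
	wp_send_json_success( get_option( 'example_backup_status', array() ) );
}

add_action( 'wp_ajax_example_backup_download', 'example_backup_download_fixed' );
function example_backup_download_fixed() {
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_die( 'Forbidden', '', array( 'response' => 403 ) );
	}
	check_admin_referer( 'example_backup_download' );
	$status = get_option( 'example_backup_status', array() );
	if ( empty( $status['backup_id'] ) ) {
		wp_die( 'Not found', '', array( 'response' => 404 ) );
	}
	// The identifier now only selects which file to send; the role check above
	// is what decides whether the caller may receive it at all.
	example_backup_stream_file( $status['backup_id'] );
}

// Shared helper (hypothetical): sends the archive for a validated identifier.
function example_backup_stream_file( $backup_id ) {
	// The identifier is restricted to a bare token so it cannot be used as a path.
	if ( ! preg_match( '/^[A-Za-z0-9]{16,}$/', $backup_id ) ) {
		wp_die( 'Bad request', '', array( 'response' => 400 ) );
	}
	$uploads = wp_upload_dir();
	$path    = trailingslashit( $uploads['basedir'] ) . 'example-backups/' . $backup_id . '.zip';
	if ( ! is_readable( $path ) ) {
		wp_die( 'Not found', '', array( 'response' => 404 ) );
	}
	header( 'Content-Type: application/zip' );
	header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
	readfile( $path );
	exit;
}
```

The point of the fixed version is that the capability check is repeated on each handler rather than relied on transitively: the status endpoint no longer hands out anything a lower-privileged user could reuse, and the download endpoint would refuse such a user even if the identifier leaked some other way.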

Mexican corporate spy pleads guilty to messing around with US spyware kit

Carlos Guerrero, who is 48 years old, pleaded guilty to one charge of conspiracy. He admitted that he helped sell hardware and software that was used to spy on Americans.

Guerrero admitted that he took about $25,000 from a “large Mexican business” in exchange for access to the emails and phone calls of a salesperson at a Florida company. He also said that he had used his own products to spy on a US business that competed with his own.

He was also busy south of the border. He sold tools to a government official in Mexico, knowing that the tools would be used to spy on a political rival’s Twitter, Hotmail, and iCloud accounts. He also sold to many private individuals. He faces up to five years in prison.

The Homeland Security Investigations unit broke up the operation as part of a cross-border probe into the sale and resale of hacking tools. Guerrero said he set up a reseller deal with an unnamed Italian company that sold spyware and surveillance equipment in 2014. He also said he did the same thing with an unnamed Israeli company. You can guess the names of the companies.

“With this guilty plea, we are sending a clear message that companies and people who illegally violate privacy rights will not be tolerated and will be held accountable,” said Chad Plantz, the special agent in charge for HSI San Diego.

“Technology is making the world we live in more connected, which is supposed to make our lives better. However, as this case shows, bad people with bad intentions can get their hands on this same technology.”

Blurring is not good enough

Using a blurring function to hide information is common, but it’s becoming less safe, and now you can test documents yourself.

Newer technology and smarter software make it clear that a simple blur is not enough. Last year, security experts at Jumpsec issued a challenge text and asked people to deblur it. This week, Dan Petro, a lead researcher at information security company Bishop Fox, confirmed that he had broken the blurring.

Petro isn’t publishing the full deblurred text because he doesn’t want to spoil the challenge. He has also released an open-source version of the code he used, which he calls “Unredacter,” so that people can try it out and give him feedback. A full video explanation of how it’s done has now been published (be warned, it contains swearing), and the message is very clear.

“In the end, if you need to hide text, use black bars to cover the whole thing. Never use anything else,” he said. “No pixelization, no blurring, no fuzzing, no swirling. Oh, and don’t forget to edit the text as an image.”

Cisco passwords are giving the NSA trouble

The US National Security Agency has put out a briefing document for Cisco users that tells them how to make their passwords more secure.

The advisory [PDF] recommends only one password type: Cisco’s Type 8, which uses Password-Based Key Derivation Function 2 (PBKDF2) with SHA-256 and an 80-bit salt. One NSA writer describes it in the document as “what Type 4 was meant to be”.

The NSA says that Type 6, which uses 128-bit AES and is suitable for VPN passwords, is second best. Type 8, however, is better.

“All Cisco devices with software made after 2013 should be set to Type 8 and use it. Software from before 2013 should be updated as soon as possible on all devices,” the agency said. “Type 6 passwords should only be used when specific keys need to be encrypted and not hashed, or when Type 8 is not available, which usually means that Type 9 is also not available.”

Type 0 (plain text), Type 4 (a crippled version of PBKDF2 that can be broken by brute force), and Type 7 (a Vigenère cipher that is easy to break) are all on the “Do not use” list.

The NSA also says that you should use long passwords and that admins should give users less access than they do now, but you already knew that.

Teams’ week gets worse

Just days after a bad update stopped some Teams users from making and receiving calls, a new report from cloud security company Avanan says that Microsoft’s platform has been spreading malware.

Avanan said the campaign has been going on since January and uses phished credentials to get into Teams chat sessions. Once there, the attackers drop harmless-sounding .exe files on forums, hoping that someone will click on them. This installs DLL files on the victim’s computer, which the attackers can use to set up remote access.

The report said that once an attacker is inside an organization, they usually know what technology is being used to protect it. “That means they will know what kinds of malware can get around current security. This problem is made worse by the fact that Teams’ default protections aren’t very good, as they don’t scan enough for malicious links and files.”
