Home / Companies / Detectify / Blog / March 2016

March 2016 Summaries

7 posts from Detectify

Filter
Month: Year:
Post Summaries Back to Blog
WordPress, despite its efficiency and popularity as a Content Management System (CMS), is recognized as the most vulnerable platform due to its widespread use, with security concerns primarily arising from outdated installations and vulnerable plugins. The text emphasizes the importance of maintaining site security by addressing these vulnerabilities through easy fixes, careful consideration when installing plugins and themes, and utilizing security plugins to enhance safety. Additionally, a series of IT Security FAQs provide insights and expert tips on basic web security concepts, while alerts and updates on vulnerabilities, such as stored XSS issues in the Jetpack plugin, highlight ongoing security challenges and improvements in WordPress and related tools.
Mar 31, 2016 345 words in the original blog post.
Installing plugins and themes on a WordPress site enhances its functionality but also introduces potential security risks that users should carefully consider. Prior to installation, it's advisable to research developers, check ratings and reviews, and investigate any past vulnerabilities associated with the plugin or theme to understand how issues were addressed. Security plugins like Wordfence, Bulletproof Security, and All In One WP Security & Firewall can help protect WordPress sites from various threats such as malware, XSS, and SQL injections, though they themselves have occasionally faced vulnerabilities. The key to maintaining a secure WordPress environment is not just in using these plugins but also in how swiftly and effectively vulnerabilities are managed and resolved.
Mar 30, 2016 559 words in the original blog post.
Ethical hacking is distinguished from malicious hacking by its positive intent, focusing on identifying and reporting vulnerabilities to enhance security rather than exploiting them for harmful purposes. While malicious hackers are often portrayed as criminals in popular media, ethical hackers, such as those at Detectify, act as security consultants committed to safeguarding systems by uncovering weaknesses. Companies often incentivize these ethical hackers through Bug Bounty Programs, offering financial rewards for discovering significant security breaches. As explained by Johan Edholm at Detectify, those engaged in such activities are known as Bug Bounty Hunters, as they seek vulnerabilities to earn these awards.
Mar 17, 2016 203 words in the original blog post.
WordPress, initially a simple blogging platform, has evolved into a versatile Content Management System (CMS) known for its user-friendliness and extensive library of plugins and themes. Despite its growth, WordPress has faced security challenges, with early versions experiencing significant vulnerabilities, such as one in 2009 that allowed remote privilege escalation. While the core system has become more secure over time, the addition of third-party themes and plugins can increase vulnerability risks. Security best practices include avoiding the default 'admin' username, setting strong passwords, using unique database table prefixes, avoiding posting with administrator accounts, enabling two-factor authentication, and keeping software updated. Users are advised to download WordPress from the official site, monitor vulnerabilities with tools like Detectify, and ensure the overall security of the web server and related systems.
Mar 15, 2016 332 words in the original blog post.
Two-factor authentication (2FA) enhances account security by requiring two forms of identification, typically a password and a code sent to your phone, to access an account. This added layer of security makes it more difficult for hackers to gain unauthorized access, as they would need both your password and your phone. Johan Edholm from Detectify highlights the importance of using 2FA, especially for email accounts, since they are often the key to accessing other services. He suggests that receiving unexpected login codes can serve as a warning sign that someone may have your password, prompting a password change. Despite being occasionally inconvenient, enabling 2FA on all available services is strongly recommended to prevent unauthorized access to accounts. Activating 2FA is generally straightforward and can typically be found within the security settings of most services, such as Facebook's "Login Approvals".
Mar 09, 2016 266 words in the original blog post.
SQL injection flaws are critical vulnerabilities that allow remote attackers to gain unauthorized access to databases, potentially enabling them to read, write, and delete data, as well as execute remote commands under certain conditions. A notorious example of this occurred in 2009 when Heartland Payment Systems suffered a breach that exposed 134 million credit cards due to an SQL injection attack. These attacks often exploit the lack of sanitization in user input used to construct SQL queries, allowing attackers to inject SQL syntax and manipulate the intended query, as illustrated by a vulnerable PHP/MySQL login scenario. The use of prepared statements is recommended as a defense against SQL injection, as they ensure the proper sanitization of SQL queries by substituting constant values for user input, thus preventing unauthorized query manipulation. Automated web security scanners like Detectify can help identify SQL injection vulnerabilities and other security issues, providing tools for organizations to protect their websites.
Mar 08, 2016 566 words in the original blog post.
Many people use the same password across multiple sites because remembering different passwords for each service can be challenging, but this practice poses a significant security risk if one account is compromised. To mitigate this risk, using a password manager is recommended, as it helps track passwords securely. There are two main types: web-based and local programs, with the latter being favored by experts like Johan Edholm from Detectify, due to the reduced risk of cloud-based hacking. Edholm advises against relying on browser autofill functions for passwords due to potential security vulnerabilities and suggests using password managers like KeePass or Password Safe, which store passwords in a secure vault accessible via a master password. It's also important to back up the password manager on an external drive for added security.
Mar 02, 2016 320 words in the original blog post.