Community news and analysis: February 2015

Posted on March 3, 2015 - 11:08 by ccondon

Featured news: Superfish, new malware warnings, universal SSL

Read Mozilla’s directions for getting Superfish out of Firefox (Feb. 27), Sophos on Superfish removal (Feb. 20), and a Fortinet Superfish FAQ. (Feb. 20) ESET also has a wise piece on unwarranted panic and false positives. (Feb. 20) Note: We hope we don’t ever have to write the word “Superfish” again.

Google Safe Browsing expands Chrome warnings: New warnings let users know when they’re about to visit a site known for encouraging downloads of unwanted or suspicious software. (Feb. 23)

Feedback and data-driven updates to Google’s Project Zero disclosure policy (Feb. 13)

Universal SSL: Public beta version of new CloudFlare service encrypts data from the browser to the origin for free. (Feb. 24)

Malware news + vulnerabilities

Google releases free, cloud-based web application security scanner that can help App Engine developers check for cross-site scripting and mixed content vulnerabilities. (Feb. 19)

Highlights from Internet Identity’s 2014 eCrime Trends Report (Feb. 25)

Fortinet: Decoy files used to spread CTB-Locker ransomware (Feb. 16)

Automattic (Feb. 6), Sucuri (Feb. 16), and SiteLock (Feb. 26) on a serious vulnerability affecting most versions of the Fancybox-for-WordPress plugin

SiteLock on a security flaw in the UpdraftPlus premium WordPress plugin (Feb. 17)

Sucuri: Vulnerabilities in Gravity Forms WP plugin (Feb. 26) and analytics plugin WP-Slimstat (Feb. 24)

Security news + perspectives

In case you missed it: After six years, StopBadware is shutting down its community forum. Details and recommended alternatives here.

Automattic: WordPress 4.1.1 is out! This one’s a maintenance release. (Feb. 18)

ESET on exploits: What are they, and how do they work? (Feb. 27)

DreamHost’s Mika E. talks about the virtues of open source and his experience writing plugins for WordPress. (Feb. 10)

SiteLock: How you can tell if a website is secure (Feb. 24)

Sucuri: Why websites get hacked (Feb. 26)

StopBadware shutting down community forum

Posted on February 24, 2015 - 13:43 by ccondon

It's been nearly six years to the day since StopBadware and its partners launched BadwareBusters, our community platform for those who wanted to learn about and prevent badware. Over the years, the forum has helped thousands of website owners clean up hacked websites. Dozens of security experts have volunteered their time and talent to examine compromised sites, offer advice, and guide users to the best security resources for their needs. BadwareBusters has been exactly what it was intended to be when it launched in 2009: a place for our community to define its own needs, share stories, and learn from each other's experiences.

At the end of this month, StopBadware will be shutting down the forum. We're terribly proud of all that our community has accomplished these past six years; we don't take lightly the decision to close up shop, but limited resources mean StopBadware is no longer able to maintain the forum in a way that's fair and productive for users.

We're confident those seeking help with hacked sites and malware cleanup can find what they're searching for in places such as Google's malware forum, Bleeping Computer's forums, or Stack Exchange's community Q&As. StopBadware's hacked sites resources section also has useful tools and tutorials on finding and removing website malware, and longtime BadwareBusters moderator RedLeg maintains a gem of a site on website cleanup.

Thanks for your participation and your wisdom. Keep learning.

Community news and analysis: January 2015

Posted on February 6, 2015 - 13:44 by ccondon

General security news

Google looks back on how its security rewards programs did in 2014 and details a new vulnerability research grant it will offer in 2015. (Google Online Security Blog Jan. 31)

Mozilla on referers [sic]: “This HTTP header has become quite problematic and not very useful...What’s needed is a better way for referring sites to reduce the amount of data transmitted and thus providing a more uniform referrer that’s less privacy invasive.” Firefox 36 Beta supports a “meta referrer” feature that gives sites tighter control over their referrers. (Mozilla Security Jan. 21)

Mozilla is also progressing in its project to phase out certificates with 1024-bit RSA keys. See the post for a list of affected root certificates. (Mozilla Security Jan. 28)

A WordPress security Q&A with VaultPress Vaultkeeper and lead developer Mark George (Automattic Jan. 30)

Qualys, SiteLock, and Sophos on what you need to know about the much-mentioned GHOST vulnerability in the Linux glibc library. Patches were available as of Jan. 27, 2015.

Qualys (Jan. 21 and Feb. 2) and Sophos (Jan. 23 and Jan. 24) have also offered excellent coverage of multiple recent Adobe zero-day vulnerabilities.

Webmaster warnings from Sucuri: Security vulnerabilities in Pagelines and Platform themes for WordPress (Jan. 21), remote code execution vulnerability in vBSEO (Jan. 13), and a fake “mobile-shortcuts” WordPress plugin that injects SEO spam into websites. (Jan. 30)

CTB-Locker: New campaigns spread malware that demands Bitcoin ransoms from victims; Poland, the Czech Republic, and Mexico have the highest infection rates. (ESET Jan. 21)

Apparently, it’s such an ordeal for Belarusians wanting Polish visas to get an appointment at the Consulate of Poland that someone created a botnet with the express purpose of filling out forms to secure an appointment slot. Yes, really. (ESET Jan. 29)

5 ways to protect your website from malware (SiteLock Jan. 20)

Fortinet malware analysis: Cracked version of an old Andromeda botnet malware variant spreads Bitcoin miner (Jan. 7), analysis of recent VBA macros (Jan. 6)

After a multinational takedown operation in December 2013, the ZeroAccess click fraud botnet has reappeared. At the end of January 2015, around 50K computers were compromised by the resurgent botnet, although researchers noted it doesn’t appear to be growing. (Sophos Jan. 31)

A mid-January malvertising campaign abused AdSense to redirect users to fake health websites. (Sucuri Jan. 14)