Month: January 2019

Top 5 eCommerce Posts for January

A Comprehensive Guide To Using Emojis In Email Subject Lines – Growth Hackers Emojis are the pineapple on pizza for marketers. Some love them, some hate them, but I’ve never met anyone indifferent to them. Social Media Marketing And The Importance Of Social Proof – Lean Startup Life If you want to get real results […]

CTF Writeup: Complex Drupal POP Chain

About the Challenge: the Droops challenge consisted of a website running a modified version of Drupal 7.63. The creators of the challenge added a cookie to the Drupal installation that contained a PHP serialized string, which was then unserialized on the remote server, leading to a PHP Object Injection vulnerability. Finding the cookie was straightforward, and the challenge was obvious: finding and crafting a POP chain for Drupal.
2018 in Review: A Breakout Year for DuckDuckGo and Internet Privacy

From where we stand, 2018 was a breakout year for online privacy, the likes of which we haven’t seen since the surveillance revelations of 2013. In this yearly recap post, brought to you on Data Privacy Day, we’re honored to share that last year was DuckDuckGo’s best year yet 👏.

In 2018, we’re most proud to have taken a giant step toward our vision of setting a new standard of trust online by expanding beyond private search to also protect you while you’re browsing the Internet. Early last year, we released a browser extension and mobile app, both of which now offer best-in-class built-in tracker blocking, smarter encryption, website privacy grades, and of course, private search. We bundled together all of the privacy essentials you need to get seamless privacy protection because reclaiming your privacy should be as easy as closing the blinds!

In terms of growth, 2018 saw our average daily private searches leap 63%, from 19 million to 31 million. To put things into perspective, that’s 723% growth in average daily searches since the privacy zeitgeist of 2013.

And, 2019 has already kicked off with new traffic records: this month we broke 36 million daily private searches for the first time. This exciting achievement came a mere two weeks after we crossed the 35 million daily search mark.

Our outsized growth in 2018 was inextricably connected to the groundswell of privacy interest that characterized the year. Through research we conducted in 2018, it became very apparent that more people are searching for privacy-focused alternatives, and that there is a need for more education on how to take control of your privacy online, as major tech companies like Facebook and Google revealed huge breaches of consumer data. For instance, our research highlighted that:

  1. After Cambridge Analytica, 64.2% ±2.9 of U.S. adults aware of the incident grew more concerned for their online privacy. Many respondents reported plans to change their relationship to Facebook, either by deleting their account or sharing less personal information, a fact that was echoed in subsequent findings by the Pew Research Center.
  2. About half (44.6% ±2.8) of U.S. adults didn’t know that Google owns YouTube.
  3. 50.4% ±6.3 of U.S. adults that used WhatsApp in the previous six months weren’t aware that Facebook owns WhatsApp.
  4. A majority (56.9% ±2.8) of U.S. adults weren’t aware that Facebook owns Instagram.
  5. 56.3% ±5.7 of U.S. adults who used Waze in the past six months didn’t know that it’s owned by Google.
  6. Google puts people in a filter bubble, even when people search while logged out of their Google account and in private browsing mode.

2018 also saw DuckDuckGo deepen existing partnerships with leading browsers and proudly become the default search engine in private browsing mode in Vivaldi and in Brave. This is a major step in privacy protection because most people don’t realize how vulnerable they are when they use private browsing mode with a non-private search engine. We also established a partnership with Canadian-based OMERS Ventures, part of the $95 Billion global OMERS pension fund, to help expand our global reach.

Finally, we donated $500,000 to help advance privacy rights and tools. This was truly exciting, especially because many of you helped to raise an additional $142,482 through our crowdfunding campaign, meaning a grand total of $642,482 was raised to directly benefit privacy focused non-profits and organizations like The Tor Project and The Freedom of the Press Foundation.

2018 was, without a doubt, a landmark year for DuckDuckGo. Throughout the year, we also continued to make improvements to our search results, including a large focus on delivering better news results and local listings. And we’re already making big strides in 2019, including integrating Apple Maps into all map and address-related searches on DuckDuckGo. As always, we thank you for your support, your feedback, and for helping us set a new standard of trust online. We have even more in store for this year so you can continue to take control of your privacy online. Stay tuned!  

For more privacy advice, follow us on Twitter & get our privacy crash course.

How ModSecurity protects WordPress websites

Nowadays, the majority of WordPress security breaches are not aimed at stealing your valuable data or defacing your website. Instead, attackers target your server and attempt to use it as an email relay for spam, or to set up a temporary web server that serves their own files. Keeping your websites secure is a constant challenge, so let's look at how ModSecurity protects WordPress sites.
ModSecurity is an open-source web application firewall (WAF) that provides real-time application monitoring, logging, and access control. It is deployed to protect against generic classes of vulnerabilities using a Core Rule Set written in its SecRules language. It inspects requests and can block common code injection attacks in real time.

How does it work?

ModSecurity acts as an intrusion detection (IDS) layer between the web server that serves the WordPress site and the outside world. It inspects requests (query strings, HTTP POST bodies, and other incoming and outgoing HTTP traffic to the endpoint) and checks them against the predefined SecRules. The rules contain sets of regular expressions; when a request matches one, ModSecurity refuses to process it and applies the configured action, which can pass, drop, or redirect the request, or return a given status code.

For example, if the following query string is passed to the WordPress index.php file:
GET http://yoursite.com/index.php?../../etc/passwd
ModSecurity treats this as a malicious attempt to read the password file on a Linux/Unix system, interrupts the request, and generates an error message.

What does ModSecurity do?

  • Real time security monitoring and access control
  • Virtual patching
  • Full HTTP traffic logging
  • Web application hardening
  • Continuous passive security assessment
  • Simple request or regular expression based filtering
  • Auditing
  • IP reputation based filtering
  • DoS protection
  • Null byte attack prevention
  • Server identity masking
  • Setting memory limits for web uploads

How to identify whether ModSecurity is installed on your hosting server

If you have root access to the server, the mod_security log file can usually be found at

/etc/httpd/logs/modsec_audit.log or /etc/httpd/logs/error.log

The log excerpt below is a sample error log entry from mod_security; it clearly shows a SQL injection attempt against a WordPress website being blocked.

tail /etc/httpd/logs/error_log

[Sun Nov 18 07:57:23.857486 2018] [:error] [pid 1328] [client 77.161.107.217] ModSecurity: Access denied with code 500 (phase 2). Pattern match "(insert[[:space:]]+into.+values|select.*from.+[a-z|A-Z|0-9]|select.+ from|bulk[[:space:]]+insert|union.+select|convert.+(.*from)" at ARGS:comment. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "379"] [id "300016"] [rev "2"] [msg "Generic SQL injection protection"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/wp-comments-post.php"] [unique_id "VuVVo0UQ6TcBBAUwzDEAABBAb"]

If you see errors similar to the following on the website, they are most likely coming from ModSecurity:

406 – Not Acceptable
403 – Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied.
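When you are hunting through error_log for entries like the one above, it helps to turn each ModSecurity line into structured fields (rule id, message, client, URI, whether the request was actually denied) so you can count hits per rule and spot false positives before tuning. The script below is an added example for this article, not code from the article or from the ModSecurity project; it assumes the Apache 2.4 error_log layout shown in the excerpt (timestamp, module tag, [pid N], [client IP[:port]], then "ModSecurity: ..." followed by [key "value"] fields). The first sample line is the article's excerpt; the other two are constructed.

```python
"""Parse ModSecurity (mod_security2) events out of an Apache error_log.

Added example for this article; it is not code from the article or from the
ModSecurity project. Assumes the Apache 2.4 error_log layout shown in the
article's excerpt.
"""
import re
from collections import Counter
from typing import Optional

# Sample log text. The first line is the article's excerpt; the other two are
# constructed (a Warning from a detection-only rule, and an ordinary Apache
# error that is not a ModSecurity event at all).
SAMPLE_LOG = """\
[Sun Nov 18 07:57:23.857486 2018] [:error] [pid 1328] [client 77.161.107.217] ModSecurity: Access denied with code 500 (phase 2). Pattern match "(insert[[:space:]]+into.+values|select.*from.+[a-z|A-Z|0-9]|select.+ from|bulk[[:space:]]+insert|union.+select|convert.+(.*from)" at ARGS:comment. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "379"] [id "300016"] [rev "2"] [msg "Generic SQL injection protection"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/wp-comments-post.php"] [unique_id "VuVVo0UQ6TcBBAUwzDEAABBAb"]
[Sun Nov 18 08:01:10.000000 2018] [:error] [pid 1330] [client 198.51.100.7:51234] ModSecurity: Warning. Matched phrase "../" at REQUEST_URI. [file "/usr/local/apache/conf/modsec2.user.conf"] [line "12"] [id "300001"] [msg "Directory traversal attempt"] [severity "CRITICAL"] [hostname "www.example.com"] [uri "/index.php"] [unique_id "constructed-id-0002"]
[Sun Nov 18 08:02:00.000000 2018] [core:error] [pid 1331] [client 192.0.2.9:40000] File does not exist: /var/www/html/favicon.ico
"""

# Apache 2.4 error_log prefix followed by the ModSecurity message.
LINE_RE = re.compile(
    r"^\[(?P<timestamp>[^\]]+)\] \[(?P<module>[^\]]*)\] \[pid (?P<pid>\d+)\] "
    r"\[client (?P<client>[^\]]+)\] ModSecurity: (?P<message>.*)$"
)
# "Access denied with code NNN" means the request was blocked; "Warning." means
# the rule matched but the engine was in detection-only mode (or the rule only logs).
DENIED_RE = re.compile(r"^Access denied with code (?P<code>\d+)")
# The trailing [key "value"] tokens: file, line, id, rev, msg, severity, hostname, uri, unique_id.
FIELD_RE = re.compile(r'\[(?P<key>[a-z_]+) "(?P<value>[^"]*)"\]')
# Apache 2.4 appends the client port; keep just the IPv4 address when it parses.
CLIENT_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?$")


def parse_modsec_line(line: str) -> Optional[dict]:
    """Return a dict of event fields, or None if the line is not a ModSecurity event."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    message = m.group("message")
    denied = DENIED_RE.match(message)
    fields = dict(FIELD_RE.findall(message))
    client = m.group("client")
    ip_match = CLIENT_RE.match(client)
    return {
        "timestamp": m.group("timestamp"),
        "client": ip_match.group("ip") if ip_match else client,
        "action": "denied" if denied else "warning",
        "status": int(denied.group("code")) if denied else None,
        "rule_id": fields.get("id"),
        "msg": fields.get("msg"),
        "severity": fields.get("severity"),
        "hostname": fields.get("hostname"),
        "uri": fields.get("uri"),
        "rule_file": fields.get("file"),
        "rule_line": fields.get("line"),
        "unique_id": fields.get("unique_id"),
    }


def modsec_events(log_text: str) -> list:
    """All ModSecurity events in the log text, in order."""
    events = [parse_modsec_line(line) for line in log_text.splitlines()]
    return [ev for ev in events if ev is not None]


def blocked_events(log_text: str) -> list:
    """Only the events where ModSecurity actually denied the request."""
    return [ev for ev in modsec_events(log_text) if ev["action"] == "denied"]


def hits_per_rule(log_text: str) -> Counter:
    """Count events per rule id: the first thing to look at when tuning false positives."""
    return Counter(ev["rule_id"] for ev in modsec_events(log_text))


if __name__ == "__main__":
    for ev in modsec_events(SAMPLE_LOG):
        print(f'{ev["timestamp"]} {ev["client"]} {ev["action"]:7} rule={ev["rule_id"]} '
              f'sev={ev["severity"]} uri={ev["uri"]} msg={ev["msg"]}')
    print("hits per rule:", dict(hits_per_rule(SAMPLE_LOG)))
```

Pipe a real error_log through `modsec_events` and sort `hits_per_rule` by count: a rule that fires hundreds of times on one URI your own users hit is usually a candidate for a targeted exclusion rather than for disabling the engine, which is the same trade-off the whitelisting section later in this article touches on.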

How to configure the Web Application Firewall (ModSecurity) in Plesk and cPanel

ModSecurity is supported on both Linux and Windows for Plesk and cPanel. It works as a web server (Apache or IIS) module. To use the web application firewall (mod_security), administrators who upgrade from Plesk 11.5 must obtain a new Plesk Onyx licence key, either directly from Plesk or from their vendor.

For cPanel, you will need to install the ModSecurity Apache module first.

If your system runs EasyApache 3, use WHM's EasyApache 3 interface (WHM >> Home >> Software >> EasyApache 3) to install the ModSecurity Apache module.

If your system runs EasyApache 4, use WHM's EasyApache 4 interface (WHM >> Home >> Software >> EasyApache 4) or the command below to install the ModSecurity Apache module:

yum install ea-apache24-mod_security2

Once the Apache module is installed, the interface at WHM >> Home >> Security Center >> ModSecurity Tools allows you to add and manage rules.

How to enable ModSecurity in Plesk

Follow the steps below to enable ModSecurity:

1. Go to Tools & Settings > Web Application Firewall (ModSecurity) in the Security group.
2. Set the web application firewall mode to On or Detection only. Each incoming HTTP request and related query is checked against the ModSecurity rule set. If the check succeeds, the HTTP request is passed to the website to retrieve the content. If the check fails, the website displays the corresponding error message. In the On mode, the HTTP response is returned with an error code.

3. Select a rule set from the interface that the web application firewall engine will check each incoming HTTP request against, or upload your own set of custom rules.
The two rule sets are explained below.

  • Atomic Basic ModSecurity –> A free starter version of the Atomic ModSecurity rules, bundled with Plesk. It contains important security features and bug fixes released on a monthly basis.
  • OWASP ModSecurity Core Rule Set (CRS) –> The CRS provides generic protection from unknown vulnerabilities often found in web applications.

4. Selecting the update rule set option in Plesk makes the rule set update automatically.
Enable "Update rule sets" and set this to weekly:

5. Under "Configuration", you have three options for the rule sets: Fast, Tradeoff and Thorough:

6. Click OK to apply the settings. This will restart Apache and load the ModSecurity settings.

Log location in Plesk (Linux)

The ModSecurity audit log, located at /var/log/httpd/modsec_audit.log, is very detailed and is shared by the whole Plesk server. To view the ModSecurity audit log, go to Tools & Settings > Web Application Firewall (ModSecurity) and click the Logs Archive link in the ModSecurity audit log section.

Log location in Plesk (Windows)

On Windows, ModSecurity audit logs are domain-specific and located in %plesk_dir%\ModSecurity\vhosts\logs (where %plesk_dir% is the default installation directory for Plesk).

Log location (cPanel)

# grep -i mod /usr/local/apache/logs/error_log | grep

Add a rule

To add a specific rule, perform the following steps:

  • Click Add Rule in the ModSecurity Tools interface. A new interface will appear.
  • Enter the rule in the Rule Text text box.
  • Select the Enable Rule checkbox.
  • Select the Deploy and Restart Apache checkbox.
  • Click Save.

While adding a custom rule set, make sure it is compatible with your domain settings as well. Otherwise, legitimate user activity might trigger those rules.
Edit a rule

To edit a rule, perform the following steps in Home » Security Center » ModSecurity Tools » Edit Custom Rules:

  • Click Edit for the rule that you wish to update.
  • Make the desired changes in the Rule text box.
  • Click Save.

How to whitelist an IP address for ModSecurity in Plesk

As an example, to whitelist the IP address 203.0.113.2 with rule ID 55666, proceed as follows:

Navigate to Tools & Settings in Plesk > ModSecurity > Settings > Configuration
Add the following rule to the Custom directives field (it matches the client address in REMOTE_ADDR and switches the rule engine off for that request only):
SecRule REMOTE_ADDR "^203\.0\.113\.2$" "phase:1,log,allow,ctl:ruleEngine=Off,id:55666"

FYI: have you installed ConfigServer Security & Firewall (CSF) on the server? If so, you get an additional layer of protection by enabling "LF_MODSEC" in CSF. It is enabled by default, and the config file is at "/etc/csf/csf.conf".

So the prime advantage of a ModSecurity-enabled server is that it can block common code injection attacks in real time and filter incoming HTTP requests.

The post How ModSecurity protects WordPress websites appeared first on Sysally.

Emotet malspam campaign exploits reliance on magic for file type detection

Emotet is a Trojan designed to steal banking information. It is frequently spread by sending phishing emails to governments, banks, healthcare organizations, and schools. The phishing emails will often claim to be an invoice, with a malicious Microsoft Word document attached. The email may often appear to be from a trusted supplier. Once the attachment or link is opened, the target is prompted to click “Enable content”, which would allow the dropper to install Emotet.

Screenshot of an Emotet dropper document open in Microsoft Word 2016.
The document claims that the user must click "Enable content" to view it, but doing so would actually install malware.

I recently encountered two Emotet dropper samples (0b9ccb04553ba5f1ce784630ef9b2c478ed13a96e89c65dcd9c94205c235ea12 and eff6619aee017ee5d04c539ff12c63a199a1e489660f7156b95e562667393d3c) that would not run correctly in my malware sandbox. I soon found the cause of the problem: the file type had been detected as a generic XML file, rather than what it really is: a Microsoft Word document.

Modern Microsoft Office files (.docx, .xlsx, and .pptx) are XML documents inside a ZIP archive. The OS knows to open these files as Office files instead of ZIPs based on the determined file type. On Windows systems, file types are based on the file extension part of the filename. On UNIX, Linux, and Mac, file type detection is based on magic, literally. Magic strings are signatures consisting of specific sequences of bytes or characters that can be used to identify a file. A common software library for file type detection is libfile. You can see it in action by using the file command on a Linux system. For example, the file command generates this output when run against a docx file:

$ file hello-world.docx
hello-world.docx: Microsoft Word 2007+

But the attackers figured out that if you save the Office document as an Office 2003 XML file (see the update below) and rename it with a Microsoft Word file extension, such as .doc, it will still open as a Word document on Windows systems. Unix systems using filemagic, on the other hand, consider it to be a plain XML file, because it is plain text content that starts with

Update: in0d3 pointed out that these are actually Office 2003 XML files, not extracted OOXML Office 2007+ files like I initially thought.

$ file Untitled_attachment_20190123.doc

Untitled_attachment_20190123.doc: XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators

This gives the dropper an advantage: many email gateways and security appliances (including my sandbox) will treat the file as a plain XML file and not regard it with much suspicion, while the Windows system will happily open it in Word.

Fortunately, a Microsoft Office document stored as raw XML that also contains a macro is not a normal occurrence at all. It is very easy to detect with Yara.

Let’s take a look at the content of one of these files:

A screenshot of a malicious Microsoft Word document as a raw XML file

This file is not easy on the eyes

Here's what the same file looks like after running it through an XML/HTML beautifier to make it more human-readable using whitespace:

A screenshot of a malicious Microsoft Word document as a raw XML file after being run through an XML/HTML beautifier
Much better

From here, we can see the

Scrolling down past the Word document boilerplate, we can see a chunk of data encoded in base64, enclosed in binData tags. That is the obfuscated macro content.

A screenshot of base64 encoded binary content in a Microsoft Word XML document
Gotcha!

Here’s a Yara rule that looks for:

  1. macrosPresent=yes (The flag required to have macros in a modern Microsoft Office document)
  2. binData (The XML tag that encloses arbitrary base64 encoded data)
rule obfuscated_office_macro_xml: TLPWHITE
{
    meta:
        date = "2019-01-25"
        author = "Sean Whalen - @SeanTheGeek"
        description = "Detects obfuscated macros in uncompressed Microsoft Office documents, as seen in a January 2019 Emotet dropper campaign"
        sample_sha256 = "0b9ccb04553ba5f1ce784630ef9b2c478ed13a96e89c65dcd9c94205c235ea12 eff6619aee017ee5d04c539ff12c63a199a1e489660f7156b95e562667393d3c"
        reference = "https://seanthegeek.net/598/emotet-malspam-campaign-exploits-reliance-on-magic-for-file-type-detection/"

    strings:
        $xml = "
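The same two indicators the Yara rule keys on (macrosPresent="yes" and a binData element of base64 data) can be checked in a mail-gateway or sandbox pre-filter, together with the extension/magic mismatch the post describes: an attachment named .doc whose bytes are plain XML text rather than an OLE compound file or a ZIP. The script below is an added example for this post, not the author's Yara rule or any project's code. It assumes the Word 2003 XML element and attribute names (w:wordDocument, w:macrosPresent, w:binData); the two sample documents are constructed, not real Emotet samples, and the base64 blob stands in for the embedded macro project.

```python
"""Flag Office 2003 XML (flat Word XML) attachments that carry a macro payload.

Added example for this post; it is not the author's Yara rule or any project's
code. Element/attribute names follow the Word 2003 XML format; the sample
documents below are constructed, not real malware samples.
"""
import base64
import re
from typing import List

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls (Compound File)
ZIP_MAGIC = b"PK\x03\x04"                          # .docx/.xlsx/.pptx (OOXML inside ZIP)
OFFICE_EXTENSIONS = (".doc", ".docx", ".docm", ".xls", ".xlsx", ".xlsm", ".ppt", ".pptx", ".pptm")

# Indicator 1: the flag that says the document carries macros.
MACROS_RE = re.compile(rb'macrosPresent\s*=\s*"yes"', re.IGNORECASE)
# Indicator 2: a binData element wrapping base64 data (any namespace prefix).
BINDATA_RE = re.compile(
    rb"<(?:\w+:)?binData\b[^>]*>([A-Za-z0-9+/=\s]+)</(?:\w+:)?binData>", re.IGNORECASE
)

# Constructed sample: flat Word XML with the macro flag and a base64 blob
# standing in for the embedded VBA project (40 zero bytes here).
FAKE_MACRO_BLOB = base64.b64encode(b"\x00" * 40)
SUSPICIOUS_DOC = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\r\n'
    b'<?mso-application progid="Word.Document"?>\r\n'
    b'<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml" w:macrosPresent="yes">\r\n'
    b'<w:docOleData><w:binData w:name="editdata.mso">' + FAKE_MACRO_BLOB + b'</w:binData></w:docOleData>\r\n'
    b'<w:body><w:p><w:r><w:t>Please click Enable content to view this document</w:t></w:r></w:p></w:body>\r\n'
    b'</w:wordDocument>\r\n'
)
# Constructed benign counterpart: same format, no macro flag, no binary payload.
BENIGN_DOC = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\r\n'
    b'<?mso-application progid="Word.Document"?>\r\n'
    b'<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml">\r\n'
    b'<w:body><w:p><w:r><w:t>Quarterly invoice</w:t></w:r></w:p></w:body>\r\n'
    b'</w:wordDocument>\r\n'
)


def is_flat_xml(data: bytes) -> bool:
    """True when the content is plain-text XML, which is all libmagic sees in these files."""
    return data.lstrip().startswith(b"<?xml")


def extension_mismatch(filename: str, data: bytes) -> bool:
    """An Office extension whose bytes are neither OLE nor ZIP but plain XML text."""
    if not filename.lower().endswith(OFFICE_EXTENSIONS):
        return False
    if data.startswith(OLE_MAGIC) or data.startswith(ZIP_MAGIC):
        return False
    return is_flat_xml(data)


def extract_bindata(data: bytes) -> List[bytes]:
    """Decode every binData payload; skip ones that are not valid base64."""
    blobs = []
    for m in BINDATA_RE.finditer(data):
        try:
            blobs.append(base64.b64decode(b"".join(m.group(1).split()), validate=True))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return blobs


def scan_flat_word_xml(data: bytes) -> dict:
    """Apply the two indicators from the Yara rule and report what was found."""
    blobs = extract_bindata(data)
    macros = MACROS_RE.search(data) is not None
    xml = is_flat_xml(data)
    return {
        "is_xml": xml,
        "macros_present": macros,
        "bindata_blobs": len(blobs),
        "bindata_bytes": sum(len(b) for b in blobs),
        "suspicious": xml and macros and bool(blobs),
    }


def triage_attachment(filename: str, data: bytes) -> dict:
    """Combine content indicators with the extension/magic mismatch check."""
    result = scan_flat_word_xml(data)
    result["extension_mismatch"] = extension_mismatch(filename, data)
    return result


if __name__ == "__main__":
    for name, doc in (("Untitled_attachment_20190123.doc", SUSPICIOUS_DOC), ("invoice.doc", BENIGN_DOC)):
        print(name, triage_attachment(name, doc))
```

A hit on `suspicious` is the same signal the Yara rule gives; `extension_mismatch` alone is weaker (a benign flat-XML .doc is possible) but is exactly the condition under which a magic-based gateway stops treating the attachment as an Office document, so it is worth logging on its own.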

As a member of the Yara Exchange, I get access to VirusTotal Enterprise in exchange for sharing Yara rules with the Exchange members, which would otherwise be a cost prohibitive subscription. VT Enterprise includes a feature called Retrohunt, which lets you run your Yara rules against all samples uploaded to VirusTotal in the last six months.

A screenshot of Retrohunt results
4583 matches!

Here’s the full list of Emotet dropper SHA256 hashes that matched my Yara rule on retrohunt:

Emotet mitigations

The post Emotet malspam campaign exploits reliance on magic for file type detection appeared first on seanthegeek.net.

Small Steps to Prevent Cervical Cancer

In honor of Cervical Health Awareness Month, the Alexandria Clinic OB/GYN Team wants you to know that there’s a lot you can do to prevent cervical cancer. HPV (human papillomavirus) is a very common infection that spreads through sexual activity, and is the leading cause of cervical cancer. About 79 million Americans currently have HPV, but many people with HPV don’t know they are infected. (According to Office of Disease Prevention and Health Promotion)

The good news? “Prevention and early detection are key.” – Demetra Heinrich, OB/Gyn, M.D. at Alexandria Clinic.

  • The HPV vaccine can help prevent HPV. “HPV vaccine should be strongly endorsed and encouraged as part of routine vaccinations at age 11-12 years old in both girls and boys for preventative care. HPV vaccination has been very successful in decreasing the prevalence of cervical cancer.” – Dr. Demetra Heinrich
  • Cervical cancer can often be prevented with regular screening tests and follow-up care. “It is also very important to have the appropriate screenings done.  Starting at the age of 21, all females should be screened for cervical cancer with a Pap smear and have this screening completed every 3 years, if normal. (Decreasing to every 5 years at the age of 30 years old) If your Pap smear is abnormal, it is imperative to follow up as recommended and often to prevent the progression of cervical cancer.” – Dr. Demetra Heinrich

Taking small steps can help keep you and your loved ones safe and healthy. Schedule your child’s preventative vaccination or your regular screening through MyChart or call (320) 763-5123.

The post Small Steps to Prevent Cervical Cancer appeared first on Alomere Health News.
