Skype’s has updated its password reset system after hackers made public the ability to take control of users accounts.
A Nov. 14 blog post — Hack any Skype account in six easy steps — offers detailed directions on hacking Skype user accounts.
The main flaw with the previous password reset system? Users were
able to reset a password without having access to the e-mail account in
question.
A Nov. 14 blog post
by Skype’s Leonas Sendrauskas indicated the company was notified early
that morning of user concerns about password reset security.
“This issue affected some users where multiple Skype accounts were
registered to the same e-mail address,” he wrote. “We suspended the
password reset feature temporarily this morning as a precaution and have
made updates to the password reset process today so that it is now
working properly.”
Users who receive an e-mail asking if they wish to reset their Skype
password should ensure their accounts have not been hacked. Users who
are unable to change their passwords have likely been compromised. To
keep users from regaining their accounts, hackers are changing the
primary e-mails, effectively locking the account owner out.
Those who have been affected should contact Skype for assistance, Sendrauskas says.
“We are reaching out to a small number of users who may have been
impacted to assist as necessary,” he says. “Skype is committed to
providing a safe and secure communications experience to our users and
we apologize for the inconvenience.”
Skype, now owned by software giant Microsoft, is replacing Windows Live Messenger next year.
Microsoft announced via its Skype blog that Windows Live Messenger (WLM) would be disabled globally, except in China, by March 2013.
Microsoft will offer a tool to ease the transition for WLM messenger
users to Skype — WLM users can sign in to Skype and bring over their
contacts.
According to the blog, by updating to Skype, users can expect:
• Broader device support for all platforms, including iPad and Android tablets.
• Instant messaging, video calling, and calling landlines and mobiles all in one place.
• Sharing screens.
• Video calling on mobile phones.
• Video calling with Facebook friends.
• Group video calling.
Post from: SiteProNews
Showing posts with label hack. Show all posts
Showing posts with label hack. Show all posts
Predictable Passwords a Target for Hackers — SplashData Reveals 25 Worst Choices
If you use the word ‘password’ as your e-mail or social media site password, you’re in good company.
According to SplashData, a provider of password management applications, it is the most-used password of the year.
‘123456,’ and ‘12345678’ round out the top three.
“In a year with several high profile password hacking incidents at major sites including Yahoo, LinkedIn, eHarmony, and Last.fm, SplashData’s list of frequently used passwords shows that many people continue to put themselves at risk by using weak, easily guessable passwords,” reads a press release issued by SplashData.
The firm’s list of the ’25 Worst Passwords of the Year’ was assembled using information hackers have posted online as “stolen passwords.”
New to the worst password list this year are: ‘welcome, ‘ ‘jesus,’ ‘ninja,’ ‘mustang,’ and ‘password1.’
Here is a look at the list:
# Password Change from 2011
1 password Unchanged
2 123456 Unchanged
3 12345678 Unchanged
4 abc123 Up 1
5 qwerty
6 monkey Unchanged
7 letmein Up 1
8 dragon Up 2
9 111111 Up 3
10 baseball Up 1
11 iloveyou Up 2
12 trustno1 Down 3
13 1234567 Down 6
14 sunshine Up 1
15 master Down 1
16 123123 Up 4
17 welcome New
18 shadow Up 1
19 ashley Down 3
20 football Up 5
21 jesus New
22 michael Up 2
23 ninja New
24 mustang New
25 password1 New
SplashData chief executive officer Morgan Slain says publishing the list is a way to make people aware of the risk they are taking in using weak passwords.
“Even though each year hacking tools get more sophisticated, thieves still tend to prefer easy targets,” says Slain. “Just a little bit more effort in choosing better passwords will go a long way toward making you safer online.”
SplashData offers the following tips for choosing more secure passwords:
Post from: SiteProNews
According to SplashData, a provider of password management applications, it is the most-used password of the year.
‘123456,’ and ‘12345678’ round out the top three.
“In a year with several high profile password hacking incidents at major sites including Yahoo, LinkedIn, eHarmony, and Last.fm, SplashData’s list of frequently used passwords shows that many people continue to put themselves at risk by using weak, easily guessable passwords,” reads a press release issued by SplashData.
The firm’s list of the ’25 Worst Passwords of the Year’ was assembled using information hackers have posted online as “stolen passwords.”
New to the worst password list this year are: ‘welcome, ‘ ‘jesus,’ ‘ninja,’ ‘mustang,’ and ‘password1.’
Here is a look at the list:
# Password Change from 2011
1 password Unchanged
2 123456 Unchanged
3 12345678 Unchanged
4 abc123 Up 1
5 qwerty
6 monkey Unchanged
7 letmein Up 1
8 dragon Up 2
9 111111 Up 3
10 baseball Up 1
11 iloveyou Up 2
12 trustno1 Down 3
13 1234567 Down 6
14 sunshine Up 1
15 master Down 1
16 123123 Up 4
17 welcome New
18 shadow Up 1
19 ashley Down 3
20 football Up 5
21 jesus New
22 michael Up 2
23 ninja New
24 mustang New
25 password1 New
SplashData chief executive officer Morgan Slain says publishing the list is a way to make people aware of the risk they are taking in using weak passwords.
“Even though each year hacking tools get more sophisticated, thieves still tend to prefer easy targets,” says Slain. “Just a little bit more effort in choosing better passwords will go a long way toward making you safer online.”
SplashData offers the following tips for choosing more secure passwords:
- Use passwords of eight characters or more with mixed types of characters. One way to create longer, more secure passwords that are easy to remember is to use short words with spaces or other characters separating them. For example, “eat cake at 8!” or “car_park_city?”
- Avoid using the same username/password combination for multiple websites. Especially risky is using the same password for entertainment sites that you do for online email, social networking, and financial services. Use different passwords for each new website or service you sign up for.
- Having trouble remembering all those different passwords? Try using a password manager application that organizes and protects passwords and can automatically log you into websites. There are numerous applications available, but choose one with a strong track record of reliability and security like SplashID Safe, which has a 10 year history and over 1 million users. SplashID Safe has versions available for Windows and Mac as well as Smartphones and tablet devices.
Post from: SiteProNews
Hacked WordPress Sites & Security Countermeasures
Security on WordPress has, especially in the past couple of months,
become a serious issue. Never before have I seen so many determined and
sophisticated hacking attempts directed against the WordPress sites I
own or manage.
These run the whole gamut of attack variations:
Generally speaking, its easy to minimize the potential threat by a few minutes of pre-emptive efforts! In other words, an ounce of prevention is still easier to apply than a pound of cure!
WordPress Security Plugins
This is the first line of defense – a properly implemented security plugin will thwart the majority of hacking efforts – particularly the script-based automated ones! Where a human-driven attack is initiated, you can easily make it extremely difficult to gain access to the internals of your website. The more difficult it is, the greater the likelihood of the attacker giving up and seeking out a softer, easier target. Even in the hacking world, time is money…
There are multiple WordPress security plugin applications available, each with its own methodology or variation on a theme. Selection of one over the other will often be based on the server environment – some simply won’t install if the right PHP elements or server settings are not enabled. Those that I have direct and extensive personal experience with are:
Each has its peculiarities, peccadilloes and quirks! Each works…
Better WordPress Security
I’ve used Better WordPress Security a lot and do like the comprehensive way in which it tackles a broad range of prospective threats. Its evolution has been significant and rapid. Unfortunately, the new releases have been occurring at almost weekly intervals for the past couple of months. Upgrades sometimes culminate in a crisis on the site, such as 500 Server Errors. This issue is particularly problematic if you have WordPress running in a sub-directory! Such issues can only remedied by:
If your WordPress installation runs from the root directory, BWS will give you peace of mind, but you will need a good understanding of WordPress, security issues, and confidence in WordPress troubleshooting…
Minor Irritation
* The “Backup” option being ON by default – that interferes with any backup scheduling you already have in place, such as BackupBuddy or WP DB-Manager etc. That can sometimes culminate in 2 dozen copies of your site backup arriving in your email account overnight! LOL
Major Irritation
* Checking files outside the WordPress installation will give timeout errors and lock up Admin access if you’ve got other large software applications OR add-on domains. There is an “exclude directories” option, but it requires manual selection… Such a lockup is not recoverable and requires deactivation as above.
That said, it’s damned effective at preventing security breaches and I’ve not had a single unauthorized access on a site running BWS! Despite the irritations, I actually made a $50 donation towards the BWS cause, as it’s obviously taking up a huge amount of dedicated effort to get it right, and it’s getting better and better.
Wordfence
While I would prefer to use a single WordPress security plugin across all sites I manage, I’ve got Wordfence Security installed on multiple sites because of WP running from within a sub-directory, or in the case of add-on domains as mentioned above.
Wordfence has a relatively simple interface compared to BWS or BPS, and operates in a different way. It seems very robust, and the firewall settings are easy to configure. Basically, I recommend simply selecting the following setting;
“Level 4: Lockdown. Protect the site against an attack in progress at the cost of inconveniencing some users.”
That’s going to defeat the most determined of automated hacking efforts without impacting on the site’s usability! Wordfence can be configured to provide email warning of a variety of threats, including:
Bullet Proof Security
This is also a robust security plugin application, and I’ve used Bullet Proof Security on 2 sites where the preceding plugins could not be installed. It’s comprehensive, but I personally find its interface to be somewhat daunting – it’s complicated and hard to understand. Maybe it’s just me…
However, it hasn’t ever crashed (unlike BWS) and it hasn’t ever been breached either. On that basis I’d recommend it, but you will need to read the directions!
Secure WordPress
Secure WordPress seems to be at the lower end of the complexity scale and again, I’ve got a couple of sites running it. Installation is neither difficult nor complicated. It’s going to require:
WordPress Security Plugins Summary
One or other of these four plugins are sure to solve the particular security issues on your WordPress website. They provide a known base from which to start your countermeasures. There are several others that can be trialed.
My pick of the litter is Wordfence – that’s because it’s reliable, has that core code verification feature and notifies you immediately of any plugin upgrades!
Securing WordPress
There are several basic elements that need to be addressed as part of any recommendations on WordPress security.
Secure WordPress User ID
The default WordPress User ID is “Admin” and you should NOT use that on your site. Doing so immediately means half of the “site access equation” is known, and all that’s required is the password! That’s pretty reckless in this day and age…
A secure User ID ought to be a minimum of 10 characters containing a mix of upper and lower case and including numeric and/or special character variations e.g.; $The#1Boss
In addition, you should then assign a User Account “nickname” so that there is no clue as to the Admin identity if you inadvertently use the account to publish any pages or posts! Ideally, you should publish the pages and posts from a “Editor” level account…
Secure Passwords
Most people foolishly use a password related to their life in some guessable way. Phone numbers, wife’s name, child’s name, dog’s name etc. A little bit of research, a bit of trial and error on the part of a smart hacker or competitor and your site is wide-open!
There are several websites specializing in secure password generation:
* PCTools
* Strong Password Generator
* Online Password Generator
USE one of them!
Comment Spam & Bad Links
These contribute negatively to your website’s online profile. Eliminate the majority of potential issues by using the inbuilt automation options;
Maintaining WordPress & Plugins
It’s extremely important to diligently maintain WordPress and any plugin applications. When a security breach or flaw occurs, fixes are put in place, but word of the potential exploit quickly circulates amongst the hacking community. Hackers immediately start looking for sites that are at risk, and target them!
A ‘once a week’ login to your WordPress Admin should be a standard task, in order to check if there are upgrades available. Install any upgrades immediately! Having a plugin like Wordfence installed ensures you are notified immediately if upgrades available.
How to Deal With WordPress Hacking
Don’t panic, because it won’t help! Usually, the hacking efforts I’ve seen relate to exploits of inherent security weaknesses in:
Dealing with the problem is usually a straightforward process, as per the next section.
WordPress Tech Support / Help Desk
Usually, the fastest way to deal with a known breach of WordPress is to:
Use more than one online scanning service to examine your website. These all have strengths in different areas, and one may identify issues that another might not spot. Try VirusTotal – scan the Home page URL and get a quick report from multiple sources.
The overriding goal is:
Core File Compromises
If the /wp-config.php has been altered in any way, it is wise to reset the WordPress Database User Account password, and add the new password into the /wp-config.php file. This can be done through the Admin Control Panel access to MySQL Database management. In the case of Cpanel it’s very easy to change the MySQL password.
Backups
Having an automated monthly backup process scheduled, with off-server storage, makes sound business risk management sense.
WordPress Security Conclusions
* Avoiding the problem is not particularly difficult.
* Eliminating the problem is usually straightforward.
These run the whole gamut of attack variations:
- Blackhole Exploit Kit attacks
- SQL Injection attempts
- Login & Password access efforts
- Link Injection & Phishing attacks, where links to bank fraud efforts are made
- Etc…
Generally speaking, its easy to minimize the potential threat by a few minutes of pre-emptive efforts! In other words, an ounce of prevention is still easier to apply than a pound of cure!
WordPress Security Plugins
This is the first line of defense – a properly implemented security plugin will thwart the majority of hacking efforts – particularly the script-based automated ones! Where a human-driven attack is initiated, you can easily make it extremely difficult to gain access to the internals of your website. The more difficult it is, the greater the likelihood of the attacker giving up and seeking out a softer, easier target. Even in the hacking world, time is money…
There are multiple WordPress security plugin applications available, each with its own methodology or variation on a theme. Selection of one over the other will often be based on the server environment – some simply won’t install if the right PHP elements or server settings are not enabled. Those that I have direct and extensive personal experience with are:
Each has its peculiarities, peccadilloes and quirks! Each works…
Better WordPress Security
I’ve used Better WordPress Security a lot and do like the comprehensive way in which it tackles a broad range of prospective threats. Its evolution has been significant and rapid. Unfortunately, the new releases have been occurring at almost weekly intervals for the past couple of months. Upgrades sometimes culminate in a crisis on the site, such as 500 Server Errors. This issue is particularly problematic if you have WordPress running in a sub-directory! Such issues can only remedied by:
- accessing the site via FTP
- deactivating the BWS plugin by renaming or deleting the directory
- editing the BWS code from the .htaccess file (or deleting .htaccess completely)
If your WordPress installation runs from the root directory, BWS will give you peace of mind, but you will need a good understanding of WordPress, security issues, and confidence in WordPress troubleshooting…
Minor Irritation
* The “Backup” option being ON by default – that interferes with any backup scheduling you already have in place, such as BackupBuddy or WP DB-Manager etc. That can sometimes culminate in 2 dozen copies of your site backup arriving in your email account overnight! LOL
Major Irritation
* Checking files outside the WordPress installation will give timeout errors and lock up Admin access if you’ve got other large software applications OR add-on domains. There is an “exclude directories” option, but it requires manual selection… Such a lockup is not recoverable and requires deactivation as above.
That said, it’s damned effective at preventing security breaches and I’ve not had a single unauthorized access on a site running BWS! Despite the irritations, I actually made a $50 donation towards the BWS cause, as it’s obviously taking up a huge amount of dedicated effort to get it right, and it’s getting better and better.
Wordfence
While I would prefer to use a single WordPress security plugin across all sites I manage, I’ve got Wordfence Security installed on multiple sites because of WP running from within a sub-directory, or in the case of add-on domains as mentioned above.
Wordfence has a relatively simple interface compared to BWS or BPS, and operates in a different way. It seems very robust, and the firewall settings are easy to configure. Basically, I recommend simply selecting the following setting;
“Level 4: Lockdown. Protect the site against an attack in progress at the cost of inconveniencing some users.”
That’s going to defeat the most determined of automated hacking efforts without impacting on the site’s usability! Wordfence can be configured to provide email warning of a variety of threats, including:
- Alert on critical problems
- Alert on warnings
- Alert when an IP address is blocked
- Alert when someone is locked out from login
- Alert when the “lost password” form is used for a valid user
- Alert when someone with administrator access signs in
- Alert when a non-admin user signs in
- Enable automatic scheduled scans
- Scan core files against repository versions for changes
- Scan for signatures of known malicious files
- Scan file contents for backdoors, trojans and suspicious code
- Scan posts for known dangerous URLs and suspicious content
- Scan comments for known dangerous URLs and suspicious content
- Scan for out-of-date plugins, themes and WordPress versions
- Check the strength of passwords
- Monitor disk space
- Scan for unauthorized DNS changes
- Scan files outside your WordPress installation
Bullet Proof Security
This is also a robust security plugin application, and I’ve used Bullet Proof Security on 2 sites where the preceding plugins could not be installed. It’s comprehensive, but I personally find its interface to be somewhat daunting – it’s complicated and hard to understand. Maybe it’s just me…
However, it hasn’t ever crashed (unlike BWS) and it hasn’t ever been breached either. On that basis I’d recommend it, but you will need to read the directions!
Secure WordPress
Secure WordPress seems to be at the lower end of the complexity scale and again, I’ve got a couple of sites running it. Installation is neither difficult nor complicated. It’s going to require:
- a (free) account at WebsiteDefender,
- an ‘agent’ file upload to your site that verifies / authorizes the account
WordPress Security Plugins Summary
One or other of these four plugins are sure to solve the particular security issues on your WordPress website. They provide a known base from which to start your countermeasures. There are several others that can be trialed.
My pick of the litter is Wordfence – that’s because it’s reliable, has that core code verification feature and notifies you immediately of any plugin upgrades!
Securing WordPress
There are several basic elements that need to be addressed as part of any recommendations on WordPress security.
Secure WordPress User ID
The default WordPress User ID is “Admin” and you should NOT use that on your site. Doing so immediately means half of the “site access equation” is known, and all that’s required is the password! That’s pretty reckless in this day and age…
A secure User ID ought to be a minimum of 10 characters containing a mix of upper and lower case and including numeric and/or special character variations e.g.; $The#1Boss
In addition, you should then assign a User Account “nickname” so that there is no clue as to the Admin identity if you inadvertently use the account to publish any pages or posts! Ideally, you should publish the pages and posts from a “Editor” level account…
Secure Passwords
Most people foolishly use a password related to their life in some guessable way. Phone numbers, wife’s name, child’s name, dog’s name etc. A little bit of research, a bit of trial and error on the part of a smart hacker or competitor and your site is wide-open!
There are several websites specializing in secure password generation:
* PCTools
* Strong Password Generator
* Online Password Generator
USE one of them!
Comment Spam & Bad Links
These contribute negatively to your website’s online profile. Eliminate the majority of potential issues by using the inbuilt automation options;
- Don’t allow registration unless it’s absolutely necessary!
- Don’t allow comments OR trackbacks on pages
- Close comments on posts after 2 – 4 weeks
- Don’t allow trackbacks on posts
Maintaining WordPress & Plugins
It’s extremely important to diligently maintain WordPress and any plugin applications. When a security breach or flaw occurs, fixes are put in place, but word of the potential exploit quickly circulates amongst the hacking community. Hackers immediately start looking for sites that are at risk, and target them!
A ‘once a week’ login to your WordPress Admin should be a standard task, in order to check if there are upgrades available. Install any upgrades immediately! Having a plugin like Wordfence installed ensures you are notified immediately if upgrades available.
How to Deal With WordPress Hacking
Don’t panic, because it won’t help! Usually, the hacking efforts I’ve seen relate to exploits of inherent security weaknesses in:
- JavaScript in plugins
- permissions allowing concealment of phishing (most often bank fraud) code in a sub-directory
- an email from Fraudwatch requesting you delete the offending content
- a warning from your hosting company that the site is compromised and in danger of being shut down.
- a tip from a friend or client that Google is displaying malware or virus warnings about your website.
Dealing with the problem is usually a straightforward process, as per the next section.
WordPress Tech Support / Help Desk
Usually, the fastest way to deal with a known breach of WordPress is to:
- Use the 1-click update in WordPress Dashboard / Updates to overwrite all core files that may have been compromised.
- Where a plugin is implicated, delete the affected plugin directory, and then upload a new copy.
- Where a Theme is implicated, copy your backup files across to replace the compromised files.
- Files and directories that were altered or uploaded and don’t belong.
- Inappropriate file permissions – e.g. directories should usually NEVER be set to 777 permissions, as this gives access to anyone to do anything. The correct directory permissions for most hosting accounts is 755, and some servers generate “Server 500″ errors if permissions are inadvertently set at 777.
- Unexpected items in /uploads/ or /backups/ directories.
- File Modified dates that don’t match up with any edits, uploads or changes you’ve made.
Use more than one online scanning service to examine your website. These all have strengths in different areas, and one may identify issues that another might not spot. Try VirusTotal – scan the Home page URL and get a quick report from multiple sources.
The overriding goal is:
- deleting the compromised files and replacing them with the correct versions.
- ensuring secure permissions across directories and files.
- implementing a security plugin.
- changing the WordPress admin password.
- changing the Cpanel / Plesk / Hsphere admin password.
- changing the FTP access password.
- deleting any “extra” User or FTP accounts that may have been added to provide easy future access for the hackers.
Core File Compromises
If the /wp-config.php has been altered in any way, it is wise to reset the WordPress Database User Account password, and add the new password into the /wp-config.php file. This can be done through the Admin Control Panel access to MySQL Database management. In the case of Cpanel it’s very easy to change the MySQL password.
Backups
Having an automated monthly backup process scheduled, with off-server storage, makes sound business risk management sense.
WordPress Security Conclusions
* Avoiding the problem is not particularly difficult.
* Eliminating the problem is usually straightforward.
Subscribe to:
Posts (Atom)