Campbell, a WordPress core contributor, announced the release, 4.7.1, on Wednesday afternoon.
WordPress 4.7.1 Security and Maintenance Release https://t.co/Qxgd132Dw9 — WordPress (@WordPress) January 11, 2017
One of the XSS vulnerabilities could be triggered via the plugin name or version header on update-core.php; another could be exploited via theme name fallback, according to the release notes. One of the CSRF bugs, identified by Abdullah Hussam, an Iraqi security researcher who’s previously found bugs in Vine, Twitter, and Vimeo, allowed CSRF protections to be bypassed by uploading a crafted Flash file.
Another CSRF bug, discovered by Danish developer Ronni Skansing, was tied to how WordPress handled accessibility mode in widget editing.
Skansing has found several bugs in WordPress over the years. Last February he found a server-side request forgery (SSRF) vulnerability in WordPress 4.4.1.
An attacker could have exploited the bug to make the WordPress server issue requests of the attacker's choosing, so that they appeared to originate from the server itself, possibly bypassing access controls that trust the server's network position.

Another issue, in WordPress’ REST API, could have exposed user data for any users who “authored a post of a public post type.” The issue, jointly uncovered by Brian Krogsgard, who runs the WordPress news site Post Status, and Chris Jean, a WordPress developer for iThemes, was fixed by limiting which posts are seen within the API.

WordPress have now fixed my vuln in relation to weak crypto https://t.co/899unBLnKn — linkcabin (@LinkCabin) January 11, 2017

The update also fixes what WordPress calls “weak cryptographic security” in the way it handles multisite activation keys, in addition to 62 smaller bugs that have popped up in the month or so since the release of version 4.7.

Lastly, 4.7.1 includes an updated version of the email-sending library PHPMailer. While Campbell claims “no specific issue appears to affect WordPress or any of the major plugins” that he and other WordPress contributors investigated, they decided to update the library “out of an abundance of caution.” PHPMailer's developers updated the library to version 5.2.21 two weeks ago to mitigate a remote code execution vulnerability discovered by Dawid Golunski of Legal Hackers.
Golunski warned that an attacker could have exploited the vulnerability by targeting website components that use the library, such as contact and registration forms, password reset forms, and so on.
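The SSRF bug in WordPress 4.4.1 mentioned above belongs to a class of flaw in which a server fetches a URL chosen by a user. The check below is an added example written for this page; it is not WordPress's own URL validation or any other project's code. It shows the outbound-URL gate a practitioner would want: restrict scheme and port, refuse credentials in the URL, resolve the host, and reject anything that lands on loopback, link-local, multicast or private address space, unwrapping IPv4-mapped IPv6 first. The hostnames, addresses and the stub resolver are constructed so the example runs offline.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stub resolver so the example runs offline. A real check would use
# socket.getaddrinfo() and then connect to the address it validated (see note below).
STUB_DNS = {
    "api.example.com": ["203.0.113.10"],
    "localhost": ["127.0.0.1"],
    "metadata.internal": ["169.254.169.254"],            # cloud-metadata style target
    "rebind.example.com": ["203.0.113.20", "10.0.0.5"],   # one public and one private record
}

# Address space a web application should never reach on a user's behalf.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",                                          # 0.0.0.0 reaches localhost on Linux
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",      # RFC 1918
    "100.64.0.0/10",                                      # carrier-grade NAT
    "127.0.0.0/8",                                        # loopback
    "169.254.0.0/16",                                     # link-local, incl. metadata endpoints
    "224.0.0.0/4", "240.0.0.0/4",                         # multicast, reserved
    "::1/128", "fc00::/7", "fe80::/10",                   # IPv6 loopback, ULA, link-local
)]

ALLOWED_SCHEMES = ("http", "https")
ALLOWED_PORTS = (80, 443)


def resolve(host):
    """Stand-in for DNS resolution; returns every address the name maps to."""
    return STUB_DNS.get(host, [])


def is_safe_address(addr_str):
    """True if the address is public unicast. IPv4-mapped IPv6 is unwrapped first
    so ::ffff:127.0.0.1 cannot slip past the IPv4 ranges."""
    try:
        addr = ipaddress.ip_address(addr_str)
    except ValueError:
        return False
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not any(addr in net for net in BLOCKED_NETWORKS)


def validate_outbound_url(url):
    """Return (ok, reason). Every record the host resolves to must be safe, so a
    name with one public and one private address is rejected outright."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port not in ALLOWED_PORTS:
        return False, "port not allowed"
    try:
        addrs = [str(ipaddress.ip_address(host))]   # literal address: nothing to resolve
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        return False, "host did not resolve"
    for addr in addrs:
        if not is_safe_address(addr):
            return False, "%s resolves to blocked address %s" % (host, addr)
    return True, "ok"


if __name__ == "__main__":
    for url in ("https://api.example.com/feed.xml", "http://localhost/wp-admin/",
                "http://[::ffff:127.0.0.1]/", "http://metadata.internal/latest/",
                "http://rebind.example.com/", "http://0.0.0.0/", "ftp://api.example.com/"):
        print(url, validate_outbound_url(url))
```

The validation is a time-of-check result: a resolver that answers differently on the next lookup (DNS rebinding) would defeat it if the HTTP client re-resolves the name. Connect to the address that was validated, and either disable redirects or run the same check on every hop, since a redirect to an internal address is the usual way around a front-door check.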
Join the IoT Home Inspector Challenge to provide a technical solution to Internet of Things vulnerabilities.
The Internet of Things isn't exactly a secure platform: Baby monitors, Wi-Fi routers, and refrigerators can expose homeowners to malicious attacks.
But while industry giants fight for better safeguards, the government is turning to its constituency to help save the day.
The Federal Trade Commission invites members of the public to create a technical solution to protect consumers and their homes from IoT security vulnerabilities. In return, there's cash on offer.
Submissions to the IoT Home Inspector Challenge must provide a technical solution (as opposed to a policy or legal fix) that works on existing devices and protects information collected "in transit and at rest."
The tool could be a physical device, an app or cloud-based service, or user interface. According to the Challenge website, it would, "at a minimum, help protect consumers from security vulnerabilities caused by out-of-date" software and firmware.
Proposals should address how the tool "will avoid or mitigate any additional security risks that [it] might introduce into the consumer's home," the FTC's criteria summary said. Submissions should include an abstract (a title and brief description), a short video demonstration (via YouTube or Vimeo), and a detailed written explanation of the tool.
Five judges will assess each entry based on how well it works (60 points out of 100 total score), how user-friendly it is (20 points), and how scalable it is (20 points). For an additional 10 points, folks can address other ways to help guard against broader IoT security vulnerabilities.
Ideas will be accepted until 12pm Eastern on May 22. For more information on the judges and the complete rules, visit the FTC's Challenge website.
Prize winners can earn up to $25,000 for their idea; $3,000 will be available for each honorable mention; the FTC expects to announce victors in July.
The Broadband Internet Technical Advisory Group in November published a plan to help boost the security of the millions of devices that make up the IoT. Google, T-Mobile, Cisco, and several other tech companies called for a major shift in the way manufacturers approach security: They should be "restrictive instead of permissive," the advisory group said. So, instead of automatically allowing Internet traffic—in some cases without a password or firewall—IoT devices of the future should be inaccessible to inbound connections by default.
Seven minutes later, I visited the website, where I was confronted by a sexually explicit video stating I was a pedophile. The video depicted a bearded young man lying back on a bed, pleasuring himself rather vigorously in front of an iPhone.
It was titled "Iain Thomson masturbates on webcam in front of 15 year old girl." As someone who has never exposed their shortcomings in such a way, nor looks anything like the aforementioned chap with his chap out on show, the video itself wasn't immediately worrying, although it was worth digging into.
Interesting; a @vimeo user has just set up an account in my name and uploaded an obscene clip. This could make a good article... — Iain Thomson (@iainthomson) May 2, 2016
After discussing the situation with Vimeo, it appears that I'd been caught up in an increasingly common practice of blackmailing people online using embarrassing videos.
Sextortion
Sexual extortion is happening all the time on the internet: typically, a victim is tricked into performing sex acts on webcam by someone pretending to be a potential paramour.
The blackmailer then threatens to leak the compromising images to friends, family and colleagues unless more acts are performed or money is paid. More often than not, such extortion is devastating for the victim and can lead to further abuse.
The Feds have been taking an increasing interest in such cases and tough sentences are being handed out to perpetrators: Karen "Gary" Kazaryan was threatened with 105 years in the big house after getting caught, although he got away with just five years inside. More recently Interpol has warned that organized crime is getting in on the sextortion racket.
Victims are identified via social media, dating, webcam or adult pornography sites, recorded, and then warned to pay up if they don’t want their family and friends to find out what they were up to – sometimes in an email purporting to come from the police themselves. It is, by some accounts, quite a money spinner, and is becoming an increasing problem – not least because victims are unlikely to go to the police.
That's particularly true if the video alleges serious criminal behavior, as the one thrown at me did. However, as a tech journalist I know people at Vimeo, and so I went to the company to find out what was going on.
A technical team within the biz trawled through server logs and appeared to find a first for the New York City-based outfit. Under Vimeo's terms and conditions, videos can be uploaded to an account without any activation by the holder of the email address associated with the account.
Activation of an account opens up messaging services and other goodies, but videos can be posted regardless of whether the account's email address has been validated. This allowed the perp to publish a stranger's private video under my name, using my email address – a stranger who happened to share the same name as me. He is the real victim in this case, wherever in the world he may be: the blackmailer's next step would have been to extort the bloke, or publicly shame him, using the uploaded video.
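The design flaw described above is an identity-binding one: the site let content be published under an email address before anyone had proved control of that mailbox. The model below is an added example for this page, not Vimeo's code or a description of how Vimeo actually implements accounts; it assumes a toy service with a single activation token per address, and the email addresses and video ids are constructed. It contrasts the permissive rule (upload publishes immediately) with the gated one (uploads are accepted but stay private until the token emailed to the address holder is redeemed), and stores only a hash of the token so a database leak does not hand out activations.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Account:
    email: str
    verified: bool = False
    token_hash: Optional[str] = None                        # SHA-256 of the emailed activation token
    videos: Dict[str, str] = field(default_factory=dict)    # video_id -> "pending" | "public"


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class VideoHost:
    """Toy upload service (assumed design, not a real provider's).
    gate_on_verification=False reproduces the permissive rule: whoever types an
    address can publish under it. With the gate on, uploads are held private until
    the address holder redeems the token that only their mailbox received."""

    def __init__(self, gate_on_verification: bool = True):
        self.gate = gate_on_verification
        self.accounts: Dict[str, Account] = {}

    def register(self, email: str) -> str:
        key = email.strip().lower()
        if key in self.accounts:
            raise ValueError("address already registered")   # a second claimant cannot take it over
        token = secrets.token_urlsafe(32)                     # delivered to the mailbox, never displayed
        self.accounts[key] = Account(email=key, token_hash=_token_hash(token))
        return token

    def verify(self, email: str, token: str) -> bool:
        acct = self.accounts.get(email.strip().lower())
        if acct is None or acct.token_hash is None:
            return False
        if not hmac.compare_digest(acct.token_hash, _token_hash(token)):
            return False
        acct.verified = True
        acct.token_hash = None                                # single use
        return True

    def upload(self, email: str, video_id: str) -> str:
        acct = self.accounts[email.strip().lower()]
        state = "public" if (acct.verified or not self.gate) else "pending"
        acct.videos[video_id] = state
        return state

    def release_pending(self, email: str) -> List[str]:
        """After verification, make held uploads public; returns the ids released."""
        acct = self.accounts[email.strip().lower()]
        if not acct.verified:
            return []
        released = [vid for vid, state in acct.videos.items() if state == "pending"]
        for vid in released:
            acct.videos[vid] = "public"
        return released

    def is_public(self, email: str, video_id: str) -> bool:
        acct = self.accounts.get(email.strip().lower())
        return acct is not None and acct.videos.get(video_id) == "public"


if __name__ == "__main__":
    # Constructed scenario: an impersonator registers somebody else's address.
    loose = VideoHost(gate_on_verification=False)
    loose.register("target@example.com")                     # token goes to the real mailbox, unseen
    print("permissive:", loose.upload("target@example.com", "clip1"))

    strict = VideoHost()
    token = strict.register("target@example.com")
    print("gated:", strict.upload("target@example.com", "clip1"))
    print("impersonator guesses token:", strict.verify("target@example.com", "guess"))
    print("mailbox holder redeems it:", strict.verify("target@example.com", token),
          strict.release_pending("target@example.com"))
```

The point of holding uploads rather than rejecting them is that the legitimate user's flow is unchanged; only the moment at which content becomes reachable under that name moves to after the mailbox check.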
The vid was removed in less than 24 hours.
What to do in these situations
If you are the victim of this kind of sextortion attack there are a number of steps to take that will minimize harm. Firstly, be open about it to break the blackmailer's hold. When the video upload notification came up with a screenshot, I thought it was a joke of some kind and showed it to my editor and the other hacks in Vulture West.
It was only when I got home and actually viewed the video on a secure machine that the pedophilia accusation was seen and things got serious. Since there's no way this person could be mistaken for me (I've never worn a beard, am considerably slimmer than the victim, and have never owned an iPhone) I wasn't too worried.
But once something goes online there's always a fear that it could be used to try and trash an online reputation. Secondly, victims should go to the video hosting company and the police if they are being extorted.
Vimeo and others want no part of this kind of traffic and are generally pretty good about taking down videos, and the police are more clued in than they used to be. Paying up will most likely lead to demands for more money. Crucially, don’t destroy the evidence.
Vimeo were able to sort this out so quickly since I'd backed up all the emails but if you are being extorted make sure to keep everything, even logs of the conversations which prompted the original unwise activity. Finally, just don’t do this kind of online sex unless you are 100 per cent certain that the person on the other end is who they say they are, and even then I'd advise against doing it.
Even if you are convinced the person at the other end is real, there's no telling what they could do if the relationship breaks down, as revenge porn sites have shown. Back in the dawn of the World Wide Web, Bruce Schneier gave some excellent advice in the first interview I had with him: never write or post anything online that you couldn’t justify publishing in your local paper.
It was good advice then and still holds true today. ®
Between May 2015 and May 2016, Exponential-e reduced its carbon footprint by a total of 68%.
The ISO 14001 and ISO 50001 Standards are an addition to Exponential-e’s five existing certifications across security, business continuity, quality and service management, making the company one of the only technology providers to hold this many ISO certificates.

“With new figures published by British Gas revealing that the UK is still amongst the top 20 countries emitting the largest amount of carbon, British businesses need to urgently review their energy and environmental policies in order to remain globally competitive,” said Jitesh Bavisi, Director of Compliance at Exponential-e. “Although we’ve always taken pride in our Corporate Social Responsibility, these certifications prove our achievements in carbon footprint reduction. We’ve made significant investment into upgrading our facilities, which now reflect a responsible future-focused organisation, and we will continue to work on minimising our long-term environmental impact. We’re delighted to reveal that our energy bill has gone down significantly even though we’ve gained 34 new employees in the past 5 months.”

Achievement of the ISO 14001 Environmental Management Standard is based on the company’s ability to reduce costs in waste, recycling and consumption, as well as manage environmental risks.
ISO 50001 Energy Management Standard shows Exponential-e’s energy efficiency across the business, including raising employee awareness and working towards a more secure long-term energy supply.
Implementing the two standards and maintaining an integrated approach will help Exponential-e’s long-term commitment to reducing its environmental impact. This certification also ensures Exponential-e’s compliance with the Environment Agency’s Energy Savings Opportunity Scheme (ESOS), which identifies areas of energy savings available across the organisation.

Examples of Exponential-e’s energy and environmental initiatives include the installation of £30,000 worth of motion sensors across its offices that manage light usage, and the replacement of all its plasma screens, which hold C or D energy consumption ratings, with more environmentally friendly LEDs, which hold A+ ratings.

“With technology being a sector that is traditionally energy intensive, a reduction of 68% is significant.
As we develop and evolve our offering at Exponential-e, we’ll continue to maintain our audits and look to build around our standards frameworks for managing quality, security, business continuity, service and now environmentally friendly policies. We no longer have an area of our business that’s not assessed by a third party, and we’re proud to be one of the few technology companies holding seven ISO certificates,” concludes Bavisi.

Toni Allen, UK Head of Client Propositions at BSI, comments: “Achieving certification to both ISO 14001 and ISO 50001 demonstrates Exponential-e’s commitment to being a more sustainable organisation.
Implementing these management systems will enable them to control their environmental and energy impact and continually improve their performance.”

-ENDS-

About Exponential-e
Exponential-e is a British cloud and connectivity pioneer with a difference.
Its cloud services do not traverse the public Internet.
Instead, they reside (logically) on a customer's LAN, on the clean side of the firewall so security and privacy concerns are negated.
Exponential-e wholly owns a super-fast 100 Gigabit Ethernet Layer 2 VPLS Network that guarantees a superior level of resilience, reliability and performance.
Exponential-e also integrates with third party providers and bespoke applications for both the Enterprise and SMEs with an end-to-end SLA. That’s why it’s trusted by over 2,800 customers, boasts 96% customer reference-ability, features in the London Stock Exchange's Top 1000 Companies to Inspire Britain, is included in Investec’s Top 100 fastest growing UK Mid-Market companies and is ranked number 16 in the Megabuyte50, which lists the best performing, privately-owned technology companies in the UK. Exponential-e's services are delivered down one pipe, enabling 100% network visibility and control.
The company has demonstrated the highest levels of compliance with industry standards and has been awarded seven ISO accreditations, including the highly coveted Cloud Security Alliance STAR.
Exponential-e’s product portfolio includes services for cloud & IT, Voice, Networking, Data Centres and Professional Services.
Connect with Exponential-e:
Twitter: https://twitter.com/Exponential_e
LinkedIn: https://www.linkedin.com/company/29666
Vimeo: https://vimeo.com/exponentiale
The 2nd US Circuit Court of Appeals reversed that decision, and also overturned the lower court's ruling that the DMCA didn't grant so-called safe-harbor protection to ISPs whose employees saw infringements on their platforms uploaded by their users. The decision once again affirms that the DMCA extends immunity to Internet Service Providers for the infringement of their customers if an ISP removes material at the request of the rights holder.
The decision was akin to an earlier and popular decision called Viacom v. YouTube, which the record labels said was off base in the case against Vimeo. In the case decided Thursday, the court ruled that a "showing by plaintiffs of no more than that some employee of Vimeo had some contact with a user-posted video that played all, or nearly all, of a recognizable song is not sufficient to satisfy plaintiffs’ burden of proof that Vimeo forfeited the safe harbor by reason of red flag knowledge with respect to that video." The ruling added that a "service provider's personnel are under no duty to 'affirmatively seek' indications of infringement." Regarding the pre-1972 recordings, the court ruled: To construe § 512(c) as leaving service providers subject to liability under state copyright laws for postings by users of infringements of which the service providers were unaware would defeat the very purpose Congress sought to achieve in passing the statute.
Service providers would be compelled either to incur heavy costs of monitoring every posting to be sure it did not contain infringing pre-1972 recordings, or incurring potentially crushing liabilities under state copyright laws.
It is not as if pre-1972 sound recordings were sufficiently outdated as to render the potential liabilities insignificant. "Today's ruling by the Second Circuit is a significant win for not just Vimeo, but all online platforms that empower creators to share content with the world," said Michael Cheah, Vimeo's general counsel.
The case was brought in 2009 by Capitol Records and Sony, which did not immediately respond to a request for comment. The Electronic Frontier Foundation applauded the ruling. "The Court held that (1) there was no duty to monitor for infringement, (2) that suspicion of infringement wasn’t enough unless infringement was obvious, and (3) a few sporadic videos out of millions where Vimeo employees “inappropriately” encouraged users to post infringing videos was insufficient to remove the DMCA safe harbor protections," the group said.
Her work cracking the Enigma machine's coded messages was crucial to the success of the D-Day landings during WWII.
November 14, 2013 7:49 PM PST (Credit: Vimeo screenshot)
Cracking one of the most compl...