ICYMI: WordPress XSS flaw, costly breaches & the return of Snooper's Charter
ICYMI: WordPress XSS flaw, costly breaches & the return of Snooper's Charter

WordPress XSS flaw an example of growing sophistication

This week a flaw was found in the genericons WordPress package which creates vulnerabilities in any plug-in or theme which uses it.

Two very popular assets – the JetPack plug-in and the TwentyFifteen theme which is installed by default – have been found to be vulnerable, according to David Dede, writing on the Sucuri blog.

This vulnerability follows the news that WordPress had to rush out a patch for another flaw recently. The previously revealed flaw could allow hackers to run malicious JavaScript stored in comment fields to be executed by the server hosting a website.

Dede says of this most recent vulnerability that millions of WordPress installs could be affected. “The main issue here is the genericons package, so any plugin that makes use of this package is potentially vulnerable if it includes the example.html file that comes with the package,” he wrote.

PC maker Lenovo exposes users to "massive security risk"

World number one PC maker Lenovo was accused of running a "massive security risk" last week because flaws in its online product update service allow hackers to download malware onto its users' systems through a man-in-the-middle (MiTM) attack.

The problems have been revealed by security firm IOActive – just weeks after Lenovo was found to be shipping PCs with pre-installed ‘Superfish' adware that also left its users open to MITM attacks.

IOActive researchers discovered the latest “high-severity” privilege escalation vulnerabilities in Lenovo's System Update service, which enables users to download the latest drivers and other software, including security patches, from Lenovo's website.

The researchers found the flaws in February, and have now gone public on them after giving Lenovo time to develop a patch, which was issued last month. But while the released patch fixes the problems, users have to download the security update to protect themselves.

Data breaches to cost businesses £1.3 trillion by 2019

New research suggests that the rapid digitisation of consumer's lives, combined with increasing cyber-crime activity, will push data breach losses up to £1.34 trillion globally by 2019.

In a new report, Juniper Research predicts that the majority of these breaches will still come from existing IT and network infrastructure, with the number of mobile and Internet of Things attacks expected to be “minimal" in comparison to more traditional computing devices.

"Currently, we aren't seeing much dangerous mobile or IoT malware because it's not profitable", said report author James Moar.

The report further notes cyber-crime is becoming increasingly professional, with the emergence of cyber-crime products (such as the sale of malware creation software) over the past year, and believes that there is a decline in casual, activist hacks.

DDoS botnet hijacks thousands of routers

Tens of thousands of poorly-configured home and business routers have been infected with malware and recruited into a massive botnet.

According to research carried out by security firm Incapsula, routers with outdated firmware and default passwords that haven't been changed since purchase have become the target of an anonymous group of hackers.

The attack was first discovered at the tail end of December last year. Almost all the routers appear to be from a single US vendor Ubiquiti. Hackers can log into the routers using a default username and password to access admin functions on the router. Secondly, these routers also allow remote access to HTTP and SSH via default ports.

Once compromised, the hackers can infect routers with malware, such as the MrBlack malware (a.k.a. Trojan.Linux.Spike.A). The researchers looked at 13,000 samples of malware and discovered evidence of other DDoS files including Dofloo and Mayday, which are also used for DDoS attacks.

These vulnerabilities opened up the routers to eavesdropping, man-in-the-middle attacks, cookie hijack, and gave hackers the ability to gain access to other local network devices

New Tory government pushes ahead with Snooper's Charter

The controversial 'Snooper's Charter' surveillance law could be fast-tracked now that the Conservative political party has formed a majority government in the House of Commons.

The law, which is officially known as the Draft Communications Data Bill, is expected to force UK internet service providers (ISPs) into keeping huge amounts of data on customers, and make this information available if requested by government and intelligence agencies.

The last government tried to push the bill through in 2013, but this was subsequently blocked at the House of Commons by the Liberal Democrats, who were part of the coalition government at the time. There were later attempts to sneak the changes through, via amendments to the Counter-Terrorism and Security Bill, although this was also defeated, this time at the House of Lords.

However, after last week's UK General Election saw the Conservative party win a clear, if small, parliamentary majority (of 12 MPs), the bill looks to be firmly back on the agenda.  One privacy-oriented socia network, Ind.ie, is reported to have said it will quit the UK as a result.