Think Like A Hacker With Wordfence

  • Autor: Vários
  • Narrador: Vários
  • Editora: Podcast
  • Duração: 39:48:39
  • Mais informações

Informações:

Sinopse

Mark Maunder co-founded Wordfence in 2011 after his WordPress site was hacked and he learned how hard it was to clean and secure. Today the team has grown to over 35 members world-wide and Wordfence protects over 2 million WordPress sites. Join Mark as he and his colleague Kathy Zant cover interesting topics related to WordPress, security and innovation. Most episodes include interviews with luminaries from the WordPress or security communities.

Episódios

  • Episode 85: 0Day in File Manager Plugin and WordPress 5.5.1 Fixes Broken Sites

    04/09/2020 Duração: 06min

    Over 700,000 WordPress users were affected by a zero-day vulnerability in the File Manager plugin, and the WordPress 5.5.1 release fixed millions of sites affected by deprecation of jQuery Migrate. SendGrid is under siege from spammers using hacked accounts, and Apple approves a notorious malware variant to run on Macs.

  • Episode 84: Google Chrome Plans to Implement Insecure Form Warnings

    28/08/2020 Duração: 07min

    The Google Chrome web browser has a high-severity vulnerability that could be used to execute arbitrary code, which has been fixed in Chrome version 85. Google also announced that Chrome 86 will alert users if a form submission is using the insecure HTTP protocol, making it a good time to audit older sites that may have migrated to HTTPS, but still have forms submitting via HTTP. A security researcher found a flaw in Apple's Safari browser that could allow an attacker to access files on a Mac or iOS device. The FBI and CISA have issued a joint alert to warn about the growing threat from vishing attacks targeting companies.

  • Episode 83: 100,000 Sites Impacted by Vulnerabilities in Advanced Access Manager

    21/08/2020 Duração: 08min

    The Wordfence Threat Intelligence team discovered vulnerabilities in the Advanced Access Manager plugin installed on over 100,000 WordPress sites. A high severity authorization bypass could lead to privilege escalation and site takeover. Critical vulnerabilities found in the Quiz and Survey Master plugin could also lead to site takeover on the 30,000 WP sites using the vulnerable version of this plugin. Thousands of sites broke after updating to WordPress 5.5 due to deprecated support for jQuery Migrate, and the release of the Enable jQuery Migrate Helper plugin reached 10,000 active installations to help fix these sites using older themes or plugins. As cryptocurrency values rise, we’re seeing a wave of new scams and hacking campaigns with cryptocurrency as a driving force, such as the recent Twitter hack and a botnet campaign breaching SSH servers.

  • Episode 82: Important Changes in the WordPress 5.5 Update

    14/08/2020 Duração: 07min

    WordPress 5.5 was released on August 11 with a number of important updates, including a new feature allowing auto-updates of themes and plugins as well as changes to the block editor. The popular Astra theme was suspended from the repository for having affiliate links in the code. A vulnerability found in Google Chromium browsers could allow attackers to bypass content security policy in order to steal data and execute rogue code, this vulnerability affects billions of users. The Wall Street Journal reported that government tracking software is embedded in over 500 mobile apps.

  • Episode 81: Critical Vulnerability Exposes over 700,000 Sites Using Divi, Extra, and Divi Builder

    07/08/2020 Duração: 09min

    Our Threat Intelligence team disclosed numerous vulnerabilities this week, including a critical vulnerability in the Divi and Extra themes as well as the Divi Builder plugin. In total, this vulnerability affected over 700,000 sites. A vulnerability found in The Official Facebook Chat Plugin created a vector for social engineering attacks as it allowed an attacker to pose as a site owner via chat. Object injection vulnerabilities discovered in the Newsletter plugin affected over 300,000 sites. We also look at the charges brought against 3 people in connection with the recent Twitter hack. The WordCamp US organizing team made the difficult decision to cancel WCUS this year amid online event fatigue.

  • Episode 80: Critical File Upload Vulnerability in wpDiscuz Plugin

    31/07/2020 Duração: 08min

    Our threat intelligence team discovered a vulnerability in the wpDiscuz plugin, affecting over 80,000 sites. A blind SQL injection attack affected analytics service WayDev, exposing OAuth tokens for GitHub repositories for software companies, leading to further breaches. A debate about problematic admin notices on the WordPress admin dashboard has many wondering how to best solve the issue, while WordCamps move to all virtual in 2020. Garmin's ransomware attack takes down more than step counting.

  • Episode 79: High Profile Twitter Accounts Compromised in Coordinated Attack

    17/07/2020 Duração: 41min

    A number of high profile Twitter accounts including those of Elon Musk, Apple, Uber, Bill Gates, Joe Biden and others were compromised as a part of a coordinated bitcoin scam attack. The attack lasted a few hours and netted the attackers about $100,000 worth of bitcoin. We talk about how this attack could have possibly happened and lessons for businesses with remote workers accessing company systems. We also talk about a vulnerability our Threat Intelligence team discovered in the All in One SEO Pack plugin used by over 2 million WordPress sites. This vulnerability could be used by a malicious contributor account to take over a WordPress site. We also discuss SigRed: A 17-year-old ‘wormable’ vulnerability that could be used to hijack Windows servers, a vulnerability that could have severe ramifications for enterprise Windows networks. This vulnerability was patched on July 14. And we take a look at some privacy concerns with the increasingly popular TikTok app and how Apple discovered TikTok spying on iPhone

  • Episode 78: Targeted Phishing Bypassing Security Checks and a new DDoS Record

    22/06/2020 Duração: 13min

    This week, we look at some targeted phishing attacks that are bypassing Microsoft Outlook’s protective filters, and phishing campaigns using calendar invitations to target unsuspecting recipients. We also look at some successful bitcoin scams and a new record for a massive DDoS attack that targeted an AWS customer. Drupal pushes out some security fixes, and zero-day vulnerabilities found in numerous Netgear routers.

  • Episode 77: WordPress 5.4.2 Released, Fake Ransomware Bitcoin Scams

    12/06/2020 Duração: 14min

    This week, we look at the WP 5.4.2 release and a ransomware bitcoin scam targeting site owners with a “You’ve Been Hacked” email. We also look at an FBI warning about online banking app malware, the Verizon data breach report and what is says about WordPress, and how some white hat hackers are becoming millionaires by responsibly disclosing vulnerabilities via HackerOne.

  • Episode 76: Ongoing Attacks on WP Growing in Volume Plus Numerous Plugin Vulnerabilities

    15/05/2020 Duração: 18min

    On this week's Think Like a Hacker podcast, we cover an active attack campaign targeting WordPress sites and numerous plugin vulnerabilities. This active attack campaign has been ongoing and has outpaced all other attacks on WordPress vulnerabilities. Our threat intelligence team has been tracking this attacker for months now, and we’re seeing these attacks intensifying. We also look at vulnerabilities found in Google's Site Kit plugin and the Page Builder by SiteOrigin, and why it’s so important for plugin developers to have a Responsible Disclosure Policy published in an easy to find location on their site. We also look at how a combination of two vulnerabilities were used in a zero-day active attack on sites running Elementor Pro and the Ultimate Addons for Elementor plugin.  We also look at some new updates to Fast or Slow, the new global site speed profiling tool created by the Wordfence engineering team, and the impromptu hard launch the site experienced when it rose to the #1 position on Hacker News on

  • Episode 75: The WordPress 5.4.1 Security Release & More Plugin Vulnerabilities

    02/05/2020 Duração: 17min

    The Wordfence Threat Intelligence team unpacked the security updates in WordPress 5.4.1, and they published quite a few blog posts about vulnerabilities in popular plugins like Ninja Forms, LearnPress, and the Real-Time Find and Replace plugin. These plugin vulnerabilities affected over 1 million WordPress sites. As a few of these were Cross Site Request Forgery vulnerabilities, so we take a look at how these attacks work and how to avoid becoming a victim to a malicious CSRF request. We also look at more scams targeting COVID-19 fears and stimulus funds, and Google’s upcoming crackdown on Chrome extensions set to happen in August 2020. We also look at the privacy concerns expressed by many in the information security field about contact tracing initiatives by various companies including Google and Apple as well as governmental agencies.

  • Episode 74: Staying Safe When Hackers Use Sophisticated Attacks

    24/04/2020 Duração: 15min

    Stories this week about targeted attacks using 0days in iPhone and iPad devices and a sophisticated phone scam targeting a security professional that ended with a $9,800 wire transfer underscore what we all know: malicious attacks are becoming increasingly sophisticated. We also cover a recent plugin vulnerability in the MapPress Maps plugin affecting over 80,000 WordPress sites, Google’s report that they’re seeing more than 18 million daily malware and phishing emails. We also cover the recent funding that Frontity received, and look at what this might mean for faster WordPress sites.

  • Episode 73: Security News and Success through Processes with Adam Silver

    17/04/2020 Duração: 34min

    The FTC is reporting numerous scams targeting fears and uncertainty, with over $12 million lost to Coronavirus-related scams. We also cover BBB warnings against oversharing on social media, over 500,000 Zoom credentials found on the dark web, Google's removal of malicious Chrome extensions, as well as recent plugin and theme vulnerabilities. We chat with Adam Silver, host of the KitchenSinkWP podcast, celebrating 6 years of podcasting. We ask Adam about his consistent success, experiences with WordCamps, as well as the impact of Open, the film about the WordPress community, in which Adam plays a starring role.

  • Episode 72: WordPress 5.4 Released, Zoom Conferencing Safety & Security

    06/04/2020 Duração: 15min

    This week, we look at what’s new in WordPress 5.4, including that distraction free editing is now on by default. We also look at new plugin vulnerabilities, including Rank Math and a Contact From 7 helper plugin. We review the new updates to Fast or Slow, the free global website speed profiler. We also talk about Zoom’s recent security and privacy issues, including a recent discovery by a security researcher who found recordings of meetings containing sensitive information on Zoom’s cloud service.

  • Episode 71: Hackers Targeting COVID-19 Fears

    25/03/2020 Duração: 14min

    With many of us under either lockdown or shelter-in-place orders due to the COVID-19/Corona virus, fear and stress are rampant. This additional stress lowers our critical thinking capabilities and increases our vulnerability. Hackers targeting these human vulnerabilities are using the global pandemic to attempt exploitation through numerous scams and phishing campaigns. We also cover two plugin vulnerabilities affecting tens of thousands of sites as well as a new product from Wordfence, Fast or Slow, a global website speed profiler.

  • Episode 70: Customer Education and Agency Resiliency with Jon Bius

    14/03/2020 Duração: 50min

    We chat with Jon Bius, a web developer at Biz Tools One, an agency in Fayetteville, NC, about how they use customer education to build relationships and differentiate their business. We also cover two plugins with vulnerabilities, more cancelled WordCamps, some hackers taking advantage of the fear surrounding COVID-19, the rise of remote work, and what’s coming with full screen editing in WordPress 5.4. Find show notes and links on https://www.wordfence.com/podcast/

  • Episode 69: The Meteoric Growth of Elementor with Kfir Bitton

    06/03/2020 Duração: 35min

    On February 26, WordPress page building platform Elementor announced that they had received $15 million in venture funding. After topping 4 million installations of their plugin in January, it appears that Elementor is on a path to do some big things with WordPress. This week, we chat with Elementor CRO Kfir Bitton from his office in Tel Aviv, Israel about how Elementor grew so quickly, what's next for this plugin turned platform, and how Elementor strives to give back to the WordPress community. Of course, we also have news stories including how COVID-19 is affecting WordCamps, the Let's Encrypt domain control validation bug, and the coupon creation vulnerability in WooCommerce Smart Coupons.

  • Episode 68: More Plugin Vulnerabilities and Active Attack Campaigns

    29/02/2020 Duração: 25min

    This week, we review numerous plugin vulnerabilities in popular WordPress plugins and the attacks that are targeting them. We also review the Duplicator vulnerability affecting over 1 million sites, and Chloe Chamberland's discovery of multiple vulnerabilities in the Pricing Table by Supsystic plugin. Some WordPress-focused companies, Elementor and Strattic, receive venture funding. We also ask lead customer support engineer Tim Cantrell about the different ways to use Wordfence settings for brute force protection, blocking IP addresses, and how to prevent alert fatigue. A transcript is available on wordfence.com/podcast

  • Episode 67: Avoiding Common Vulnerabilities When Developing WordPress Plugins

    28/02/2020 Duração: 35min

    Almost every week, a new vulnerability is discovered in a popular WordPress plugin or theme, leaving developers scrambling to fix it before it’s widely exploited. Surprisingly, almost all critical vulnerabilities boil down to a few common mistakes. In this talk from WordCamp Phoenix, Ramuel Gall reviews these common errors and provides advice on creating secure plugins. Check out the video on YouTube to see slides with example code. There were some audio glitches during the presentation, but the content is good enough we had to share this with you. Transcript available in the show notes.

  • Episode 66: New Plugin Vulnerabilities & Succeeding as a Digital Nomad with Chloe at WCPHX

    21/02/2020 Duração: 53min

    It has been a busy week in WordPress security with active attacks on a number of plugins including ThemeRex Addons and Theme Grill Demo Importer plugins. In this week’s Think Like a Hacker, we look at what’s happening, review what a zero-day vulnerability is, and give you some advice on keeping WordPress installations clean and safe. We also look at a vulnerability uncovered in the wpCentral plugin installed on over 60,000 sites, a WHO phishing attack, and Malwarebytes’ State of Malware report. At WordCamp Phoenix, Wordfence Threat Analyst Chloe Chamberland spoke to a packed room of attendees looking to learn more about how she succeeds working remotely as a digital nomad. Her talk starts at 19:13 if you’d like to skip ahead, though we recommend watching the YouTube video of her talk to see Chloe’s travel photos and audience interaction. Links to that video and all of the news items are available in the show notes on wordfence.com/podcast.

página 3 de 5