Cyber Security

WordPress GDPR Cookie Consent plugin patched



A patch released this week for the WordPress GDPR Cookie Consent plugin, which is used by more than 700,000 websites, fixed critical vulnerabilities that would let attackers change and delete content as well as inject malicious JavaScript code.

The GDPR Cookie Consent plugin aids sites in complying with EU GDPR/Cookie Law regulations and is maintained by WebToffee.

Noting that even “users who do not use Wordfence Premium have a clear upgrade path” now that the patch is available, Wordfence described “how improper access controls lead to a stored cross-site scripting vulnerability in the GDPR Cookie Consent plugin that emerged after it was removed from the repository” and released details on the vulnerability.

Essentially, an AJAX endpoint meant only to be used by administrators lacked a proper capabilities check, which made it possible for “subscriber-level users to perform a number of actions” that could compromise site security.
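The access-control failure the article describes is a common WordPress plugin pattern: a `wp_ajax_` handler is reachable by any logged-in user, so unless the handler itself verifies the caller's capability, a subscriber can drive administrator-only functionality, and if what it saves is later rendered unescaped, the result is stored XSS. The following is an added illustration, not the GDPR Cookie Consent plugin's code; the handler names, the `example_` action and option names and the nonce action are hypothetical, while `check_ajax_referer`, `current_user_can`, `wp_kses_post` and `wp_send_json_error` are standard WordPress functions.

```php
<?php
// Added illustration (not the plugin's own code). All example_* names are hypothetical.

// Vulnerable pattern. Every authenticated user can reach a wp_ajax_ action, including
// subscribers, and this handler never asks who is calling or what it is storing.
add_action( 'wp_ajax_example_save_notice_vuln', 'example_save_notice_vuln' );
function example_save_notice_vuln() {
    // No nonce check, no capability check, no sanitisation: whatever is posted is
    // persisted and will later be echoed to every visitor by the front-end render.
    update_option( 'example_notice_html', $_POST['notice_html'] );
    wp_send_json_success();
}

// Hardened pattern for the same administrator-only operation.
add_action( 'wp_ajax_example_save_notice', 'example_save_notice' );
function example_save_notice() {
    // 1. Reject forged cross-site requests. The admin page that issues this request
    //    must embed wp_create_nonce( 'example_notice_nonce' ) in the 'nonce' field.
    check_ajax_referer( 'example_notice_nonce', 'nonce' );

    // 2. Enforce the intended privilege level explicitly; being logged in is not enough.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Sanitise before storing so script-bearing markup can never be persisted.
    $html = isset( $_POST['notice_html'] )
        ? wp_kses_post( wp_unslash( $_POST['notice_html'] ) )
        : '';
    update_option( 'example_notice_html', $html );
    wp_send_json_success();
}

// Escape on output as well, so stored data is safe even if a future write path is weak.
function example_render_notice() {
    echo wp_kses_post( get_option( 'example_notice_html', '' ) );
}
```

The two checks at the top of the hardened handler address different threats: the nonce defends an administrator against being tricked into making the request, while the capability check is what stops a subscriber-level account from making it directly. Only the second one closes the hole the article describes, and it is the one most often left out when an endpoint is assumed to be reachable only from an admin page.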

“While consent management platforms (CMP)
have been widely adopted, they have not been proven to honor consumer choice,”
said The Media Trust CEO Chris Olson. “CMPs conform to a minimum standard and
oftentimes provide outdated information to consumers.”

Calling CMPs useful, Olson points out that implementations vary by vendor in the way they capture consumer consent to meet a minimum standard. “Bottom line, the technologies that power the digital ecosystem are still fragmented and after almost two years of GDPR all that is being offered is a misplaced sense of trust,” he said.


Cyber Security

Coronavirus: cases pass 66,000 as Beijing orders 14-day quarantine for returnees



Covid-19 cases pass 66,000 in China as residents in capital who flout new restrictions told they will be held accountable under the law

Beijing has ordered people returning to the city from holidays to quarantine themselves for 14 days to try to contain the coronavirus spread, as the death toll in China from the outbreak passed 1,500.

On Saturday, the country's National Health Commission said 2,641 new cases were confirmed in the previous 24 hours, taking the total number of confirmed infections across mainland China to 66,492. There were also 143 deaths in the 24 hours to midnight on Friday, taking total fatalities from the virus to 1,523.

The official Beijing Daily newspaper said people failing to obey government orders to quarantine themselves on return from the holidays would be punished. But it was not immediately clear how that would be enforced, or whether the restrictions would apply to non-residents or foreigners arriving from abroad.

Beijing has a population of more than 20 million people, and the annual National People's Congress, where thousands of Communist Party delegates pour into the city, is due to start on 5 March.

Global Times (@globaltimesnews)

Beijing city is intensifying virus fight, ordering all Beijing-based work units to ensure “zero infections” as the city faces a challenge of rising arrivals of migrant workers. The capital city enacted a law Friday that all people coming to Beijing must be quarantined for 14 days.

February 15, 2020

“From now on, all those who have returned to Beijing should stay at home or submit to group observation for 14 days after arriving,” Beijing's virus prevention working group said in a notice cited by the Beijing Daily.

“Those who refuse to accept home or centralised observation and other prevention and control measures will be held accountable under the law,” it said.

A Chinese worker wears a protective mask and goggles as he cleans and disinfects machines at a nearly empty subway station during rush hour in Beijing. Photograph: Kevin Frayer/Getty Images

National Health Commission official Liang Wannian told a news conference the government would continue to try to contain the spread of the virus in the city of Wuhan in Hubei province, the centre of the outbreak. The commission was focused on lowering the fatality rate and reducing the infection rate, Liang said.

The number of deaths in Hubei rose by 139 as of Friday, with 107 of those in Wuhan. A total of 1,123 people in Wuhan had died from the coronavirus.

Wang Hesheng, the new head of Hubei's Health Commission, vowed to find and treat everyone affected by the virus, the state-run Global Times said.

Wang was one of several high-level appointees flown in to Hubei province in the past week to take over from sacked local officials. It followed public anger over the death in Wuhan of the whistleblower doctor Li Wenliang, who succumbed to the virus.

China has been struggling to get the world's second largest economy going after the lunar new year holiday, which was extended by 10 days to help contain the virus. The Global Times reported that China's banks have offered $77bn in lines of credit to help combat the epidemic. The central government has also pumped tens of billions into the country's financial system.

A man wearing a face mask walks his dog in Beijing. Photograph: STR/AFP via Getty Images

Meanwhile, the White House economics adviser, Larry Kudlow, said he expected the virus to knock perhaps 0.2-0.3% off US GDP in the first quarter.

The number of trade fairs, sports events and industry conferences in China and overseas that have been affected by the spread of the virus continued to increase.

International Business Machines Corp (IBM) said on Friday it had canceled its participation in the RSA cyber security conference in San Francisco at the end of February due to coronavirus-related concerns.

Earlier, Facebook said it had cancelled its global marketing summit scheduled for next month, also in San Francisco, over worry about the same risks.

The Mobile World Congress (MWC), the annual telecoms industry gathering in Barcelona, was also cancelled after a mass exodus by exhibitors linked to the coronavirus.

Organisers of next week's gymnastics World Cup in Melbourne said on Saturday the entire Chinese team had pulled out due to travel restrictions.

A top Chinese official, in an interview with Reuters, acknowledged that the coronavirus was a huge challenge, but defended the government's management of the epidemic and lashed out at the overreaction of some countries.

State Councillor Wang Yi, who also serves as China's foreign minister, said China had taken decisive measures to fight the epidemic, many going beyond international health regulations and World Health Organization (WHO) recommendations.

“Through our efforts the epidemic is overall under control,” he said.

Outside mainland China, there have been nearly 450 cases in some 28 countries and territories, and three deaths. Japan confirmed its first coronavirus death on Thursday.

One person has died in Hong Kong and one in the Philippines.

The virus is killing about 2% of those infected, but has spread faster than other respiratory viruses that emerged this century.

A WHO-led joint mission with China will start its outbreak investigation work this weekend, focusing on how the new coronavirus is spreading and its severity, WHO chief Tedros Adhanom Ghebreyesus said.

Reuters contributed to this report


Cyber Security

Security News This Week: The ‘Robo Revenge’ App Makes It Easy to Sue Robocallers



Just when you thought the catastrophic Equifax breach was entirely in the rearview, the Department of Justice this week charged four Chinese military hackers with the theft. That's 147.9 million people's Social Security numbers and other personal information in China's hands. Add it to the compromises of the Office of Personnel Management, Anthem, and Marriott—all also linked to China—and it's clear that the country has amassed an unprecedented trove of data that it can use for intelligence purposes for years to come.

In other international law enforcement news, the DoJ also alleged that Huawei perpetrated years of rampant intellectual property theft. We also took a look at the real reason the US is so afraid of Huawei creating potential backdoors: American intelligence agencies have a long history of doing that very thing.

With all that alleged geopolitical hacking afoot, it's a good thing that Google this week announced that it would give away security keys to campaigns for free, as well as tutorials on how to actually use them. Those campaigns should also consider reading our guide to sending files securely online; if you want end-to-end encryption, Firefox Send is a good place to start.

In domestic news, the US Department of Homeland Security is apparently buying up cell phone location data to boost its immigration enforcement. While that might raise your hackles, it also raises interesting questions about digital privacy, especially in light of the Supreme Court's decision in Carpenter v. United States two years ago that limited the use of cell site data by law enforcement. Also interested in tracking: Conservative news sites, which plant far more cookies in your browser than their liberal counterparts do. Meanwhile, security researchers found a series of serious flaws in the Voatz voting app, although the company denies that they could have led to vote manipulation.

Finally, if you're not using encrypted messaging app Signal yet, now's the time to start. The company has put a $50 million infusion towards building out features that make it not just secure, but accessible to normals.

The good people at DoNotPay have previously automated the arduous processes of fighting parking tickets and canceling subscriptions. This week, they added robocalls to their target list with Robo Revenge, a sort of digital sting operation. Robo Revenge generates a burner credit card number to give to the scammer on the other end of the line, who'll give up their contact information as part of the transaction. The service will then automatically create legal documents and provide instructions on how to sue the unwanted caller for up to $3,000. Instead of feeling helplessly bombarded by calls, you can finally fight back. You can access Robo Revenge now through DoNotPay's website or app.

In what appears to be a first, the Department of Justice arrested an Ohio man in connection with a cryptocurrency laundering scheme. Larry Harmon allegedly ran Helix, a bitcoin mixer that operated on the dark web, concealing the origins of hundreds of millions of dollars' worth of illicit transactions. Take it as another in a series of reminders that cryptocurrency transactions aren't nearly as private as you might think.

The FIDO Alliance wants to kill passwords. The consortium focuses on promoting and developing other forms of authentication that aren't quite so problematic. To do that effectively, it needs the buy-in of all the major tech companies, which it pretty much had with the exception of Apple. Good news! The Cupertino holdouts officially signed on this week, meaning you can expect FIDO's seamless logins to eventually work across whatever devices you happen to own.

By now you hopefully understand that Macs do indeed get malware. In fact, according to new research from security firm Malwarebytes, Macs saw more malware threats per device than their PC counterparts in 2019, a figure that was up 400 percent year over year. The good news—or maybe we should just say better news—is that most of that malware is adware, which is annoying but relatively harmless compared to ransomware and other ills. Still, remember that just because you're on an Apple device doesn't mean you can go around clicking shady links with impunity.


Cyber Security

Incident Of The Week: Quaker Steak & Lube Alerts Customers To Payment Card Incid…



The independent owners and operators of several Quaker Steak & Lube casual dining restaurants have disclosed that customer payment card data was sent to an unauthorized source due to malware infecting the stores’ retail point-of-sale (POS) terminals over weeks to months during 2019.

Quaker Steak & Lube is a casual dining restaurant chain based in Sharon, Pennsylvania, known for its chicken wings and variety of sauces. The company has 42 stores located in Florida, Indiana, Iowa, Kentucky, Louisiana, New Jersey, Ohio, Pennsylvania, South Carolina, Tennessee, Virginia and West Virginia. The company was acquired out of bankruptcy in 2015 by TravelCenters of America (T/A).

Franchise Locations Hit With Retail POS Malware

At the time of publication, seven independently owned and operated Quaker Steak & Lube locations had issued breach disclosures. All seven locations stated that their payment card terminals were infected with malware that captured customer data, though the start and end dates varied:

Store Location        Infected POS Dates
Bloomsburg, PA        February 14, 2019 to September 6, 2019
Charleston, WV        February 14, 2019 to August 19, 2019
York, PA              June 14, 2019 to August 5, 2019
State College, PA     June 14, 2019 to August 5, 2019
Canton, OH            June 14, 2019 to August 23, 2019
Mentor, OH            July 2, 2019 to July 10, 2019
Columbus, OH          July 4, 2019 to September 6, 2019


Remotely Accessed POS Management System Presumed To Be Vulnerability

All of the notifications point back to a common POS system managed by Midwest POS Solutions. The store owners were alerted to unusual activity relating to payment cards that may have been used at these restaurant locations and began working with third-party forensic investigators to investigate the report.

Through the investigations, it was discovered that payment card information may have been accessed as a result of the installation of malicious software on the POS system used at these restaurants. It was further determined that Midwest POS credentials were used to remotely access the POS system at each affected location, which allowed an unauthorized actor to deploy the malicious software onto the point-of-sale system.


Information Involved In Data Incident; Incident Response Efforts

The investigations determined that payment card information such as name, card number, expiration date and/or CVV (magnetic stripe track data) from cards used at the restaurants in the disclosed periods may have been involved in this incident.

The store owners worked with multiple forensic investigative firms to conduct investigations into this incident and to assist in remediation efforts. The owners have also deployed tools to contain, disable and remove any malware that may have been installed on their restaurant systems, and have enhanced existing security measures to reduce the likelihood of future incidents.
