
Microsoft Exchange Mail Storage Exceeded Phishing Email

For those of you using Microsoft Exchange for your email platform, be aware of the latest phishing email going around telling you that:

“Your email have exceeded maximum disk quota allocated, we require re-activation to continue using mail service…. Our system will automatically purge out mail that have exceeded quota, to avoid this please kindly follow our instruction.”

 

 

As always, if any email looks suspicious, never click on any links that you see. In this particular case, the email ‘from’ address which has been blurred out above is clearly not from Microsoft, it was from an IT company based in Australia. It is likely that they were hacked themselves and their web server was then used as a way to attack more businesses. While the ‘from’ email address can be easily faked, when the from email address is clearly not from where you would expect, this is a clear sign that this email is fake. In addition to this, when you hover over the link in the email, the link URL is to a strange website with a lot of random characters, which is another clear sign that this email is a phishing scam.

Always keep an eye out for phishing scams like this.
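The two warning signs described above (a sender domain that is not where you would expect, and a link pointing at a host or path full of random characters) can be checked automatically. This is an added example, not code from the original post; the sample message, the expected domain list and the randomness heuristic are all assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: every name, address and URL below is a placeholder.
SAMPLE = '''From: "Microsoft Exchange" <admin@it-company.example>
To: user@client.example
Subject: Mail storage exceeded
Content-Type: text/html; charset="utf-8"

<p>Your email have exceeded maximum disk quota allocated.</p>
<a href="http://x7f3k9q2zt8w1m5v.example/a8Kd93jsLq02mZx7">Re-activate</a>
'''

class LinkCollector(HTMLParser):
    """Collects the real href targets, i.e. what hovering over a link reveals."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def in_domains(host, domains):
    """True if host equals, or is a subdomain of, one of the expected domains."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def looks_random(token):
    """Heuristic (assumption): long token mixing letters and digits, few vowels."""
    letters = [c for c in token.lower() if c.isalpha()]
    digits = [c for c in token if c.isdigit()]
    if len(token) < 12 or not letters or not digits:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(token) < 0.2

def check_message(raw, expected_domains):
    """Return a list of (indicator, detail) findings for one raw message."""
    msg = message_from_string(raw)
    findings = []
    _, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if not in_domains(sender_domain, expected_domains):
        findings.append(("unexpected-sender-domain", sender_domain))
    collector = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True) or b""
            collector.feed(body.decode(part.get_content_charset() or "utf-8", "replace"))
    for href in collector.hrefs:
        url = urlparse(href)
        tokens = (url.hostname or "").split(".") + url.path.split("/")
        if not in_domains(url.hostname, expected_domains) and any(map(looks_random, tokens)):
            findings.append(("random-looking-link", href))
    return findings

if __name__ == "__main__":
    for finding in check_message(SAMPLE, {"microsoft.com", "office.com"}):
        print(finding)
```

A clean result does not prove a message is genuine, since the ‘from’ address can be faked; treat the findings as reasons to look closer.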

Non-Secure Collection of Passwords Warning from Google Search Console

You may have recently received an email from Google Search Console warning you that your website is being flagged for Non-Secure Collection of Passwords, as can be seen below:

 

 

If you have been sent a message like this, you need to act before it is too late. You have received this message because your website is running over HTTP instead of HTTPS on pages where you collect sensitive information. Whenever either you or your users enter sensitive information on any website using HTTP, e.g. http://www.contradodigital.com/wp-login.php, this information can be seen in transit by anyone listening in on the network.
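To find which of your own pages would trigger this warning, you can check each page for password fields that are served or submitted over HTTP. The following is an added example, not code from the original post or from Google; the sample markup is constructed and the function and finding names are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample markup for a login page; not copied from any live site.
LOGIN_HTML = '''
<form action="wp-login.php" method="post">
  <input type="text" name="log">
  <input type="password" name="pwd">
</form>
<form action="/search" method="get"><input type="text" name="s"></form>
'''

class PasswordFormFinder(HTMLParser):
    """Records every <form> and whether it contains a password input."""
    def __init__(self):
        super().__init__()
        self.forms = []        # one dict per form: {"action": str, "password": bool}
        self._current = None   # the form we are currently inside, if any
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "password": False}
            self.forms.append(self._current)
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            if self._current is None:   # password field outside any <form>
                self.forms.append({"action": "", "password": True})
            else:
                self._current["password"] = True
    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def audit_page(page_url, html):
    """Return (issue, url) pairs for password fields exposed over plain HTTP."""
    finder = PasswordFormFinder()
    finder.feed(html)
    issues = []
    for form in finder.forms:
        if not form["password"]:
            continue   # forms without a password field are not what this warning is about
        # An empty or relative action resolves against the page URL itself.
        target = urljoin(page_url, form["action"])
        if urlparse(page_url).scheme != "https":
            issues.append(("password-field-on-http-page", page_url))
        if urlparse(target).scheme != "https":
            issues.append(("password-submitted-over-http", target))
    return issues

if __name__ == "__main__":
    for issue in audit_page("http://www.contradodigital.com/wp-login.php", LOGIN_HTML):
        print(issue)
```

Run it again against the HTTPS version of each page after the certificate is installed; a form whose action still points at an http:// URL will continue to be reported.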

 

What you need to do

The solution to resolving these warnings is actually relatively simple. If you want to have a go at this yourself, then make sure you claim your free SSL certificate and update your website accordingly. If you need any help implementing this then get in touch and we can help you with the process.

Google Search Console Informing Webmasters About WordPress Security Updates

Google Search Console, formerly called Google Webmaster Tools, has started to inform WordPress website owners when security updates are available. This is a great effort by Google to help website owners and businesses keep their websites safe and secure with regular WordPress security maintenance.

 

 

While this is a great step forward, as a business owner you must not wait until you see these kinds of messages from Google before you take action to update your WordPress website. These messages are purely focused on the WordPress Core files, which are only a small part of WordPress security. If you think of security like you would with a building, imagine WordPress Core files being your front door. Just because your front door is locked, it doesn’t mean that you haven’t left your windows, back doors, side doors and garage unlocked and open. It is the same concept with WordPress security. You must be taking proactive measures to protect your website against hackers.

If you aren’t sure how to go about dealing with WordPress security, then fear not, drop us an email and we can talk you through the options available.

Urgent WordPress 4.7.2 Security Update Required


WordPress 4.7.2 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. If you are unsure how to deal with WordPress security updates, get in touch and we can manage your WordPress security updates for you.

WordPress versions 4.7.1 and earlier are affected by three security issues:

  1. The user interface for assigning taxonomy terms in Press This is shown to users who do not have permissions to use it. Reported by David Herrera of Alley Interactive.
  2. WP_Query is vulnerable to a SQL injection (SQLi) when passing unsafe data. WordPress core is not directly vulnerable to this issue, but we’ve added hardening to prevent plugins and themes from accidentally causing a vulnerability. Reported by Mo Jangda (batmoo).
  3. A cross-site scripting (XSS) vulnerability was discovered in the posts list table. Reported by Ian Dunn of the WordPress Security Team.
  4. An unauthenticated privilege escalation vulnerability was discovered in a REST API endpoint. Reported by Marc-Alexandre Montpas of Sucuri Security. *

Thank you to the reporters of these issues for practicing responsible disclosure.

Download WordPress 4.7.2 or venture over to Dashboard → Updates and simply click “Update Now.” Sites that support automatic background updates are already beginning to update to WordPress 4.7.2.

Thanks to everyone who contributed to 4.7.2.

* Update: An additional serious vulnerability was fixed in this release and public disclosure was delayed. For more information on this vulnerability, additional mitigation steps taken, and an explanation for why disclosure was delayed, please read Disclosure of Additional Security Fix in WordPress 4.7.2.

Why Don’t Companies Innovate?

This is a question that has been bugging me for a while, and you know what, I still don’t have the answer to this fully. You see, working with technology and user experience on a daily basis while improving digital platforms for companies, I can’t help but get used to continually improving all aspects of a business. Yet when I look around at most companies, I see the same old companies doing the same old things time and time again, often getting busier and busier without being more efficient or growing. Now here’s the thing, it is not like there is a barrier to entry to using technology throughout a business. Costs have come down quite considerably over the last few years and there is now more than ever an enormous pool of digital expertise to tap into. Albeit, there is a hugely varying quality of digital expertise, but there is a lot available nevertheless. So why is it that companies fail to innovate?

I decided to write this blog post after seeing another “Look at how amazing our new website is, let us know what you think…” post on LinkedIn by a proud owner of a business. So I decided to chip in. The site was WordPress based, so far so good. Then it all kind of went to the usual problems: not using Child Themes and not using HTTPS, both of which are an absolute minimum when building WordPress websites. Yet still, the business owner shrugged off the feedback stating that they are working with a “world leading company, I’m sure they know what they are doing”. And in this case, I can honestly only say that this is purely ignorance that is leading this particular company not to innovate. Look, I’m not saying that building a website is in any way innovative, but it does tell you a lot about a company based on the way their website is built. Firstly, in this instance I can tell you that this website was put together on the cheap in an “all fur coat and no knickers” type of way. I see this a lot, and we generally work with companies around 2-3 years after they have gone down this route and realised that it doesn’t work. And what that tells me about companies who go down this approach is that they are still very much in the mindset of cost over value. Purchasing anything based on cost is a losing battle and one that will cause you no end of problems in the long run. Businesses who eventually realise this start to enormously innovate throughout their organisation, which starts them on a path to significant growth as an organisation.

This is by no means a lone example though. I’d argue that most organisations fail to innovate throughout their organisation. And this is not because the innovative technology, processes or systems are either not available or expensive. I’d argue that it is because people are so busy doing what they have always done or busy talking about how busy they are that they fail to realise the opportunity that sits right next to them as a solution to their many problems. This clearly is not a technology problem, it is a people problem. It is the decisions that people make on a day to day and minute by minute basis which prevent their own organisation from innovating by keeping themselves busy doing the same old same old. This is by no means a unique situation though, this is what is known as the productivity problem in the UK and something which the UK government is looking at as a priority to grow the economy. Businesses need to step up and, as one minister said, “Stop being lazy”.

For anyone who is too busy to look at new opportunities, I wish you well, but for those smart enough to stop and take 5 minutes to look at new opportunities, you will be amazed about what is available when you open your mind a little and speak with companies who can help your organisation significantly improve throughout. Happier, leaner and more innovative companies are the companies that people like to work with. What is clear to me on a regional basis is that cities like London and Manchester are clearly leading the way when it comes to implementing innovative solutions throughout their organisations, whereas non-city regions and counties are often much slower to adapt. I’ve come to the conclusion that this is due to the majority of businesses being run by small teams and/or families, so they struggle to think differently because they make decisions purely based on their own personal past experiences, which limits their thinking. As the quote goes, “To the man with a hammer, the solution to every problem is a nail”. Often true innovation comes from talking with people who are significantly different to you, even if you completely disagree with their way of working and their beliefs. I know that personally, some of the more innovative solutions that we have implemented have been a direct result of the random conversations I have had with people who I normally wouldn’t connect with. Instead these ideas have come based on making time to speak with different people and learn from their experiences. You can learn an awful lot from others when you stop and think about a problem together.

Innovation is key throughout every aspect of your business and the more businesses I speak with I can guarantee that I could walk into any organisation and improve their efficiencies throughout their organisation, whether that is through digital solutions or process improvements. This is not being over confident, this is based on seeing so many problems which are blatantly obvious to me that never seem to get fixed or improved. Often it’s the simple things that make the biggest difference. The challenge is always getting companies to change. As they say, you can lead a horse to water…. To finish, I’d like to open this invitation to any business that is stuck in its ways and unsure what to do to grab a coffee with me. Let’s look at how we can re-shape your organisation to become more efficient whether that is through digital technologies or otherwise. We can’t do this for you, but we can help you open your mind. Let’s chat.

We’re working on exciting projects with forward thinking companies as always. Becoming a forward thinking company is simply a mindset change required from those at the top of the organisation.

Update OpenSSL to Patch Security Vulnerability

A fix has been released which patches a severe vulnerability in the OpenSSL technology in use on many Linux web servers. Be sure to update your web servers to prevent this vulnerability being exploited. For a full technical write up on the vulnerability, head over to Threat Post who have covered the topic in great detail.

The vulnerability was first identified by an information security engineer at Google.

 

What do you need to do?

Install the latest OpenSSL patches available on your Linux web server. Speak to your web hosting company to get this updated. For clients hosting with us, our web servers were patched as soon as the vulnerability patch was made public.

We strongly recommend running a manual server check if an automatic patch isn’t available to you. If you have any questions regarding the vulnerability or your solution please contact me and I can talk you through the solution.

Patch Your Linux Web Servers for the Dirty COW Vulnerability


You may have seen the news about a Linux vulnerability branded ‘Dirty COW’, which affects many Linux servers. An overview of the vulnerability and what you need to do is below.

What is Dirty COW?

Dirty COW is a new Linux vulnerability referred to technically as CVE-2016-5195. The name comes from the fact that it exploits a mechanism called ‘copy-on-write’, and it is known as a privilege escalation bug. This means that if attackers manage to get a foot inside your system they can then use Dirty COW to take total control, so it’s crucial to protect yourself. The bug has only recently come to light but has been around for nine years – which means it’s likely that many Linux servers have been affected.

What do you need to do?

Install the latest Linux patches available on your Linux web server. Speak to your web hosting company to get this updated. For clients hosting with us, our web servers were patched as soon as the vulnerability was made public.

We strongly recommend running a manual server check if an automatic patch isn’t available to you. If you have any questions regarding the vulnerability or your solution please contact me and I can talk you through the solution.

For those interested in the more technical details behind the exploit, read all about Dirty COW.

The Internet Goes Down and Are You Protecting Your Business from Cyberattacks?

Unless you have been living in a cave over these last couple of weeks, you’ll probably have heard about the cyberattack that broke the internet for a few hours on several occasions. So what actually happened? It all starts with the DNS.

DNS stands for Domain Name System. In non-technical terms, this is the technology that turns www.contradodigital.com into the server’s IP address where your website files are hosted, for example, 178.238.139.113. There are many providers of DNS technology in use on the internet, with many providers using managed services of larger companies who have invested millions in the underlying hardware and infrastructure which enables the internet to work seamlessly. One of these companies providing DNS is called Dyn and here is where the cyberattack happened.

When the attack was happening, internet users in the following areas highlighted in the image below were unable to access many popular websites including websites like Twitter, SoundCloud, Spotify, Shopify and many more.

 


Image source: http://thehackernews.com/2016/10/dyn-dns-ddos.html

 

This is a significant part of the US and UK where customers and businesses could not access websites, meaning a significant drop in ecommerce sales for many organisations and a huge drop in productivity for those companies working in digital. For a system as large as the internet, which has been built with redundancy in mind, an attack of this scale is one of the worst we have seen to date and the seriousness of this means that businesses both large and small need to really step up in their cyber security efforts.

To read up more about the specifics of what a DDoS attack is and how this all happened, visit the Dyn website who have provided a write up on what happened.

Ultimately this attack was caused by hackers exploiting internet connected smart devices such as web cams and the like. With the enormous rise in smart and internet connected devices available on the consumer market now, it is devices like this which are being exploited by hackers. When the software has been designed badly, built with un-updatable code or built with security holes in the code, it is this that is being exploited, specifically using the Mirai software.

Distributed Denial of Service attacks are notoriously difficult to protect against, particularly on this scale with over 300,000 devices attacking a system. This is on the macro scale though and this really does just go to show that no matter how big you are attacks can happen to anyone. The even more worrying aspect is that this code has now been released open source so that the code is available to anyone wanting to exploit the same loophole.

The reality is that smaller and medium sized businesses are never reported on in the news. We deal with several hacked websites per month when businesses have failed to protect themselves against cyberattacks. As a business owner you need to take cybersecurity seriously, and that means more than simply installing an antivirus and firewall on your laptops.

Picture this. You own a hotel. Imagine every door, window, emergency exit and air vent into the building is a way for an attacker to get in. Now imagine your antivirus and firewall are your receptionists, blocking unwanted visitors in the building by locking the front door. Now imagine that all of the other doors, windows and vents in the entire building are left wide open for attackers to exploit. This is the reality that most businesses are dealing with without even realising. The software equivalent of this is that websites and web servers run outdated code, aren’t updated and actively add security holes through using inefficient technologies and people to build systems. I cannot stress this enough, take cyber security seriously before you become the next victim. Sticking your head in the sand thinking that you will be fine will ultimately result in your business becoming the next headline. Be proactive.

Take advantage of our Free Digital Disaster Recovery Audit and test yourself on our Digital Evolution Score Card to see how advanced you are as an organisation and hence capable of dealing with problems. Better still, get in touch and we’ll talk you through the various options available for protecting your business, website and digital assets from cyberattacks.

The Digital Forum Summary – 2nd November 2016


Great to see everyone at the last event. Summary notes for reference.

Hope to see you at the next event –  https://www.contradodigital.com/event/digital-forum-7th-december-2016/ Book now to avoid disappointment.

Get Involved with BeeWUG – Blackburn WordPress User Group


It’s taken a good few months of organising everything in the background and we’re finally here. Blackburn WordPress User Group, BeeWUG is now officially starting which will be running on the first Wednesday evening every month in…. Blackburn at the College who are kindly supporting the local WordPress community.

BeeWUG is a free community event open to everyone wanting to learn more about WordPress. Whether you have an interest in WordPress, are using WordPress professionally or just want to come along and meet some great people, get involved. Look forward to seeing you there.

Head over to the BeeWUG website to find out full details and book onto the next free event which is on Wednesday 2nd November: https://beewug.uk/2016/10/17/beewug-2nd-november-2016/

Book directly onto the event here: http://www.meetup.com/Blackburn-WordPress-Meetup/events/234930231/

Follow us socially to keep up to date:

https://twitter.com/BeeWUG

https://www.facebook.com/BeeWUG/

https://www.linkedin.com/groups/8551580

And make sure you sign up to the mailing list on the BeeWUG website.