According to Patchstack’s State of WordPress Security In 2022 whitepaper, there was a 328% increase in WordPress security bugs last year. But don’t panic! This doesn’t mean WordPress is less secure; in fact, this indicates there are lots of folks out there hunting these issues down to keep WordPress site users MORE secure.
But it does require YOU to take action to keep your plugins, themes, and WordPress core software updated. Patchstack reports that 42% of websites have at least 1 current vulnerable software component installed. That’s like leaving your back window open to a thief.
Okay, so you’re keeping an eye on your site and updating plugins and themes and WordPress whenever you get a notification. But what about the 26% of plugins with security vulnerabilities that didn’t get patched? Are you regularly monitoring this “threat intelligence” to ensure you aren’t running a plugin or theme that’s “up to date” but still vulnerable? These abandoned software components are a silent threat to website owners who may not even be aware they are running insecure software.
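One way to run the check described above, as an added example that is not from the original post or from Patchstack: compare a plugin inventory against a vulnerability feed and single out plugins that report no pending update yet have a known, unpatched issue. The inventory is constructed to resemble `wp plugin list --format=json` output; the plugin names and the advisory feed's field names are hypothetical.

```python
import json
import re

# Constructed inventory, shaped like the output of `wp plugin list --format=json`.
INSTALLED_JSON = """[
  {"name": "example-forms",   "status": "active",   "update": "none",      "version": "2.4.1"},
  {"name": "example-gallery", "status": "active",   "update": "available", "version": "1.0.3"},
  {"name": "example-seo",     "status": "inactive", "update": "none",      "version": "5.2"},
  {"name": "example-cache",   "status": "active",   "update": "none",      "version": "3.1.0"}
]"""

# Constructed advisory feed; the field names are hypothetical, not a real vendor schema.
# "fixed_in": null means no patched release exists.
ADVISORIES_JSON = """[
  {"slug": "example-forms",   "affected_through": "2.4.1", "fixed_in": null},
  {"slug": "example-gallery", "affected_through": "1.0.5", "fixed_in": "1.0.6"},
  {"slug": "example-seo",     "affected_through": "5.1.9", "fixed_in": "5.2"}
]"""


def parse_version(text):
    """Turn '1.0.3' into (1, 0, 3), using the leading digits of each piece."""
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def version_le(a, b):
    """True if version a <= version b; '5.2' and '5.2.0' compare as equal."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    return pa + (0,) * (width - len(pa)) <= pb + (0,) * (width - len(pb))


def audit(installed, advisories):
    """Return one finding per installed plugin version covered by an advisory."""
    by_slug = {}
    for adv in advisories:
        by_slug.setdefault(adv["slug"], []).append(adv)
    findings = []
    for plugin in installed:  # inactive plugins included: their code is still on disk
        for adv in by_slug.get(plugin["name"], []):
            if not version_le(plugin["version"], adv["affected_through"]):
                continue  # installed version is newer than the affected range
            unpatched = adv["fixed_in"] is None
            findings.append({
                "plugin": plugin["name"],
                "version": plugin["version"],
                "action": "remove or replace (no patch)" if unpatched
                          else "update to " + adv["fixed_in"],
                # "silent": the updater reports nothing to do, yet the plugin is vulnerable
                "silent": unpatched and plugin["update"] == "none",
            })
    return findings


def run_sample():
    return audit(json.loads(INSTALLED_JSON), json.loads(ADVISORIES_JSON))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The `silent` findings are the ones update notifications will never surface, so they need a removal or replacement decision rather than a wait for the next release.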
Software supply chain vulnerabilities are also an issue. Just like the economy, open source software like WordPress is dependent on a supply chain consisting of code libraries and frameworks. Vulnerabilities in those libraries can have cascading effects on security, such as that found in the Freemius framework, which is used in a number of plugins and themes. As Patchstack’s white paper says:
The good news was hundreds of plugins that were notified of the security bug in Freemius updated their project’s code and patched the bug. The bad news was dozens to hundreds of projects did not respond to the notifications.
While the numbers and threats seem alarming, Patchstack takes an optimistic view of security for the coming year. With security researchers and developers working together to find and fix vulnerabilities, and continued awareness and action from website owners to keep their sites up to date, the WordPress ecosystem will continue to grow safer.
Check out Patchstack’s whitepaper on the State of WordPress Security. And if you need someone to help keep your site updated, running well, and secure, give Milepost 42 a shout!
Ever hear Brad Paisley’s song about the short, chubby, “hero” who’s “so much cooler online”? The internet makes it easy for people to pretend to be something they’re not. And today’s online dating landscape has made it easy for some cyber criminals to take advantage of people looking for love.
Romance scams, where someone is tricked into believing they’re in a caring relationship with someone who is really just out to steal their money or information, are a growing problem. In fact, during the first half of 2021, the FBI Internet Crime Complaint Center (IC3) received over 1,800 complaints related to online romance scams, resulting in losses of approximately $133.4 million.
Sometimes romance scams are part of a larger cybercriminal ecosystem. International cyber gangs sometimes use dating sites to recruit victims as “money mules” and use them to unknowingly launder funds.
Scammers often prey on victims who are lonely or isolated, and the lockdowns and closings in response to the COVID-19 pandemic have created a fertile ground for this loneliness. If you or a loved one has started an online relationship, be sure to check for red flags such as:
- Requests for money, especially urgent requests. Scammers may try to pressure you into sending money for “urgent” matters, such as medical expenses. Or they may say they want to visit you in person, but need money for a plane ticket. Never send money to someone you haven’t met in person.
- They often make and break promises to come see you in person. The person claims to live far away, overseas, or be in the military.
- The relationship is moving fast and the person professes love quickly.
- They pressure you to move the conversation off the dating platform to a different site or want to continue the conversation through text. Dating platforms search for scammers on their sites. Scammers will want to move their victims off-platform to avoid detection.
If you think you or someone you care about may be the victim of a scam:
- Stop communications with the scammer immediately, and take note of any identifiable information you may have on them, such as their email address.
- Contact your bank or credit card company if you’ve given them money.
- File a police report with your local precinct.
- Report the scammer to the FTC at gov/complaint and the FBI at ic3.gov.
- Notify the website or app where you met the scammer.
Romance scams can happen to anyone at any age, and falling for a scam is nothing to be ashamed of. By speaking out, reporting scams, and encouraging others to do the same, you can help protect others from becoming victims.
Learn more about how to protect yourself from romance scams and other threats at https://staysafeonline.org/stay-safe-online/.
Today is Data Privacy Day, an international day of recognition to promote best practices in safeguarding data and respecting privacy.
There’s a lot of talk in the news about new privacy laws and the rights of individuals. While many businesses are taking a look at their practices and privacy policies, there are also several organizations under fire for real or perceived violations of individuals’ privacy.
Recognize that you do have to give up some private information in order to have some of the conveniences you may enjoy. You can’t get “local deal alerts” or “check in” on your phone unless you allow the device to know your location. You can’t get local weather from your smart home speaker, unless you are willing to share your address with the owning company. And you can’t get special offers on your favorite products without sharing your preferences.
But in many cases, you do have control of the data you choose to share. Here are three things you can do today to celebrate Data Privacy Day and help take control of YOUR data privacy.
1. Set Up Multi-Factor Authentication
Privacy and security aren’t exactly the same thing, but they are related. Using multi-factor authentication is absolutely necessary on things like your financial accounts, in order to protect you from fraud. However, it’s also a good idea to secure your email and social media accounts, so your personal information isn’t exposed.
2. Review Your Privacy Settings
You read all those privacy policies for every site where you set up an account, right? It’s easy to just ignore or gloss over those long legalistic policies, but take a few moments to read them and make sure you really do understand and agree with how the company can use your data. Often, they also give information on how you can limit the data you share. Spend a little time today to examine and update your privacy settings, and take control of your data. Not sure where to find the privacy and security settings? Check out this great resource with links to change privacy settings on many popular services and devices.
3. Delete Recorded Conversations
Most personal assistants keep records of your queries and requests. There have been instances where personal data was inadvertently revealed to a person other than the device owner. While most of these recordings are innocuous, it’s a little creepy to think about, and all these little snippets of information could be collated and become a bigger privacy issue. Take a few minutes and clean your digital house today by deleting those recordings, and make sure you’re comfortable with how long the recordings are kept. This Consumer Reports article provides information on how to control what’s heard and recorded on the “big three” devices, Amazon Alexa, Apple Siri, and the Google Assistant.
You can learn more about Data Privacy Day at StaySafeOnline.org.
Take action today, and Own Your Privacy!
Milepost 42 is proud to be a Data Privacy Day Champion.
In 2005, the U.S. Senate designated June as National Internet Safety Month, as “an opportunity to educate the people of the United States on the dangers of the Internet and the importance of being safe and responsible online.” While the resolution was born from the recognition that children were increasingly online, the need to understand internet safety extends to all of us – and it’s even more important today than 15 years ago. Just as personal hygiene can protect you from disease (wash your hands), practicing good cyber hygiene can help protect you from internet nasties. Here are 3 common mistakes that compromise your internet safety, along with advice on what you can do to protect yourself.
Internet Safety Mistake 1 – Reusing Passwords
A 2018 study by researchers at Virginia Tech University revealed that an alarming 52% of users reuse passwords on different services – and the MOST reused passwords were for sensitive sites, like email or shopping sites. Not only that, many people were still reusing the same passwords even after the credentials had been leaked in a data breach. Wonder if your password has been exposed? Check Have I Been Pwned? to see if your account has been involved in any of the numerous data breaches reported over the last several years.
Why it’s a problem:
Suppose you’ve set up a really strong password – no dictionary words, you’ve used a passphrase to establish an 18 character password with various alphanumeric characters and even a special character or two. That’s great. But if you use your special strong password for your bank, and your email, and your social media account, and one of those is hacked, all the other services where you use that password are at risk.
What you should do:
Using a strong password is great, and still important. But the best password in the world is of no use if it’s been exposed in a data breach. Use a password manager to help you create and manage strong, unique passwords for the many systems you use. And use two-factor authentication as an extra layer of protection for your most sensitive accounts, like banking or email.
Internet Safety Mistake 2 – Not Updating
You probably get update notifications on your computer or your phone. Maybe you have them set to auto-update, or maybe you prefer to have control over when an update is done, since you’ve heard of problems happening with updates. But do you always make sure the updates are done in a timely manner? You probably have other software on your computer, not just the operating system. Those programs often get updates as well, but they may require you to log in to apply the update. What about the other internet-connected items in your home? When is the last time you updated the firmware on your wireless router? Many smart devices get updates as well, usually automatically, but sometimes an update is interrupted – you should check to be sure all updates are applied.
Why it’s a problem:
Software updates are done either to add new features or to plug security holes. Technology is constantly changing, and new vulnerabilities are discovered all the time; reputable companies do their best to stay on top of this and issue updates or “patches” to fix security issues. Failure to do updates and apply patches is one of the top reasons for data breaches, and this applies to your home systems as well as to big companies. In 2018, a major cyberattack was launched targeting small office and home routers; it allowed bad actors to steal website credentials, extract information, and block network traffic. Most vendors created patches, but routers usually require you to do a manual update.
What you should do:
Be aware of all the connected devices you have – definitely your smart phone and computer, but also think about your router, your smart TV, streaming devices, smart speakers, home control hubs, even your smart watch. If you have a small business, don’t forget about your connected printer, your website, and your file servers. Establish a process to regularly check for updates on all your devices and for the software running on those devices, especially if you don’t have auto-updates.
Remember to check for updates on all the software running on your computer. CCleaner Pro is one program that can help you with this; it can check for outdated software on your computer and in many cases update it for you.
Internet Safety Mistake 3 – Using Public WiFi
Have you ever connected to the “free WiFi” offered at your favorite coffeeshop? Or perhaps you travel for business, or vacation, and use the airport or hotel WiFi. Careless use of public WiFi is one of the biggest mistakes people make when on the go. While having access to WiFi can be very convenient, it comes with a significant security risk.
Why it’s a problem:
Very often, free WiFi offered in public spaces is completely open, with no password or protection at all. A hacker can set up a wireless “sniffer”, which can read all the data you send over that network, such as user names and passwords.
Also, it’s easy for a hacker to set up an inexpensive device and pretend to be a legitimate wireless access point. When you log in to that “FreeAndOpenWiFi” network at the hotel or airport, are you sure it’s really the right network? It could be a bad guy out in the parking lot, who can now view everything you are doing on your laptop or phone.
What you should do:
SurfShark has a great resource explaining the risk of public WiFi and what you can do to protect yourself. A couple of quick things to remember:
- When using public WiFi, always check with the venue to make sure you’re logging in to the REAL network – and make sure it has at least basic encryption and requires a password.
- Even when you’re sure it’s the right network, take precautions to protect the information you’re sending over the WiFi network. It’s best not to do any sensitive business while using public WiFi – for example, don’t log in to your bank using the airport WiFi. If you must use public WiFi, use a VPN service on your laptop or mobile device to encrypt the data you send and keep it safe from cyber thieves.
Don’t make these internet mistakes!
Protect your passwords, update regularly, and be extra careful if you use public WiFi. Keep yourself safe by staying aware of risks and practicing good cyber hygiene!
You may have heard the quote, “Trust, but verify,” (made famous by Ronald Reagan), but based on the information in the FBI Internet Crime Complaint Center’s 2019 Internet Crime Report, you’d do better to verify first. According to the FBI, 2019 had both the highest number of complaints and the highest financial losses since the IC3’s beginning in 2000 – 467,361 reported complaints and over $3.5 billion lost.
Internet Crime – Where The Money Is
With financial losses due to internet crime at the highest levels ever, what are the areas where fraudsters are causing the most damage?
Nearly half the losses reported were due to Business Email Compromise (BEC) or Email Account Compromise (EAC). This is a scam in which a cyber criminal hacks or spoofs a legitimate email account and convinces the recipient of the email to transfer funds to a fraudulent location.
For example, consider this BEC fraud attempt, in which First Business Bank received an email from the business email address of the CEO of a business client, requesting a $15,850.00 wire transfer. The bank employee emailed a blank wire request form, and received a return email with the completed form, including the CEO’s matching signature. The fraud was discovered when the wire desk did additional authentication by calling the client’s phone number of record.
Unfortunately, a woman in Spokane was not so lucky when she fell victim to EAC during the process of buying her dream home. The 75-year-old woman lost her life savings of almost $100,000 when she followed emailed wire transfer instructions that appeared to be from her escrow officer. Sandra Lee lost her money and her home, and her only consolation is that the FBI was able to track down one perpetrator with the report and evidence she provided.
Sadly, Lee was also in the age group that loses the most to fraudsters – those over 60. These internet criminals prey on those over 60, since they are believed to have financial resources, as well as being more trusting and less tech savvy.
Elder Fraud, defined as a financial fraud which targets or disproportionately affects people over the age of 60, is a growing problem. According to the statistics in the report, this age group is the most targeted and the group which loses the most to internet crime.
IMAGE: FBI’s 2019 Internet Crime Report
Those over 60 are also the most victimized by another growing problem, Tech Support Fraud. This is a scam in which a criminal pretends to be a customer service or support technician in order to defraud a victim. The infamous computer pop-up claiming “your computer is infected by a virus” is one example, as are calls, texts, or emails purporting to be from a well-known company such as Apple or Microsoft, claiming to have discovered a problem with your system or account and offering to “help” you resolve it. While not the most lucrative or most prevalent scheme, losses due to Tech Support Fraud increased 40 percent in 2019, and the majority of victims were in the over 60 age group.
While BEC/EAC accounts for the majority of financial losses, it’s not the most prevalent scheme. The most common internet crime type by far, with 114,702 reported victims, is Phishing/Vishing/Smishing/Pharming.
IMAGE: FBI’s 2019 Internet Crime Report
Phishing, vishing, and smishing involve unsolicited emails, phone calls, or text messages from criminals pretending to be a legitimate company or even a friend, and asking for login credentials or personal information. Pharming is a tactic which uses a fake website pretending to be a legitimate company’s website, set up for the purpose of obtaining personal or financial information.
For example, you may get an email, phone call, or text purporting to be from your bank, telling you that your account has been compromised and asking you for personal information to confirm your identity. Or you may search for something online and find yourself on a fraudulent site which collects your credit card information.
How Can You Protect Yourself From Internet Crime?
With both victims and losses from internet crime at an all-time high, what can you do to protect yourself?
We can no longer “trust, but verify” – the best preventive measure is to verify first. The Chief of IC3, Donna Gregory, cautions that internet crime is becoming increasingly sophisticated, and she recommends we make a practice of double-checking everything.
Gregory advises, “In the same way your bank and online accounts have started to require two-factor authentication, apply that to your life. Verify requests in person or by phone, double-check web and email addresses, and don’t follow the links provided in any messages.”
Report Internet Crime
The IC3 report includes some appalling numbers on victims and losses due to internet crime, but it’s likely this is only the tip of the iceberg. Many victims don’t report these crimes, either because they are embarrassed or they aren’t aware of how to do so.
If you’re a victim of internet crime, report the crime to the IC3. With timely reporting, the FBI has a chance of stopping a fraudulent transaction and recovering the money. And the more information you can provide, the better it helps the FBI combat the criminals. Matt Gorham, assistant director of the FBI’s Cyber Division, encourages everyone to report internet crime, as “It is through these efforts we hope to build a safer and more secure cyber landscape.”
It’s the last day of October, which means this year’s National Cybersecurity Month is officially ending. But that doesn’t mean you should stop taking measures to #StayCyberSafe! This year, the NCSAM theme was “Own IT, Secure IT, Protect IT” – let’s take a look at some of the tips that were presented this month.
We’re almost constantly connected, whether at home, at work, at school, or even on vacation. With mobile phones and Internet of Things devices, there are more ways to be connected than ever before. Not only that, we also have many accounts which collect our information.
- Don’t overshare on social media. #BeCyberSmart about where you share your information and who you share it with. Connect only with people you know and trust.
- Set privacy and security settings to limit what your devices and social media accounts share about you.
- Keep tabs on your apps; only download from legitimate, trusted sources. Review the permissions those apps are asking for, and deny any that don’t make sense.
Security breaches seem to be happening more and more often; they’re hardly front page news any more. Your personal information is valuable, so do what you can to keep it out of the hands of cyber criminals.
- Use strong passwords, and don’t use the same password on multiple accounts. A password manager can help you keep track of all those strong, unique passwords for your accounts. Some can even help you share access with trusted partners or family members, without requiring you to give them the password.
- No matter how strong your password is, if a breach occurs, your account may be vulnerable. Enable multi-factor authentication to add another layer of security and help ensure the only person who can access your account is you.
- Don’t get hooked by a phishing scam! Be very cautious when opening emails, and never click on links or attachments sent by people you don’t know. Even if the email looks like it’s from a friend, coworker, or your boss, be wary of clicking on links. Scammers can spoof email addresses, so it’s best to check the legitimacy of the email, especially if it’s urging you to click or open something right away.
While today’s technology allows us to shop, bank, communicate, and entertain ourselves anywhere, this convenience comes with an increased risk. Smart home devices, such as thermostats, door locks, and cameras can make our lives easier and save time and money, but be aware of the additional security risk that comes with these smart devices.
- Your wireless router is the main entryway to all your connected devices, so be sure to change the default user name and password, keep the firmware up to date, and set a password on your Wi-Fi network. Also, change the default credentials on all your smart devices, and make sure you understand the permissions and access they have to your network, your information, and your personal space. Assume a smart speaker is always listening, and a smart camera is always watching.
- Keep software and firmware on all your devices up to date. Your computer, smart phone, router, and many smart home devices get updates to help keep them protected from ever-changing threats. If you have an older device, make sure it’s still being supported; sometimes, it’s just time to get rid of that old streaming device to help protect the rest of your home.
- Public Wi-Fi is not safe or secure. Even a public Wi-Fi network with a password could be compromised. If you must use public Wi-Fi, be sure it’s the actual network provided by the location. Use a VPN service to protect the privacy of the information you’re sending, and avoid accessing sensitive accounts such as financial and banking accounts while on public Wi-Fi.
As we move into the holiday season and the new year, keep these cyber security tips in mind. Own IT, Secure IT, and Protect IT to keep yourself and your family #CyberSafe.