Forbes Hacked By SEA; WordPress Vulnerabilities Exploited

Feb 17, 2014 By Sharon Solomon

As the Syrian Civil War rages on, hacking activity emerging from the troubled state is reaching monstrous proportions. Syrian president Bashar al-Assad may be losing his hold on his people, but his loyal hacker team continues to wreak havoc worldwide, compromising numerous high-profile websites and social media accounts.

Forbes is the latest victim of the infamous Syrian Electronic Army (SEA). The American business magazine's website was recently vandalized, with the hackers posting hate text on the home page. This was achieved by gaining access to the website's WordPress administration panel.

The hackers are repeatedly "conquering" large websites thanks to the many vulnerabilities in Content Management System (CMS) plugins. The classic Cross-Site Scripting (XSS) technique has also been used extensively by the group.

More and more media powerhouses are being targeted by the SEA.

  • 23rd April 2013 – The Associated Press Twitter account was hijacked and used to post a false news report.
  • 27th August 2013 – The New York Times' DNS records were hijacked, redirecting visitors to pro-Assad websites.
  • 30th September 2013 – The Global Post's website and Twitter account were compromised.
  • 23rd January 2014 – CNN's official Twitter account was hijacked and used to post the group's messages.

Checkmarx's research lab has found glaring vulnerabilities in plugins for WordPress, the world's leading Content Management System (CMS). The Security State of WordPress Top 50 Plugins study, published in June 2013, painted a very grim picture: 7 out of the 10 most popular e-commerce plugins (and 20% of the plugins overall) were vulnerable to common web attacks such as SQL Injection and XSS.

Here are a few safety tips all CISOs and InfoSec Managers should implement:

  • Just like apps on smartphones, plugins should only be installed from a trusted source. For example, WordPress users are advised to download plugins only from the official WordPress.org plugin directory.
  • Make sure your plugins are up to date. New security patches are released all the time, and public disclosure of a plugin bug usually precedes the attacks that exploit it.
  • Unused and dormant plugins should be removed from the servers entirely. Deactivating a plugin is not enough: its PHP files remain on disk and are typically still reachable directly over HTTP, so an old, deactivated plugin can still be exploited by hackers.
  • Scan the source code of your plugins using Source Code Analysis (SCA) products, i.e. static analysis of the plugin's PHP rather than of the running site.
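The SQL injection and XSS patterns that a source code scan of a WordPress plugin is meant to catch look like the following. This is an added illustration, not Checkmarx's code, WordPress's code, or code from any plugin named on this page; the table name "example_items", the "example_lookup" shortcode and the "item" query parameter are invented for the example, and it assumes it runs inside WordPress (where `$wpdb`, `absint()`, `esc_html()` and `add_shortcode()` are provided).

```php
<?php
/*
Plugin Name: Example Lookup (illustrative)
Description: Shows the SQL injection / XSS pattern a source scan flags in WordPress plugins, beside the fixed form.
*/

// Added illustration; not code from the page or from any real plugin.
// Assumed: WordPress runtime ($wpdb, absint, esc_html, add_shortcode).
// Invented: the example_items table, the ?item= parameter, the shortcode name.

// VULNERABLE: the untrusted "item" parameter is concatenated straight into SQL.
// ?item=1 OR 1=1 returns every row; a crafted UNION reads other tables
// (e.g. wp_users). The database values are also reflected unescaped, so a
// poisoned row becomes stored XSS on every page that uses the shortcode.
function example_lookup_vulnerable() {
    global $wpdb;
    $item  = isset($_GET['item']) ? $_GET['item'] : '';
    $table = $wpdb->prefix . 'example_items';
    $row   = $wpdb->get_row("SELECT name, price FROM $table WHERE id = " . $item);
    if (!$row) {
        return 'Not found';
    }
    return '<p>' . $row->name . ': ' . $row->price . '</p>';
}

// FIXED: validate the input as a non-negative integer, bind it with
// $wpdb->prepare() instead of string concatenation, and escape on output.
function example_lookup_fixed() {
    global $wpdb;
    $item = isset($_GET['item']) ? absint($_GET['item']) : 0;
    if ($item === 0) {
        return esc_html('Not found');
    }
    // The table name comes from the site's configured prefix, not from the
    // request, so it is safe to interpolate; the user value is bound as %d.
    $table = $wpdb->prefix . 'example_items';
    $row   = $wpdb->get_row(
        $wpdb->prepare("SELECT name, price FROM {$table} WHERE id = %d", $item)
    );
    if (!$row) {
        return esc_html('Not found');
    }
    // esc_html() neutralises any markup stored in the row before it is echoed.
    return '<p>' . esc_html($row->name) . ': ' . esc_html($row->price) . '</p>';
}

// Only the hardened handler is wired up; the vulnerable one is kept for comparison.
add_shortcode('example_lookup', 'example_lookup_fixed');
```

The two functions differ in three places a static scanner looks for: the request parameter flows into the SQL string unsanitised in the first version and through `absint()` and a `%d` placeholder in the second, and the database values reach the HTML output raw in the first version and through `esc_html()` in the second. `$wpdb->prepare()` binds only values, not identifiers, which is why the table name must never come from the request.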

Besides these safe practices and precautions, website owners should prefer and support developers who build their plugins within a secure SDLC. While no software is completely hack-proof, baking security into plugin development significantly reduces the number of vulnerabilities the hackers can exploit. Hacktivism can be defeated.

Source – Forbes Hacked By SEA
