As the Syrian Civil War rages on, cybercrime activity emerging from the troubled state is reaching monstrous proportions. Syrian president Bashar al-Assad may be losing hold on his people, but his loyal hacker-team is continuing to wreak havoc worldwide and exploit numerous high-profile websites and social media accounts.
Forbes is the latest victim of the infamous Arab hacking group. The American business magazine’s website was recently vandalized, with the hackers posting hate-text on the home page. This was achieved by gaining access to the website’s WordPress panel.
The hackers are repeatedly “conquering” large websites thanks to numerous loopholes in Content Management System (CMS) plugins. The classic Cross-Site Scripting (XSS) technique has also been extensively used by the cybercriminals from the middle-east.
More and more media powerhouses are being targeted by the SEA.
- 23rd April 2013 – The Associated Press Twitter account was hacked and exploited.
- 27th August 2013 – The NY Times DNS was redirected to Pro-Assad websites.
- 30th September 2013 – The Global Post’s website and Twitter account were compromised.
- 23rd January 2014 – CNN’s official Twitter account was hacked and manipulated.
Checkmarx’s research lab has found glaring vulnerabilities in WordPress, the world’s leading Content Management System (CMS). The Security State of WordPress Top 50 Plugins study, published in June 2013, painted a very grim picture. 7 out of 10 popular e-commerce plugins (and 20% of the plugins overall) were vulnerable to SQL Injections.
Here are a few safety tips all CISOs and InfoSec Managers should implement:
- Just like apps in smartphones, only official plugins should be used for websites. For example, WordPress users are advised to download solutions only from WordPress.org.
- Make sure your plugins are up-to-date. There are new security patches all the time.
- Unused and dormant plugins should be taken off the servers. Old plugins, even when not in use, pose a huge security threat and can be exploited by hackers.
- Scan the source code of your plugins using Source Code Analysis (SCA) products.
Besides these safe practices and precautions, website owners should prefer and support programmers who develop their programs in secure SDLC environments. While no software is completely hack-proof, baking security into the plugin development significantly reduces the amount of vulnerabilities the hackers can exploit. Hacktivism can be defeated.
Source – Forbes Hacked By SEA