Twitter admits to password storage blunder – change your password now!

Today Twitter admitted that the company had made a serious security blunder: it had been storing unencrypted copies of passwords.

Twitter claims that it has now “fixed the bug” and that its investigation “shows no indication of breach or misuse by anyone”.

Twitter therefore suggests merely that you “consider changing your password”.

Please do change your password(s) as soon as possible. There is no information about how long passwords have been out there in plain text or whether hackers managed to harvest any of them.

With 4 months to switch on HTTPS, are web hosting companies ready?

Like it or not, if your website isn’t using HTTPS (the encrypted version of the web’s HTTP protocol) by July then you’re likely to lose traffic.

That’s because in July 2018 Google Chrome, the world’s most popular browser, will start warning users that web pages served over HTTP are not secure (they aren’t).

This isn’t an empty threat: Chrome has been turning the screw on HTTP for a number of years, and Google Search already gives sites with HTTPS a boost in its search rankings. You should expect other browsers to follow Chrome’s lead.

As Mark Stockley explains, if you’re buying web hosting you’re going to want HTTPS.

Cloudflare now offers unmetered DDoS attack mitigation

Cloudflare turns seven this week and it wants to give your network a present. Should your website come under Distributed Denial of Service (DDoS) attack, it will never charge you additional fees, or (and this is important) kick you off the network.

Cloudflare CEO Matthew Prince has pledged unmetered DDoS mitigation, regardless of the size of the attack and no matter what level of service you have from the free tier all the way up to the enterprise level.

This is wonderful news for small business owners. Take advantage of it if you haven’t done so yet.

Next steps toward more connection security

Google has sent out a warning that HTTP sites that contain forms and other input fields will be marked Not Secure starting this October.

The search giant gave notice of this a few months ago but has now taken the next step of formally notifying those who will be affected by the upcoming change.

The notification states: “Beginning in October 2017, Chrome will show the ‘Not secure’ warning in two additional situations: when users enter data on an HTTP page, and on all HTTP pages visited in Incognito mode.”

The original Google Chrome post can be found here: https://blog.chromium.org/2017/04/next-steps-toward-more-connection.html

Chrome and Firefox Phishing Attack Uses Domains Identical to Known Safe Sites

There is a phishing attack that is receiving much attention today in the security community.

A phishing attack happens when an attacker sends you an email with a link to a malicious website. You click on the link because it appears trustworthy, and the site may then either infect your computer or trick you into signing in with the credentials you use on the real website. The attacker then has your username, password and any other sensitive information you may inadvertently provide.

This particular phishing attack uses malicious registered domains that look identical to real domains in your browser.

WordFence, the force behind one of the best WordPress security plugins, set up a test case to demonstrate how this attack works, in case you are interested in the technicalities. The most important thing if you are using Chrome or Firefox is to stay safe, and the easiest check to make when you are about to log into a website you trust is this.

Copy the URL in the location bar and paste it into any program on your device that lets you paste as plain text.

A fake domain will appear starting with https://xn--. A real website will look exactly as it does in your browser’s location bar.

In Chrome, you can even copy the domain and paste it right back into the location bar and the fake website’s domain will reveal itself.
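As an added example (not part of the original post or of WordFence’s test case), here is a small Python check that automates the copy-and-paste test described above: it decodes any Punycode (xn--) labels in a URL’s host and reports whether the decoded name uses non-Latin or mixed scripts. The URLs it inspects are constructed samples.

```python
import unicodedata
from urllib.parse import urlsplit

# Characters with no script of their own (digits, hyphen) are ignored
NEUTRAL = {"DIGIT", "HYPHEN-MINUS"}


def decode_host(host):
    """Return the Unicode form of a host, decoding any Punycode (xn--) labels."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        # Not valid Punycode, or the host is already in Unicode: leave as is
        return host


def label_scripts(label):
    """Set of Unicode script names (LATIN, CYRILLIC, ...) used in one label."""
    scripts = set()
    for ch in label:
        # The first word of the character name is its script, e.g. "CYRILLIC"
        first = unicodedata.name(ch, "UNKNOWN").split()[0]
        if first not in NEUTRAL:
            scripts.add(first)
    return scripts


def inspect_url(url):
    """Classify a URL's host the way the plain-text paste would reveal it."""
    host = (urlsplit(url).hostname or "").lower()
    unicode_host = decode_host(host)
    per_label = [label_scripts(label) for label in unicode_host.split(".")]
    all_scripts = set().union(*per_label) if per_label else set()
    return {
        "ascii_host": host,                       # what you see after pasting
        "unicode_host": unicode_host,             # what the browser displays
        "punycode": any(l.startswith("xn--") for l in host.split(".")),
        "mixed_script": any(len(s) > 1 for s in per_label),
        "non_latin": bool(all_scripts - {"LATIN"}),
    }


if __name__ == "__main__":
    # Constructed sample: "xn--e1afmkfd" is Punycode for the Cyrillic word "пример"
    for sample in ("https://example.com/login", "https://xn--e1afmkfd.com/login"):
        print(sample, inspect_url(sample))
```

Any host flagged as `punycode`, `non_latin` or `mixed_script` deserves a second look before you type a password into it.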

Case Studies: Fixing Hacked Sites

In the hope of helping other webmasters who have been victims of hacking, Google shares two different stories of websites that were hacked and then cleaned up by their owners: one of a restaurant website with multiple hack-injected scripts, and another of a professional website with lots of hard-to-find hacked pages.

Cleaning up a hacked website is usually an involved task that often requires hiring a professional. Google advises avoiding the hassle by following a few simple steps to minimize the chances of being hacked:

  • Avoid using FTP when transferring files to your servers. FTP does not encrypt any traffic, including passwords. Instead, use SFTP, which will encrypt everything, including your password, as a protection against eavesdroppers examining network traffic.
  • Check the permissions on sensitive files like .htaccess. Your hosting provider may be able to assist you if you need help. The .htaccess file can be used to improve and protect your site, but it can also be used for malicious hacks if attackers are able to gain access to it.
  • Be vigilant and look for new and unfamiliar users in your administrative panel and any other place where there may be users that can modify your site.

Check It Out: 25 Worst Passwords of 2014 (Not Still Using 123456, Are You?)

SplashData has announced its annual list of the 25 most common passwords found on the Internet, which makes them the worst passwords: anybody using them is exposed to being hacked or even to identity theft.

“Passwords based on simple patterns on your keyboard remain popular despite how weak they are. Any password using numbers alone should be avoided, especially sequences. As more websites require stronger passwords or combinations of letters and numbers, longer keyboard patterns are becoming common passwords, and they are still not secure.” ~ Morgan Slain, CEO of SplashData

Read the full article for more details and tips on keeping your data secure with good passwords.

3 security mistakes small companies make and how to avoid them

Just about every organisation is dependent on computers, but dedicated IT staff are a luxury most very small businesses can’t afford. They still need to find a way to secure their computers against cybercriminals who aren’t going to give them a break just because they’re small.

Follow Mark Stockley’s pointers about full disk encryption, making good backups, and the dangers of using outdated operating systems (Windows XP, anyone?) and stay safe.

Computer Viruses 101: What You Need to Know Now

Computer viruses first emerged in the 1980s. Since then, they have posed problems for computer users worldwide. Unfortunately, most are here to stay.

In this article, Justin Kemp talks about the origins of computer viruses, their types, and ways to prevent them from harming your own computer or your company’s computer network.