WordPress Vulnerability.

WordPress vulnerability makes it easy to hijack millions of websites

The WordPress content management system is vulnerable to two newly discovered threats. Both vulnerabilities are known as stored, or persistent, cross-site scripting (XSS) bugs.

The bugs allow an attacker to inject code into the HTML content received by administrators. The attackers can embed malicious code into the comments section at the bottom of a WordPress blog or article post. They can change passwords, add new administrators, or even perform actions as legitimate admins.

Jouko Pynnönen, a researcher with Finland-based security firm Klikki Oy that discovered the vulnerability, wrote:

If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors. Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.

They also provided a video of how the attacker could access the WordPress “backdoor”:

WordPress have released a critical security update that fixes the vulnerability. Make sure you have installed the latest patch.


Please let us know if you find these security updates useful. Leave a comment below. :)

Magento Vulnerability.

There’s a serious vulnerability in the Magento platform.

Check Point researchers recently discovered a critical vulnerability in the Magento web e-commerce platform.

The remote code execution (RCE) vulnerability can lead to the complete compromise of any Magento-based store. This could affect nearly two hundred thousand online shops.

A patch to address the flaws was released on February 9, 2015. We urge store owners and administrators to apply the patch immediately if they haven’t done so already.

Here’s a useful video that explains how the vulnerability can be exploited:

Several Vulnerabilities Together

The vulnerability is a chain of several vulnerabilities. They allow an unauthenticated attacker to execute PHP code on the web server. The attacker can then bypass all security mechanisms and gain control of the store and its database. All the vulnerabilities are present in the Magento core. So, it affects any default installation of both Community and Enterprise Editions.

So, to protect yourself from this vulnerability, make sure you have applied the latest patches.

For a technical breakdown of the Magento vulnerability, take a look at the Check Point blog.



The R.I.S.E. Challenge Final is Here.


It doesn’t seem that long ago since we introduced the R.I.S.E. challenge.

But, seven weeks have come and gone. Now, here we are at the final. The teams have finally revealed their creations.

Way back in the beginning of March, Steve Nice, C.E.O. of Reconnix, announced the R.I.S.E. (Reconnix. Innovate. Stimulate. Encourage) challenge. A team building exercise…with a twist.

Utilising all the creativity and invention they can muster, the Reconnix staff have 6 weeks to create something innovative and useful using the Sparkfun inventor’s kit. To make things interesting, everyone has been split into four teams: Team A, Team B, Team C and Team D. During office hours, each team has 2 hours per week to get their respective virtual soldering irons out and create something new and exciting.

Let’s have a look at the creations of each team:

Team A

Team A Yoga Buddy

Team A went with an Arduino system that involved attaching accelerometers to specific points on your body. The accelerometers would then measure the position of your limbs according to the yoga position that you were trying to achieve.

Team B

Team B Temp Sensor

Team B built an Arduino thermostat that would measure the temperature of the Reconnix server room. If the room reached a certain temperature, the device would send an alert to one of the technicians via Slack.

Team C

Team C Notification

Team C created an Arduino notification system for the tickets raised at Reconnix. The device would show how many tickets were in a queue. The colour of the display changed when the ticket reached a certain limit.

Team D

Team D Jelly Baby Sensor

Team D created an Arduino safe box and intruder system. The box sounds an alarm when an intruder tries to take the contents.

Pat Nice was the judge. She thought all of the ideas were great, and that each team showed great ingenuity. However, as they say, there could be only one.

So, the winning idea was…

(drum roll please)

Team D!

Their protective safe device, which was protecting a bag of Jelly Babies in the demonstration, was the winner. Their prize is an all expenses paid visit to Bletchley Park during work time! Well done Team D.

Until then, stay classy, Arduino Fans. :)


That’s it. The R.I.S.E. Challenge is finished. Now it’s your turn. What did you think to the challenge? Should we do another one? Let us know. Leave a comment below. :)