If you haven’t patched this vulnerability, you should.

By: Chase Palmer, Senior Program Manager, CISSP

In early 2015, Magento found a vulnerability known as the Shoplift Bug and released a patch for it. Unfortunately, many businesses still haven’t patched this vulnerability, which could threaten their e-commerce integrity. Here is some more information about the Shoplift Bug, how it makes your system vulnerable, and what you need to do to combat it.

How does the Shoplift Bug work?

Through the Shoplift Bug, hackers can remotely execute code on Magento software. This vulnerability seems to affect both the Community and Enterprise editions of Magento.

The Shoplift exploit is actually a chain of vulnerabilities in the Magento core software, but it is frighteningly simple. The exploit uses a Python script that forces the server to downgrade the website from HTTPS to HTTP and then uses SQL injection to create a new user with administrative privileges.

Once the attacker has administrator access to the dashboard, they will typically install software through the console that creates a backdoor. That backdoor allows the attacker to remotely alter the functionality of the online store: add or remove products, change the price of products, add phony coupons, and much more.

What should I do?

Unfortunately, this exploit was highly automated, and nearly all vulnerable instances of the Magento dashboard are assumed to be compromised.
If you don’t know whether you’ve patched your site recently, or whether you’re a Magento user at all, check on MageReport.com.

If you haven’t installed this patch, here is a list of steps you should take to patch your website:

- Download and implement the two patches from the Magento Community Edition download page.
- Test the patches in a development environment first to make sure they work properly before deploying them to your production environment.
- Check for unknown files in the web server document root directory. If you find any, remove the files, keeping a secure copy if possible.
- Check all admin accounts to make sure they are all authorized. Change all admin passwords if you suspect a breach.
- Check for unknown IP addresses accessing the system, since hackers may be using legitimate credentials to gain access to your system. Examples of such addresses include 62.76.177.179, 185.22.232.218, and 23.245.26.35.

If you need help installing patches, refer to Magento’s Community Security patch forum, where community members, moderators, and Magento can assist with questions about downloading and installing patches. If you haven’t already installed this latest patch, you should do so as soon as possible.

Patch your systems

Remember, it’s important to stay up to date on your systems and patch any vulnerabilities that pop up. Tips for doing this include:

- Sign up for newsletters/notifications from the vendors you use: once they release a new patch, you’ll be notified.
- Patch the vulnerability as soon as possible: the sooner you fix the vulnerability, the less time you’ll be open to attack.
- Set up a schedule to regularly patch and update software: this keeps your software in its most secure state.

Chase Palmer (CISSP) is the Senior Program Manager and has been working at SecurityMetrics for seven years. He manages the company’s largest corporate partners in running mass Level 4 PCI DSS programs worldwide.
Chase has a Bachelor’s degree in Business Management from Western Governor’s University. He currently lives in Provo, Utah, and he loves everything about motorcycles.
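The post’s advice to look for unknown IP addresses reaching the admin panel is easy to turn into a first-pass log review. The script below is an added example, not code from the post or from Magento: it parses constructed combined-format access-log lines, flags admin-path requests from any address outside an allowlist, and separately flags the three example addresses the post names. The allowlist address and the log lines are constructed assumptions.

```python
import re
from collections import Counter

# Example addresses named in the post above as ones to look for.
KNOWN_BAD_IPS = {"62.76.177.179", "185.22.232.218", "23.245.26.35"}
# Assumption: office/VPN egress addresses allowed to reach the admin panel.
ALLOWED_ADMIN_IPS = {"203.0.113.10"}

# Combined log format: ip - user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def triage(lines, admin_prefix="/admin", allowed=ALLOWED_ADMIN_IPS, bad=KNOWN_BAD_IPS):
    """Return (admin hits from unexpected IPs, hits from listed IPs, admin hits per IP)."""
    suspicious, known_bad, admin_counts = [], [], Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # skip malformed lines
        if rec["ip"] in bad:
            known_bad.append(rec)         # any request from a listed address
        if rec["path"].startswith(admin_prefix):
            admin_counts[rec["ip"]] += 1
            if rec["ip"] not in allowed:
                suspicious.append(rec)    # admin traffic from an unknown source
    return suspicious, known_bad, admin_counts

# Constructed sample log (not real traffic); two of the client IPs are the post's examples.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Apr/2015:09:12:01 +0000] "GET /admin/dashboard/ HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Apr/2015:09:15:44 +0000] "GET /catalog/product/view/id/42 HTTP/1.1" 200 8830',
    '185.22.232.218 - - [10/Apr/2015:03:02:17 +0000] "POST /admin/ HTTP/1.1" 302 0',
    '185.22.232.218 - - [10/Apr/2015:03:02:20 +0000] "GET /admin/system_config/ HTTP/1.1" 200 9921',
    '62.76.177.179 - - [10/Apr/2015:03:40:05 +0000] "GET /index.php/ HTTP/1.1" 200 3300',
    '198.51.100.22 - - [10/Apr/2015:11:01:00 +0000] "POST /admin/ HTTP/1.1" 200 4100',
]

if __name__ == "__main__":
    sus, bad_hits, counts = triage(SAMPLE_LOG)
    for r in sus:
        print(f"REVIEW admin hit from {r['ip']} at {r['ts']}: {r['method']} {r['path']}")
    for r in bad_hits:
        print(f"INDICATOR {r['ip']} seen: {r['method']} {r['path']} -> {r['status']}")
    print("admin requests per IP:", dict(counts))
```

Point the same function at your real access log and a genuine allowlist; every flagged admin hit should be tied back to a known administrator before you trust the install.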
How to Do Passwords Right: Password Management Best Practices
Learn what your business is doing wrong with passwords.

By: George Mateaki

With the recent release of PCI 3.2, one of the changes is the requirement that businesses use multi-factor authentication both within and outside the network. Multi-factor authentication includes at least two of the following:

- Something you know (password, code, etc.)
- Something you have (code sent to your phone)
- Something you are (fingerprint scan, etc.)

Part of the authentication process includes passwords, but unfortunately passwords bring their own set of problems.

The problem with passwords

The biggest problem with passwords is that they can be broken fairly easily through brute-force and dictionary attacks. Programs like John the Ripper and L0phtCrack are used to crack even complex passwords.

Human nature also makes passwords insecure. Employees tend to choose passwords they can remember easily, which often makes it easy for a data thief to obtain them through social engineering. Many employees also write down passwords or even share them with others for convenience.

Finally, there’s the matter of storage. Many applications transmit passwords in plaintext, making them easy for hackers to find and use.

Unfortunately, many businesses don’t realize just how easily cyber thieves can crack a password, especially a common one. As a result, they have poor practices when it comes to password security. Here are some things businesses are doing wrong with passwords.

- Default configuration: businesses often keep the default passwords that were set when their routers/POS systems were installed. Most default passwords have been published on the internet, which makes it fairly easy for hackers to break into your devices.
- Sharing credentials: sometimes employees share accounts and credentials to save time. However, this makes it easy for social engineers to quickly gain access to sensitive data.
- Not updating passwords regularly: for many hackers, it’s only a matter of time before they crack a password, so businesses that have kept the same passwords on their accounts since the day the company started are vulnerable.
- Choosing words like “password” or “admin”: these passwords are very common and are likely the first words hackers guess when trying to break into your remote access.

Do we even need passwords anymore?

It’s true that passwords alone will not secure your data very well, but they are the baseline. The fact that many businesses aren’t even using basic password security shows how vulnerable their data may be. Eventually passwords may not be needed as technology develops, but currently your devices and applications still need unique, strong passwords.

Password best practices

So how do you make sure your passwords are secure? Here are some basic practices.

Assign employees unique credentials/change default passwords

Make sure your employees aren’t using the same passwords or usernames. This prevents social engineers from getting access to sensitive data simply by targeting one employee. Many companies create a numeric user name that has no association with the actual name of the user. Simply renaming the administrator account to something like “admin” may meet the letter of the law but misses the intent: the administrator user name should be changed to something that does not indicate an administrator. This goes for any elevated-access account used as the master/root account, if the technology allows for it. You’ll also want to change all the default passwords on devices; otherwise you’re opening up your network to hackers.

Make passwords long and complex

The longer your password, the better. Just as larger encryption keys are harder to break, longer passwords are more difficult to crack.
The PCI DSS recommends that businesses have passwords of at least eight characters, though I recommend at least 10-15 characters. You’ll also want to make them complex, using a mixture of numbers, symbols, and letters. This seems like a no-brainer, but you’d be surprised how many people don’t follow this rule.

Reset passwords often

Train your employees to reset passwords at regular intervals. For example, you could have them change passwords every 30, 60, or 90 days. Switching passwords often limits your exposure to brute-force attacks: the less time hackers have with a given password, the less likely they are to crack it before you change it. The best approach is to use technology to force users to change their passwords per the current policy.

Have limited login attempts

Set a number of times your employees can try to log into a system. After that number of unsuccessful logons, have the account lock out whoever is trying to get in. This helps prevent brute-force attacks and social engineers trying to guess passwords.

How to create a strong password

Nowadays, using your favorite sport as a password doesn’t cut it. Here’s the list of the top ten popular passwords for 2015:

- 123456
- password
- 12345678
- qwerty
- 12345
- 123456789
- football
- 1234
- 1234567
- baseball

Some additional passwords in the top 25 include “dragon,” “welcome,” and “starwars.” None of these passwords are secure because they’re too easy to guess, being too common or relying on keyboard patterns. Hackers know these lists well and often use them as a first step in cracking your password. If any of your passwords are on this list, change them as soon as possible.

Your best practice is to use a passphrase that’s unique to you. Take a phrase such as “I wear my sunglasses at night” and use the first letter of each word. Combine it with a number, such as a date, and you have a stronger password.
Example: I wear my sunglasses at night = Iwmsg@n1980!

You likely know these, but a few other basic guidelines for passwords include:

- Use a mixture of upper- and lower-case letters
- Don’t include your name or other personal information
- Replace some letters with numbers
- Use nonsense phrases, misspellings, or substitutions
- Do not repeat patterns between password changes
- Do not use the same passwords for work and personal accounts

You can’t really afford to have weak passwords. Ultimately a password alone isn’t going to completely secure your data. What you really need is a combination of multi-factor authentication, encryption, and other controls to make sure your data is secure. But having a strong password is a good start.

George Mateaki (CISSP, CISA, QSA, PA-QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.
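The guidelines above (the author’s 10-character minimum, a mix of character classes, nothing from the 2015 top-ten list, no keyboard patterns, no repeated pattern between changes) can be enforced at password-set time. The checker below is an added example, not SecurityMetrics code; the keyboard-row table, the three-of-four class threshold, and the “same core, different trailing digits” reuse test are my assumptions, and the top-ten list and the Iwmsg@n1980! passphrase come from the post.

```python
import string

# The 2015 top-ten list quoted in the post above.
TOP_TEN_2015 = {"123456", "password", "12345678", "qwerty", "12345",
                "123456789", "football", "1234", "1234567", "baseball"}
# Assumption: keyboard rows used to spot patterns like "qwer" or "asdf".
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

def has_keyboard_run(pw, length=4):
    """True if pw contains `length` adjacent keys from one row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - length + 1):
            run = row[i:i + length]
            if run in low or run[::-1] in low:
                return True
    return False

def same_core(old, new):
    """True when new is old with only trailing digits/symbols changed
    (e.g. Summer2015! -> Summer2016!), the reuse the post warns against."""
    if old is None:
        return False
    strip = lambda s: s.lower().rstrip(string.digits + string.punctuation)
    return strip(old) != "" and strip(old) == strip(new)

def check_password(pw, previous=None, min_len=10):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(pw) < min_len:                      # author recommends 10-15 characters
        problems.append(f"shorter than {min_len} characters")
    classes = (any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw))
    if sum(classes) < 3:                       # assumption: three of the four classes
        problems.append("needs at least three of: lower, upper, digit, symbol")
    if pw.lower() in TOP_TEN_2015:
        problems.append("on the 2015 top-ten list")
    if has_keyboard_run(pw):
        problems.append("contains a keyboard pattern")
    if same_core(previous, pw):
        problems.append("too similar to the previous password")
    return problems

if __name__ == "__main__":
    for pw, prev in [("Iwmsg@n1980!", None), ("password", None),
                     ("Qwerty123!x", None), ("Summer2016!", "Summer2015!")]:
        print(pw, "->", check_password(pw, prev) or ["ok"])
```

The previous-password comparison needs the old password in cleartext at change time, so run it only in the change flow where the user supplies both values; never keep old passwords around for it.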
Many Fans Illegally Download Frank Ocean’s #Blond Album
R&B singer and songwriter Frank Ocean released his new album Blond exclusively to Apple Music. This caused fans to flock to torrent and other illegal file sharing sites to download the album. The entire album has also surfaced for free on Google Drive. (Digital Music News)
Because other popular streaming services such as Spotify and Tidal are unable to stream Blonde, those who are not subscribers to Apple’s service have had to find other means of obtaining the album. A quick Google search has also led some listeners to file locker locations containing the album files. Some Reddit threads have links to file hosting sites like Zippyshare to help share the album more widely.
Since Blonde was released exclusively to Apple Music, some have signed up for the service specifically to hear the album:
I don't fuck with Apple Music #, but I'll do it for you Frank #Blonde #FrankOcean
— Rosicella Luna (@chihuahuarosi) August 21, 2016
#Blonde you know what fuck it I'm using my free 3 month trial on Apple Music this is an emergency
— #BLM (@miamia697) August 21, 2016
Welp I caved in and subscribed to Apple Music, and it was so worth it. #Blonde #FrankOcean #Masterpiece
— Ali Philippides (@ClubAliP) August 21, 2016
I just made a whole new apple ID just for a free trial of Apple Music #Blond
— grace keller (@graceakell) August 21, 2016
Others are promoting pirating the album for those who don’t want to pay or sign up for Apple Music:
@FrankOcean FOR ALL MY NIGGAZ WHO DONT WANNA PAY FOR THIS –> https://t.co/6mCybw6vT1 #FRANKOCEAN #BLONDE
— JUULDELATOERET (@juuldelatoeret) August 21, 2016
i'm against piracy but when it's ocean i resort to torrenting #Blonde
— Alec Xavier (@axemfirst) August 21, 2016
Having given exclusive rights to Apple Music, the Frank Ocean brand has gone against Kim Dotcom’s suggestions for stopping piracy:
How to stop piracy:
1. Create great content
2. Make it easy to buy
3. Same day global release
4. Works on any device
5. Fair price
— Kim Dotcom (@KimDotcom) September 19, 2013
By not making the album easy to buy or obtain, many people feel that piracy is a better option for those who are not subscribers to Apple Music.
The post Many Fans Illegally Download Frank Ocean’s #Blond Album appeared first on Social Hax.