Archive for the ‘News’ Category

Bumper security update for Java released

Oracle has released a bumper update package for Java that closes lots of security holes in the software.

The update fixes 51 separate security bugs in Java, which owner Oracle says is used on billions of devices.

About a dozen of the bugs were serious enough to allow attackers to take remote control of a compromised system, researchers said.

Java is one of the most popular targets for cyber-thieves and malware writers seeking to hijack home computers.

In its advisory about the update, Oracle urged customers to patch the software as soon as possible “due to the threat posed by a successful attack”.

Programming language Java has proved popular because software written with it can easily be made to run on many different types of computer.

Twelve of the holes in Java addressed by the update topped the table that ranked the severity of security weaknesses in software, wrote Qualys security expert Wolfgang Kandek in a blogpost.

If these bugs were exploited, attackers could bypass ID controls and take over a target system, he added.

He said those seeking to exploit Java would probably seed web pages with booby-trapped links in a bid to catch vulnerable machines.

Security glitches in Java are favourites among those that write and run so-called “exploit kits” that seek to compromise vulnerable websites and other systems.

Security blogger Brian Krebs said if people needed to run Java, it was well worth taking time to apply the update.

Those that did not need the software should consider disabling it altogether, he said.

“This widely installed and powerful program is riddled with security holes, and is a top target of malware writers and miscreants,” he wrote.

The update is available via the main Java website and has prompted follow-up action from other electronics firms. Apple has released an update to the version of Java that runs on its computers. This update points people towards the official version of Java from Oracle instead of that supplied by Apple.

In the past, Apple has faced criticism over the speed with which it updated its version of Java.

This article originally appeared on the BBC News website

Irish Web Design – Bumper security update for Java released

Irish Cookie Regulations

Irish Cookie Regulations – Update

This article was written by Philip Nolan, Head of Commercial Law Department and Partner MH & C and Oisin Tobin, trainee, MH & C. Philip Nolan is a Partner in the Commercial Contracts and Outsourcing Department at Mason Hayes & Curran.

The Irish Regulations transposing the new European rules on cookies have come into force. While website operators will need to exercise care to ensure that they are complying with the new regime, these new rules are less onerous and disruptive than originally anticipated.

Cookies, or small items of code placed on a user’s computer by a website, are vital to the functioning of the modern web. Cookies allow website operators to determine how users browse their sites and are a technical prerequisite for the operation of more advanced websites, such as those which require their users to log-in. Cookies can also be used, more controversially, to monitor user behavior for the purpose of targeting advertisements.

The rules governing cookies are being overhauled across Europe at present due to an EU Directive adopted in 2009. While all Member States are obliged to implement the Directive, they are given a certain degree of freedom as to the exact manner in which they choose to do so. The Irish measures which implement the Directive, and which have just come into force, seem to minimize the potential negative impact of the Directive for websites and web businesses based in Ireland. As a result, it would seem that the new Irish regime may prove to be an additional attraction to international web based businesses considering Ireland as their EU base.

Under the new regime, all websites must have user consent before they place a cookie onto the user’s computer. The Irish rules do not require that this consent be explicit and therefore, it would seem that consent may be implied. In addition, they must provide the user with clear, comprehensive, prominently displayed and easily accessible information about the cookie, particularly as to its purpose. While this regime is somewhat tougher than the previous rules, which required that websites give a user the ability to “opt-out” of the cookie being used, these new rules contain a number of provisions which should ensure that websites can become compliant without having to radically overhaul their design. The regulations note that the methods of providing information and giving consent should be as user friendly as possible. In certain circumstances users may be able to give consent via their browser settings and many consider that the use of browser settings for consent may become a popular means of managing consents. Cookies which are technically required to operate the site are exempt from these new rules.

Notably, a provision in an earlier draft of the Irish regulations, prohibiting the current practice of providing the relevant disclosures about cookie use in a privacy policy, has not made it into the final regulations. This means that privacy policies may continue to be used, once user friendly and prominently displayed, to provide information about cookies in compliance with the new rules.

In summary, it would seem the Minister for Communications has struck quite an effective balance between the privacy concerns of web users in relation to the use of cookies and the concerns of industry in relation to over-regulation of the internet.

Attribute to Philip Nolan, Head of Commercial Law Department and Partner MH & C and Oisin Tobin, trainee, MH & C. Philip Nolan is a Partner in the Commercial Contracts and Outsourcing Department at Mason Hayes & Curran. For more information, please contact Philip at pnolan@mhc.ie or + 353 1 614 5000. The content of this article is provided for information purposes only and does not constitute legal or other advice. Mason Hayes & Curran (www.mhc.ie) is a leading business law firm with offices in Dublin, London and New York. © Copyright Mason Hayes & Curran 2011. All rights reserved.

Irish Web Design – Irish Cookie Regulations

FBI and Microsoft move in on Internet Criminals

American FBI and Microsoft shut down the €375m theft botnet known as Citadel

The American FBI and Microsoft have cooperated in order to break up a massive network of hijacked home computers that have been responsible for stealing more than €375m from bank accounts around the globe.

The Citadel network was set up by a group of criminal gangs who remotely installed a keylogging program on upwards of five million machines in order to steal data.

About 1,000 of the 1,400 or so networks that made up the Citadel botnet are believed to have been shut down.

Co-ordinated action in 80 countries by police forces, tech firms and banking bodies helped to disrupt the network.

“The bad guys will feel the punch in the gut,” Richard Boscovich, a spokesman for Microsoft’s digital crimes unit said.

Control code

The cybercriminals behind Citadel cashed in by using login and password details for online bank accounts stolen from compromised computers.

This method was used to steal cash from a huge number of banks including American Express, Bank of America, PayPal, HSBC, Royal Bank of Canada and Wells Fargo.

Citadel emerged after core computer code for a widely used cybercrime kit, called Zeus, was released online.

Underground coders banded together to turn that code into a separate cybercrime toolkit that quickly proved popular with many malicious hackers.

In a blogpost detailing its action, Microsoft said Citadel had also grown because malicious code that could take over a PC had been bundled in with pirated versions of Windows.

The millions of PCs in the criminal network were spread around the globe, but were most heavily concentrated in North America, Western Europe, Hong Kong, India and Australia.

Despite the widespread action, which involved seizures of servers that co-ordinated the running of Citadel, the identity of the botnet’s main controller is unknown.

However, Microsoft has started a “John Doe” lawsuit against the anonymous controller, believing him to use the nickname Aquabox and be based in Eastern Europe.

In addition, the FBI is working with Europol and police forces in many other countries to track down and identify the 81 “lieutenants” that helped Aquabox keep Citadel running.

Microsoft has also started action to help people clean up an infected computer.

Typically, it said, machines compromised by Citadel were blocked from getting security updates to ensure those computers stayed part of the botnet.

With the network disrupted, machines should be free to get updates and purge the Citadel malware from their system.

FBI and Microsoft move in on Internet Criminals – Irish Web Design. From an article on BBC News.

Cookies and what you need to know about them

This website, as almost all websites do, uses cookies to help provide you with the best experience when you visit.

Cookies are simply small text files which are placed on your pc, laptop or mobile phone when you browse a website.

The cookies help us to:

  • Make our website work as you’d expect
  • Save you having to login every time you visit the site
  • Remember your settings during and between visits
  • Offer you free services/content (thanks to advertising)
  • Improve the speed/security of the site
  • Allow you to share pages with social networks like Facebook
  • Personalise our site to you to help you get what you need faster
  • Continuously improve our website for you
  • Make our marketing more efficient (ultimately helping us to offer the service we do at the price we do)

We do not use cookies to:

  • Collect any personally identifiable information (without your express permission)
  • Collect any sensitive information (without your express permission)
  • Pay sales commissions

You can learn more about all the cookies we use below.

Granting us permission to use cookies

If the settings on the software that you are using to view this website (your browser) are adjusted to accept cookies, we take this, and your continued use of our website, to mean that you are fine with this. Should you wish to remove or not use cookies from our site you can learn how to do this below; however, doing so will likely mean that our site will not work as you would expect.

More about our Cookies

Website Function Cookies

Our own cookies

We use cookies to make our website work including:

  • Making our shopping basket and checkout work
  • Determining if you are logged in or not
  • Remembering your search settings
  • Remembering if you have accepted our terms and conditions
  • Showing you which pages you have recently visited
  • Allowing you to add comments to our site
  • Tailoring content to your needs
  • Remembering your preferences such as colours, text size and layout
  • Remembering if we have already asked you certain questions (e.g. you declined to use our app or take our survey)

There is no way to prevent these cookies being set other than to not use our site.

Third party functions

Our site, like most websites, includes functionality provided by third parties. A common example is an embedded YouTube video. Our site includes the following which use cookies:

  • Google
  • Youtube
  • Embedly
  • Twitter
  • Facebook

Disabling these cookies will likely break the functions offered by these third parties.

Social Website Cookies

So you can easily ‘Like’ or share our content on the likes of Facebook and Twitter, we have included sharing buttons on our site.

Cookies are set by:

  • AddThis – provide us with lots of sharing buttons all in one neat package

The privacy implications on this will vary from social network to social network and will be dependent on the privacy settings you have chosen on these networks.

Site Improvement Cookies

We regularly test new designs or site features on our site. We do this by showing slightly different versions of our website to different people and anonymously monitoring how our site visitors respond to these different versions. Ultimately this helps us to offer you a better website.

We use:

  • Chartbeat.com
  • VisualRevenue.com

We use cookies to compile visitor statistics such as how many people have visited our website, what type of technology they are using (e.g. Mac or Windows, which helps to identify when our site isn’t working as it should for particular technologies), how long they spend on the site, what pages they look at etc. This helps us to continuously improve our website. These so called “analytics” programs also tell us, on an anonymous basis, how people reached this site (e.g. from a search engine) and whether they have been here before, helping us to put more money into developing our services for you instead of marketing spend.

We use:

  • Google Analytics
  • chartbeat.com

Advertising Cookies

Cookies are widely used in online advertising. Neither we, advertisers nor our advertising partners can gain personally identifiable information from these cookies. We only work with advertising partners who work to accepted privacy standards such as http://www.youronlinechoices.com/uk/iab-good-practice-principles

You can learn more about online advertising at http://www.youronlinechoices.com. You can opt out of almost all advertising cookies at http://www.youronlinechoices.com/uk/your-ad-choices, although we would prefer that you didn’t, as ultimately adverts help keep much of the internet free. It is also worth noting that opting out of advertising cookies will not mean you won’t see adverts, just simply that they won’t be tailored to you any longer.

We use:

  • DoubleClick – owned by Google

Banner Adverts

We fund our site by showing adverts as you browse our site. These adverts are usually managed by a partner specialising in providing adverts for multiple sites. Invariably these partners place cookies to collect anonymous data about the websites you visit so they can personalise the adverts to you, ensure that you don’t see the same adverts too frequently and ultimately report to advertisers on which adverts are working. Our partners include:

Remarketing Cookies

You may notice that sometimes after visiting a site you see increased numbers of adverts from the site you visited. This is because advertisers, including ourselves, pay for these adverts. The technology to do this is made possible by cookies and as such we may place a so called “remarketing cookie” during your visit. We use these adverts to offer special offers etc. to encourage you to come back to our site. Don’t worry, we are unable to proactively reach out to you as the whole process is entirely anonymised. You can opt out of these cookies at any time as explained above.

Turning Cookies Off

You can usually switch cookies off by adjusting your browser settings to stop it from accepting cookies (Learn how here). Doing so however will likely limit the functionality of ours and a large proportion of the world’s websites, as cookies are a standard part of most modern websites.

This article on the Irish Web Design website called ‘Cookies and what you need to know about them’ contains content that first appeared in the Irish Examiner:

http://www.irishexaminer.com/info/cookiepolicy/

Secure your CCTV

This is an interesting article that Irish Web Design found on the BBC News Features and Analysis Section.

The subject of securing your systems from outside access applies to virtually every computer.

Those businesses with security systems that can be accessed on the web or by mobile phone should pay particular attention to how their system is secured.

How to hack a nation’s infrastructure

By Mark Ward, Technology correspondent, BBC News

I’m watching a live video feed of people visiting a café in London.

It’s a small, busy place and is doing a good trade in tea, coffee and cakes. That woman has dropped some money. A child is running around. Later, another customer thinks they have got the wrong change.

Nothing too gripping, you might think, except that the feed should be private, seen only by the cafe’s managers. Somebody forgot to click a box so now anyone who knows where to look can watch.

That CCTV feed is just one of many inadvertently put online. Finding them has got much easier thanks to search engines such as Shodan that scour the web for them. It catalogues hundreds every day.

“Shodan makes it easier to perform attacks that were historically difficult due to the rarity of the systems involved,” Alastair O’Neill from the Insecurety computer security research collective told the BBC. “Shodan lowers the cost of enumerating a network and looking for specific targets.”

It is not just CCTV that has been inadvertently exposed to public scrutiny. Search engines are revealing public interfaces to huge numbers of domestic, business and industrial systems.

Mr O’Neill and other researchers have found public control interfaces for heating systems, geo-thermal energy plants, building control systems and manufacturing plants.

Remote work

The most worrying examples are web-facing controls for “critical infrastructure” – water treatment systems, power plants and traffic control systems.

Image caption: Many industrial systems are networked because they are in remote locations.

“There’s a tremendous amount of stuff out there right now,” said Kyle Wilhoit, a threat researcher from Trend Micro who specialises in seeking out those exposed systems and helping them improve their defences.

Mr Wilhoit said such control systems, which often go by the name of Scada (supervisory control and data acquisition), get put online for many different reasons. Often, he said, the elements of such critical systems were in far-flung places and it was much cheaper to keep an eye on them via the internet than to send an engineer out.

It’s not just finding these systems that is a danger. Security experts are finding lots of holes in the software they run that, in the hands of a skilled attacker, can be exploited to grant unauthorised access.

“For attackers, the potential pay-off for compromising these systems is very high,” said Mr Wilhoit.

Governments are turning their attention to increasingly public vulnerabilities in such critical systems. The US Department of Homeland Security has established a computer emergency response team that deals solely with threats to industrial control systems. In the UK, government cash has been made available to help intelligence agencies and law enforcement deal with cyberthreats.

A Cabinet Office spokesman said cyber-attacks were one of the “top four” threats to the UK’s national security.

“Billions of pounds are being lost to the UK economy from cybercrime each year, including from intellectual property theft and cyber-espionage,” he said. “Industry is by far the biggest victim.”

The spokesman added that government was working with industry to harden critical infrastructure against attack, and had set up a series of initiatives to share information about threats and the best way to tackle them.

Bad decisions

The number of web-facing industrial and critical systems that these search engines find is only going to grow. That could introduce a whole new problem if the work of Greg Jones from security firm Digital Assurance is any guide.

Mr Jones bought several smart electricity meters from eBay and took them apart to see how well they protected the information within them. The models he bought are the same as those likely to be used as the UK converts its relatively dumb electricity grid to a smarter alternative.

A few days of work saw Mr Jones and his colleagues extract the passwords from the small chunk of memory inside the meter.

Image caption: Many of the systems found by Shodan should have a restricted audience.

“They had the same credentials in them – factory default passwords.” In addition, he said, basic steps to stop people fiddling with the hardware, or at least reveal tampering, had not been taken.

The traffic the devices swapped with utilities looked like it would be easy to spoof. If smart meters are rolled out in large numbers this could mean problems as it would give any attacker a way to trick that smart grid into making some catastrophically bad decisions.

“There are some really good standards out there governing smart meters,” said Mr Jones. “Our evidence suggests that those suggestions are not being followed.”

This is despite the government body that advises on security, based at GCHQ in Cheltenham, drawing up standards for validating the security, or otherwise, of the meters. The UK was already supposed to be well on the way to making the grid smarter but the project has been delayed because of worries about the central control system.

What is clear is that critical infrastructure and industrial plant control systems are coming under more scrutiny from both attackers and defenders.

That has its upside, said Jeff Parker, one of the directors at the ICSPA, which advises governments and businesses on cyber-protection.

“Is that a benefit? If it raises awareness of vulnerabilities, then, yes, it can help,” he said. However, it might take a lot of work to harden systems and ensure they were adequately protected.

“The threat is there,” he said, “It might not be biting you yet but you had better be ready for the day it does.”

Read the original article here: http://www.bbc.co.uk/news/technology-22524274

Secure your CCTV – Irish Web Design

Google Chrome Audio Tabs

As we are currently working on a music website we were especially interested to hear that Google Chrome are about to add an ‘audio icon’ to any tabs that are making noise.

How often does it happen that there are a number of browsers open with multiple tabs on each and you find yourself wondering where the noise is coming from?

Once they release this feature you will be able to tell immediately which tabs have audio running.

The tabs are also designed to tell the Chrome browser which tabs have audio running.

As you may know Chrome closes tabs if it is running out of memory.

With this new feature Chrome will discard the tabs with the audio indicator active last.

So if you’re listening to something in a tab near the back of all your tabs Chrome won’t assume that it is inactive.

This function is already in the latest build of Chrome meant for developers and ‘early adopters’ but at present it’s not always stable.

Expect to see it in an update to Google Chrome in the very near future.

Google Chrome Audio Tabs – Irish Web Design

Tourism Ireland Website

IIA STATEMENT IN RESPONSE TO TOURISM IRELAND AWARDING CONTRACT TO LONDON BASED COMPANY

In response to the Tourism Ireland decision to spend €2.5million on the development of the new Tourism Ireland website www.Ireland.com, the Irish Internet Association on behalf of its members would like to express its serious disappointment that an agency of the state has preferred to employ the services of a London web development company over an Irish one.

There are a number of points that need to be addressed. Firstly, as a country in a job crisis we should be doing everything in our power to support jobs locally. On principle as well as in practice, this ethos should be of highest importance for government agencies leading by example. In this specific instance, IIA members were shortlisted for this tender and we know that domestic rates are far more competitive than those reportedly paid. In accepting that price is not the only factor and that technical merit was the other criterion used, it is worth noting that on the subjective yet technical issue of design and user experience, the general view is that there are already some basic user experience shortcomings with this site.

Secondly, we must look at the broader ramifications of this decision. The majority of global technology companies have elected Ireland as their European base given the high quality of talent here. Beyond the specifics of this particular case, the political message that this decision is sending out to the world is counter-productive and anti-jobs. On the one hand, we have the IDA and Government Ministers working to increase foreign direct investment with a strong focus on the technology industry. On the other hand, in this single decision, we have a state agency saying that it is not possible to secure high quality and good value web design and development services here.

Tourism Ireland is responsible for attracting visitors to Ireland. Holiday tourism is important but so too is business and education tourism. They are asking people to visit a vibrant and welcoming country but is it also one that is so insecure about itself, so lacking in faith in its own people that when given the choice they will partner with a foreign company rather than an Irish one? The argument that this spend represents less than 10% of its total budget for the year is reminiscent of boom years when pockets were deep. The measure of value in these straitened times should surely not be that they got it for a small % of a large amount but rather that they got it for the very best possible price and in doing so factored in the multiplier effect of keeping those jobs in Ireland and promoting the world class standards that exist within our country.

Tourism Ireland’s new website was designed by Hugo and Cat — a creative agency for a digital world.

To quote their own website:

“Creativity from Insight

Consumer engagement. Conversion. Advocacy. A full house in buzzword bingo – but they’re what our clients come to us for.

We’re a digital creative agency specialising in content marketing, experience design and technology, underpinned by strategic planning. We’re all about big ideas without a big attitude, so you’ll get to know the people creating the work that gets your audience talking.

Why not stop by and say hello?”

Originally published on the IIA website

Bock The Robber had an amusing take on the whole farce:

At first glance it appears that the cat did most of the work, and a very well paid cat he is indeed, while Hugo did most of the talking. But what a talker Hugo is, persuading the Tourism Ireland management that a website should cost €2.5 million to design and build.

How appropriate for this pantomime.

Let’s say the cat is on a hundred grand a year, which is good money by any standards in a time of austerity, especially when all you need to survive is the odd fish-bone. This means that the moggy needed to spend 25 years working on the project, which, you’ll agree, uses up several of his lives.

Two and a half million buckaroonies for a website isn’t chickenfeed. but hold on. A man like Hugo would have no ordinary cat. Any feline in his world would be the very cream of cat programmers, so let’s say he’s on a grand a day, because he’s worth it. That means he spent 2,500 days developing this website. Giving him weekends off to prowl the rooftops flashing the dosh at the lady cats — Loadsamoney!! — he still spent a full ten years on the job. That must be a hell of a website, wouldn’t you think?

Well, yes, you would think so, but you’d be wrong. This is the most confused, ill-functioning website you might ever have seen. It starts nowhere and it goes nowhere. It looks like somebody stole it and crashed it into a wall. If there’s a wrong way to do it, a right way to screw it up, nobody does it like us, and so, in their wisdom, the authorities awarded the contract to a London-based firm, rather than a local developer, even though their tender was not the lowest. Not that there’s anything wrong with a firm simply because it’s based in London, but since there’s no shortage of developers in Ireland, it seems surprising that Tourism Ireland couldn’t find a single one that came within a whisker of Hugo and his feline friend. Nobody was up to scratch.

Of course, the formidable managerial intellects at Tourism Ireland weren’t satisfied with spending the two and a half million on Hugo’s cat. They also decided that they should buy the domain name ireland.com from the Irish Times for half a million euros.

For some reason, they felt it was better to have an American domain representing Ireland than our own .ie extension.

Why?

I don’t know. This doesn’t seem like a decision based on professional advice, but of course, as usual, I might be wrong. I’d be very interested to hear what professional advice they had when they drew up the request for proposals. Were any web professionals involved in preparing the tender documents? What factors persuaded Tourism Ireland to award the contract to a company whose tender was not the lowest? What personnel prepared the detailed specification? Did any external consultants assist in completion of the specification? Did any external consultants assist in evaluation of the completed design to ensure compliance with the brief? If so, who did these consultants work for?

So many questions.

One question has finally been answered, of course.

We now know that a cat can most certainly laugh.

Originally published on Bock

Irish Web Design notes that the website does not perform very well on mobile devices and smart phones.

Little and Large Websites Attacked

The coordinated attacks used to knock a large number of websites offline became more powerful in the past months. According to the American company Prolexic, which runs the world’s largest and most trusted distributed denial of service (DDoS) protection and mitigation service, there has been an eight-fold increase in the average amount of junk traffic used to take sites down.

Attackers have moved on from just using compromised PCs in homes and small offices to flood websites with vast volumes of traffic, and are now using web servers, which have vastly more bandwidth available.

The recent ongoing attack on servers running the WordPress blogging application is constantly seeking new computing power that can be harnessed to form vastly bigger botnets.

Prolexic reported that well-financed attackers are increasingly able to coordinate with fellow crime organizations in the large-scale assaults.

These types of attacks appear to be here to stay and can only be achieved by having access to significant resources, including manpower, technical skills and an organised chain of command.

The most prominent targets of the attacks have been America’s largest banks, including Bank of America, Wells Fargo Bank and Chase Bank, which at times have become completely unreachable following the flood of traffic.

Prolexic believes these attacks are not individual youngsters flexing their muscles, because the effort involved in the harvesting of hosts, the coordination, schedules and specifics, and the sheer military precision of the attacks suggest the presence of experienced criminals that recruit ‘digital mercenary groups’ to do their work for them.

San Francisco-based CloudFlare’s network was recently bombarded by data sent by more than 80,000 servers across the Internet that all appeared to be running WordPress.

Attackers submit a legitimate user name along with passwords that are known to be invalid. Repeated millions of times, this overwhelms the servers, which must perform a database lookup for every attempt, report the authentication failure and then struggle to record it in their internal logs.

The vast increase in applications such as WordPress and Joomla could make them to this decade what the early versions of Microsoft’s Windows XP were to the previous one. In the 2000s it was easy to compromise desktop PCs and turn them into spam-sending engines or botnets to perform various nefarious acts.

Nowadays a compromised server, which is at least ten times as powerful as a desktop computer, can do a great deal more damage.

Recent Irish websites that have been attacked include the websites for the Department of Justice and the website of the Department of Finance.

Irish Web Design

Living Social Website Compromised

The mighty Living Social website is the latest to be hacked or attacked, or, as they put it, to have “experienced a security breach”.

Irish Web Design have carried out a series of actions to protect all the websites they have designed and currently manage.

Irish Web Design is currently considering the best course of action to take to keep all the websites in their care safe in the future.

We will be posting the results here and will also send the details directly to our clients.

If you are not currently a client we are happy to keep you informed if you send us a message from the Contact page of this website.

In the meantime this is the content of the message subscribers received from Living Social earlier on.

IMPORTANT INFORMATION

LivingSocial recently experienced a security breach on our computer systems that resulted in unauthorised access to some customer data from our servers. We are actively working with the authorities to investigate this issue.

The information accessed includes names, email addresses, the date of birth of some users, and encrypted passwords; technically ‘hashed’ and ‘salted’ passwords. We never store passwords in plain text.

The database that stores customer credit card information was not affected or accessed.

Although your LivingSocial password would be difficult to decode, we want to take every precaution to ensure that your account is secure, so we are expiring your old password and requesting that you create a new one.

For your security, please create a new password for your account by following the instructions below.

  1. Visit https://www.livingsocial.com
  2. Click on the “Create New Password” button (top right corner of the homepage)
  3. Follow the steps to finish

We also encourage you, for your own personal data security, to consider changing password(s) on any other sites where you use the same or similar password(s).

The security of your information is our priority. We always strive to ensure the security of our customer information, and we are redoubling efforts to prevent any issues in the future.

Please note that LivingSocial will never ask you directly for personal or account information in an email. We will always direct you to the LivingSocial website – and require you to login – before making any changes to your account. Please disregard any emails claiming to be from LivingSocial that request such information or direct you to a different website that asks for such information.

We are sorry this incident occurred, and we look forward to continuing to introduce you to new and exciting things to do in your community.

Sincerely,
Tim O’Shaughnessy, CEO

Irish websites attacked

A report on the BBC News website stated:

WordPress website targeted by hackers

WordPress users are advised to change their user names

WordPress has been attacked by a botnet of “tens of thousands” of individual computers since last week, according to server hosters Cloudflare and Hostgator.

The botnet targets WordPress users with the username “admin”, trying thousands of possible passwords.

The attack began a week after WordPress beefed up its security with an optional two-step authentication log-in option.

The site currently powers 64m websites read by 371m people each month.

According to survey website W3Techs, around 17% of the world’s websites are powered by WordPress.

“Here’s what I would recommend: If you still use ‘admin’ as a username on your blog, change it, use a strong password,” wrote WordPress founder Matt Mullenweg on his blog.

He also advised adopting two-step authentication, which involves a personalised “secret number” allocated to users in addition to a username and password, and ensuring that the latest version of WordPress is installed.

“Most other advice isn’t great – supposedly this botnet has more than 90,000 IP addresses, so an IP-limiting or login-throttling plugin isn’t going to be great (they could try from a different IP [address] a second for 24 hours),” Mr Mullenweg added.

Matthew Prince, Chief Executive and co-founder of Cloudflare, said that the aim of the attack may have been to build a stronger botnet.

“One of the concerns of an attack like this is that the attacker is using a relatively weak botnet of home PCs in order to build a much larger botnet of beefy servers in preparation for a future attack,” he wrote in a blog post.

“These larger machines can cause much more damage in DDoS [Distributed Denial of Service] attacks because the servers have large network connections and are capable of generating significant amounts of traffic,” he added.

Hi-tech crime terms

  • Bot – one of the individual computers in a botnet; bots are also called drones or zombies
  • Botnet – a network of hijacked home computers, typically controlled by a criminal gang
  • Malware – an abbreviation for malicious software, i.e. a virus, trojan or worm that infects a PC
  • DDoS (Distributed Denial of Service) – an attack that knocks out a computer by overwhelming it with data; thousands of PCs can take part, hence the “distributed”
  • Drive-by download – a virus or trojan that starts to install as soon as a user visits a particular website
  • IP address – the numerical identifier every machine connected to the net needs to ensure data goes to the right place.

Many Irish websites were attacked, and further information provided by Blacknight revealed that:

Last Tuesday they began to see high load on a small number of their shared hosting servers; upon investigation they saw the cause was an unusual number of login requests to the admin section of WordPress sites.

It quickly became obvious the scale of this attack was far greater than the usual attacks seen on self-hosted WordPress sites and was the work of a large botnet.

Our technical team work around the clock to ensure servers and services remain online and work as expected. While many hosting companies began reporting the attack and took action at a server level, including in some cases blocking access to wp-login, we worked to mitigate the issue at a network level. This was due mainly to the large number of servers involved.

The attack slowed down on occasions during the week and then increased again, with some characteristics changing to overcome the defence mechanisms that were put in place.
By Friday afternoon the attack was no longer growing and the number of new IPs we were seeing had reduced greatly; the attack continued to slow at the weekend.

So here are some numbers and statistics that we are happy to share.

Over the week our Engineering team recorded over 10 million login attempts originating from over 190,000 IPs; of those, we blocked 65,000 IPs from over 183 countries from our network during the attack.

Top 30 – blocked IPs by country

13866 : BR, Brazil
6313 : TR, Turkey
2909 : MX, Mexico
2419 : IN, India
2252 : PL, Poland
2171 : ID, Indonesia
1862 : VN, Vietnam
1795 : AR, Argentina
1751 : KR, Korea, Republic of
1568 : RS, Serbia
1431 : GR, Greece
1392 : PT, Portugal
1366 : FR, France
1319 : TH, Thailand
1281 : EG, Egypt
1185 : VE, Venezuela
1118 : MA, Morocco
1035 : DZ, Algeria
907 : RU, Russian Federation
873 : CL, Chile
801 : BA, Bosnia and Herzegovina
796 : UA, Ukraine
775 : SA, Saudi Arabia
769 : ES, Spain
754 : RO, Romania
752 : IT, Italy
728 : CO, Colombia
569 : MY, Malaysia
527 : PE, Peru
475 : US, United States
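The mechanism described in the “Little and Large Websites Attacked” post above (a valid user name submitted with millions of invalid passwords) and the point made here by Mullenweg and Blacknight (tens of thousands of source addresses, so counting failures per IP is not enough) can both be illustrated from the defender’s side with a small log-analysis script. This is an added example, not code from Irish Web Design, Blacknight, Cloudflare or WordPress. It assumes a constructed login-failure log format (ISO timestamp, `ip=` source, `user=` target) and invented documentation-range addresses; real login-logging plugins write other formats, so the regular expression must be adapted to match.

```python
"""Detect a distributed password-guessing campaign against WordPress logins.

Added example (not code from Irish Web Design, Blacknight, Cloudflare or
WordPress). It assumes a login-failure log with one line per failed attempt
in the constructed format below: ISO timestamp, ip=<source>, user=<target>.
Real login-logging plugins write other formats; adapt LINE_RE accordingly.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real traffic: 24 failures against "admin"
# spread over 8 source addresses (3 attempts each, documentation range
# 203.0.113.0/24), plus one address hammering the "editor" account 6 times.
SAMPLE_LOG = "\n".join(
    f"2013-04-12T09:00:{i:02d} login-failed ip=203.0.113.{10 + i % 8} user=admin"
    for i in range(24)
) + "\n" + "\n".join(
    f"2013-04-12T09:05:{i:02d} login-failed ip=198.51.100.7 user=editor"
    for i in range(6)
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login-failed ip=(?P<ip>[\d.]+) user=(?P<user>\S+)$"
)


def parse(log_text):
    """Yield (timestamp, ip, user) for each line that matches LINE_RE."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["ip"], m["user"]


def analyse(log_text, window=timedelta(minutes=10),
            per_ip_limit=5, distinct_ip_threshold=5):
    """Summarise failed logins in the trailing `window` of the log.

    Returns a dict with:
      noisy_ips   - {ip: failures} for sources exceeding per_ip_limit; this is
                    what an IP-throttling plugin would catch.
      distributed - {user: stats} for accounts attacked from at least
                    distinct_ip_threshold different sources; stats include
                    max_per_ip so you can see whether any single source
                    would have tripped the per-IP limit at all.
    """
    events = sorted(parse(log_text))
    if not events:
        return {"noisy_ips": {}, "distributed": {}}
    start = events[-1][0] - window          # only the most recent window
    recent = [e for e in events if e[0] >= start]

    per_ip = defaultdict(int)
    ips_by_user = defaultdict(set)
    attempts_by_user = defaultdict(int)
    for _, ip, user in recent:
        per_ip[ip] += 1
        ips_by_user[user].add(ip)
        attempts_by_user[user] += 1

    noisy_ips = {ip: n for ip, n in per_ip.items() if n > per_ip_limit}
    distributed = {
        user: {
            "attempts": attempts_by_user[user],
            "distinct_ips": len(ips),
            "max_per_ip": max(per_ip[ip] for ip in ips),
        }
        for user, ips in ips_by_user.items()
        if len(ips) >= distinct_ip_threshold
    }
    return {"noisy_ips": noisy_ips, "distributed": distributed}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    print("Sources over the per-IP limit:", report["noisy_ips"])
    for user, stats in report["distributed"].items():
        print(f"Distributed guessing against '{user}': {stats['attempts']} attempts "
              f"from {stats['distinct_ips']} IPs, at most {stats['max_per_ip']} per IP")
```

Aggregating by target account rather than by source is the whole point: in the sample the “admin” campaign never exceeds three failures per address, so a per-IP throttle sees nothing, while the per-account view flags it immediately. The appropriate response is the one the page already gives: retire or rename the “admin” account, turn on the two-step login, and, for a hosting provider, filter wp-login traffic at the network edge as Blacknight describes rather than server by server.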
