Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:03 PM

Tumblr Hack: 4 Security Reminders For SMBs

Following GNAA's defacing of several thousand Tumblr blogs, take these security reminders to heart -- especially if you use popular publishing platforms.

 9 Ways Skype Professional Network Helps SMBs
9 Ways Skype Professional Network Helps SMBs
(click image for larger view and for slideshow)
The ease and speed with which anyone with anyone can create a website these days can be a great thing, especially for smaller businesses short on resources or technical know-how. Unfortunately, those same benefits double as security risks.

That was on display Monday when the online troll group GNAA compromised the popular blogging platform Tumblr. Several thousand affected sites were taken over by a page that, to put it mildly, was not safe for work. Tumblr acknowledged the breach on Twitter. It announced later in the day that the problem, which Tumblr said affected "a few thousand" accounts, had been resolved.

"We quickly identified the source, removed the posts, and restored service to normal," the company said on its own Tumblr blog. "No accounts have been compromised, and you don't need to take any further action."

[ Cybercrooks don't necessarily just follow the money. Read more at How Cybercriminals Choose Their Targets. ]

The security firm Sophos attributed the breach to a fast-spreading worm. Any Tumblr users who visited an infected site while logged in immediately and unknowingly re-blogged the worm. In essence, the worm made use of one of the features that has made Tumblr a hit: the ease with which users can share and re-share content.

That's among the reasons Tumblr makes an attractive target for hackers, trolls, and the like: Plenty of people -- to the tune of 170 million -- love it. That also means plenty of SMBs use it for marketing, customer service, microsites, or even as a full-blown Web presence. The same can be said of other low-cost, easy-to-use publishing platforms such as WordPress, Blogger, and others.

Whether you use Tumblr or not, here are four timely website security reminders.

1. Check your code.

Most website security problems start with the underlying source code. That appears to be the case in Monday's breach, according to Sophos' technical breakdown of the Tumblr worm. Code vulnerabilities can lead to malware, SQL injections, and other security exploits. Whether you write your own code, use someone else's, or manage a combination of both, don't simply trust that it's all safe and secure.

Give your code a regular checkup. Start with your Internet service provider or website host; ask what vulnerability testing and monitoring services they provide. It's possible such services are included as part of your existing agreement. If not, there are loads of security vendors out there who would be glad to take care of this for you, often in automated behind-the scenes fashion -- so long as you can pay their asking price.

For SMBs on a small budget -- or a nonexistent one -- there are free tools out there that can help. Netsparker offers a free community edition of its Web application security software, for example, that scans for SQL injections. (It also offers a free trial of its more robust paid edition.) Google's Webmaster Tools also offers site checkups for malware and other potential problems, as well as help with remediating known problems. The latter is a must to ensure your site stays off Google and browser blacklists in the wake of an incident.

2. Stay current on software.

Just as you stay on top of Windows updates, Adobe patches, Web browser versions, and other important downloads, you should stay current with any website publishing platforms you use. WordPress is a good example -- the wildly popular content management system regularly releases new versions, in part to fix security issues and other bugs. Yet 55% of WordPress sites are running an older version of the software. One reason that can cause problems: The release notes for new versions typically announce the security flaws in the previous versions -- something hackers can use to exploit sites that don't stay up to date.

3. Kill old sites.

Did you start that corporate blog with the best of intentions, only to let it languish in the great Internet desert of forgotten sites? Consider deleting it altogether unless you've got a good business reason to keep it up. "Dead" blogs and other mothballed websites make nice targets for hackers, since they're often running on outdated code or publishing platforms. (If you've stopped updating your blog, you've probably stopped updating its publishing tool, too.)

Even if the forgotten site doesn't necessarily provide a back door into more valuable targets, it can pose the risk of embarrassment and reputation harm -- such as attacks that plaster racist or obscene language across the page. You likewise don't want sites or pages associated with your business unwittingly hosting porn, malware, spambots, or other potentially damaging stuff.

Any Web application is inherently a threat vector, to use security industry lingo. There's no sense in maintaining threat vectors that no longer provide any business value. Eliminate unnecessary risks.

4. Use minor incidents to better defend against major ones.

Monday's security breach was somewhat embarrassing for Tumblr. It was certainly a disruption -- albeit a brief one -- for the several thousand affected sites. But the bottom-line impact was more akin to online vandalism than the types of security issues that lead to bank account losses and other lasting consequences. It wasn't the first incident of its kind; it won't be the last.

That's not to say you should take such cases lightly. Rather, use them as reminders to safeguard your valuable business assets. Assess and prioritize your security risks and act accordingly. Use common sense and good basic security practices, such as strong passwords. Don't be an easy mark for criminals, hacktivists, or people who wreak online havoc just because they can.

Small and midsize businesses are falling prey to cyberattacks that cost them sensitive data, productivity and corporate accounts cleaned out by sophisticated banking Trojans. SMBs are typically on the hook for these losses and lack effective means to prevent them. Our Small Businesses, Big Losses report explains what makes these threats so menacing and shares best practices to defend against them. (Free registration required.)

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.