Skype blog hacked(blogs.skype.com) |
If they had any sort of system access they would have defaced the entire subdomain or the main site. So most likely, this is nothing to worry about. Your account data is most likely still in safe hands.
Also, considering that their Twitter and Facebook accounts were also compromised, your assumption that it was the blog itself that was compromised is a big one. I don't have any first-hand knowledge on that though personally, I'm just saying.
So it looks like Skype doesn't host on its own server. It looks like this is wordpress.com but with a custom domain?
curl http://blogs.skype.com -v
< X-hacker: If you're reading this, you should visit automattic.com/jobs and apply to join the fun, mention this header.
EDIT: Okay, it is.
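The comment above identifies the hosting platform from a response header that `curl -v` prints. The following is an added example, not code from the thread, showing how a site owner can run the same check over a captured response head to see which platform indicators their own blog leaks. The only indicator taken from the thread is the `X-hacker` header that Automattic servers return; the `Server` header and the `Link: ...; rel=shortlink` header that WordPress emits are this example's own assumptions, and the sample response is constructed, not real traffic.

```python
"""Fingerprint a blog's hosting platform from a raw HTTP response head.

Added example (not from the thread). Run it offline on a response head
captured with `curl -v` or `curl -I`; the sample below is constructed.
"""
from typing import Dict, List, Tuple

# Constructed sample response head (status line + headers), modelled on
# what `curl -v` prints after the '<' markers. Not real traffic.
SAMPLE_RESPONSE_HEAD = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Link: <http://wp.me/PLACEHOLDER>; rel=shortlink\r\n"
    "X-hacker: If you're reading this, you should visit automattic.com/jobs "
    "and apply to join the fun, mention this header.\r\n"
    "\r\n"
)


def parse_response_head(raw_head: str) -> Tuple[int, Dict[str, List[str]]]:
    """Parse a raw HTTP response head into (status_code, header_map).

    Header names are lower-cased so lookups are case-insensitive; a header
    that appears more than once (common for Link and Set-Cookie) keeps every
    value in a list. Malformed header lines are skipped rather than fatal,
    but a head that does not start with a status line is rejected.
    """
    lines = raw_head.replace("\r\n", "\n").split("\n")
    status_line = lines[0]
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP response head: %r" % status_line)
    status_code = int(parts[1])

    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if line == "":
            break  # blank line ends the header block
        if ":" not in line:
            continue  # skip malformed line instead of crashing the audit
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status_code, headers


def fingerprint_hosting(headers: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (indicator, evidence) pairs for platform signals in the headers.

    Signals checked:
      - X-hacker mentioning automattic.com: the wordpress.com recruiting header
        quoted in the thread (strong signal for Automattic-hosted blogs).
      - Link header with rel=shortlink: emitted by WordPress installs
        (assumption in this example, not stated in the thread).
      - Server header: reported verbatim, since it is informational only.
    """
    findings: List[Tuple[str, str]] = []
    for value in headers.get("x-hacker", []):
        if "automattic.com" in value.lower():
            findings.append(("wordpress.com (Automattic)", "X-hacker: " + value))
    for value in headers.get("link", []):
        if "rel=shortlink" in value.replace('"', "").replace(" ", ""):
            findings.append(("WordPress shortlink header", "Link: " + value))
    for value in headers.get("server", []):
        findings.append(("Server header", "Server: " + value))
    return findings


def audit(raw_head: str) -> List[Tuple[str, str]]:
    """Parse a captured response head and return its platform indicators."""
    _status, headers = parse_response_head(raw_head)
    return fingerprint_hosting(headers)


if __name__ == "__main__":
    for indicator, evidence in audit(SAMPLE_RESPONSE_HEAD):
        print("%-32s %s" % (indicator, evidence))
```

The point of separating parsing from fingerprinting is that the same header map can be fed to other checks (missing security headers, cookie flags) without re-parsing, and that a platform decision rests on the specific `X-hacker` text rather than on the generic `Server` value, which many hosts share.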
New to wpscan. When it says plugins found, are these the vulnerable plugins wordpress.com is running?
https://gist.github.com/yeukhon/8211580
And I found the username 7 pretty interesting.... wonder if I am actually doing the ethical thing here :(
Just did it on another blog.wordpress.com. How come? On Skype's blog I can access /author/7 or /author/ian but I can't do it on another blog, I get "Oops".
Direct link to the snapshot of the hacked site: http://mraka.eu/snapshot/img/2014/01/01/e0d8888c73483275afea...
Snapshot archive of twitter account: http://mraka.eu/snapshot/v/twitter.com
Direct link to the first tweet snapshot: http://mraka.eu/snapshot/img/2014/01/01/1d6269aa8371ce676587...
Direct link to the first retweet snapshot: http://mraka.eu/snapshot/img/2014/01/01/a0f4c0947281bb0fb19d...
Seems a strange message to send to a country that spies on its own citizens (and where apparently the citizens are unable to prevent their own government from doing it to them).
But I fully support the message here, I think that spying inside of consumer products is a sign of the abuse of power and monopoly.
Screenshot here: https://twitter.com/MikeElgan/status/418482819611230208
How is MS more evil than anyone else?
EDIT: This really seems like an interesting question: _are_ there any advantages an attacker would have with skype's centralized system that they wouldn't with their previous p2p system? From what we've seen so far, I think the differences (from an attacker's perspective) are trivial.
Simply put, because of their market share, their evil has a bigger impact than other companies' evil.
Footnote: One is always completely free to decide if evil with more market share than other evils is more evil.
http://en.support.wordpress.com/security/two-step-authentica...
There are also tons of available security plugins & pretty extensive documentation on hardening a self-hosted install:
http://wordpress.org/plugins/tags/security
http://codex.wordpress.org/Hardening_WordPress
But hey, what do I know? ¯\_(ツ)_/¯ Only the tip of the iceberg. Some men believe.
Though also in my opinion even having a web-based file editor is pretty terrible...
WordPress isn't that insecure. A lot of third-party (i.e. written by inexperienced developers) plugins for it are, though.
It is 2014, you better prepare a good PR response for when you get breached OR start implementing stronger authentication ASAP.
Saying recent here isn't logical, because after patching the incident, it's not an incident anymore. But I guess you mean how secure you are with a recent version of Wordpress. I think this is a tough question, because Wordpress relies to a high degree on external components and plugins. There is probably no single pure Wordpress blog, because the original Wordpress archive already relies heavily on external dependencies. That's where many of the issues were found, as correctly pointed out by wyck. However, with this reliance on external code, without a Wordpress team or at least software that evaluates code quality or any other metric, you can't be secure. Yeah, we can argue with: "But Wordpress is n-times more popular than X." However, it still makes WP very vulnerable to attacks. I've cleaned and recovered some hacked commercial WP blogs and shops myself (not installed by me, but by the previous dev). So whatever you believe WP may be, just get over it. There are so many other open-source alternatives that wait for you to be tried out.
Here's a proper solution to secure your account: http://wordpress.org/plugins/google-authenticator/
Without exaggerating, I've downloaded almost every CMS on GitHub and Bitbucket and SourceForge and I'm almost done with testing all of them. I think about 15 remain. With all honesty, I cannot say that I'm impressed with any CMS so far. There is just one thing that stood out, with its concept, but it's still only alpha-grade quality, that's: http://parsimony.mobi/
If you're curious what I ended up with, just ping me and I'll share my results, after I've really compared all CMS with each other. Currently I would say that there are about ~10 good quality CMS, with hundreds of miserably coded ones. That is a good benchmark for how good developers are in the real world, I mean there is only so much space at the top of the iceberg. Not everybody can excel with every project they start (well, except people like Fabrice Bellard).
I've not compared Typo3, Alfresco and other enterprise CMS, because even when they come with all features loaded, they suck at code complexity and user friendliness.
You can't tell me that Wordpress is the only blogging platform that fits all of your requirements, because there are thousands of CMS out there and you'll spend weeks testing all of them.