Phishing scams are always bad news, and in light of the Google Drive scam that made the rounds again last week, we thought we’d tell the story of some spam that was delivered into my own inbox because even security researchers, with well though-out email block rules, still get SPAM in our inboxes from time […]
Vulnerability found in the All in One SEO Pack WordPress Plugin
The team behind the All in One SEO Pack just released a new version of their popular WordPress plugin. It is a security release patching two privilege escalation vulnerabilities we discovered earlier this week that may affect any web site running it. The risks If your site has subscribers, authors and non-admin users logging in […]
Analyzing a Malicious iFrame – Following the Eval Trail
Over the last week, we’ve been working with some interesting malware injections. Developers and malware prevention professionals usually think of hidden iframes that deliver spam-seo or other malware as easy to spot. Take this injection, for example (Thanks to Sucuri team member, Rafael C., for the sample): This is not a traditional iframe src=’http://… code, […]
CloudFlare Meetups: Set your mind on fire.
Education, expertise, and community: these themes define Meetups at CloudFlare. Meetups in our office bring together industry leaders, academics, and field experts to examine topics ranging from the Go programming language, to databases, to cryptography, and more. We’re creating a space for people interested in learning about, and hashing-out, specialized topics together; check out CloudFlare’s […]
Malicious Redirections to Porn Websites
The past week has brought about a large number of cases where compromised websites had hidden redirections to porn injected into their code. All the infections had a similar pattern where they only targeted mobile devices. They are highly conditional as well making it challenging for webmasters to detect. Lets take a minute to explain […]
Sucuri CloudProxy – Website Firewall Enhancements
When LA’s DA says that, “73% of our local businesses appear to have been hacked,” it begins to illustrate the importance website protection will play in the future of business, which is why we’ve placed so much emphasis on website protection on this blog over the last few months. Protection is no longer a, “nice […]
Desktop AVs and Website Security
Brian Dye tells the Wall Street Journal that antivirus tools like his company’s Norton suite are effectively “dead” because they catch less than half of all attacks, but from where we sit, that’s really just half the story. Does Brian mean that antivirus defenses–also know as “AV”– are useless? Probably not. Just like you should […]
Watch a Layer 7 DDOS Attack – WordPress Security
A few weeks back we reported on very large Layer 7 DDOS attacks within the WordPress ecosystem. Today we decided to provide you a little illustration of what that looks like. Remember, there is a big difference between Brute Force and Denial of Service attacks, this is specifically for a large DDOS attack involving 40k […]
Case Study: Analyzing the Origins of a DDoS Attack
Recently a client was experiencing a massive layer 7 DDOS attack, generating tens of thousands of random HTTP requests per second to the server. The architecture of the website included a cluster of three web servers responsible for handling all incoming traffic, which did little to alleviate the pressures brought about the attack. An interesting […]
Killing RC4: The Long Goodbye
At CloudFlare we spend a lot of time thinking about the best way to keep our customers’ data safe. Despite recent troubles, HTTPS is still the best way to deliver encrypted content for the web. As the threat landscape changes we try to keep up with best practices with respect to which cryptographic primitives we […]
