Do you run your website on WordPress? Have you checked the integrity of your core install lately for SPAM like “Google Pharmacy” stores or other fake stores? We have been tracking and analyzing a growing trend in SEO Spam (a.k.a., Search Engine Poisoning (SEP)) attacks in which thousands of compromised WordPress websites are being used […]
Archive | Security
RSS feed for this sectionDisclosure: Remote Code Execution Vuln in Disqus
We recently found a security vulnerability in the Disqus Comment System plugin for WordPress. It could, under very specific conditions, allow an attacker to perform arbitrary remote code execution (RCE). In other words, an attacker can do anything he wants with a vulnerable website. While the flaw itself is very dangerous, it may only be […]
Case Study: Complexities of “simple” malware
You know when you pull a string on a sweater and it just keeps going and going? You wonder when or if it will ever stop? From time to time, that’s how malware can feel. Even if you’re not a website security expert, it’s important to understand just how complicated hackers are willing to make […]
Q&A with Ryan Lackey
Lackey being hoisted onto Sealand in the North Sea circa 2000 How did you get into computer security? I started using the Internet when I was young—in the early 1990s, before I was a teenager. I was drawn to security for two main reasons: First, I was interested in how individuals could stand up to […]
CloudFlare Acquires CryptoSeal
We’re excited to announce that CloudFlare has acquired the Trusted Computing and virtual private network (VPN) as a service company CryptoSeal. CryptoSeal was founded by Ryan Lackey, a well-known engineer in the security community whom we’ve admired for some time. The company was funded by Y Combinator and angel investors from the security community. At […]
Is my website hacked? If you have to ask then, “Yes.”
The problem with phishing, and therefore the reason so many people have trouble with it, is that the code is fairly benign and can be very difficult to spot because it usually looks almost exactly like legitimate code. Oftentimes, a website owner won’t know their site is hacked with a phishing scam until site visitors […]
Naming Project Galileo
What’s in a Name Earlier today, CloudFlare announced Project Galileo to protect free speech on the Web by using its sophisticated anti-DDoS resources. Seventeen (at last count) free speech, public interest, and civil society organizations are helping us identify at-risk, in-need websites for the Project. If one these websites comes under attack, CloudFlare will make […]
CloudProxy + SPDY = A Faster Website
Our CloudProxy Firewall already protects and speeds load times for 1,000′s of websites. Now, it’ll be even faster. We’re happy to announce that we just added support for SPDY (pronounced speedy) across all of our plans and servers. Any website being protected by our CloudProxy firewall can enable SPDY support with just one click: If […]
Serious Cross Site Scripting Vulnerability in TweetDeck – Twitter
This morning as I was logging into various social networks I was presented with a popup with “XSS on Tweet Deck.” This obviously set every hair on my neck on fire, it’s obviously not the normal welcome screen. After some investigation, I found a tweet from one account that I follow that had the following […]
WordPress Plugin Alert — LoginWall Imposter Exposed
When you work with malware for a while, you start to become very good at pattern recognition. A couple sites in every hundred cleaned might be infected in a similar way and remembering the initial problem helps to quickly solve the problem for the current site. You might not know exactly why something seems fishy […]