3 places security vulnerabilities are hiding now

When it comes to plugging security vulnerabilities, IT departments have their work cut out for them. Hackers are always looking for new ways to launch attacks on companies.

Here are three areas that many organizations neglect but that often contain the security vulnerabilities attackers are going after now:

WordPress plugins

Organizations have a lot of tools available to help make building and maintaining a website easier than ever. One of the most popular options is the content management system WordPress, which is used on more than 60 million sites.

One of the strengths of the platform is the availability of plugins that can enhance the software’s basic functionality. Currently, developers can create and upload their own extensions and make them available to all users.

But the big downside with that model: There are no requirements for security that developers must follow. The end result is that many of the available extensions contain serious security vulnerabilities, according to a recent report from Checkmarx.

In fact, 10 of the 50 most popular plugins are vulnerable to attacks such as SQL injection, cross-site scripting and path traversal.

Furthermore, seven of the 10 most popular e-commerce plugins contain security vulnerabilities, researchers said. Those flaws could allow attackers to steal sensitive data from a company or its customers, or hijack the company’s site and use it to spread malware or conduct other attacks.

What should companies do about it? While many of the flaws exist due to a lack of standards for plugin developers, organizations can protect themselves by testing their sites for flaws and making sure all plugins are kept up to date so that security vulnerabilities are patched.

In addition, web admins should make sure they only download plugins from reputable sources and that they remove all plugins that are no longer used.
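The two housekeeping steps above (remove unused plugins, update the rest) can be checked mechanically from a plugin inventory. The script below is an added example, not code from the article or from WordPress; it assumes the inventory is the JSON printed by the WP-CLI command `wp plugin list --format=json` (fields name, status, version, update), and the plugin names and versions in the sample inventory are constructed for the example.

```python
"""Audit a WordPress plugin inventory for the two hygiene problems the
article names: plugins that are installed but unused (remove them) and
plugins with a pending update (patch them).  Input is the JSON that
`wp plugin list --format=json` prints; the field names used here (name,
status, version, update) are the WP-CLI ones and are an assumption of
this example.  Added example, not part of the original article."""
import json
import sys

# Constructed sample inventory in the shape `wp plugin list --format=json`
# emits; plugin names and versions are made up for this example.
SAMPLE_INVENTORY = json.dumps([
    {"name": "akismet",      "status": "active",   "update": "none",      "version": "5.3"},
    {"name": "hello",        "status": "inactive", "update": "none",      "version": "1.7.2"},
    {"name": "example-shop", "status": "active",   "update": "available", "version": "2.0.1"},
    {"name": "old-gallery",  "status": "inactive", "update": "available", "version": "0.9"},
])


def audit_plugins(inventory_json):
    """Return {'remove': [...], 'update': [...]} from a WP-CLI JSON listing.

    Inactive plugins go on the removal list: their files stay on disk and
    are still served by the web server even though nobody uses them, so
    any flaw in them remains exposed.  Active plugins with an update
    available go on the update list.  An inactive plugin that also has an
    update is listed only under 'remove', since there is no point patching
    something that should be deleted.
    """
    plugins = json.loads(inventory_json)
    findings = {"remove": [], "update": []}
    for plugin in plugins:
        name = plugin["name"]
        if plugin.get("status") == "inactive":
            findings["remove"].append(name)
        elif plugin.get("update") == "available":
            findings["update"].append(name)
    return findings


def remediation_commands(findings):
    """Translate findings into the WP-CLI commands an admin would run."""
    cmds = [f"wp plugin delete {name}" for name in findings["remove"]]
    cmds += [f"wp plugin update {name}" for name in findings["update"]]
    return cmds


if __name__ == "__main__":
    # Pipe real output in: wp plugin list --format=json | python audit_plugins.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else ""
    if not raw.strip():
        raw = SAMPLE_INVENTORY  # fall back to the constructed sample
    for cmd in remediation_commands(audit_plugins(raw)):
        print(cmd)
```

Run it against a live site with `wp plugin list --format=json | python audit_plugins.py`; with no input it audits the constructed sample. The output is a list of `wp plugin delete` and `wp plugin update` commands for an admin to review before running, which keeps the script itself read-only.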

Mobile Bluetooth connections

We’ve written a lot about mobile malware — especially Android viruses — that gets onto devices because it’s disguised as a legitimate app and downloaded by users. However, as mobile attacks become more sophisticated, hackers are also finding other ways to get their malware onto devices.

In one example, hackers moved beyond sneaking viruses into an official app store or offering the malware for download elsewhere and created an entire fake app store designed to look like the Google Play market and hosting the malicious apps there.

Later, researchers discovered a scam in which hackers sent phishing emails with a malicious .apk file — the file type used for Android apps — attached.

And now, experts at Kaspersky Lab have found a new Trojan that can exploit Android security vulnerabilities to send text messages to premium rate numbers, download malware to a device, and collect and transmit sensitive data from the phone — as well as infect other Android devices via Bluetooth.

In addition to a number of techniques used to conceal the malware, Kaspersky researchers said the Trojan can spread itself by downloading a copy of the file from a central server, scanning for nearby Bluetooth-enabled devices and attempting to send the file to them.

That’s another reason organizations might turn off Bluetooth discoverable mode for company-issued devices, and include a rule in their BYOD policy that the feature must be disabled for personal devices.

USB ports

While a lot of malware these days is spread by compromising legitimate websites, there’s also been a rapid increase in viruses spread via another method: infected USB drives.

In the first quarter of 2013, McAfee discovered more than 1.7 million samples of malware that exploit computers’ USB autorun feature to install themselves on victims’ machines.

That was a significant increase over the 1.3 million samples found in the last quarter of 2012, and nearly three times the 600,000 examples that were discovered a year ago, according to a recent report from the security firm.

Despite those numbers, USB autorun malware isn’t exactly new. Even back in 2011, a study from Sophos found that two-thirds of a random sample of lost and recovered USB drives contained malware. However, the continuing increase shows that individuals and businesses aren’t doing much to protect themselves.

IT can help prevent attacks by keeping antivirus software up to date and making sure AutoRun is disabled on Windows machines. USB malware often exploits that feature to launch a virus without requiring any action from the user other than plugging the drive in.
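Whether AutoRun is actually disabled on a Windows machine comes down to one policy value, NoDriveTypeAutoRun, under the Explorer policies key: each set bit disables AutoRun for one drive type, and 0xFF disables it for all of them (the "Turn off AutoPlay" Group Policy setting writes the same value). The script below is an added example, not from the article or from Microsoft, that decodes that value and reports which drive types would still run AutoRun; reading the live value uses Python's standard winreg module and so only works on Windows, and the 0x91 default it falls back to elsewhere is the documented default for recent Windows versions.

```python
"""Audit the Windows AutoRun policy value the article says IT should check.

NoDriveTypeAutoRun is a DWORD under the Explorer policies key; a set bit
disables AutoRun for that drive type, so 0xFF disables it everywhere.
The bit-to-drive-type mapping below is Microsoft's documented one.
Added example, not part of the original article."""

POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
VALUE_NAME = "NoDriveTypeAutoRun"
HARDENED = 0xFF          # disable AutoRun for every drive type
WINDOWS_DEFAULT = 0x91   # documented default: only unknown and network drives disabled

# Bit -> drive type that bit disables when set (GetDriveType() categories).
DRIVE_BITS = [
    (0x01, "unknown"),
    (0x04, "removable (USB sticks, floppies)"),
    (0x08, "fixed"),
    (0x10, "network"),
    (0x20, "CD-ROM"),
    (0x40, "RAM disk"),
    (0x80, "reserved/unknown"),
]


def drives_still_autorunning(value):
    """Drive types for which AutoRun remains enabled under `value`."""
    return [name for bit, name in DRIVE_BITS if not value & bit]


def is_hardened(value):
    """True when every drive-type bit is set, i.e. AutoRun is fully off."""
    return value & HARDENED == HARDENED


def read_live_value():
    """Read NoDriveTypeAutoRun from HKLM.

    Returns None when not on Windows or when the value is not set (an
    unset policy value means the built-in default applies).
    """
    try:
        import winreg  # only available on Windows
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
            value, _value_type = winreg.QueryValueEx(key, VALUE_NAME)
            return int(value)
    except OSError:
        return None


def report(value):
    """Human-readable audit result for a NoDriveTypeAutoRun value."""
    lines = [f"{VALUE_NAME} = 0x{value:02X}"]
    if is_hardened(value):
        lines.append("AutoRun is disabled for all drive types.")
    else:
        lines.append("AutoRun still enabled for: "
                     + ", ".join(drives_still_autorunning(value)))
        lines.append(f"Remediate: set HKLM\\{POLICY_KEY}\\{VALUE_NAME} "
                     f"(REG_DWORD) to 0x{HARDENED:X}")
    return "\n".join(lines)


if __name__ == "__main__":
    live = read_live_value()
    if live is None:
        print(f"(policy value not readable here; assuming default 0x{WINDOWS_DEFAULT:X})")
    print(report(live if live is not None else WINDOWS_DEFAULT))
```

On a machine with the default 0x91 the report lists removable, fixed, CD-ROM and RAM-disk drives as still autorunning, which is exactly the USB-stick case the article describes; only 0xFF clears the list. The script only reads the registry, so it can be run as an audit from endpoint management tooling before the policy is pushed out.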