Thoughts On Security

Security is in a constant evolving state and keeping up with the various changes can be heard. As my journey continues in the security industry, I will share thoughts and opinions based on personal experiences. Thoughts are mostly around website security, sprinkled with general security concepts as well, but all tailored to the everyday enduser.

Impacts of the LastPass Hack

Published in Security on June 16, 2015

This week was a particularly tough week for those that depend and promote the use of password managers. Unfortunately, not because of the compromise itself, but because of the loss of faith in such technologies that it undoubtedly introduced into the market. The sad reality is that the only reason it’s news is for no other reason than the fact it was a very popular service – LastPass – and had the words compromise and hack in the title.

Yes – LastPass was Compromised

The impacts however are not as severe, all things considered, as it might appear at face value.

YoastCon: The State Of WordPress Security

Published in Security on June 9, 2015

Almost five years ago, Joost started the company Yoast, offering website reviews and free plugins. Yoast’s core business was, and is, sharing knowledge and making it easier to create usable websites. Five years later Yoast has turned into one of the biggest WordPress plugin providers with 21 employees (and counting)!

To celebrate reaching five years, awesome growth, and much success, Yoast celebrated with a conference: YoastCon!

The conference was held in de Lindenberg in Nijmegen, with myself, Chris Lema, Marcus Tandler, Karl Gilis, and Joost de Valk speaking, and Marieke van de Rakt, Thijs de Valk, and Taco Verdonschot giving workshops.

The State of WordPress Security

My talk was on the current state of WordPress security. There is no denying that WordPress, powering over 23.5% of the top websites in the world, has become the platform of choice for bloggers and businesses alike.

With this fame however, WordPress has become a target, making it the top targeted platform on the web by malicious actors with ill intent.

The Dynamic and Complicated Online Threats

Published in Security on June 1, 2015

This May I was thrilled to travel to Prague, Czech Republic as a keynote speaker for J And Beyond 2015, An International Joomla Conference to deliver the talk The Dynamic and Complicated Online Threats (Challenges Website Owners Face). I was also thrilled to have my company, Sucuri, sponsor the event.

After investing the better part of five years analyzing and assessing the state of security within the realm of websites, I travel the world engaging website owners in an effort to address the security challenges webmasters face today through education and awareness. The website landscape continues to evolve, affecting website owners around the world. We have to take a minute to look at the website landscape, appreciate the nuances that the end-users are struggling with and look forward at what the future holds for us.

The purpose of the talk is a high level orientation of the existing threat landscape affecting all website-owners, especially those leveraging CMS applications like Joomla!

Check out the video of my presentation below:

Website Access Control and Security

Published in Security on January 23, 2015

Website security has become a hot bed over the past few years. More and more companies are joining the game in hopes of capitalizing on what they perceive to be huge opportunities. The one vector that seems to be all the rave is Access Control.

When I talk to access control, I specifically talk to mechanisms in place to restrict access to a resource. Think how you connect to your website. Are you using WordPress, Joomla, Magento or some vBulletin? Maybe it’s a custom PHP, HTML, ASP website?

Regardless of the platform, you have some form of access vector you employ daily.

If you’re a WordPress user, you’re likely leveraging /wp-admin. If you’re on Joomla, you’re using /administrator, and so on and so on — each platform providing its own means for connection. Access vectors don’t stop there. They extend well beyond the application itself. Think about things like File Transfer Protocol (FTP), Secure File Transfer Protocol (SFTP) and Secure Shell (SSH). These are transfer protocols that are still part of your website access vectors.

This can be extended further when you think about things like your hosting panels and database log in panels, additional forms of access vectors. But now we start diving into a very deep rabbit hole.

Updating Permalinks in Ghost

Published in Security on December 8, 2014

When I think about blogging, there is perhaps no more important feature or concern than impacts to SEO. It’s perhaps one of the biggest concerns many will likely experience when performing a migration to the Ghost blogging platform.

I recently migrated my personal blogs to this platform and share some insights into the installation process in case you want to give it a go.

As you might expect, it’s had it’s up’s and down’s, much like when I first got started with WordPress. Needless to say, I’ve been making my way through it over the past few days. I’ve learned a number of things, and one such thing pertains to permalinks.

Install Ghost .5 on CentOS 7 w/NGINX

Published in Security on December 6, 2014

I recently wrote of the migration from WordPress to Ghost. In this post I want to share with you the installation workflow I used. I plan to go cradle to grave through the process.

I’ve tested it a number times, and it works every time, so even if you’re a novice you should be able to get it going. Just follow the steps:

Assumption: You have a clean install of Centos 7.0. For my scenario I’m using a droplet from Digital Ocean. What’s really awesome is that Digital Ocean actually provides a preconfigured Droplet for those that want to leverage Ghost. I believe it’s built on Ubuntu. I personally prefer Centos.

Ghost: Blogging For The Future

Published in Security on December 5, 2014

It’s only been recently that I have come to the realization that I fit into the blogger category. In doing so, I have started to place more emphasis on the technologies I’m employing to get my work done.

Ghost: Just a Blogging Platform

For the better part of 5 years I have been an adamant WordPress user. Not sure if you would say I was a power user, but I definitely employed it in my day to day activities, whether at work or at home. In that time frame I have witnessed the evolution of the platform.

Website Security and Auto-Updates

Published in Security on November 27, 2014

If we could only auto-update our applications when vulnerabilities are identified, then we’d surely be safe… that seems to be today’s mindset. To a certain extent, that’s true, but it’s also false.

The idea of auto-updates is not new, it’s been around for a while. It’s all the rave as of late when we talk about websites. It only makes sense, if you know that the weakest link in the chain is the end-user (whom for whatever reason is unable to update) then remove the weakest link, and remove the choice.

The Challenges of Auto Updates in Website Security

There are however a few challenges that come to mind when I think about Auto-Updates, specifically how they relate to Website Security:

Does little against Unknowns
Introduces an unmanageable access point
Goes against best practices
Requires applications to write to itself

How Hosts Manage Your Website Security

Published in Security on November 7, 2014

Hosts are concerned with the security of their infrastructure, not with your website.

This is a distinction that most website owners fail to make, and it’s made more evident to me every day. This same misunderstanding however puts hosts in a precarious situation where clients expect security, and to some extent get it, but on the other it’s not the type that matters nor will it address today’s challenges. This is all compounded by the economics that drives the hosting ecosystem.

I should probably clarify however that this is probably not a blanket statement for hosts. But for a majority of today’s Shared hosts that deal specifically with end-user websites, it’s very much the case.

Website Security is about Passwords?

Published in Security on October 30, 2014

Perhaps the thing that annoys me the most when I hear security being shared with end users is when they get the information wrong or overemphasis on things they don’t understand or can’t support. This is the problem in the way we communicate, especially in the WordPress community. This is applicable to all communities though, regardless of platform.

To be clear, in case the title was misleading, this sentiment is wrong and we should do a better job at communicating security.

It All Lies Within the World of Passwords

Most of the nonsense I hear around this comes from folks with a very small perspective into the world of security, and as of late seems to stem from the access control guys (those that are fighting the password game).

How We Think About Website Security

Published in Security on October 30, 2014

I recently attended WordCamp San Francisco (WCSF) where Matt Mullenweg, founder of the WordPress project and CEO of Automattic, gave his annual State of the Word.

WordCamps are informal, community-organized events that are put together by WordPress users like you. Everyone from casual users to core developers participate, share ideas, and get to know each other.

WordCamp Central

As I sat there and listened to the various accomplishments the platform had achieved, one common theme continued to pop in my head around security. It’s a theme that plagues all platforms, not just WordPress. It’s something that my business partner and I struggle with on a daily basis — it’s the biggest vulnerability every website and CMS faces, it’s users.

WordCamp Europe 2014: WordPress Security Starts With Posture

Published in Security on October 16, 2014

Recently I spoke at WordCamp Europe 2014 on the topic WordPress Security — It Starts With Posture. The threats website owners face today range in scale and complexity — from large DDOS attacks leveraging WordPress core functionality, to vulnerabilities found in some of the largest plugins in the ecosystem.

The Security dilemma is not shrinking, it’s getting bigger.

Today more than ever, it’s important we take the time to educate and bring awareness to the things everyday website owners can do to improve their over security posture.

Web security is not a turn of a knob, or click of an option, it’s about state of mind — it’s about good posture.

Check out the video of my presentation:

Watch The Video

Accounting for Security in Website Projects

Published in Security on October 5, 2014

Many know very little about me, my past what I used to do, most just know me for my time in security. There was a time though that I spent as Project / Program Manager for a couple different organizations. I even dabbled in a WordPress centric design / development shop called CubicTwo in early 2010.

The scale of the projects and programs I was involved in ranged from $50,000 to over $6,000,000 (multiple at any given time) and varied in complexity (these weren’t simple websites, they were enterprise level systems). While different in size and scale, they did hold similarities to what most website projects today look like, just at a very different level. I fortunately had the luxury that my stakeholders didn’t require any education on the importance of security, being they were municipalities or government entities, the security discussion was a lot easier.

This however is not the case for everyday website projects, and worth taking some time to discuss.

What’s wrong with your pa$$w0rd?

Published in Security on September 5, 2014

The discussion on access control seems to be common place these days with the latest revelations news. Found this video on some research Lorrie Faith Cranor is doing on the subject very interesting and insightful.

Importance of Updates in Website Security: WordPress, Joomla, Drupal and CMS’s

Published in Security on August 17, 2014

In my recent post talking to the dilemma that is WordPress Security, there seemed to be some confusion as to my position on updates. Allow me a moment to provide clarity on the subject, yes, updates are very important.

My previous statements are specific to the importance level of updates, it was designed to foster a very different type of conversation than one you would have with an everyday website owner. An everyday website owner doesn’t care about the nuisances or philosophical arguments that occur at higher echelons of a specific domain their concern is what affects them right now.

For the everyday website owner, along with a variety of other best-practices, you should be applying updates as they become available. This post is more specific to you and your needs and what you must understand about the world that is Updates.

The Dilemma that is WordPress Security

Published in Security on August 9, 2014

The past few weeks WordPress Security has come to the forefront of the discussion again, as it often does every few months. As is often the case, it’s highly emotional and generates a lot of discussion. Chris Lema shared a post, Our discussions around WordPress security should change, and that sparked some interesting conversations.

He’s absolutely right, it should.

What many fail to realize within the community however is that the crux of the problem goes beyond Access Control and Software Vulnerabilities. The problem is the end-user, the website owner, the grandma turned website owner, the full-time mommy turned SEO expert, and the message that is pushed from top down through the various niches / factions of clicks within the community.

The irony of it all is that it revolves around the concept that made WordPress so popular — it’s ease of use.

WordCamp Chicago 2014: WordPress Security Is All About the Basics

Published in Security on July 2, 2014

Recently I had the opportunity to share my insights from the past five years working at Sucuri at WordCamp Chicago 2014 held at the University Center in downtown Chicago.

My talk, WordPress Security: It’s All About the Basics, focused on experiences with end-user security issues and threats in the web security industry.

With the goal of greater awareness of security issues for website owners, I share information about the latest security threats and trends, what to watch out for and be careful of, and as always some (hopefully valuable) takeaways and recommendations for the future.

Check out the video of my presentation:

Watch The Video

Explaining XSS and CSRF By Google

Published in Security on June 25, 2014

Came across this video earlier today and found it very informative — explaining the difference between XSS and CSRF (XSRF). I find that most people rarely understand or differentiate between the two so hopefully this video helps. It’s laid out in a very clear way.

WordCamp Philly 2014: The Key to WordPress Security Is Awareness

Published in Security on June 12, 2014

This past weekend, I had the opportunity to speak about WordPress Security at WordCamp Philly 2014 as part of the Power User Track.

It’s critical to understand that the key to website security is awareness — and that is exactly what we achieve in this talk.

Getting down to the basics and sharing insight that very few can share through the experiences we have ascertained at Sucuri. The latest threats and trends will be shared, and of course, some good, hardening takeaways and recommendations.

Checkout the video of my presentation:

Watch The Video

Secure Your Traffic on Public WiFi

Published in Security on May 5, 2014

Often when I give talks on website security one of the various discussion points is, and rightfully so, around your individual posture when interacting on the web. This often means being aware of things like transferring your data insecurely over the web.

This insecure act is often achieved through the use public WifI access points (i.e., Starbucks, Airports, Hotels, etc.). The most obvious solution, or what feels like the most obvious is to work off a Virtual Private Network (VPN). When talking to a Network / Systems / Security individual this is the obvious choice, but to the everyday consumer it’s not.