Thoughts On Security

Security is in a constant evolving state and keeping up with the various changes can be heard. As my journey continues in the security industry, I will share thoughts and opinions based on personal experiences. Thoughts are mostly around website security, sprinkled with general security concepts as well, but all tailored to the everyday enduser.

Website Security and Auto-Updates

Published in Security on November 27, 2014

If we could only auto-update our applications when vulnerabilities are identified, then we’d surely be safe… that seems to be today’s mindset. To a certain extent, that’s true, but it’s also false.

The idea of auto-updates is not new, it’s been around for a while. It’s all the rave as of late when we talk about websites. It only makes sense, if you know that the weakest link in the chain is the end-user (whom for whatever reason is unable to update) then remove the weakest link, and remove the choice.

The Challenges of Auto Updates in Website Security

There are however a few challenges that come to mind when I think about Auto-Updates, specifically how they relate to Website Security:

Does little against Unknowns
Introduces an unmanageable access point
Goes against best practices
Requires applications to write to itself

How Hosts Manage Your Website Security

Published in Security on November 7, 2014

Hosts are concerned with the security of their infrastructure, not with your website.

This is a distinction that most website owners fail to make, and it’s made more evident to me every day. This same misunderstanding however puts hosts in a precarious situation where clients expect security, and to some extent get it, but on the other it’s not the type that matters nor will it address today’s challenges. This is all compounded by the economics that drives the hosting ecosystem.

I should probably clarify however that this is probably not a blanket statement for hosts. But for a majority of today’s Shared hosts that deal specifically with end-user websites, it’s very much the case.

Website Security is about Passwords?

Published in Security on October 30, 2014

Perhaps the thing that annoys me the most when I hear security being shared with end users is when they get the information wrong or overemphasis on things they don’t understand or can’t support. This is the problem in the way we communicate, especially in the WordPress community. This is applicable to all communities though, regardless of platform.

To be clear, in case the title was misleading, this sentiment is wrong and we should do a better job at communicating security.

It All Lies Within the World of Passwords

Most of the nonsense I hear around this comes from folks with a very small perspective into the world of security, and as of late seems to stem from the access control guys (those that are fighting the password game).

How We Think About Website Security

Published in Security on October 30, 2014

I recently attended WordCamp San Francisco (WCSF) where Matt Mullenweg, founder of the WordPress project and CEO of Automattic, gave his annual State of the Word.

WordCamps are informal, community-organized events that are put together by WordPress users like you. Everyone from casual users to core developers participate, share ideas, and get to know each other.

WordCamp Central

As I sat there and listened to the various accomplishments the platform had achieved, one common theme continued to pop in my head around security. It’s a theme that plagues all platforms, not just WordPress. It’s something that my business partner and I struggle with on a daily basis — it’s the biggest vulnerability every website and CMS faces, it’s users.

WordCamp Europe 2014: WordPress Security Starts With Posture

Published in Security on October 16, 2014

Recently I spoke at WordCamp Europe 2014 on the topic WordPress Security — It Starts With Posture. The threats website owners face today range in scale and complexity — from large DDOS attacks leveraging WordPress core functionality, to vulnerabilities found in some of the largest plugins in the ecosystem.

The Security dilemma is not shrinking, it’s getting bigger.

Today more than ever, it’s important we take the time to educate and bring awareness to the things everyday website owners can do to improve their over security posture.

Web security is not a turn of a knob, or click of an option, it’s about state of mind — it’s about good posture.

Check out the video of my presentation:

Watch The Video

Accounting for Security in Website Projects

Published in Security on October 5, 2014

Many know very little about me, my past what I used to do, most just know me for my time in security. There was a time though that I spent as Project / Program Manager for a couple different organizations. I even dabbled in a WordPress centric design / development shop called CubicTwo in early 2010.

The scale of the projects and programs I was involved in ranged from $50,000 to over $6,000,000 (multiple at any given time) and varied in complexity (these weren’t simple websites, they were enterprise level systems). While different in size and scale, they did hold similarities to what most website projects today look like, just at a very different level. I fortunately had the luxury that my stakeholders didn’t require any education on the importance of security, being they were municipalities or government entities, the security discussion was a lot easier.

This however is not the case for everyday website projects, and worth taking some time to discuss.

What’s wrong with your pa$$w0rd?

Published in Security on September 5, 2014

The discussion on access control seems to be common place these days with the latest revelations news. Found this video on some research Lorrie Faith Cranor is doing on the subject very interesting and insightful.

Importance of Updates in Website Security: WordPress, Joomla, Drupal and CMS’s

Published in Security on August 17, 2014

In my recent post talking to the dilemma that is WordPress Security, there seemed to be some confusion as to my position on updates. Allow me a moment to provide clarity on the subject, yes, updates are very important.

My previous statements are specific to the importance level of updates, it was designed to foster a very different type of conversation than one you would have with an everyday website owner. An everyday website owner doesn’t care about the nuisances or philosophical arguments that occur at higher echelons of a specific domain their concern is what affects them right now.

For the everyday website owner, along with a variety of other best-practices, you should be applying updates as they become available. This post is more specific to you and your needs and what you must understand about the world that is Updates.

The Dilemma that is WordPress Security

Published in Security on August 9, 2014

The past few weeks WordPress Security has come to the forefront of the discussion again, as it often does every few months. As is often the case, it’s highly emotional and generates a lot of discussion. Chris Lema shared a post, Our discussions around WordPress security should change, and that sparked some interesting conversations.

He’s absolutely right, it should.

What many fail to realize within the community however is that the crux of the problem goes beyond Access Control and Software Vulnerabilities. The problem is the end-user, the website owner, the grandma turned website owner, the full-time mommy turned SEO expert, and the message that is pushed from top down through the various niches / factions of clicks within the community.

The irony of it all is that it revolves around the concept that made WordPress so popular — it’s ease of use.

WordCamp Chicago 2014: WordPress Security Is All About the Basics

Published in Security on July 2, 2014

Recently I had the opportunity to share my insights from the past five years working at Sucuri at WordCamp Chicago 2014 held at the University Center in downtown Chicago.

My talk, WordPress Security: It’s All About the Basics, focused on experiences with end-user security issues and threats in the web security industry.

With the goal of greater awareness of security issues for website owners, I share information about the latest security threats and trends, what to watch out for and be careful of, and as always some (hopefully valuable) takeaways and recommendations for the future.

Check out the video of my presentation:

Watch The Video

Explaining XSS and CSRF By Google

Published in Security on June 25, 2014

Came across this video earlier today and found it very informative — explaining the difference between XSS and CSRF (XSRF). I find that most people rarely understand or differentiate between the two so hopefully this video helps. It’s laid out in a very clear way.

WordCamp Philly 2014: The Key to WordPress Security Is Awareness

Published in Security on June 12, 2014

This past weekend, I had the opportunity to speak about WordPress Security at WordCamp Philly 2014 as part of the Power User Track.

It’s critical to understand that the key to website security is awareness — and that is exactly what we achieve in this talk.

Getting down to the basics and sharing insight that very few can share through the experiences we have ascertained at Sucuri. The latest threats and trends will be shared, and of course, some good, hardening takeaways and recommendations.

Checkout the video of my presentation:

Watch The Video

Secure Your Traffic on Public WiFi

Published in Security on May 5, 2014

Often when I give talks on website security one of the various discussion points is, and rightfully so, around your individual posture when interacting on the web. This often means being aware of things like transferring your data insecurely over the web.

This insecure act is often achieved through the use public WifI access points (i.e., Starbucks, Airports, Hotels, etc.). The most obvious solution, or what feels like the most obvious is to work off a Virtual Private Network (VPN). When talking to a Network / Systems / Security individual this is the obvious choice, but to the everyday consumer it’s not.

WordCamp Minneapolis 2014: The Basics Of WordPress Security

Published in Security on April 28, 2014

Over the years, I have seen and experienced an amazing amount of security threats, vulnerabilities, malware attacks, and other problems website owners face. Recently I had the opportunity to speak at WordCamp Minneapolis 2014 on The Basics of WordPress Security, specifically targeted for the website owner or end user.

In this presentation, I share insights into security threats and trends site owners should be aware of, provide tips and recommendations on keeping your website secure, and share some of my experiences and insights from working at Sucuri.

I also participated in a panel discussion on Commercial WordPress Products with Reid Peifer, Marc Benzakein, Carl Hancock, and Ben Fox that was moderated by Kiko Doran.

Check out the video of my presentation and thanks to Matt Porath for snapping this great photo!

Watch The Video

WordCamp Las Vegas 2013: Real WordPress Security, Kill The Noise!

Published in Security on December 28, 2013

This month I joined my business partner Dre Armeda at WordCamp Las Vegas 2013 to speak about web security.

Our presentation, titled Real WordPress Security, Kill The Noise! cut through the false sense of security many website owners enjoy to address the real security issues, threats, and vulnerabilities facing WordPress websites and their owners.

But don’t worry — it’s not all doom and gloom.

While we address the issues, we also provide tips and recommendations on how you can secure your website and our no nonsense approach to reducing risk with WordPress.

Check out the video of the presentation:

Watch The Video

WordPress Security: Learning From Hacks

Published in Security on December 7, 2013

This evening I will be giving a presentation at WordSesh at midnight PST (0800 UTC).

This goal of this presentation is to learn from hacks as the name implies. It’s fairly straight forward to talk about hardening and malware, it’s something different all together to understand the attackers. That’s what this presentation attempts to do in a very short time period (45 minutes). In it I share two scenarios that were recently analyzed at my company, Sucuri.

Here is the presentation I’ll be giving and the video:

Forensics: Analyzing a WordPress Attack / Hack

Published in Security on November 8, 2013

Recently one of our honeypots was it by an attacker and in the process we were able to gather a bunch of good intelligence on the actions taken by the attacker.

I write and detail the forensics of the attack in my latest post, for Sucuri: Case Study: Analyzing a WordPress Attack – Dissecting the webr00t cgi shell – Part I. My goal is to put out a part II next week in which we break down the shell used.

All in all, it was pretty interesting and amusing at the same time. Any questions or insight let me know.

Check Out The Article

OSSEC: Stop Agent Email Notifications from Being Grouped

Published in Security on August 22, 2013

This a quick post, for those of you that manage multiple agents under your manager, there might be instances where your email notifications will group different agent notifications together.

This has to do with two things:

Number of emails sent in an hour
Grouping setting is On

Default Max Emails

By default, OSSEC has a max email setting in their configuration, when it reaches the max, it will then group and email all remaining emails. In this instance, it bundles them all together, which leads to different messages from different agents being bundled.

OSSEC – Detecting New Files – Understanding How it Works

Published in Security on July 27, 2013

I recently saw some discussion in the OSSEC distribution list of someone having an issue with getting OSSEC syscheck to work right in real-time. It reminded me of a similar issue I had with my own configuration and others I have read about, so I figured I’d write something to shed light on how OSSEC’s syscheck works in real-time. Thanks ofcourse to Dani for the assist.

Syscheck – Integrity Checking Daemon

If you’re familiar with OSSEC, then you know syscheck, if you’re not then this section will get you caught up – I hope.

Syscheck is the integrity checking daemon within OSSEC. It’s purpose is simple, identify and report on changes within the system files. The way it works is simple, when you first install OSSEC it runs an initial syscheck scan, this scan will go through and capture the check sum of every file on the system (every file you have identified in your configuration file – /var/ossec/etc/ossec.conf). Once the baseline is set, syscheck is able to perform change detection by comparing all the checksums on each scan. If it’s not a 1 for 1 match, it reports it as a change. If new files are added, it identifies it as new, and reports it.

Simple, right? Right…

Enable 2FA with SSH Connection

Published in Security on July 24, 2013

If you don’t know, I’m a big fan of two-factor authentication. I often talk about it integrated into your web applications access points, like wp-admin in WordPress and administrator in Joomla, but in this post I’m going to talk about leveraging it with your SSH connections.

When configuring your server access points it’s important you enable Public Key authentication in the place of passwords. Mainly because, unlike passwords, you can’t exactly brute force the access point with the keys enabled. There is also a functional aspect to it, not having to worry about passwords is great. Once you have it configured you can quickly access any of your boxes without having to remember or store the passwords. An example of where this would have been in your favor is the SSHD rootkit outbreak in February. With public keys enabled, those affected would have been spared compromises as passwords would not have been stolen.