Episode 431 Security With Tim Nash – All About Security



Show Summary

Rob Cairns talks to Tim Nash about security.

Show Highlights:

  1. Our new monthly segment.
  2. General security discussion.
  3. WordPress security.
  4. Businesses need to protect themselves.

Hey everybody, Rob Cairns here and today I’m here with my good friend security expert, Mr. Tim Nash. How are you, Tim?

Hello, I’m alright. How are you?

Doing well and I can see by your window it’s nice and sunny today and have you had any rain? British weather?

Yeah, it’s bucking the stereotype quite a lot, but no, it’s beautiful today, which is why the window is open and the sun’s out. It’s a lovely evening. We. But don’t worry, we’ve been. It’s been pouring down with rain the last few days before this. This is the first time I took the opportunity earlier to take to do some quick videos because there’s like, there’s sunshine. And so I I don’t actually need all the studio lights and stuff to make. Mimic being in a nice sunny place.

Yeah, it’s actually hot and humid here today. We are on this verge for like 40 Celsius all week, so welcome to sticky. My friends. Welcome to.

What you want is a nice, cool evening. It’s 17° here. There’s a little breeze, but that’s it. And that hopefully this is our summer now.

Yeah. So you mentioned you were working on Quake videos, so we might as well dive in there first. You’re doing some interesting video stuff for your YouTube channel. Well, tell us about.

Well, yeah, I. So I I launched the YouTube channel. I’m a YouTuber now. I think I believe I’m actually legally required to say that up front. Whenever I talk to somebody, I have to introduce myself as hi, I’m Tim, and I’m a YouTuber. But yeah, now I start doing some YouTube videos. I’ve not very much on the channel at the moment. I have one long form video and I’ve started doing these little shorts. Which I’ve been putting out on YouTube and LinkedIn. I’m really enjoying it. It’s a lot of fun. And it’s getting engagement, which is cool because it’s interesting how quite a few of my shorts are in fact, just me saying the same thing that I said at a LinkedIn post.

Yeah.

And the engagement is completely different, which is really cool because it means I’m reaching people who obviously looked at the text and went ohh God, it’s the wall of text.

Yeah, I’ve done that experiment where I’ve said something in a blog post and then I’ve thrown it in a 5 minute short podcast and it’s like night and day, the engagement. And I think video and podcasting. And they overlap, by the way, they still draw a different crowd than those who read A blog post or LinkedIn post, or a social media post.

It is very chalk and cheese. There are some people who absolutely hate the, especially the short format that TikTok style format people either you really like it and you find it engaging and it gives you that little dopamine hit or you really hate it. And it’s like I just want to go don’t want to touch it. For me, I don’t. I I I very much was in that camper. While I hate this, but what I have seen is that I can reach people and just give them that little nudge. It’s it’s very much, I guess if you were a marketer, it would be nudge marketing. And for me, as more of an educator, it’s just a nudge education. I I I if I can leave a little thing in your head that makes you think. And the next time we sat down. At the computer you. Go. Oh yeah. What was that? Ohh, yeah. Maybe I’ll go turn that on or I’ll. I’ll go do that or go do something else. So I’m really enjoying it. And I’m also really enjoying doing the scary story. Which which have published one and I’ve got a couple more, added a little bit of a stall. I I came up with this really great script for a story and then some real world stuff happened. That was just a little bit too close to home. And I went into a film the script and I.

Yeah.

Well, I I went to go and edit it and it’s just. Like no, that could go. On the back burner for. A little while, just while life stuff. Goes on so one day that will come out, and in the meantime, we’ve got some more coming soon. I’m really pleased.

That’s awesome. And I should tell you I’m really enjoying the channel and I’m glad you’re doing it and it just brings out, you know, for those people who don’t know you well, it brings out a different side of you. And I think that’s the value of doing the video. So well done, Tim. Keep it up please.

Thank you. I like having a a people I like scaring people, but I like people to actually think that I’m a human being and it’s getting. That balance right?

Me too. I’m. I’m so.

There.

We were talking before the show about two dreaded words. The letters called AI and I always in a security.

Just check we’re talking about Apple intelligence, right?

Yes, you are and and in the security conversation, I always like to go down that road a little bit because we know we on impacts. We know I would believe it’s impacting security right now. Do you have any like quick thoughts on?

I mean, AOL. Well, large language models. To to try and force it to even a little bit down the technical world. Large language models that are having impact insecurity. We’re not seeing the effects. I think most people think we’re not having I it’s I think quite a lot of people still think AI is this like massive robot killing machine. Thing large language models are really expensive to run and use, So what we’re not seeing them is in like wholesale spam and bot attacks. But you are seeing them maybe generating the content for such. Yes, you are. I’m certainly seeing slightly improvements in, say, phishing attacks where it would appear that people have stopped trying to write their own phishing emails and have got an AI to do that for them, which is great because they were rubbish at it and eats. A little bit better.

That.

But on the counter side to that, there are some really cool new tools coming out. Lots of tools around log analysis and being able to pick up on patterns, which is where we always should be throwing computers at. That’s what computers are good at. It’s where we can go here. Is a whole. Ton of data. Find me the better. Now. Up until recently, that would be really really CPU intensive because while we I said computers would be really good at it. Should be in the operative word, and they historically haven’t been an AI like I was to look at the same statistical patterns that they’d say a human would be looking at. And so they’re more likely to bring back patterns that we would consider to be relevant. So that’s quite cool. But no, I I haven’t seen any of that. AI is going to take my job, yet I’m sure it’s coming. I have on the development side. Watching junior developers sort of, I don’t think will exist in five to 10 years at our current. We’re in a very weird scenario where I was talking talking to a friend who’s a. But a son who’s gonna go to potentially, to union, they were talking about whether or not he should go to union or whether he should get a job straight away. And I was like, do you know what, five years ago I just said don’t go to uni, get get that development job because, you know, five years of doing a job versus five years at university. You’re gonna come out of university and go back to being at the bottom junior level anyway. You might as well get the five years experience. Very few companies truly, truly want a degree, but I think actually in the next couple of years that’s going to change because. What do we give juniors to do? How do they learn? We throw them, we we throw them the grunt work, we throw them crud, we throw them. Go. Right. This do this really basic stuff. And what we’re going to need in the five years time is people who can think and who can produce and not necessarily produce the prompts but produce the the thought and the the creativity of where are we going and what are we going to be doing and. Therefore, the next generation of developers are going to be more information architects than they are develop. Numbers and I think suddenly universities are a really cool place to be and they if they adapt because universities are well renowned for adapting really quickly. But the ones that do adapt really quickly have a real opportunity. So I find a interesting.

I do. I do too. I think, you know, it’s funny. You talk about that conversation. I think one of the places universities need to adapt. Truly is not teaching kids linear, and I have a programming background. Before I started in the support before I started in the marketing and I think one of the things I find with a lot of kids is they don’t learn how to problem solve properly and so universities got to teach. I think a better job. For problem solving skill and I think that would be a big big A to the graduates kind of.

I think that’s very true, especially when you think about where computing sits in a university structure. It it sits a lot often in those science and engineering departments. And I noticed when computing sits more with engineering, you find that it’s teaching a much more problem solving approach, but it’s it’s more on the science side. You get not teaching by rote because that that would be a bit too much, but it very much a here is a set of data. You learn it this way we do. It this way. Here our set of problems. Here are the answers and that’s something that you’ve come across all the time here. Here are the problems. Here are the answers. I think I saw a post on LinkedIn the other day. It might have been today where someone was saying I’m going to be doing a video about these 20, how to solve these 20 problems. How would how would you format it? And I was there going well. I’d say show them the route for how you troubleshoot to solve any of these 20 problems. But if you want the views, what you do is solve 20 problems in one minute chunks and you’d get 20 shorts out of it as well. And he was like, Oh yeah, I’ll go. With that room. It’s like ohh no, no. You went to show them, you know, it’s a whole. Teach them on the fish thing. Yeah, show them your your methodology and they’ll they’ll be able to actually, you know, do it themselves. And we lack that at the moment and we’ll us, people are going to turn to AI and type into ChatGPT, how do I solve my problem? And we are in Stack overflow territory. Ohh yes. What you should do is just put a pseudo in front of that. R -, R, F, back slash and delete everything.

Yeah, I get it. So moving on one thing I do want to address in the security realm is this problem called voice validation. And a lot of people that go to their telecom company, they use voice validation. They go to the bank, they use voice validation. And. You just said that AI doesn’t have a big impact in the security world necessarily, I wonder. And this is just my opinion. If you shouldn’t be using voice validation because of AI, because if you’re a well known person, you’ve got a podcast. You’ve done, media interviews, your voice is everywhere. Can your voice be cloned, which will get you past voice valid? Maybe we should hold on that one.

I mean. I mean it, it will. I guess we’re gonna have to sit back. And whenever you do this something it’s like, what is your threat model?

Yeah.

If I am Joe blogs. And I don’t regularly go on podcasts and publish my stuff on the Internet and nobody cares about me particularly. I don’t have an exciting life, and I probably don’t have millions in the bank. And and you know I have $0.24 in the bank and a bunch of credit card debt. Is voice validation on my bank account as big a deal? What’s the worst that can happen? Ohh. Someone’s going to pay my mortgage off for me. Great. Go ahead. Yeah. Other people you know, if you’re a celebrity, you probably should change the pin number on that on your voicemail. Back here in the UK, we had a massive hacking scam throne hacking scandal that went over decades with a newspaper who was hacking into voice maps. Yeah, because primarily the default pin had been kept sane. Now I absolutely believe that I can see the same sort of slime walls. Building a AI model of. Scarlett Johansson, for example, just picking one and using that to hack into some sort of voice, validated whether it’s a. Voicemail or a? Bank or her Tinder account, whatever it is. I can see that happening and it will happen. But to train that model does cost money. So are you going to do this on a widespread scale against millions of consumers?

No.

Probably not at the moment anyway. Are you gonna do it against a handful of celebrities? Absolutely. So your threat model really has to change depending on whether you consider yourself to be a celebrity who’s likely to be hacked in this scenario. Or Joe, who would like his mortgage paid.

Yeah.

Or you have a 7 figure investment portfolio, right? You know, it all depends.

Yeah. I mean, if you’ve got those, you know if you’ve got something where that if you’ve got something worth protecting, you should protect it and your wrist model goes up and your the threat goes up when the more value or wealth or whatever is in there. It doesn’t mean that you’re gonna. Be no one’s going to hack you, but. You’ve gotta be worth hacking for for that sort. Of. Targeted Hack, which is very different from say, hacking a website when someone goes and hacks websites, they’re not well in the vast, vast, vast, vast majority of cases they’re not targeting you, they’re just automated attacks. So. Most people who are hacked when when it comes to their websites, they weren’t targeted. Death site isn’t anything special. It was being used and abused. That’s what it was. Whereas something like we’re talking about here, this is something that’s targeted. And so there’s gotta be a reason to target. You and you’ve got to have enough value proposition to make the targeting worthwhile. So maybe if you do have a, you know, a six figure 7 figure portfolio, keep it quiet, don’t advertise it on LinkedIn, and definitely don’t do it with a nice two-minute video where you carefully annotate all your vowels. And Constance, clearly for somebody to rip off.

Yeah. So you mentioned website. So let’s Segway a little bit. I’m a small business owner. I you and I both know better. And I say I don’t need to take care of my website. Nobody’s gonna touch my small little website.

Hey.

And you’re laughing at me already because you and I both know where this conversation goes and goes very quickly. Why should I care?

I mean, you shouldn’t just get yourself hacked. Problem solved. Give me a ring once you need me to clean it. No, that’s probably the. Worst approach to it’s. Great proach for me. You know, that’s a very no. Why should you care? Because nobody cares about you.

Yeah.

Overwhelmingly, as we said, the the vast majority of what tax on websites are automated and it’s it, it’s a, it’s a business model. So a vulnerability will occur, let’s say, something elemental. For the sake of it, elemental plugin has a vulnerability in it. It doesn’t at the moment. Probably somewhere it does, but it’s not exploit. They come up with a way of proof of concept. Push out an update, but you’re not gonna update your website because the last time you updated your website and you updated elements or everything broke and all your short codes appeared and it looks horrible. So you didn’t, so you not gonna update, but that happened once a day. One elemental puts out this update says Oh yeah, there was a vulnerability in our code. By day two, and we’re not even by Day 2, within a couple of hours we’ve got some bad actors that we’re going ohh, how many sites is element or? Ohh 40 million cool. Right. Well, we’ll target it for you know, for 40 million sites, we’re going to get a few hits. So they’ll take a proof of concept. They’ll build a a payload into that and they will create a simple tool to just find vulnerable sites and they’ll ping them off. They’ll get a big list and then they’ll rock the payload on. Which will give them a nice web shell onto your site, and then they’ll go well. What shall we do with it? Absolutely nothing. Gonna put in a back door and they’ll leave it. They’ll leave it for about 24 to 24 hours to a week. Because they want to see what’s going to happen. In a week they’ll do a basically another round of pings where they’ll go and anything that responds they go brilliant. They put it on a list. Because they now know that you haven’t updated it for a week, you’re probably not gonna update now. This is this is your gold. You’ll find their back doors in place. Everything’s good. So what? They’ve got a list and they’ve got, say, 50 to 100,000 of these sites. They will put this in the big CSV and put it up to so. They’ll say I’ve got 100,000 sites with login details. For sale for X. Dollars and it’s a very small amount. You you will. You will hate to discover how little your site is worth, but we’re talking pennies and somebody else will buy that and go cool. Thank you very much. And then they’ll log in and they’ll put in whatever they wanted, whether they want to distribute malware, whether they want to use your site to spam pills by e-mail. Whether they want to turn your little shop and just card skim off. But whatever they want to do but. That’s like we now have two or three parties down the chain and then when they finished abusing you. They just put you on another list and resell you and resell you and resell you so your their site makes them more money than it made you very quickly. That’s really hard to get back from. Not least because you’ve got like your customers have been lost. Your site is hacked. You’re feeling rubbish about this. I mean, let’s face it, it’s not a nice thing to go through, but. Having your site hacked. It’s just a horrible situation for everybody. It’s unlikely to be the nail that totally destroys your business. But so many companies start that death spiral. When an incident like this happens, when you go to the insurance company and they say. Yeah, of course. You’ve got cyber insurance. Ohh, it doesn’t cover that. Or of course, you got cyber. Insurance. You did tell the. The updates you were told to though, right?

So true. True, true.

That works.

So the other thing too that you didn’t mention while we were talking about your small sweeping hack is there’s a potential that site might get hacked to leverage in that attack against bigger sites. Right. And that’s often what happens. These bot firms go out and find all these small sites, and then they use them to help bring down a bigger fish in the chain. And that happens, I think more than people think, right?

Yeah. I mean right back at the start of this, when we were talking about this idea that they were gonna scan for the vulnerability and deliver the payload. Well, when I say that I don’t mean the bad actors sitting there on a computer in the in their basement, doing that, they sent the command from their basement, but they will send that to a command and Control Center. It sounds really cool, but just means a server they’ve already had. And then they will be using other servers that they’ve already hacked to then send out and do all of this. So and it all feeds back into their machinery and into their network and you get these large scale bot Nets. And a botnet doesn’t have to be from a web server. You know it can be a toaster if you like. Some of the largest bot Nets we see on the the Internet are all from IT. Things, so Internet of Things and it’s. Once you’re in there, it’s very difficult to get out of it as well. They don’t just leave you alone. You’ll find even if you secure your signs up and you do all the do all the things you’re meant to do. If you start looking at your log files, you’re going to be hammered for the rest of your life. Now, it shouldn’t affect your site if you’ve done things properly, but it is very noticeable. Just the sheer amount of bot traffic you get following effect sighted. And and that stays with you.

Yeah, it’s it’s astronomy. Cool. Back in the day, we all know, and I’m sure you know, but I know there’s there’s a my pass podcast know about the lake Legendaries, social reengineering, hacker Kevin, Nick and Kevin wrote a number of books. His biggest book, called The Art of Deception, and he talks about how he did all this hacking. From social reengineering. And and then he is autobiography or memoir, If you wanna call, it goes to the Waters, talks about more how he ran from the FBI for years and years. If everybody’s anybody’s interested. It’s working interestingly to say the least is social reengineering. Still the problem today as it was 20 years ago. I would say yes, but what’s your?

Yes, I mean, I don’t, it certainly hasn’t. It’s certainly more of a problem whether or not it has the. Again, that we’re back to whether or not it’s a, a really targeted attack versus a widespread attack. What we’ve seen over the last few years is the just the sheer amount of automated attacks has made. Died so much that those specific targeted attacks, percentage wise have got smaller and smaller. That doesn’t mean they’ve become any less of us any less of them. It just means that the amount of automated and tax has increased so much, but it’s still an issue and you actually see a lot more. Even. And when you, well, you might not see it so much in physical pen testing so much or no. As I say, pen testing but physical in physical attacks, you saw you, you can see this as it’s sliding to shift into things like social engineering, into spear fishing, right, as opposed to fishing. There’s lots of these different routes it’s taking. It’s taking and. Changing and we’re going back to our AI conversation. When we do get to the point where CPU costs come down, where models can be trained. You might see more of this star stuff happening. More often, maybe. Because that cost limit. Means that you you can do much more than is closer to what a human hacker can do versus what an automated bot type scenario is that we have today can do.

Yeah, I agree with you. Now, one of the problems we have in the WordPress community and you and I see it all the time. WordPress is not secure. And I would argue that the problem is word press is now depending on which stat you reach somewhere between 46 and 50% of the mark, give or take. And my argument has always been a do you trust word press to make it more secure? I so and trust. The plug in manufacturers that you’re using or plug in developers to make it some more secure. I do in my. Stack and the argument is the bigger the market share, the more of a hack attempt you are and it’s one of the reasons for years on the computer side, we’ve seen Windows by Microsoft be a big target because it has 70% of the business market. What are your thoughts on the percentage versus not being more secure or less secure?

I mean. It’s worth always saying that. Visibility does not indicate how secure something is, so if we if we testing a, you know if I’ve got a piece of software over here and it’s been used by a million people and I have a piece of software over here being used by one, that one, some piece of software by 1 isn’t inherently any more or less secure than the one by a million.

Thank you.

If a million people are gonna expose that software to the Internet, more bots, more things are going to look at it more and from a bad actors point of view, finding a zero day in WordPress, especially in WordPress core. Is worth their time.

Yes. Yeah.

A A vulnerability in a big plugin, let’s say Yost, let’s say elemental. Let’s say woo commerce is worth their time to develop and exploit to make use of it. Uh. So from the point of so when people talk about scales and argument arguments about scale. Word Press hasn’t become any less secure because it is bigger and in many ways it’s. You could argue it’s the opposite, that it’s been it now has many more eyeballs on it. That project of one. Being used by one, there was no incentive for a security researcher to look at it.

Yes.

There is. There is a lot of incentive for a security research, including monetary 1, to look at WordPress and we are lucky that. However, however people feel about them that automatics do provide a bug bounties on behalf of WordPress that we do have. Some maturing bug bounty systems and this is a good thing because it doesn’t mean that we are paying people to find things. Some of the leading security vendors, people like Patch, Stack and word fence are providing bug bounties and are paying people. This is a good thing because it provides good visibility. UM. Are those things balanced? As in, are there enough good people looking at it versus enough bad people who are using to explain it? Don’t know. I don’t think I. I mean obviously I use WordPress. I don’t think I would use WordPress if I thought that it was inherently a bad proposition. So I do think you have to be really careful about what plugins you use. I I almost take umbrage with the idea that WordPress is insecure. I WordPress core is doing a pretty good job, especially if you. Do you do like? For like comparisons against other CMS’s. Uh. It’s it still has more CD’s against its name, but again, I think that’s down to scale and more people, more eyeballs on it, and on the whole, the oopsies haven’t been well over the years. There’s definitely been some big oopsies, but in recent years there haven’t been too many dramatic big oopsies. From WordPress core. Where it all comes down and it’s plugins and themes, the shift to the new sort of site editing, full site editing and those minimal themes. Is seeing that attack surface change? Not necessarily sure it’s. I I’ll go and say it’s with you. I thinking in my mind it’s reduced, but it’s also introduced a whole new one. All of a sudden SQL injections, they’re a very interesting proposition. I mean, they always work.

4.

But now you have full control of how everything on the site through an SQL injection is is interesting. So we get we’re reducing NAG tax service, but we still got these big plugins and until we either dramatically change how plugins interact and work with WordPress which I can’t see happening because one of the big things about WordPress is. You can build a plug-in no matter who you are, and for almost whatever you want, and you could be a priest and build a plugin. Or you could be a big development agency and build a plug-in, and sometimes the priest writes much better code than the development agency.

In.

And we would be nice if we could potentially bring in more API’s, more ways to limit and to reduce down some scopes of some of the threat surfaces. But people can write once you write PHP code. It’s. That’s it. You’ve you’ve given them server access. They’re they’re that user. They can just work their way around it anyway, so. It’s it, it’s. Hard to it’s a hard one to solve. But I don’t think WordPress is the problem. I think people.

Are the problem I I agree with you on that one. In terms of. Protecting WordPress so we all know there’s a pilot security plugins out there. Choose one. There’s word fence. There’s I themes, solid security. There’s patch stack itself, solids based on patch stack. Now the database. Several others securities, got ones and and there’s a few more. Should you be running a firewall piece of software? Or a security plug-in at the site level is that we’re doing.

Hmm, interesting. Yes, yes. No, maybe.

I knew that was coming.

I’m going to preface this with I’m not quite comfortable saying this. My website doesn’t have a word sense themes, so any of the ones you mentioned. OK. I’m I’m I’m quite happy not running with that. What I do have? Is a good server side level firewall structure.

Thank you.

What?

Now there are some potential advantages to having your wife understand your application more fully. So if your application if your WAF actually knew what plugins were installed and what vulnerabilities were inside those and could prevent create rules dynamically, that’s quite cool and that’s what a lot of the WordPress security plugin wafs. Offer with varying degrees of success. It should be said. But to do? That dynamically is really intensive and quite awkward and most. Some abilities, though, let’s. Say, let’s use the SQL injection. And wires can block an SQL. Most SQL injections, the commonly formatted ones, regardless of what plugin is being exploited as the vulnerability in it. Because of the nature of the how the payload looks and appears. So a single raft rule in something like mod security or NAXI or whatever your waffle. Sorry sets. This could can do the job that the same plugin would have had to have right written. Dozens. I’ve got hundreds of lines of code to do. And have that performance impact versus almost none, but at the same time, there are sometimes where word press security plugins do have their benefits. I I. For me, I would say you should have some sort of two factor authentication. I think that should. I personally use a separate plugin to do that. I can see why somebody might want to do use their bundled in security plugin that does all of this same thing for user activity logging. I think this is a really important thing that should be done. I there are other things that you know, I make tweaks to say session user sessions, how how long user sessions left. This is something that I do. I’ve got it as. A separate little. Plugin. I can understand if you if a security plugin bundled that in. I think actually the only one that I know of that does is solid.

It does, yes.

Yeah, but yeah, I don’t think any of the others do something similar. Again, I you know, if you want to make use of things like bcrypt or argon 2 for your password hashing, you need to. You would use a separate plugin. Again, not that many of the security plugins do. These sort of things. They tend to focus on. Things that people think are important, not necessarily what are important and more interestingly, what hosts have been protecting you from for all along. My favorite one is you’ll find quite a lot of these plugins will tell you how many times they’ve blocked some some bad actor from logging into your site. And that one thing annoys me more than anything else for several reasons. One, I don’t care. Because well done, well done, unplugging for supposedly doing your job. Congratulations. You should get a little little reward. I do care, however, if someone what I want to know is when someone has logged in for me and and none of them do that. They all do the we blocked 60,000 logins. None of them say. We block, we we, you know you logged in last at 2:00 PM on a Tuesday in Peru. It’s like ohh, wasn’t it in Peru? That’s a bit weird, but the the bigger thing that frustrates me about this is that almost certainly when they’re blocking doing their logging and blocking, they’re actually stopping the server from doing its job, which should be to be blocking this stuff. We should be doing that at the server level. And you’ll manage WordPress hosts. We’ll almost certainly be doing it, and there’s a reasonable chance that you’re blocking it too early, so the IP’s aren’t being put into the into the disallow list from the server at the server level, which means they’re not being distributed out, which means they’re not. Being able to. Be used by other people and the final that is, they’re storing that data the where it says 60,000 logins.

OK.

In your database and you know what one really easy attack is. We’ll just send sixty to 100,000 IP addresses at your login page. And we’ll just completely ****** up your database and kill it. Yeah, so yeah, failed login attempts is a pet peeve of mine. And if you find anybody who, if you see that on a system, whether it’s a dedicated plugin, there are plenty of them or inbound in one of these security plugins. It’s just like just.

My my biggest pet peeve. There’s people who think changing the WordPress back end URL to log in is secure and I’m not a big fan of security by obscurity, so I should tell you that so I don’t even bother and people say but and I’m like no butts. If people’s gonna hack your site, there’s a million and other ways they’re gonna get in there. Beside changing the back end. Yeah. How do you feel about that?

I mean it this you know when you’re sitting there going when you I’ve I’ve seen sort of like pentest reports from people and this has been like high up on the thing and it’s like OK, if I had nothing better to. Do. In my life. Ever. And it was raining.

Yeah.

And I I done everything on my To Do List my bucket list was done. Then I might start to try and wrap my head around the problem of hiding the back end of my my shirt. But. At least a couple of the biggest plugins out there that do this are overwritten by this sneaky trick that only the only good people know, which is instead of typing in the word WP admin, dash admin or WP dash login, you just put slash admin in and it automatically rewrites.

Yes, of course.

Which apparently is so sneaky of you that nobody. No one knows this trick beyond, obviously us too. And. And yeah, Needless to say.

And the and the thousand of people now listening to this podcast.

Yeah. Well, on it, we’ve just ruined security by obscurity for everyone.

Yeah, yeah.

It doesn’t make.

A difference, potentially it might. I mean the the argument for blocking bots to. I mean, I would just let bots add it as long as you’ve got a strong password and a good two factor authentication, I don’t really care if bots hit the login page. There is an argument saying, well, they are creating a performance hit. They are adding to CPU. Train and you know if the attacks big enough it it, it would be making a damage. I think that there’s probably as much if not more CPU performance issues with doing the rewrites for legitimate users. Then there would be. For the blocking, for hiding it from the bad users, I mean. That’s not always the case, but in the vast majority of it is. So there are much better things to waste your time on and CPU cycles, right? Agree I.

Agree with you the same thing as changing like the WordPress hash codes. There are security plugins that do that well folks. If you can get access to the WP config file. Guess what? You know. So like.

I mean there there are sometimes where you do want to change those salts, not not vaguely and regularly changing the salts is gonna be a painful experience, but there are occasions where you might want to change the salt. That should be a one off event. I actually find it particularly frustrating when I see people who have been plugin installed to change the salts they’re just like.

OK.

I don’t like the idea that you have a plug in that’s editing the config file. That’s that’s that’s asking for trouble. So if you are going to do that, you know you can just generate. I don’t. If you see a live would be a fun the the better way to do it, just manually go in and just put in some rubbish in those salts.

Normie.

Oh. If you going to stay become big, go to the defined. You can write your own. Rubbish in there.

Yeah, no, no question. I was thinking about this last week before I talked to you about doing this show and. I manage, I do updates for about 300 sites, so I have a fee and I just finished going through and doing a security audit on all user audit on all 300 sites. So one of the things I always look at on a regular basis is users, user roles. And is the user still with the company on an ongoing basis or not? So having worked in the corporate world and I said the corporate world debate, Fortune 500, I worked in healthcare for 21 years we used. Still, if you left the hospital I was with, we would terminate the writing. And I don’t know how many times I’ve seen on a WordPress database the bad actor has been a former employee who’s logged in and done something after he’s let go. He shouldn’t have been and why we don’t minimize user roles. So first of all, don’t give everybody the admin access because they said it’s their site and they can have it. My answer is no. And if you don’t like it, go elsewhere. And then my other answer is we need to be very careful that we terminate old accounts that aren’t needed and user role management. And I’ve gone so far. Tim is, if somebody insists on admin, I’ll use a plug in that will dumb down the admin privileges and they don’t even know. I’ve gotten that. What do you think of that scenario and user role management?

So I first of all I I think it’s really clear to say that sometimes you don’t even realise when these things happen. A really good example is one of them. Major managed WordPress hosts just creates themselves an account. And for a long time that. Accounts password was test.

Yes.

Of course, everyone on. Do you know what? It used to fail. You know it was weird how they got mass hacked repeatedly. Knowing who your users are, it should. Be like one. On one, you know coming along and going logging in. Who is this person? What access do they need? Why do they need it? How long do they need it again, as you say, corporate world, this is all pretty much standard things. This should be and it shouldn’t change in many ways. Corporates or WordPress sites do quite well at this because they tend to well I say tend to. They have things like single sign on options so these can be controlled through LDAP and other systems elsewhere. Whereas if you’re just manually doing it, at least you should be going in and going. What role do they have? What capabilities do they have? Because most people don’t realize that a role is just they. A group of capabilities that is applied to that user at the point that they’re given the role. Now you can go in and change the capabilities of a user. So you can have Bob, who’s a subscriber but has all the capabilities of an administrator. And it’s really hard to work out if Bob has those capabilities unless you’re looking for it and you’d either be if you’re in default WordPress unless you’re using something like dpci, you can’t actually see any of that. You’d have to be either looking in the database, looking at dupli to be able to see the capabilities of that. Even use them now. There are plugins that will extend this out so you can see users capabilities and things. But yeah, I I I think in fact I put out a short today which was basically exactly what you were describing, which is I go along and as an exercise, log into the site and drop every administrator user down. The editor. Just do it. All of them, obviously, probably keep yourself. Though if you drop yourself, that could be quite a fun exercise. Getting yourself back up. But drop yourself. I mean, that’s what I as I should say. But it’s perfectly easy to do on my own personal site. I am an I am only an editor. If I want to give myself, I literally have a.

Oh yeah.

Adobe PC I command called give me God Mode and it bounced me up for an administrator for two hours. At which point I get downgraded again. So if my account was ever compromised, you just get an editor. And that’s all you would ever have. Be it drop over the down one head, Sir. Wait and see who complains.

Yeah.

And I guarantee that in the first couple of weeks you probably will get one person because they’re the person who’s doing the work.

I just got one.

Yeah, they’ll be that person. Who’s who’s, who’s gonna tweak that setting? Add that user or do the plug in updates? The rest will be silent. They won’t notice. Yeah. And then especially bosses and PA’s, or people who work directly for the boss. But they feel they have. To have it because they are the boss.

Or the OR the typing to.

I said.

Thing to be able to say, but that CC level person to be able to say, actually you don’t need this. You don’t even need an account on it. What are you doing with an account on here? Are you gonna publish? The blog post yourself. Yeah. Let let them be in there to see if they have to. But like if you do have people who are really care about this thing super duper boss level role. Which you just add a role called. I don’t know Uber administrator or or just admin. It’s a site site admin role and then just set it to editor anyway. You can there are plugins to allow you to customize roles, so you can do it again and. You do it day. PCI. Which is how I’d recommend doing it.

And then my favorite subject backups, backups, backups. So people say backups on the security function. Yes, it is, first of all. I would argue. I would also argue that we shouldn’t depend on our hosts to do our backups for us. I’m a big believer that I’ve seen too many cases of hosts having backup servers hacked. It happened to one big host in the UK. It happened to a big host in Montreal a year ago. It’s happened all over the. Voice. And then folks, when you’re taking backups. Please, please, please check to see if your backup your store works because I have gone to fix it numerous sites but we have a backup. You do do you? Where is it? Ohh, we don’t know. It goes to some repository and it’s like you don’t know. And then when we find it and you try and do a restore to a test domain, it’s through store. It doesn’t work. And that happens more than I can count. So. Backups can be your most precious thing. I’m a big fan of keeping multiple backups. And when I say multiple, I’ll go back. I’ve gone back over a month before. What’s your thing around backups?

I’d like to just slightly pick my own things, but if anybody, everybody’s interested if you visit my YouTube channel. I’ve got a video called Memes Gone.

Go ahead.

That.

And I encourage people to watch it. I’m not gonna spoil. It but I’m. Gonna encourage people to watch it. It’s a little scary, but by the end of it, you will take good. Backups. Your your, your brain will kick into why we are going to take good backups. I I think we taking good backups is really important. I just like never relearn your host, your host. They take the most perfect backups, but they’re their backups. They’re not yours. Now, even if we ignore security, we ignore anything else. We’re just talking data portability here in that I might not want to be with that host next week. That data is mine.

Yes.

So you want a copy of your data? For me, I, but most of my clients, I I recommend that they take daily backups for a couple of clients. We take hourly database snapshots. I the way I from my own personal stuff, I take a daily backup. That is a a backup of the files in my uploads folder. And of my database and that’s pretty much. It. Because everything else I have in version control or I can get from somewhere else. So I trying to minimize what’s in the back up to the things that are core and vital to the things I’m doing and then. But the important part of this is that most people think that’s where your backup stop is. When you put it on the backup place. And you’ve left it there. But that’s not a backup. That’s a prayer. Yeah, or a loop, a desire, A wish that you might one day be able to restore this until you’ve tested that. Now backup only becomes a backup when you’ve restored, and you can show that you’ve got a process where it’s successfully restored. Now that backup is worth something. Up until this point. That backup. It’s just. Ah, and so. I always encourage people to do backups and the next stage is go OK? How are you going to test these backups? And for me, I really like testing backups by using them in other things. So from my own personal site for example my backup I then use and I drop down and put it on my. What is effectively my staging site, yes? Because then when I’m doing testing. I’m testing based on the backup. And so I’ve got a very. So it’s a reversing process. So what happens is let’s say it’s midnight, I will do a backup on my daily backup. I will drop it on my staging sites. At 1:00 I’ll do the updates my my plug in updates and any tests that will be done is done on that staging site. They all pass. Then I go and push them on the live site. This way I’ve got this nice loop where the backup is always being tested. Yes. So I always know it’s working. I’ve always known and I and my body, if the backup fails that first round of tests before I do the updates, I won’t do the updates. So I’m not because I don’t have a guaranteed backup to it. And now that cycle approach works really well, it’s.

Oh.

Bit fidelity set up a bit of a pig, but once you’ve got that set up it just works seamlessly and it can be fully automated and using them in your dev environment so that everybody’s using the same backups, Dev, Dev. Option. Just regularly making use of these backups means that you’re guaranteeing that they’re there, cause if you don’t regularly use them, if you just sit on a shelf. What’s the point?

And here’s the other thing worth mentioning. 1 copier backup file. It’s not a true. Backup we have seen in this business. Multiple people have had computer stolen and guess where the backup hard drive is right next to the computer that just got stolen. So hi, Mr. thief. Take my hard drive too. With all my data. Please take it. I use a. Synology NASA. I have a Synology off site. Believe it or not. So I have one at a friend’s house that I kindly pay for Internet access for. That’s part of our deal. So I have it in their basement and my two synology’s actually sink overnight when everybody is sleeping. So not only do I have a back up here if my house burns down. Or something happens, or a fire, or Mr. Steve Foxon and says I’ll take their answer. Guess what? I’ve got a copy of that away from the computer. So people also gotta remember it’s not just the file, it’s the medium that matters as well.

Yeah. I mean, for me, I I do. I have a backup that’s in the cloud. I use some company called rsync.net which is a based over in Switzerland and then I have a server just down there. And. I have a secondary hard drive that’s elsewhere.

Yes, you are a thing.

Sorry, nicely said that. He’s a very similar sound being set up, something a story that I always tell people about backups. And you saying about keeping them in the same place many years ago I worked in the university and there was a a, a lovely lab who was doing his PhD.

And she.

And he got his bag stolen. This will age me as well because he got his bag stolen. And he he lost his laptop, which was impressive. He had a laptop. He also lost his jazz drive.

Ohh, you’re dating yourself?

He he lost his jazz drive, which was his back up, yeah.

And and my favorite story is I have had forget web stuff in my day. I’ve had three or four hard drives go back and you and I were talking in the pre show. We’re talking about my house a little bit up just in the hospital. The first time I went to a diabetic scan. I went through. 14 years ago and I was in the hospital for three weeks. It came out. My computer at home in those days, laptops were still expensive. I did desktop at home. I turned it on and all I heard was could chunk could chunk, could chunk and you know what that sound is? Them. That’s a say, the hard drive die, basically. And I had been in the hospital for three weeks, so the machine hadn’t been on. And fortunately, in those days I used the backup product that’s still around, but morphed out called Carbonite. And I before I went to an elaborate backup setup to take more control and I was able to go buy a new hard drive and within a couple of days do a restore and I was back up and running. I have lost four hard drives, big hard drives of my time. I have never lost an ounce of data at all. Now what I would also say, and people say this to me all time. Ohh I don’t have web assets, I’m like OK. You have photos of loved ones that are not with us that can never be replaced. Yes. So why aren’t you doing something? I never thought of it that way, so forget the whole website which you and I are in true to it, what are your most prized possessions? And those ones that can’t be replaced are the ones you need to take care of.

Yeah. And you, you will never. Yeah. The problem with backups and with this sort of scenario is you don’t really start thinking about these things. Until you’ve had the problem. Yes, and it’s too late. Yes, especially the family photos, I mean.

Socially.

Even looking back on myself like I’ve. There’s. I’ve had hard drives fail constantly and there have been points in my life where I didn’t do good backups, so I know I have lost things in my life. That I’ll never. Get back because they were gone now, for all I know, that might have been, there might be a photo on there that. Could have been that really special photo. I actually probably. I thought back up. We got backups. I got hard drives that died. I don’t actually know what’s on them. That’s the worst bar. In fact, I’ve got one sort of just under my feet here that’s an IDE drive. That I I keep speaking as a project. I’m actually cause the thing about ID drives and the it’s proper spinning rust is that unlike say a a flash drive, it’s repairable in theory. I I could certainly potentially get the data off of like you know, it’s just a stuck cylinder so I could in theory get it going and it’s been sitting there in my project pile to go and. Try and do. Partly cause I don’t remember what’s on it and that you know, quite scary. You know what? What was on there 2530 years ago?

Yeah. And then while we’re talking about hard drives and again, it’s partially web, but partially. Not, but people need to get through. That if you’re going to dispose of. A hard drive. Ah. And here’s where it gets interesting. I had a company when I worked in healthcare, they were called Dominion Business Machines. They owned one of the biggest interesting enough antique typewriter collections in the world. That’s one of the claims to fame they were. In that, but they now do automated stuff, and one of the brothers who now owns the company their father started it, who I know quite well. Jim Sanderson and I developed the protocol that divinian business machines uses today. To destroy hard drives and destroying a hard drive doesn’t mean I pick up the hard drive. I run to my local recycling depot and I say here, please take it. For me, that means and I just went through this with my own mother who’s 79. She’s like, what do you do with an old hard drive of an old laptop? And I say if I’m not gonna reuse it, the first thing I do is I write military format as zeros and ones all over the drive. That’s my first step. The second thing I do is if this were a business, I would go to a hard drive destruction place, take them in a pile and we would serialize all the hard drives to cover our you know what? Yeah, I consider where that’s on my project on my own podcast, I think. And we would serialize them all so that if something comes up, we’ve got ourselves covered and we would actually take those hard drives and drop them in a commercial. Designed exactly for this purpose, because those of us who know know we can recover data off a hard drive if they’re not destroyed properly. If they’re not for business, I would say take a good drill and drill some holes in it. The lesson there was I was a. Expert witness in a court case many, many years ago where and I can’t mention names where a high-priced executive. Had a wife who was dropped dead gorgeous and decided to have an affair with a 22 year old. Model. And he denied it and denied it, and he even formatted the family PC that sat in the living room until I went in with some tools and and and found all the data that he thought he got rid of and managed to give the divorce attorney all the expose the pictures of him and his new girlfriend. Which led to a multi $1,000,000 legal settlement. So the lesson here is data is never gone till it’s physically gone.

Ohh. I thought the lesson was don’t take explicit pictures of you girlfriend is having. Yeah, well, having you repair. But OK, we’ll go in later. Is never gone. That’s fine.

That that’s another thing. That’s another story.

We can do that.

That’s another story like yes. But yeah, you gotta you gotta be careful. Your date is. So that’s part of the security, right?

Yeah, I think it’s a safe. Say you you need to. I I I personally from if you it’s your own drive and you don’t care about it. A drill is very therapeutic and then if you wanna take a sledgehammer to it that’s fine. But do do the drill 1st to make sure you go for anything cause actually whacking it a few times with a sledgehammer. Unless it’s in lots of pieces at. The end of that whacking. Probably hasn’t done enough.

Yeah, sure.

But yeah, no, I we, I used to work at a place where once a month the lorry would turn. Up. And they have, like drawers that you pulled down. And you would you’d sign away the hard drive and it get put in and it gets slotted in. And you then would be like this crunching noise and whirling blades and. Then they opened it up and the next. One, and this was a giant lorry and.

Yeah.

All it and you had like little compartments that you’d slot them in and it’s big business and it’s an expensive business it it costs quite a lot of money to dispose of. That and to the point that I think it might have actually at some points cost more to dispose the hard drive than did to buy them at one point.

That’s.

It’s.

Worth saying that car drives are cheap relatively so don’t be afraid to buy them for your backup systems. And do assume that they’re going to fail. If you’re if you got spinning rust, it will. You know, it’s just when that’s fine. Just work with that, make sure that you’re using something that’s doing raid, something like or if you’re not using something that’s got a physical raid, something like ZFS or Seth or any of these butter FS solutions that will allow you to just add things into a big, big array. And then just let it fail once it fails, take it. Out destroy it.

Rated rated is a wonderful thing we had one I used to on call when I worked. In healthcare and one we had a a big rate server that. Drove an ER application. So ER is kind of critical and I had to drive. Go down at one in at not one in morning, 11:00 at night on a Friday night. The worst possible time. And it was an IBM Sir. And we, IBM and our service company did not have a drive in Toronto. They had to actually airlift me by UPS, a ray drive from Philadelphia, PA, on a UPS flight. Believe it or not, in the Toronto and put it in. But the beauty of rate is. If one drive goes in a rate server that’s got four or five rate drives, you’re not up a Creek. You got to get it changed to build the rate, but you’re not done. Thank God, and that’s you.

At least you’re not done on that first drive. The problem is. When you go ah, yeah. Isn’t really great. We don’t have to worry about it then another one goes. Isn’t great. Great. We don’t have to hang on. When do we reach parity? Ohh hmm, right.

In this case, in this case I didn’t wait for morning. I said OK, so you got air warfare drive out of Philadelphia. When do I got it? 4:00 in the morning. I said get it here. And they’re like, you really want that drive delivered at 4:00 in the morning? I said yes, please. And we have a 24 by 7 service contract. So the service company that you had to work for, IBM had to lock in. Not that I couldn’t have put a ray drive in the server. But sorry, guys, that’s what we pay you for. And then we had to sit there and watch. For the rate to rebuild itself. But better that than waiting for a second one to go. As you say, the third one to go. We’ve covered a lot today, which I really appreciate, Tim. I always appreciate you three quick takeaways with what’s going on in the world right now for people, for security, can you do you have three quick ones?

Ohh three quick ones. Time to exploit is getting shorter, so then you need to patch is the window. Patch is getting shorter as well, so if you’re up regularly.

100.

Dating you’re even if you think ohh. It will never happen to me because you’ve been at this for 20 years and you’ve been updating websites and every time you hear us talking about how you have to update regularly, you think you have no I can still patch once a month on a on a Tuesday you can’t. Exploitation is now. Measured in hours, not in days and not in weeks, which is what we would have been doing would have been talking about exploits in weeks, even two years ago. So in the last two two years it’s gone down. I I really see a scenario very soon. We’re gonna be talking about updates in. You need to be updating every 12 hours, not every once a day or once a few every.

Minutes. Few days I don’t. I don’t want to take, I don’t update turn.

So.

On or off.

Auto updates on from vast majority of people. OK, there are scenarios where it doesn’t work for you for any given person, there are scenarios where you might not want it, but the vast majority of people, the vast majority of companies and the vast majority of agencies. Auto updates should be on enabled and you should then spend the time learning building out test suites so all that time you’ve you’ve spent doing updates cool, we’ve just gained you that back. Brilliant bad news is now you have to build that into testing. Once you’ve done that you have set yourself for lifes going forward. So I I I’m a real advocate of automatic updates, especially when we’ve got the rollbacks features coming in. There really isn’t an excuse for most people like I always do put an asterisk there because there is some nice way, right? So that was my number one, number two for word. Press specifically is that as we’re getting more and more automatic updates, people are we are seeing an uptick in changing in direction and we are seeing a lot more spear phishing campaigns and that’s where a phishing attempt looks really legitimate and is targeted against you then normally. Grabbing your e-mail details from somewhere, your username details and they’re then validating those against your website now. Often that’s by going to slash the rest API user endpoint and they are literally doing it, comparing the MD5 in your gravatar e-mail. Compare it to your e-mail to see if it’s the same so they can send you with legitimate details that say hey, log in here. So if you getting those sort of things two factor authentication is really super important. We are seeing some more bypassing of two factor authentication through user session. By checking. And so you meet those sessions where possible. It’s not a bigger deal as I think quite a lot of people make it out to me. I heard some. I’ve seen some statistics like 40% of all the WordPress hacks we’ve done this way. It’s like no cause we’d know about it if that was the case, but. It’s still an. Issue is becoming one issue. And the the third one is we still the biggest problems we’re still having is we need to educate people, so get. People to listen to this podcast. And and other podcasts and other pieces and come listen to us talk about this stuff and don’t. Go La La. La La it won’t happen. To. Me education is the only way we’re going to fix any of this. So.

And and by the way, the minute you don’t happen think you’ll happen to me. You’re letting your guide me down and it will happen to you. So keep being on top of educating yourself moving forward.

Sounds good.

Thanks, Tim. Somebody wants to find out what you’re doing, get a hold of you employ you has the best way.

If they come to timnash.co.uk, which is my website, you can get all my details. You can go find me on the various social bits though tend to be focused on either mastered on on LinkedIn these days, so I’m not a. Experiment person very much anymore. I’m doing depending on when this comes out, I don’t know. I am doing a workshop called confidently cleaner hat site in the 16th of July at like 1:00 PM. EST. So if you want to come along to that details on how to get yourself on the place on the website tinus.co.uk.

Thanks, Tim. Have an amazing day, my friend.

And you lovely to talk to you as always.


Similar Posts