Episode 455 Security With Tim Nash – Preparing For The Holidays
Show Summary
Rob Cairns talks to Tim Nash in their monthly segment security with Tim Nash.
In this podcast, they talk about preparing security for the holiday season.
Show Highlights:
- How to prepare.
- Scams and attacks on websites go up during the holidays.
- How to prepare your security for the holidays.
Show Notes
Rob:
Hey everybody, Rob, Cairns here. And today I’m here with Tim Nash doing our monthly security segment. How are you today, Tim?
Tim:
Hello I’m doing well. How Are you?
Rob:
Doing good. It’s, you know, you said it’s not totally sunny there. Well, I’ll tell you here. It’s rainy and drizzly, and I think you’ve sent some English weather to me as a gift.
Tim:
Well, enjoy it. You know that that is now. We’ve had our summer that that is what we have now till June next year.
Rob:
Yeah. Yeah, it’s. So true, you know, in Toronto summer ends when the Canadian National Exhibition is over and that ends on Labor Day weekend. And the kids go back to school, even though technically it’s not over for a couple weeks. We consider summer done, so they.
Tim:
It’s amazing how much more productive I’ve been this weekend and completely coincidental that it’s the week that the kids have all gone back to. School here as well.
Rob:
Yes, I’m sure I’m sure. So today we were talking before we went there and we thought we’d talk. Holidays are coming up right in the US. Thanksgiving is the big kind of started the Christmas shopping season, which is at the end of November. I do marketing as well and I always tell clients you better get your ducks. In a row. Now cause waiting till November’s too late. And I thought we talked about prepping security for the holidays and where you should go with that. Now the first question is if you haven’t started, should you be starting now or? When I wait for a month.
Tim:
Well, I mean, if you’re not, if you’re not doing something about the security now, then you should be regardless. But there’s some stuff you should be thinking about ahead of this. While I’m hoping that most people’s ducks are in the row when it comes to just general security, they’re securing their site. Especially if you need Commerce site, this is going to be the point where you possibly want to be starting that user education so that you’re not mixing your messages during your marketing season. So that’s a good starting point. There’s it’s lots of websites don’t have any sort of explanation of security or this, and this is a really good time where you can be saying, hey, we are never going to send you a random DM or with a link to a crypto scam or we’re not. You know, we’re going to enable, you know, this is how you use your two factor. These sort of things. This is where we see all these trust markers that we. Want to build up? Ahead of time, now is a really big if you were, if I was in fact. Personally, I don’t want this started way back a couple of months ago and this to be a continual thing. But yeah, building up a, a, a campaign around this idea of supporting users and security for your users is a really good starting point. And if you start back too late, you’re gonna end up clashing with your marketing material around the day. The other thing is that some of the security stuff you can do is not. Directly, you know it can be directly related to the testing you’re gonna be doing for your site. For example, I’m hoping somebody’s e-commerce site is gonna be fantastic, and you’re gonna get millions of customers. Or you might get millions of bots.
Rob:
Yes.
Tim:
Cool. This is the time for us to. Be load testing, yes. Because this way we can spot these problems ahead of times, whether that is actually and when we talk about denial of service attacks.
A lot of the HTTP layer denial of service attacks is bugs in applications that allow for an extended or a larger, either a bigger payload, IE the thing that comes back, or the thing you send to it can be made really big. Or something that can chew as much processing time as possible so we can make the CPU and the memory work harder, leave them and leave network connections open. Now these are all sort of things that you would find. And. Also causing problems for normal users, yes, and especially ecommerce sites are really bad at this AR really good example is filters on e-commerce sites notorious for being a nice place where you can. Set up a. Horrible little thing where you can add lots of different filters. And then as a bad actor, you can just hit that endpoint over and over and over again.
Rob:
And here we.
Tim:
Go. Yeah. And you’re down. But Google is just as likely, or Bing or any of these search engines are just. As likely or they use. It’s just as likely to hit these endpoints as well, because they might go ohh. I’ve turned on all the we’ve all met the user who turns every filter on because they didn’t realise that that how to get all was to not have any filters on.
Rob:
You were talking about, well, management, which on an e-commerce side, I think a lot of e-commerce people don’t do well. Should you be going to a web host that will automatically scale your plan depending on where your load management is and they just put the switch. Or do you think that’s?
Tim:
I mean, it depends how they’re flipping that switch. Quite a lot. Of sites, even hosts that say we auto scale.
That doesn’t mean it auto scales in real time, or even quickly. Worse, auto scaling probably comes with auto scaling billing. The last thing you want to be is in a scenario where you’re going. We did brilliantly. We got $10,000 worth of sales and then you get your hosting bill and go. Oh, $24,000.
Maybe a WS’s auto scaling set up with creating an infinite number of EC2 instances was a bad idea. Yes, this is less to be honest. That’s a a a bit of a A flippant 1 where you you find the costs get burning into our CDMS block storage units. Things like that normally actually your number of VPS’s or compute instances, you get a good idea in your head of of how much we’re. Pending, but if you set all of this just to auto scale up and it comes with, it will auto cost up as well. Some hosts though are really good and they will just scare you at least a little bit of a ramp before they come and say hi. Your site’s doing well. And to renegotiate that contract.
Rob
Yes.
Tim
And you want those ones because the last thing you wanna do is be costing your host money. Because if you’re costing your host money. They are much more likely to be looking at you as a problem, not as a. Source of income. They’re gonna treat you very differently. So you wanna be in a position where you’re that your host is treating you, wants to treat you well because you’re actually a good investment for them. You’re only too much of a good investment because that means you’re being ripped off. So you’ve gotta find that magical line between still being a good investment for your host. Uh, but uh, yeah, still having value for you?
Rob
I would agree with that. You know, it’s funny. I was. I was thinking about before this conversation about holidays and all that. And we know at holiday time the scammers go up tenfold because they know we’re all busy. I blame AI a little bit for this, but not totally. I’ll tell you that now I think. I think this the phishing emails are getting better because of AI. I saw a good one the other day. I’ll share with you. Somebody sent one of my best friends. An e-mail from the RCMP. The Royal Canadian Mounted Police that had the RCMP logo on it. That basically said, you’ve been summoned the corn and quick here. And this friend of mine was smart enough to pick up phone and say Rob help now. And I kind of looked at and.
Tim
Wasn’t the way you were a lawyer as well you add to your many hats.
Rob
But we don’t issue the RCMP doesn’t issue court. Something’s obviously by e-mail. So that’s the and I’ve got a couple of good friends who work for all Canadian police, mountain police and I very nicely took the e-mail one in. Communications at that and sent them the e-mail. And they’re like, oh, thank you very much. That’s the new one we haven’t seen. So they’re hoping that in our business, we get caught on this stuff, right. And I think we just gotta be more aware of holiday time and less work than less aware.
Tim
I mean specifically for a I I guess it’s aimed bit more larger ecommerce source, one of the things that perhaps we’re seeing more is that the as you say the attempts of phishing is getting better though there’s some interesting stuff around the fact that. Some phishing emails are deliberately backed. I I was, I watched the fascinating talk on the psychology around phishing emails and the argument is that if you make your phishing e-mail bad and obvious. Then the person who falls for it. Is much more likely to be on the line throughout the whole scam.
Rob
Hmm.
Tim
Whereas if you make a really good phishing e-mail, well now you’ve got people who you’re still gonna have the people who are alert in your pipeline. So you’re gonna. Have to work to weed them out, but a really dumb phishing e-mail that shouldn’t. People shouldn’t have clicked on and shouldn’t have got fooled. Someone that gives you the hey? Well, like these people. We can take them all the way, and so they don’t have. It’s like a an attempt. At pre filtering. Which is quite scary. This idea that you know and and. These are these, these. Are businesses and so they are just. Pre qualifying their leads with terrible things but. We are also seeing much better ones. And they see them for smaller and smaller niches. It I mean the amount of hey, your WordPress database needs to be updated that then takes you to a generic WordPress login form and you can not and I’ve seen a few which have targeted sites where they’ve also had the you know.
Rob
Or yes.
Tim
MHM. Even like down to the return to your site, link is correct. So if you did click on it you would end up going back to your own site and it pre populates your username in there because of course it’s pinned. It’s got it from the. Site in the first place. So there’s a lot of trust. Factors suddenly building into these things. Those sort of scams are easy to fall for if they are combined with some sort of pressure. Attached to of course. Updating your database. A common I say common, a scam that is that did the rounds a few years ago. I’m not sure if it’s still as common, getting contacted and being told this is your web host. Your site is offline. We need you to log in to fix it.
Rob
Oh yes, I’ve seen that.
Tim
And what the bad? Bad actor does. Is he literally set up a DDoS attack? On the site. So when you arrive on your website, it’s ideally down or really slow. And then you suddenly say you’re like ohh, OK, uh and they’ll say ohh we we we just need you to send the. Credentials. Might be someone on the phone saying just give us your credentials and they, but that’s how scams work. They they they need to have. They send you this something that looks legitimate and they need to stop you from. Questioning that and the best way to do that is pressure, pressure, pressure, pressure, pressure. You’re getting something in your like why am I being pressured to do this?
Rob
No question.
Tim
Whether it’s a telephone call, whether it’s an e-mail. A legitimate place will go. Yeah. No, no. Phone us back. Don’t worry. You know, go to our website, look at the telephone number, ring us back on that. It drives me mad that in the UK, banks will phone you. And then when you go and go. Right. We need some. Personal information. No, no, no. No. No, no, no, no. You, you, you rang me.
Rob
Yeah.
Tim
You validate you. I validate you.
Rob
Is this?
Tim
If you actually run any sort. Of phone line support. One really nice, actually simple thing you can do. To completely restore a trust net, work for phone calls. Have a effectively a ***** that is like 8 characters, 8 characters long, split in half and so that when somebody logs can log into your site. They log into their user area. They can see that ***** as a support thing. The person on the phone says. Here are the last here. Are the last four characters of that *****, bumper, bumper, bump. Now you tell me. The 1st floor bumpty bumpty bump you both can see the whole knot.
No, you know. That you’re talking, that’s you can’t guarantee it, but now you. Between you, you now have a actual handshake mechanism for a phone. Call for support.
Rob
Yeah.
Tim
Number of places that implement this always zero time. It will take to implement an hour.
Rob
I know.
Tim
Instead, my bank would like me to ask you would like me to stand on one leg tap my tummy, do things on my head while giving them my entire life history, only for them to go. So what is the animal that you selected 10 years ago? On our yeah, that’s like.
Rob
Ohh well.
Tim
It clearly was up beep.
Rob
And and I should tell you, Tim, I am the poster boy for having his credit card compromised way too many times. It has now happened for the sixth time since December 15th. As of two weeks ago, so I get all this bank stuff I.
Tim
That’s how, as somebody who has gone through many years of testing client e-commerce sites, yes, with a very small transaction.
I have learned very quickly to I don’t know if you have them in Canada, but here they rolled out year few years ago. Most big banks and most banking applications give use this idea of a virtual credit card where you can all choose a virtual number.
Rob
Don’t have them here. The US does, and the UK does. We do not.
Tim
These are becoming valuable because before this.
My card would routinely get compromised because. Some when I was doing some testing for some for somebody, my card details wandered off onto into the ether for these individual sites. That site gets compromised, my card gets compromised. Really. Yeah. Virtual card credit cards are amazing because you can just go. Yeah.
Rob
Yeah, mine has happened every month for the last five months. And I was talking to my bank the other day and I said the way this is going, you should just set up monthly to send me out a new MasterCard every month because. And and the problem is from a security standpoint, they refused to tell me where. And I always I’m sure it’s an online site. I’m paying a bill and I always say, but if you’re not gonna tell me where, then you can Courier me out. A new credit card in 24 hours at your expense because you’re not helping me. And yeah, and this.
Tim
I think this is again something that’s really only happening recently, but just this ability in your in your banking app to go, huh? As it says, active card check and you’re. Like, yeah. I don’t know why it’s gardening in. I don’t know. Peru. Uh, no, I I, I I don’t think that I want to deactivate that card check. Yeah. So that they they won’t do any further charges.
Rob
Now what I’ll tell you.
Tim
Things like that are starting to appear. But they’re going so slowly.
Rob
But I’ll tell you, in my case it’s not charges. It’s been in an area where it was compromised. So it’s just the banks have a tendency to invalidate cards in a high area compromisation. So that’s problem. But we’re talking about payments and we’re talking about going there on holidays. Is there a payment processor that’s better or worse than another in your opinion of handling e-commerce payments, stripes square, etcetera, etcetera? Is there somebody that’s really bad and should be stayed away from or is there somebody really?
Tim
Ohh, I’m sure there are plenty that I could say that are really bad. So first of all I would say you look for. Payment gateways over are not going to make you go through full PCI DSS, which means that you’re not. Basically, I’m not saying don’t do that because you don’t want security. I’m saying that because if you’re needing to go through that process, chances are that means you are collecting the credit card data. You’re. Health and posting that data to the to the merchant server. We we we don’t want the card to do that. So you want something that has a good iframe based implementation or it has a good redirect implementation. I feel a lot of what I do. I do. You strike. That’s convenience. I don’t. Don’t think they are the greatest by any stretch. I think they. You. They it. It’s interesting to watch. I’ve been involved in payment gateways for.
20 odd years and it’s been really interesting to watch. Development, I mean nearly it must be nearly 20 years ago, was the first. There was a payment company called Braintree, which now we’ve bought out by PayPal. But they were the first to really come home, come with this nice I frame implementation and they had some really clever ways for subscript managing subscriptions. And they got bought by PayPal and it was just like.
Rob
Why I know.
Tim
And this was at the time that, like PayPal Pro was around as a thing. That was like sort of like a proper payment game. It wasn’t really. And outside of that, you had some weird little esoteric payment gateways. All bank merchant banks doing it. Now you’ve got lots of options. Uh. But we seem to be coalescing around things like strike. There are few few alternatives. I have a really good friend, Aaron, and he runs a if you’re, if you’re looking for a good WooCommerce payment gateway systems, he runs a payment company called We RG. Sorry, he runs a. Plug in pay payment, plug in company called we RG and he’s bought some of them really big. Merchant banks that have a good set of controls. So that’s people like Barclaycard, Lloyds, there are and a few others. I really recommend their plugins over and certainly I’d recommend those plugins over a lot of the ones that I’ve seen. Implementations, not just vary by the by the payment gateway implementation, varies by the plugins, yes, and there are some terrible WooCommerce pays. Plugins. So if you’re looking at a WooCommerce payment plugin that’s not written by a specialist payment plugin company, I would not touch it with a barge pole because there are so many little. Things you have to. Do and. I’d also say I probably wouldn’t touch the inbuilt woo woo commerce stripe. Gateway because I’ve had a look at it, it’s not terrible. It’s not brilliant. There are much better versions out there. Yeah, it’s interesting to see people who are also layering. Basically using stripe underneath, but then they add their own white labeling on top of. Which gives you some interesting payment models.
Rob
I have preferred in my business. I don’t use stripe and people look at me and say you don’t and I made a decision a long time ago to settle with square of all people. And that’s Jack Dorsey, who founded Twitters other companies and. I’ve actually been pretty happy. I should tell you from a payment gateway perspective. As a merchant, I stay away from PayPal as far away as I can as a consumer will use it if I have to.
Tim
See I I I think it’s really interesting that having worked on both sides and that a bit of a disclosure I’ve done PayPal, I’ve been quite influential in my actual career. Yeah. They, I, I I was involved with several events that they ran and I went, I spoke at PayPal Innovate Conference in San Francisco like 2012. So you know they they flew me out to San Francisco. They gave me a laptop, they they treated me well. They they do some good things and they do some bad things. As a merchant. As long as you really understand what you’re doing, PayPal is a not a, not a terrible business model to be in. They do have relatively good protections as a buyer. PayPal is probably one of the best in terms of hey, I’d like a refund. Because you have two layers attached to that you have hey, PayPal, I’d like a refund. No, fine. Hey card issuer, I’d like a refund and charge back. Ohh, what’s that? PayPal you suddenly want to? You certainly want to give me that refund. No worries there. So in terms of if I’m a buyer and I see PayPal, that’s not that though interestingly, I have shifted much more when where you see buttons for PayPal, you quite often see buttons for Apple Pay and Android Pay Google Wallet. Yeah, well, Google Wallet, is it? That’s what it was. Yeah, Google Wallet. You can tell I’m. An Apple user, can’t you?
Rob
What do you think of those?
Tim
They have some convenience factors that make them useful.
Rob
It’s on your phone, yes.
Tim
It’s on your phone. You can actually use Apple Wallet and not not be on your phone. You can do it through using your your, your Mac or I don’t think you can use it on a PC, but there are opportunities for not, isn’t it? Here in the UK, contactless is. Default for small to medium transactions and has been for a long time. Yeah, so we, you and I I think it’s much more certainly comparative to the US.
Rob
Here to.
Tim
Things like Apple Pay are much more commonplace. You see them.
Rob
In Canada.
Tim
Nobody blinks if someone’s using Apple Pay or.
Rob
And candidates about 5050 so.
Tim
Yeah, yeah. But obviously you are now what, carrying around really expensive. Thing that has your, you know probably probably password manager on there as well. So this the your phone is becoming like this centralized hub of everything that can get possibly go wrong and when it get yeah and. In case of some of the payment methods, you don’t even need to be logged in to be able to go and bump it. Yeah, similar with a. A watch, you know, but the watch is most of the time they can just tap and pay. I mean, that’s not enabled on mine. Well, I can sort of see the convenience. But I’m not sure I wanna lose at at. At the moment a the banks will refund that. If you and if they’re.
Rob
At the moment is the keyword, yeah, so.
Tim
At the moment I feel relatively. Comfortable using using apples things like. That Apple Pay but. I think long term when the this was something that happened here, was that to incentivize contact. The banks effectively assume the risk for the for the for the businesses.
Rob
For the business, no, no, no question I did. I know I carry. I use a Pixel watch because I’m an Android user and I do not have my Google Wallet on my watch. I do on my phone, but I don’t own my watch. And yeah, Android Google Wallet has just changed that. Every time you open Google Wallet. You must enter in your cell phone pin number again. As an extra level of security. They just made that change in the last month and a half, which is better than nothing. One of the reasons I. Use Google Wallet. I’m a transit rider and my transit. Debit card that I put money on is in my wallet because Rob has a tendency. If he doesn’t do it, I leave it at on the cute keyboard. After I put money on it at home and that doesn’t do me any good. But I agree with you. Our phones have become. Potentially a security nightmare because they’re the hub of everything we do. Your banking is on there, your password manager is on there. Your contact list is on there. Do you want me to?
Tim
Keep going. Yeah. No. Well, I mean, for for most people in the UK, your health data is on there because, yeah, during COVID, there was a really big push to get. A COVID app on there which.
Rob
My name is Annas.
Tim
But. And as part of that, people would then go up to that. Hey, did you know that the NHS has an app that’s really useful? It’s really useful. You know, this ability to look out. Ohh. I have a doctor’s appointment or ohh. My blood tests are in. I can go and have a look. But that usefulness comes.
Rob
At a price.
Tim
Yes, and and and. That cost is gonna be.
Rob
Of course.
Tim
You need really robust controls on your phone.
Rob
Yeah.
Tim
Yes, you know. Right down to and and. Our next sort of big battleground is going to be around convincing people that, hey. You can’t be allowed to turn off the security features in your phone. Yes, it’s that’s your life. Is your your life is your phone. We’re getting close to that point, and that’s terrifying.
Rob
A friend of mine, a friend of mine. I was in the clinic. I go for wound care. Cause as you know, I have a wound and I was in there the other day and when the nurse was was picking my brain about security. You. Those I I do a lot of that and she said Rob, isn’t your phone your life? And I said exactly, it’s not like the days when you carried a palm pilot and a phone and then and then and then it’s all there. So if I’m gonna walk out of the house with. One thing. It’s not my wallet, it’s not my laptop. It’s not my iPad. It’s my phone, right? Yeah.
Tim
One one of the most liberating things over the last few years, especially as I know worked for a an employer, has been actually slowly being able to strip some stuff away from my phone. Like Ohh e-mail.
Rob
Yes.
Tim
Social media I. Getting getting rid of some of these things has been really nice from a personal perspective, but also from a security perspective because. Having 80, your phone is often protected by your face, your thumb or a four digit code. Mm-hmm. Now if someone puts a gun to your head, you’re gonna point. Put your face where they tell you to. If someone’s gonna do that with your or your thumb, you’re not gonna. You’re not gonna have it. So and your 4 digit code. Let’s face it, you’re gonna give it up the second. So you are gonna people who are who are mugs.
Rob
Yes. It’s.
Tim
It’s give us your phone. Give us your pin. Number yes. Yeah, and they’re.
Rob
Yes.
Tim
Smart enough to double check it before they they.
Rob
Of course.
Tim
And so and once that’s happened, that’s your life gone. Unless you you can get to a point where you can log in to Find My Device and be able to see.
Rob
And by and by the way, if they get access to your phone, they probably got access to your SUV outside because it’d be silly enough. Not my mother, cause I wouldn’t let her do it to use her phone to start and open her SUV.
Tim
Well, but I mean, your SUV maybe, but certainly if your emails on there or even if they couldn’t get into anything they can sure reset everything.
Rob
Yeah. Yes.
Tim
Yes, cause where does reset passwords go there we go to that e-mail. That’s sitting on. There, even if you so even if you have extra biometric security levels on things like your password manager or. No more. Do you want your e-mail? I wonder how many people have an extra password sitting on their e-mail on their phone. I imagine that they could. We’re gonna be. Small percentage.
Rob
Of. But what? What would you do if I told you that my password resets do not go to the e-mail on my phone and they go to another account that’s specifically reserved for signing up stuff and sits on my laptop at home?
Tim
I would be slightly proud of you until I’d start digging into exactly how you.
Rob
Thank you.
Tim
Had that but. Generally that’s I think having a dedicated account for signing in and signing up is not is a good idea on but separated away, especially one that you obviously can then segment out.
Rob
That’s a conversation for you. Yes.
Tim
Vigilante. So you know, with plus or plus your whatever the site name is or whatever, yeah. Or if you’re using something like fast mail will give out like aliases.
Rob
I use fastmail and I love fast mail. I’ve used fast mail for almost a year, and from a privacy perspective. One of the things that sold me on fast mail was you can set up rules in the smartphone app, believe or not, not even security side of it. I knew they were good for that, but you can go into the app on your mobile and set up rules. On the fly. And that makes my life like are you a fascinator user, Tim?
Tim
I do for one of my accounts. I’m I’ve been slowly but surely spending my. What feels like years, but I’ve only been trying this for two years to to get my business side away from Google to Google basis.
Rob
Yes.
Tim
But it’s a. Hard drug to get yourself away from.
Rob
And for postal, it’s a harder drug if you like photos, I’ll tell you that now.
Tim
Thankfully, I never used Google Photos, so I was, yeah, so thankfully that’s not. I’m not in that position. But yeah, just general.
Rob
He’s talked about that.
Tim
The trying to Dego is a business. It’s quite a complicated thing to do, especially if you’re you do have like external collaborators and just a load of stuff on there and.
Rob
I have I have a tech 9 phone, yeah.
Tim
So do you use someone like? Oh no, they’ve gone out of my head. There’s one of these sort of enhanced Android OS’s. Or do you use? Stock I.
Rob
Are you?
Tim
Stuck right on that.
Rob
Stock going? There no stock. Yeah, I do. I’m lazy, so going back to getting ready for the holidays. OK, so we’ve talked about what the individual should do and one thing I want us to want to fully move on is. If you’re single. Be really, really careful. The romance scams with this time of year, everybody’s single people get only they’re increasing greatly. I was listening to an ARP scam podcast the other day about romance scams and the whole days. Just be careful.
Tim
I mean, I think we should just probably broaden that to everybody. If you’re not single. Because the life choices instead.
Rob
Yes. Because you’re you’re being fair. Yes, because they seem to go way up at this here. I mean, way up and. You know, and if you’re unsure or call somebody, call your friend, call Tim. Call me like, really ask because I get calls every day. I was saying to you before we went there about calls from friends and I get a call almost every day saying what do you think about this? What do you think about that? That and at least. These people are smart enough to say hey. I need to put the brakes on and talk to somebody who knows what’s going on out there and that would.
Tim
So every day pretty much around 10:00 in the morning, I will get a phone call and it’s a phone call from a an automated AI voice. It’s it’s getting better, but I I’ve been tracking it’s improvements telling me about my daughter who is currently in a Spanish jet.
Rob
Well.
Tim
And that I need to she wants me to get in touch with her and that they are. They’re they’re gonna put me in touch with her. They’re bearing in mind that my daughter is at primary school and is not wandering around and staying. So it’s it’s one of those. Things that you’re not going. No boy can move back to the before we were saying these things rely on instant. Adding of pressure.
Rob
MHM. It’s.
Tim
Gonna be somebody who? Their family, their their kid, went backpacking in Europe and they’re like.
Rob
Yep.
Tim
Are they in Spain? They might be in Spain. Oh my God, they might be in jail and they need to do that once and get enough enough of a percentage through. So it’s Just Dance daughter.
Rob
You know my answer to that. What’s the family password do you have? And if you don’t have that password, go away. That’s my answer.
Tim
I mean that there will obviously be. Terms where that could go badly wrong.
Rob
Yeah, but generally for some stuff it’s a good idea.
Tim
Yeah. Are you having a I I also just having your family. You know, even if everybody’s listening to this is going, I will never fall for this. We’ll look at your family and around you. Will they? Yeah, and and as part of that reinforcing for them. You may find you learn things you might end up finding that actually it’s. It is easy to. Be fall for. It I’ve had colleagues fall for scams. I’ve had colleagues fall for phishing emails that I’m there going. You know who worked at web hosts? With me going.
Rob
I know.
Tim
But why and why not legit? It’s like it doesn’t. There’s no way this looks legit. What what’s legitimate about this? You know, it’s like they’ve spelt this wrong. They’ve got this here and it’s like, and this organization doesn’t exist. Well, yeah, but it looks all right.
Rob
I doubt. It’s. So going back to the whole, so we’ve talked about prepping yourself as an individual, which is good and we’ve talked about payments, which is good and going back to the whole web thing, we’ve talked about DDoS attacks cause they go up at this time of year. Lucky us, they certainly go up around Black Friday in the US we’ve seen.
Tim
Ohh yes.
Rob
Over the years, I just shake my head. Every year I sit around Black Friday and I watch my phone ring every year. It’s like, can you help with this? Can you help with this? Can you? With this it it has hit the point where I have implemented special Black Friday pricing to help with stuff and I’ll tell you that pricing goes up not down. Because that’s the way it is, you know, and and we’ve talked about that. Is there anything else? If you’re playing on the web or have a website, especially commerce, that you should be doing specifically for the holidays that you shouldn’t do any other time of year?
Tim
So I mean, I’m not gonna necessarily say specifically for holiday because I do think most things we should continually, yeah. Couple of things to be keeping in mind that’s gonna be coming up. You’re gonna find that you’re gonna be. Yeah. Things like the amount of ransomware attacks goes up because there’s nothing like holding someone to.
Rob
So.
Tim
And some of the biggest on the busiest day of the year. Yeah, they’ll they’ll pay. So things like making sure your backups are in perfect order is at a critical moment for fighting ransomware. You’re gonna find that you will just see this increase in traffic and that’s the key thing. So anything you can do to make sure that your traffic is simplified, this is where I would be going. OK we want to make the simplest process flow possible for our users. Anyway. Way. So this is the time where I’m I’m really sitting there encouraging people like, hey, you know that really fancy personalization super duper wonder feature that you’re going to implement that’s going to save your company millions of pounds and do all of this yet get rid of it? Yeah, because you want your payment flow to be as tight as possible, so there’s no opportunities for any problems making sure that anything like if you have any sort of JavaScript that you are that’s remotely being remotely called on a payment flow page that’s opening up problems and that can be anything from translation. Software accessibility helping stuff. These are all things that you need to sit there and go. Do we need this? On the checkout flow. And the answer is should be in 90% of cases. No, we probably don’t, in which case take them off. If it’s, it’s probably too late to be thinking about things like content security policies. Be great if you were, if you. Already had them implemented. But your marketing team is likely to have said, hey, we. Want to have? We want to track goals and so we’re going to install this brand new. So you need to be thinking about oh, freezes now to stop that happening. And if you’re starting to thinking about how you’re gonna. Check conversions now. You’ve probably doing that too late.
Rob
Probably to it now, cold freezes. Interesting question. We know and I don’t know if you’ve heard rumblings where press 6 point 2.2 is gonna drop shortly after we record this podcast right next week. And we know 6.3 is gonna drop in November right in the middle of the Christmas holiday. Now I’m an e-commerce site. Do I do that update or do I not?
Tim
Ohh see this. This happens pretty much every year.
Rob
Yes, that’s why I’m asking.
Tim
It’s it’s a very frustrating approach and normally I say it’s happened every year quite often we do get a life reprieve because somebody finds a bug that or something gets pushed back. So we normally that RC releases it it it happens over the sort of Black Friday period and it normally gets pushed into the first week of December. But yeah, should you update? The biggest problem we have at the moment with WordPress in terms of update. It’s is that. For all of. Saying all automatic updates, update, update, update, update. We bundle security releases in with non security releases.
Rob
It’s a problem.
Tim
And consequently, I can’t tell you not to update, because if there’s a, if there’s a security issue, they will and they bundle that in with a minor update. But with something else you you have to update that to a security release. I think that that. Is my golden. Rule. If it says the words. If it’s a security release. You have to update.
Rob
Mine. Mine too. Mine too, to the point that if the security fix is in an update, a lot of people hold those back 24 or 48 hours. I don’t and I manage 375 websites and county from a security perspective, I tend to roll them right away because the bad actors go in and figure out what the security fixes. Alright. And they go and exploit them right away.
Tim
Normally what happens is when we get a major release, yes is that. That might come bundled with a security patch, but they’ll also release a minor release of the previous version.
Rob
No questions.
Tim
I’m happy when that scenario to hold onto that minor version.
Rob
Oh, I agree.
Tim
For the for the little bit of. Time. So I’m sort. Of happy with that. That’s like would I update? A to the latest version of WordPress, my biggest client e-commerce site the night before actually for me, yes, I would, because I know that they have a full suite of tests that. We can run. That they put that their the system will system will not let them update unless it passes those tests and I’m confident in our testing. Question. So for me, yes, what I recommend it to a client who I don’t who doesn’t have that and I don’t know how they’re. Doing their testing. Probably not. I’ll probably be they’re going. Holding your horses. Are you sure you wanna do that? But the vast majority of people will be absolutely fine. The amount of effort that goes into WordPress core to stop backwards compatibility issues. It’s pretty phenomenal, really when you think. About it, yes. So you probably are absolutely safe to do so. Personally, I would. I I I don’t like updating things without testing regimes in place of some sort. But if your current testing regime is you go into your website and going ohh yeah, that’s fine.
Rob
I agree.
Tim
Well, then you might as well just update anyway, because it will look fine.
Rob
No question. We talked a little bit about updates. I’m gonna go down the road of going into the holidays and watching form plugins. Because we know lately form plugins have been notorious. I. I think I was reading the other day. Isn’t there another bug out with gravity forms and I won’t even tell you what contact form 7 is worth and the gransky you’re bringing. As I say it but. That would not be on one of my websites personally, but. You gotta watch. Your form software going into this time of year, I think even more so
Tim
I mean the. Thing about a form software is it’s it is by its very nature. Yeah, putting something on the front end for a bad actor to put inputs into, yes. So we when we talk about threat or attack services, an attack surface is something that.
Rob
Yes.
Tim
A bad actor can use or manipulate.
To do something now, if you don’t have any forms on the front end, there’s very little things for for bad actors to therefore manipulate. If you put a form there, well, OK, now each field is something to manipulate. The form itself is something to manipulate the end point that you’re pointing it to is somewhere. So forms have a really form. Plugins have a really important job about how they secure their endpoints, and they do this to a varying degree. Most of them, however do a semi competent implementation and nearly always with the bigger ones it is the. Other plugins that work with them or extend them tends to be the causes. You don’t find the big form plugins having. Too many issues though they can do. There’s nothing to prevent them from them. You know, there’s no such thing as when you the sort of scale of something like gravity forms or to a certain contact form 7 though, it’s a much smaller plugin or ninja forms or.
Rob
Forms there was the other one that was compromised recently.
Tim
Yeah.
Rob
That, that, that. Sort of that sort of scale, those core plugins, they no one’s gonna say they’re bug free, but they’re really robust where they they where it falls down is that they’ll have a. Extension that sends your data to Bobs site and that extension will do something silly that will overwrite something that will cause these problems so much like we’re when we say we’re press itself, WordPress core tends to be very secure, it’s the plugins and themes that are at fault. It’s the same with the male flow for with the male forms, with the with forms plug in. That on the whole, they tend to be alright. It’s the things around them that tend to be an implementation, especially if you’re implementing your. If your boss has said no, I don’t want the look of that, I want you. To restyle it all. And you, you end up doing something where you like completely build the form out yourself and then you’re. Posting it into the yeah, I’ve seen some horrible implementations of things like that.
I’m I’m sure. So you have, you know, I think it’s just about a lot of it and we’ve talked about this before. It’s how you do things, your processes and whether you trust the vendors and the plug in companies and the person doing your update for you to do a reasonable job. And and by. The way test your restore for your backups. Right. I mean that’s.
Tim
I mean, let’s let’s. Start with a simpler 1. Let’s start with backups. I I I I’m very much of. I I like my minimums. So it’s like, what do I consider a minimum? Let’s start with a backup. OK, now we can see. Do we have a backup? I mean, can we? Is there something in that backup? Brilliant. Then we can get to. OK. Can we restore this backup? And to be honest, it’s only then that it’s like now. We have a backup. Yeah. Till that point we had. It might be a.
Rob
I agree. Backup, who knows?
Tim
But yeah, I think we need to be rolling this down to. Because there are still. Plenty of people who don’t maintain their own. Backups.
Rob
No.
Tim
Who are actually really. I had a client the other day. Who? They they went to restore the backup that their host provided, and they loaded a different website.
Rob
Yeah.
Tim
It was for that the host had screwed up on the back end. And uh, they got a random website on the host network to restore.
Rob
That is a good one.
Tim
And so obviously they sent that back saying. This is a problem and the House realized that they’re hashing the way they’ve done their hashing. They didn’t know what any of these sites was.
Rob
Oh.
Tim
So that basically people would just restore rouletting.
Rob
I had a a former client recently. A year ago she got hacked and the first thing I said is, do you have a backup? Well, yeah, we have backup installed. Wait, where is it? But we don’t know what we don’t know what Google Drive we sent the backup to.
Tim
No.
Rob
Yeah, and and it was like. So and I was very handed with him and I said, you know, you don’t have a backup. Ohh yeah. We have 1. So where is it?
Tim
I mean it’s a very secure backup. Yes, you’re funny.
Rob
Anyway, it’s so yeah, I agree with you. You got to start there. There’s a reason major companies do backup and recovery weekends and test all of that stuff, right? I.
Tim
Mean they? Yeah, I mean. And if you can get this into a cycle, which again is automated, if you see, that’s if you if you control your infrastructure then. One of. The. Key benefits for me of managing my own infrastructure is that ability to say. Actually I can. I know all my. Backups work because I test them. Because they are in use constantly.
Rob
I can tell you mine are all work because I test them too on a regular basis. I just.
Tim
By using them rather than they, that really is the only way I think you can truly. I mean you can open them up and look at them. But so yeah, in both of our cases by using them every day, yeah, we’re guaranteeing that, hey, we have these backups. We’re using them. We can restore from them. We can test with them, we can. Test against them, yeah.
Rob
Is there anything else that a site owner should really do going into the holidays? I know I know a lot of it overlaps what you should do every day, but is there anything that comes to mind?
Tim
Well, let’s take this as. An opportunity to audit our admin users.
Rob
Yes. Please.
Tim
Password policy in place. In fact. I mean, if you, well, NIST doesn’t have a standard. NIST guidelines no longer include password recycling. If you haven’t maybe done a password, recycle it in the last 5-6 years or wherever you’re setting it to. This might be the opportunity to say, hey everybody we if your password was, you set your password back when you thought that Princess 123 was strong. Would you mind you know, OK, we’re gonna just manually. Also, everybody know? But yeah, getting your getting those sort of, uh, this is also a good opportunity. Like OK, we know that things like that number of malware infections increases. We know these sort of things. So lowering our the the length of time for our sessions, this is actually good for our side of things as well. Reducing our session times down so that you know the amount of time you’re logged in is limited, but and you have to re log in regularly, but that will help with things like cookie stuff being in cookie session hijacking. Targeting your admin users and your site management users now means that you’re not going to have to do it on the day. Making sure you’ve got 2 factor enforced and enabled now. Yeah, and people are used to doing it because they need to be able to do that under pressure. And so if you say ohh no on the you know the on the 1st of November. We’re like, right, we’re implementing 2 factor. It ain’t getting implemented. It’s just nuts, but if. You do it.
Rob
Love you.
Tim
Now you probably have time to be rolling this stuff out on that, monitoring all the usual good stuff that we talk about all the time, but this is the time to be doing your audit, your checks, everything through.
Rob
So.
Tim
Leaving it till last minute, especially if you’re launching a new site and then around Black Friday.
Rob
Yes.
Tim
I wouldn’t be. You wanna be testing stuff now? We wanna be doing. We wanna be doing our audits. We wanna be doing our checks now.
Rob
And may and maybe launching that site on Black Friday is a bad idea to start with. I mean, I I have a client who’s about to launch an e-commerce site with 2000 products and we’ve held that launch off till January. On on purpose, it’s ready to go. We’ve held it off. We do not want to near be near the Christmas shopping season. It’s just not happening.
Tim
I mean, there’s obviously the weighing up of those opportunities between. The the the potential for a great season, but there’s also a potential for great disaster there. So weighing that risk up and weighing up the appetite for the company.
Rob
I agree with you. Jim, are you working on any? On another note, do you have any more workshops coming up that people should go see or your weekly guides on LinkedIn or anything else going?
Tim
On. Yeah. So I got a couple of things I’m doing at the moment. In October the 31st on Halloween, I will be at WordPress, London, which is a monthly meet up. Yes, but we are trialing something and on the after morning and afternoon of WordPress London, we aren’t doing a very PLD N master class.
Rob
Ohh boy.
Tim
And it’s all gonna be on a really fascinating we what we what we do is we get people to come along to an in person work. And uh, the the folks who run a PLD and said make it super interesting. So I said right, I know exactly what I’m doing. And they were like, oh, is it gonna be a scary tech? No. It’s gonna be on risk management and assessments. Love that Mia went risk. What was like. Mm-hmm. But it’s so we were. Doing our workshop all about how you. It’s a WordPress website. How we manage that risk? How we assign risk, how we calculate whether or not we’re willing to let something pass or not pass, and what mitigations we’re gonna put? In. Which sounds dull, but I promise you it’s really, really fun and it will be really fun because it’s me and you get me for like 5 hours of me. And that’s quite intensive. So we’re gonna give them lunches and everything. So that’s at wpldn.uk slash. 1st and every couple of weeks from now through September and October, I’ve I’m maybe I’m beyond, but for now, September, October, I’m going to be doing a live on LinkedIn. So if you don’t follow me on LinkedIn, you know it’s linkedin.com/in/T dash and you can see when I go live. Really doing covering all sorts of little interesting subjects that just appeal to me, but I’m also going to do couple of plug-in reviews where people I asked people a few months ago. Hey, give me your plug in and as long as you don’t mind me. Saying not pleasant things about it necessarily live and they were like and loads of people gave me their planning. Said please because you know there’s real value in getting that that sort of security review. So we’ll do a mini code. Reviews we’ll do. A full one, because that’s that can be days of work, but we can have like go through a little bit of code and I’ll be just talking through what I’m looking for. What? When I’m doing manual code reviews, I’ll also show off some of the automated tools I use. So that people. See a little bit what I. Do because I I think a lot of it. It sounds really complicated and scary and I want people to. Sort of. See it and. Go. Ohh actually that just looked laborious and boring.
Rob
Yeah.
Tim
That’s why we hate him.
Rob
They don’t understand. As a side note, when you do code inspections, do you do them on your main machine or do you do them in a virtual machine to protect them?
Tim
Ohh and it it sits on. A nice little virtual. Machine.
Rob
I’m sure you do.
Tim
I have. I have a nice little testing rig, but it is set up for doing all sorts of. I have several. Testing rigs depending on whether I’m doing a code review, whether running a website review and then I have a whole dedicated machine for. The hacks where I know it’s compromised and it sits in the corner, but they they they vary cause obviously a code review has very specific tooling around it. A website review is sort of much more strictly controlled because. When people ask me to review their website, sometimes it’s because they want to have improvements. Sometimes people are not the most honest with me and will say we’d like to review to review the site. Well, that’s code for us, we’re pretty sure. We’re hacked, but we.
Rob
Yeah.
Tim
Don’t want to admit it, but if you find it, that’s fine. So I have that middle machine and then I have. Yeah, I actually. So those are virtual machines and I have a physical machine which is the these sites are hacked and compromised will deal with these separate. So I can literally just put it away far away from my actual machine.
Rob
And what’s your website again, Tim, just for?
Tim
So my website istinas.co.uk. Sometimes it’s up to date and sometimes it’s not, but at least it will link you to things that might be relevantly up to date.
Rob
And while you’re there, get on the time’s newsletter. It’s worth a read. So Ohh thank you. You’re welcome. And you have a wonderful day. And as always, thanks for joining me, my friend, you.
Tim
PocketCasts
Radio Public
Spotify
Stitcher
Apple Podcasts
Amazon Music
