Think Like a Hacker Episode 101

Episode 101: Supporting Remote Students with Free Site Audits & Cleanings

Wordfence announces a new program offering free site cleaning and site audits to public schools in the United States. We talk about why we’re offering this program and how to help schools take advantage of it. We also talk about the growing prevalence of WordPress as a content management system and how the incoming administration is using WordPress. We also talk about two unpatched Windows 10 denial of service vulnerabilities, a breach affecting over 1.9 million Pixlr users, and phishing kits exposing stolen passwords via Google search.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:30 Announcing Free Site Cleaning & Site Security Audits for K-12 Public Schools
3:49 Preventing Carding Attacks: Thwarting Credit Card Fraud on WooCommerce
6:49 WordPress Powers 39% of the Web; Biden Administration sticks with WordPress
9:21 Windows 10 Denial of Service Unpatched Vulnerability
11:14 1.9 Million Pixlr User Records for Free on Forum
14:40 Phishing Kits Expose Stolen Passwords via Google Search

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 101 Transcript

Ram Gall:
Hello, and welcome to Think Like a Hacker, the podcast about WordPress security and innovation. I am Ram Gall, Threat Analyst and QA Engineer at Wordfence, and with me is our Director of Marketing, Kathy Zant. Hi, Kathy. How are you?

Kathy Zant:
I’m doing great, Ram. How are you? Welcome to 2021.

Ram:
I know. It’s pretty exciting. This is my first podcast this year.

Kathy:
Yeah. You’ve had a bit of a break, almost a month off from podcasting. How did you ever survive?

Ram:
I don’t know. I missed it terribly. I did. It’s fun to get to chat with you every week.

Kathy:
It is a lot of fun. I know we’ve been keeping you pretty busy in threat intel. Every time I wake up in the morning, it’s like, “Oh, well, Ram’s going to have a busy day today.” It’s been a busy start to this year, hasn’t it?

Ram:
It has a bit, yeah. I know that you’ve been working on some pretty impressive stuff lately, too. What’s this I hear about site cleans for K through 12 schools?

Kathy:
Yeah, yes. This is an interesting little offering we have. Obviously, in the past year things have gotten a little crazy with the world and education in general because of the pandemic that has hit. A lot of schools have gone to remote learning and are leveraging technology, including WordPress, in order to connect educators with students. And because of that, we wanted to do something to help some of these schools. A lot of them have been financially strapped and challenged because of these new challenges that are on their plates, and they’ve had to ramp up into a new mode of education. So we wanted to help, and the best way that we can help is to provide services to schools. So we’ve limited it right now to public K through 12 schools in the United States. That may change in the future, not sure yet. We’re just launching that now.

Kathy:
So if you are an administrator, a teacher, even a parent and your kids are in a K through 12 school, and that school is using WordPress, we want to help you. We want to ensure that your students are safe, that malicious actors are not targeting schools that may not have security personnel on staff. So we’re helping you not only with cleaning up hacked sites. If you have a site that has been attacked and has malicious code on it, we will help you get that cleaned up and get you secured with Wordfence, but we will also help you with some proactive security measures, namely security audits.

Kathy:
Now, security audit at Wordfence goes through almost 60, I think it’s about 60, different factors that they look at in a WordPress site to look for any types of vulnerabilities, any security best practices that aren’t being followed. And we basically become the security expert for your school to make sure that your school’s WordPress website is as secure as it can be. So it becomes an educational process, not only for those who are using WordPress, but it becomes a process for everybody at the school. So that kind of trickles down into the classroom, and we think everyone should learn more about security. What do you think, Ram?

Ram:
I think that educating the educators is a great way to go about things.

Kathy:
I think so, too. We like to give back where we can and obviously, we can’t help everyone in the whole world, but we think education, especially public education, is incredibly important, giving opportunities to everyone. So we want to help those educators and help those institutions. So if you want more details, there’s links in the show notes. If you know of a school that could use our help, please definitely send that link to them. We would be happy to help them right now. There’s just a queue and we will let you know where you are in that queue, and we’ll get to work helping you get secured. So, that’s the deal with that. Now I wanted to talk to you, Ram, about our next… How’s Wordfence Live going? That’s been a lot of fun lately, hasn’t it?

Ram:
Well, yeah. Well, speaking of educating our users, we have been doing our weekly livestream on YouTube. Next week’s is going to be pretty exciting. We’re going to talk about WooCommerce security, and specifically we’re going to talk about carding attacks. Now-

Kathy:
Carding attacks. What is a carding attack?

Ram:
Carding refers to more or less the entire process of stealing credit card data and testing out those credit cards to see if they can be used and using it to purchase stolen goods. And as you might understand, if you’ve got an e-commerce solution like WooCommerce installed on your site, any step in this process is probably a concern for you.

Kathy:
Definitely, and especially with the challenges of everybody working remotely. A lot of people have lost their jobs in the last year, and so their side hustle has become their main hustle. And a lot of that is using things like WordPress and using WooCommerce in order to get e-commerce set up and going. So a lot of these people who are rather new to the e-commerce space are dealing with carding attacks. So we want to help people who are using WooCommerce, and there’s millions of sites using WooCommerce, understand where these attacks are coming from and some strategies to cope with them. Did you have some statistics on how many attacks like this are actually happening?

Ram:
So these statistics are actually from the FTC and these are only self-reported statistics or reported by law enforcement. So this is really only a drop in the bucket, probably, of the actual number of attacks. But apparently in 2019 there were 650,000 reported identity theft attacks, $325 million lost in fraud via website. 135 million of that was credit card fraud. But again, a lot of this information is self-reported where people just say, “I lost it on a website,” but they don’t necessarily specify the method, or they say, “I lost it via credit card,” but they don’t necessarily specify how. So either way, it’s a big, expensive deal, and that’s just with these limited statistics.

Kathy:
Yeah, it sure is, and it’s only going to get bigger. So we’re going to dive deeper into this. This is just a taste of why we’re diving into this next week on Wordfence Live. So if you’re running a WooCommerce site or if you know someone who is, send them over to Wordfence Live on YouTube, there will be a link in the show notes for that as well, because we’re going to show you how you can make things very difficult for cyber criminals who are doing carding attacks. That’s our favorite thing to do, make things difficult for the attackers, right?

Ram:
Yes. There is no such thing as perfect security, but if you make it hard enough, if you make it difficult enough, if you make it enough of a pain, then all the attackers who are motivated by profit, which is pretty much all of them these days, are going to find an easier target.

Kathy:
Definitely. Well, we had an article that we saw on Search Engine Journal talking about how prevalent WordPress is these days on the wide interwebs. What’s the number now, Ram?

Ram:
WordPress is a fairly dominant content management system. I think it was 35% of all sites on the internet last year. Now it’s 39.5% of all sites on the web, and it is 64.1% of sites with a content management system or CMS. That is to say that it’s almost two thirds of all the sites that weren’t basically coded, built from code rather than in a site management system.

Kathy:
Well, every site is built by code, but who’s throwing all that code together, I guess is the question?

Ram:
That’s really what I’m saying. It’s two thirds of the sites that weren’t custom coded.

Kathy:
Gotcha. Okay, great. And there’s a new site out on the web. Well, it’s an old site for a new site.

Ram:
It’s a site that’s been around for a while, but it’s using a new CMS and guess which CMS. That’s correct. Whitehouse.gov is using WordPress.

Kathy:
It is using WordPress, and this was written about on January 20th on WP Tavern as well as a number of other sites, where they were taking a look at what whitehouse.gov, what the new administration is using. And of course, I poked around in the source code too and saw an interesting note, comment in the source code. Basically, the USDS or the digital… Is it the digital service? They’re looking for people to work with them in order to bring communication to more people and to make government more accessible. So we’ll have a link to that in the show notes as well. I think it’s pretty interesting. Onward and into the future, eh?

Ram:
I mean, WordPress is, in a way, the future.

Kathy:
And the past, but it’s even more the future.

Ram:
The WordPress is all. WordPress is the past. WordPress is the future. WordPress is the present. WordPress is all.

Kathy:
Yeah, WordPress is everywhere. It’s definitely become a big player not only with people putting up blog sites, but WordPress is powering more and more very complex sites, not only with WooCommerce, which has really staked its claim as one of the leaders in e-commerce, but learning management systems, membership sites. There are so many different things that you can do with WordPress, and I think that is really the key to its success and why it’s become such a dominant player in internet development.

Ram:
I know we haven’t covered all that much security yet in this podcast. And I think part of that is just because everything was SolarWinds forever.

Kathy:
And SolarWinds is still going on, isn’t it?

Ram:
It is still going on. It is still a dumpster fire that is still burning.

Kathy:
It is.

Ram:
But we have some more lighthearted, I guess you could call it, security news this week.

Kathy:
What’d you find?

Ram:
A security researcher, Jonas Lykkegaard, discovered two Windows 10 denial of service vulnerabilities, effectively. One was a single line command that can corrupt an NTFS formatted hard drive by referencing basically one of the drive indexes.

Kathy:
Oh my gosh. That doesn’t sound fun to me. And this article states that it is still unpatched.

Ram:
Apparently, yeah. I mean, bear in mind that patches typically come out on Tuesdays. So hopefully, we’ll see something this coming Tuesday. But, yeah, that’s not the only one he found. He found another thing where you can just paste the link into your browser and it’ll give you a blue screen of death and also potentially put your computer in a boot loop. That’s basically the path for a kernel connect device. I guess it expects an extra parameter and if you don’t supply that parameter, it just boot loops your computer, which is, again, not something that should happen.

Kathy:
Wow. Okay. Well, we will probably see a patch for this sometime in the near future, but that is a very frightening vulnerability. I mean, it’s one thing to have malware on your site. It’s another thing altogether to have your computer basically locked up like this.

Ram:
Yeah. I mean, it is frightening. The good news is that these are not things that you know an attacker can reach into your system and do, unless they have another intrusion vector. So don’t paste these commands into your browser, don’t type them into your console. You’ll probably be fine unless, of course, someone is already in your system, in which case you’re probably not fine anyways. And they probably have more productive and more profitable things to do than exploit these vulnerabilities.

Kathy:
Yeah, definitely. All right. So we found another story about a hacker posting almost two million user records for free on a forum. What’s the story here?

Ram:
So that was Pixlr, which is an online photo editing service. But I mean, pretty much every time we see a data breach, it’s an unsecured S3 bucket. As to why this keeps happening, it’s because, from what I recall, S3 buckets are unsecured by default and it’s kind of a pain to get them secured. You might not actually know that it’s unsecured unless you check. So AWS is a dark art.

Kathy:
It sounds like it. Wow, that sounds pretty frightening. But I mean, these types of data breaches happen all the time. Is there anything really unique about this one?

Ram:
Unique? I don’t know about that. It did contain email addresses, login names, and hashed passwords. I guess it’s unusual that the passwords were hashed with SHA512, which is a very secure way to hash something so it can’t be reconstructed. But it depends on whether or not the passwords were salted. And that’s what I really want to know: if the passwords were salted, then it will be very hard to reconstruct them. And just so our listeners know, hashing is basically where you take any amount of data and run a one-way mathematical function on it and get a fixed length string back consisting of, in human-readable views, zero to nine and the letters A through F. It’ll usually be like 32 characters long, or 40 characters long, or 64 characters long if you’re viewing it human-readable. And it should be unique to that piece of data. I mean, it’s not going to be, but you shouldn’t have two hashes being the same thing.

Ram:
Anyways, I’m kind of getting off track, but you shouldn’t be able to reconstruct what a password was just from its hash, but you can do a thing and it’s called… There’s a technique called rainbow tables, where you just take a whole bunch of possible passwords and you run them through the hash. Then you can just check whatever hash you have and compare them to the stuff you’ve already hashed, and if it matches up, there’s your password. So websites do something called salting, which is adding a random chunk of data to the password before it gets hashed.

Kathy:
That’s something you see in your WP config file. You see salts in there.

Ram:
You do. You do, and that is one of the things that protects your users in case your database ever gets exfiltrated. That is something that generally makes it a lot harder for attackers to reconstruct passwords from data breaches. So it doesn’t really matter which algorithm they used if it wasn’t salted, and we don’t know. So if you were using Pixlr, please change your password. They probably made you change it anyways, but if they didn’t, please change it.

Kathy:
Right. And this is just another reminder that you should always be using unique passwords everywhere, because you never know when a site that you’re using that password on, whatever password that password is, gets into some kind of issue with a breach like this and that password is exposed somehow.

Ram:
I just switched over to a password manager over the holidays.

Kathy:
Did you?

Ram:
So one of my big tasks over the holidays was switching to a password manager for everything.

Kathy:
Excellent. Welcome to the future again.

Ram:
I know, right?

Kathy:
Yeah. Now, one thing that is never going to help you, if you’re dumping passwords into phishing kits that are on hacked sites. We saw something happen there. What’s going on with this one, Ram?

Ram:
Oh, so this is fun. A couple of researchers found some phishing credentials that were indexed by Google because, okay, so it’s fairly typical for attackers to take over WordPress sites and to host phishing pages and send links to those phishing pages to victim email addresses saying, “Hey, we need you to sign into Office 365. Here’s a link to this completely trusted website that is totally not a sketchy website because it’s a legitimate hacked website that we hacked.”

Ram:
Anyways, a lot of the time, these phishing kits, they’ll store the stolen credentials in a text log or something for easy access by the attacker. And usually, smart attackers put something in place so that those stolen credentials aren’t indexed by search engines. They’ll put a robots file or a noindex tag or something on there, or even they’ll password protect it. But in this case, they kind of forgot to and Google was serving up all these stolen credentials.

Kathy:
Oh my gosh. That’s crazy. So not only did the hacker get these passwords, everyone did.

Ram:
Yeah.

Kathy:
That’s crazy.

Ram:
Yeah. These were, at this point, public passwords-

Kathy:
Oh my gosh.

Ram:
… and you never want your password to be public.

Kathy:
No, not at all. Interesting. Okay. Well, that’s fascinating. Wordfence has a number of signatures that will detect a phishing kit if your site is ever hacked. And obviously, we’ve talked a number of times on the podcast, as well as on Wordfence Live, on techniques to stop yourself from getting phished. The thing is, with phishing, it’s never as complex as you think it’s going to be, obviously. I mean, they can’t even protect their own treasure and loot, so to speak. We’re not dealing with SolarWinds types of hackers here, are we?

Ram:
We are not. We are dealing with people who typically go after low-hanging fruit. Unfortunately, I mean, that is where the money is.

Kathy:
Very unfortunately. Well, that’s all the stories we have this week, Ram. We’ll do it again next week, hey?

Ram:
We will, and I’m looking forward to it.

Kathy:
I am too. And if somebody wants to follow you on Twitter, you are at?

Ram:
@ramuelgall.

Kathy:
And I am @kathyzant. We will talk to you again next week on Think Like a Hacker. Bye.

Ram:
Bye.

You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.
