Date aired: Jun 1, 2016
On May 18, 2016, we released our first Website Hacked Trend Report, providing insights on the top open-source CMS security, out-of-date software, and the specific malware families we work with every day. Sucuri Co-Founders Tony Perez and Daniel Cid dive into the details of trends for Q1 2016 including Drupal, WordPress, Joomla! and Magento.
Tony Perez & Daniel Cid
Sucuri Co-Founders
Tony is a Co-Founder at Sucuri. His passion lies in educating and bringing awareness about online threats to business owners. His passions revolve around understanding the psychology of bad actors, the impacts and havoc hacks have on website owners, and thinking through the evolution of attacks. Daniel Cid is the Founder & CTO of Sucuri and also the founder of the open source project – OSSEC HIDS. His interests range from intrusion detection, log analysis (log-based intrusion detection), web-based malware research and secure development.
Question #1: Is more secure use a wordpress install in Windows IIS vs Linux?
Answer: WordPress can be used securely on both Windows and Linux. If you are more familiar with Linux and you can manage it well, use it on Linux. If Windows is your operating system of choice and you can harden it properly, use it on Windows.
Question #2: Are they saying that the out of date platforms is due to us (the end user) not updating the platforms? Or those that created the plugins not providing updates?
Answer: We’re saying that the problem today exists because of poor management and administration by website owners. Website owners today seek the “easy button” in all things, including security. This is the mindset that most website owners have. This is facilitated by the idea that creating and maintaining a website is easy.
Question #3: Does having a dedicated site works best in minimizing hacking?
Answer: Not sure we understand the question here. Ideally you have a functionally isolated environment, where you’re not having a one too many relationship between accounts and websites. So no more 1 account with 50 websites installed.
Question #4: How is it that my hosting company was unable to detect my site being hacked but I and Google was able to locate it? Even after the hosting site doing a test run they were still unable to detect it.
Answer: Hosting companies are not antimalware companies and they generally do not have the tools and expertise necessary to find the newest infections. Their business is hosting and their goal is to provide a secure space for you to deploy your site. What happens inside the site is your responsibility. You have to think of hosting companies more like a cable or internet provider. They are responsible for providing you connectivity and a “space” online, nothing else.
Question #5: Is a theme site hack the same as an SEO Spamming? We used a theme and customized it but discovered years later that the theme was not updated, what does this mean?
Answer: A theme site hack can be used by an attacker to achieve multiple objectives, one of them is SEO Spam. As for the lack of updates, it would fall into your responsibility as the website owner, or on whoever was responsible for maintaining the site
Question #6: When hacking is done can it also affect your email accounts tied to that site as well?
Answer: It depends a lot on the type of compromise and where your email server is hosted. Generally a websitespecific hack won’t affect your email, but it is really dependent on the level of access the attackers can get and their objectives.
Question #7: Do you have the “Infected Websites” numbers related in proportion of installations?
Answer: No
Question #8: I have nobody to care about my websites security, does Sucuri cover all security aspects so I can just install and relax?
Answer: We provide a service that covers a number of security aspects. Most everything should be addressed, but we like to encourage a relationship with our customers where it’s a balanced engagement. We’ll do a lot, but website owners have to do their part. (i.e., if you don’t properly configure, or use good passwords, there will be problems).
Question #9: What’s the difference between iThemes and Sucuri, now that iThemes uses Sucuri for Malware search/removal?
Answer: iThemes is a great application security plugin to help harden your WordPress installation. Sucuri is a website security company, offering a full suite of securityrelated services that are platform agnostic. We protect websites via our Firewall, monitor for issues via our monitoring platform, and provide professional incident response services when everything goes to crap. iThemes does integrate our monitoring service, but if it detects an issue, they encourage website owners to come directly to us in order to enhance their security.
Question #10: I love Sucuri Team. By the way, i meet personally Tony in the Joomla WOrld Conference in Bangalore, last year 🙂
Answer: Ah thanks, means the world to us!
Question #11: When a website is compromised in your experience the attacker routinely logs in to install additional software, “manage it”, create other users, etc or is this an automated process done strictly through bots or other means?
Answer: A majority of the instances we see are automated. They also do install and configure new users. Automation is key for attackers.
Question #12: After you identify an infection if you solely restrict access to the administration area through htaccess or specific ip’s login allowances, how well that tactic works to begin the identification and clean up process to prevent future incidents?
Answer: It honestly depends on a number of things, including whether the attacker has direct access to the web server via a backdoor. If they have backdoor access, restricting to an admin role will do little to protect you.
Question #13: How about a bullet list of things to do for website hardening (settings on the Sucuri website).
Answer: Great recommendation, we’ll look into this.
Question #14: For Tony and Dani: the failure to update sites in our case was due to the fact that our developer never discussed the importance of updating. Additionally, all of our experiences / nightmares related to MS Windows OS updates makes one naturally hesitant to update. As for my wp site, I now update immediately.
Answer: We agree, this is a big problem. It’s like what we said on the webinar, it’s very easy to tell people “just update” but it’s a different thing altogether to be the person that has to do the updating. When we look at the statistics, yes a small percentage of people have issues on platforms on WordPress, but that’s not the case on other platforms. And even on WordPress, who wants to be part of that small percentage? And we’re just talking core, move into plugins and themes and things become more complicated.
Question #15: How can we find and delete a backdoor on a WP site?
Answer: Backdoors are a special type of malware that is made to be hidden and hard to find. We talk more about them here and provide tips on how to find & Deall with Backdoors
Question #16: I know host like wpengine list plugins they abhor (or prefer). That implies that some plugins are insecure. Does anyone publish a public list of the worst?
Answer: Not that we’re aware of. Those lists aren’t just about insecurity though, it could have resource implications within their environment as well.
Question #17: is there a way of making all updates automatically? greetings from switzerland insteed of making them monthly
Answer: The update frequency is fully dependent on the developers. You could look into maintenance companies like maintainn.com or even a tool like iThemes Sync to help manage multiple web properties if on WordPress. If on Drupal, you could look at services like Drop Guard.
Question #18: Top 3 things web owners can do to prevent an attack on their WordPress site Q: How to detect attacks when not blatantly obvious?
Answer: 1 Focuson their Access Control 2 Employ Website Application Firewall << Will address “not blatant” attacks 3 Start doing basic Website Administration and Management
Question #19: Do you have any stats about which popular hosting companies are hacked more than others? (i.e., GoDaddy vs BlueHost vs HostGator and other popular shared hosting servers)
Answer:No, we don’t.
Question #20: Do you have any suggestions for getting web clients to take security seriously? We offer a great rate to provide website monitoring and monthly software updates. Half of my clients say ‘thanks, but no thanks’. I keep going back and share stories of sites that we have had Sucuri clean up. They still don’t get it.
Answer:Introducing the discussion early in the conversation, talking discovery phase of a project. Unfortunately,some people won’t ever get it until they feel the pain.
Question #21: Given that so many script based vulnerabilities are coming via HTTP POST doyou recommend trying to set up logging of HTTP POST for forensics?
Answer:Sure, that’s always a good idea if you know what you’re doing. The more information you record, the better it’ll be to perform forensics later.
Question #22: Hi, Tom here. we are using your services already. My question is. Does your WebsiteMonitoring cover discovering SEOSpamming? and can you detect SEO Spamming with your scanners?
Answer:Absolutely!
Question #23: how do I know if a plugin is still actually used?
Answer:Depending on what platform you’re using, if you log into your administration panel it should tell you if it’s active or inactive.
Question #24: How do you educate WordPress administrators on advanced malware attack removal before it spreads pass early detection?
Answer:Very carefully.. :).. But honestly, it’s difficult. Security is a fulltime job, and why we say it’s not a DIY project
Question #25: How do you educate WordPress administrators on advanced malware attack removal before it spreads pass early detection?
Answer: Advanced Persistent Threats (APT) is not necessarily something we see affecting most website owners. They’re often targeting large enterprises / organizations. If you’re concerned with this definitely engage our team and we’ll engage to better understand your requirements and current challenges.
Question #26: I am looking at using the Soliloquy slider. Do you have any experience with the security of this plugin?
Answer: Nope, sorry.
Question #27: I get so many spammed “comments” and “new users” that I removed comments and abilities for others to join. But I STILL get loads of comments and “joins.” Can’t find how the sites are being accessed.
Answer: It depends a lot on the CMS and what modules / plugins you have installed. We would need more information to help out.
Question #28: I had 7 WordPress site with malware of Bluehost, all got blocklisted by Google. Why did they all get hit and not just some?
Answer: Once an attacker has access to an environment it only makes sense to affect as many properties as possible. This doesn’t mean it always happens this way, but in many instances it does. The attackers automated bots look for specific files, once it finds them it injects the payload like a worm.
Question #29: I notice that there are many attacks on my fonts in my plugins folders, what are they trying to change to compromise my site from there?
Answer:Good place to hide a backdoor.
Question #30: I see a lot of .htaccess redirects. Is this because the CMS needs to be hardened or should the host be hardened?
Answer: Well if the attacker is compromising your website and injecting malicious redirects on your .htaccess then I’d say you definitely have a few security issues going on.
Question #31: If a site continues to get 404 errors reported in Google Search Console is that a sign of a website infection or just an attempt at SpamSEO? How do you stop the continual spam 404 errors?
Answer: We wrote a great article on this here
Question #32: In the case of something like TimThumb, that’s buried inside of OTHER plugins, so people don’t see it on their list of plugins, and they have no idea. Especially if it’s an old plugin that isn’t being maintained anymore, so you don’t ever see an update for that dangerous plugin. How many of us might never notice that some plugin we installed 4 years ago haven’t been updated in 2 or 3 years? I’m a conscientious manager, but I struggle with this one ” Wait, it’s been HOW LONG?” And that doesn’t even go into the issue of having to research updates to see if they’re likely to break my site. Maintaining plugins is the biggest problem I have.
Answer: Yes, agree, this is a tough one. Same applies to plugins that are embedded into themes and frameworks (i.e., RevSlider).
Question #33: Most clients don’t want to pay for management, what to do?
Answer: Yeah, this is a tough one. Sometimes with some education and communication they will understand the needs, other times they only learn once they feel the pain of a compromise
Question #34: My client’s site got hacked by Rokui’SH was a Joomla platform, going to move to WP Engine Host. They got her database, so we shut it down. Can you work with wpengine?
Answer: If it’s a Joomla! CMS you won’t be able to move to WP Engine, they are focused specifically on WordPress. But yes, we can work with them.
Question #35: Regarding test sites, my organization uses the GoDaddy Managed WordPress platform, which offers 1click staging. I’ve been told these staging sites aren’t a vulnerability for us despite the fact that the plugins/themes are not kept uptodate (though the core is). These staging sites are discouraged from search engines but they aren’t passwordprotected. Do you get the sense that these sites could be problematic, and if so, how do you suggest I address this with GoDaddy?
Answer: It depends, don’t know exactly how they’re configured. If those staging sites are on the same account or server they could be a problem. Without knowing more on how they do it, it’s hard to say.
Question #36: So much info about htaccess robots.txt and wpconfig php and what should be or not should be included. Can sucuri provide a basic start point for securing through these methods. for the different platforms??
Answer: We stopped doing this because it’s completely unmanageable. It’s why we have the Sucuri Firewall now, the threat landscape changes daily. To try to maintain a list like that would be too much for even the most motivated website administrator.
Question #37: This has probably been asked a number of times, but I have had nothing but issues with audio and video on this webinar will the recording be made available to participants?
Answer: Yes, it will, and sorry about that. We’re looking into ways to improve this in the future.
Question #38: This is the first webinar that has been held on a day I could attend. Is it possible to get recordings of previous webinars? I would really like to view more!
Answer: Yes you can view all of our webinars here
Question #39: What hosting companies do you recommend?
Answer: It honestly depends on what you’re looking to do. There are some great unmanaged platforms where you can deploy your servers, like Linode, AWS, Google and Digital Ocean. You can also use providers that do some of the work for you, including SiteGround, WPEngine and many others, depending on your needs and budget.
Question #39: What is your recommendation for keeping track of Joomla Plugins/Components which do not use the Joomla Update system. Is there a website which collects this information on Joomla plugins?
Answer: If you are using any premium/ paid extension, I recommend checking with the developer if they have a security mailing list and tracking that. The Joomla! Vulnerable Extensions List is a great resources as well.
Question #39: You spoke about hardening WP when installing. It’s a manual process. Do you ever foresee the WP Development team writing a script to do that automatically upon installation?
Answer: The web is moving to a secure by default mindset, so some of the work is being done by default and will get better over the years. However, a lot of the hardening is also specific to your hosting and usage, and that will have to be done manually.
Question #1: Is more secure use a wordpress install in Windows IIS vs Linux?
Answer: WordPress can be used securely on both Windows and Linux. If you are more familiar with Linux and you can manage it well, use it on Linux. If Windows is your operating system of choice and you can harden it properly, use it on Windows.
Question #2: Are they saying that the out of date platforms is due to us (the end user) not updating the platforms? Or those that created the plugins not providing updates?
Answer: We’re saying that the problem today exists because of poor management and administration by website owners. Website owners today seek the “easy button” in all things, including security. This is the mindset that most website owners have. This is facilitated by the idea that creating and maintaining a website is easy.
Question #3: Does having a dedicated site works best in minimizing hacking?
Answer: Not sure we understand the question here. Ideally you have a functionally isolated environment, where you’re not having a onetomany relationship between account and websites. So no more 1 account with 50 websites installed.
Question #4: How is it that my hosting company was unable to detect my site being hacked but I and Google was able to locate it? Even after the hosting site doing a test run they were still unable to detect it.
Answer: Hosting companies are not antimalware companies and they generally do not have the tools and expertise necessary to find the newest infections. Their business is hosting and their goal is to provide a secure space for you to deploy your site. What happens inside the site is your responsibility. You have to think of hosting companies more like a cable or internet provider. They are responsible for providing you connectivity and a “space” online, nothing else.
Question #5: Is a theme site hack the same as an SEO Spamming? We used a theme and customized it but discovered years later that the theme was not updated, what does this mean?
Answer: A theme site hack can be used by an attacker to achieve multiple objectives, one of them is SEO Spam. As for the lack of updates, it would fall into your responsibility as the website owner, or on whoever was responsible for maintaining the site
Question #6: When hacking is done can it also affect your email accounts tied to that site as well?
Answer: It depends a lot on the type of compromise and where your email server is hosted. Generally a websitespecific hack won’t affect your email, but it is really dependent on the level of access the attackers can get and their objectives.
Question #7: Do you have the “Infected Websites” numbers related in proportion of installations?
Answer: No
Question #8: I have nobody to care about my websites security, does Sucuri cover all security aspects so I can just install and relax?
Answer: We provide a service that covers a number of security aspects. Most everything should be addressed, but we like to encourage a relationship with our customers where it’s a balanced engagement. We’ll do a lot, but website owners have to do their part. (i.e., if you don’t properly configure, or use good passwords, there will be problems).
Question #9: What’s the difference between iThemes and Sucuri, now that iThemes uses Sucuri for Malware search/removal?
Answer: iThemes is a great application security plugin to help harden your WordPress installation. Sucuri is a website security company, offering a full suite of securityrelated services that are platform agnostic. We protect websites via our Firewall, monitor for issues via our monitoring platform, and provide professional incident response services when everything goes to crap. iThemes does integrate our monitoring service, but if it detects an issue, they encourage website owners to come directly to us in order to enhance their security.
Question #10: I love Sucuri Team. By the way, i meet personally Tony in the Joomla WOrld Conference in Bangalore, last year 🙂
Answer: Ah thanks, means the world to us!
Question #11: When a website is compromised in your experience the attacker routinely logs in to install additional software, “manage it”, create other users, etc or is this an automated process done strictly through bots or other means?
Answer: A majority of the instances we see are automated. They also do install and configure new users. Automation is key for attackers.
Question #12: After you identify an infection if you solely restrict access to the administration area through htaccess or specific ip’s login allowances, how well that tactic works to begin the identification and clean up process to prevent future incidents?
Answer: It honestly depends on a number of things, including whether the attacker has direct access to the web server via a backdoor. If they have backdoor access, restricting to an admin role will do little to protect you.
Question #13: How about a bullet list of things to do for website hardening (settings on the Sucuri website).
Answer: Great recommendation, we’ll look into this.
Question #14: For Tony and Dani: the failure to update sites in our case was due to the fact that our developer never discussed the importance of updating. Additionally, all of our experiences / nightmares related to MS Windows OS updates makes one naturally hesitant to update. As for my wp site, I now update immediately.
Answer: We agree, this is a big problem. It’s like what we said on the webinar, it’s very easy to tell people “just update” but it’s a different thing altogether to be the person that has to do the updating. When we look at the statistics, yes a small percentage of people have issues on platforms on WordPress, but that’s not the case on other platforms. And even on WordPress, who wants to be part of that small percentage? And we’re just talking core, move into plugins and themes and things become more complicated.
Question #15: How can we find and delete a backdoor on a WP site?
Answer: Backdoors are a special type of malware that is made to be hidden and hard to find. We talk more about them here and provide tips on how to find & Deall with Backdoors
Question #16: I know host like wpengine list plugins they abhor (or prefer). That implies that some plugins are insecure. Does anyone publish a public list of the worst?
Answer: Not that we’re aware of. Those lists aren’t just about insecurity though, it could have resource implications within their environment as well.
Question #17: is there a way of making all updates automatically? greetings from switzerland insteed of making them monthly
Answer: The update frequency is fully dependent on the developers. You could look into maintenance companies like maintainn.com or even a tool like iThemes Sync to help manage multiple web properties if on WordPress. If on Drupal, you could look at services like Drop Guard.
Question #18: Top 3 things web owners can do to prevent an attack on their WordPress site Q: How to detect attacks when not blatantly obvious?
Answer: 1 Focuson their Access Control 2 Employ Website Application Firewall << Will address “not blatant” attacks 3 Start doing basic Website Administration and Management
Question #19: Do you have any stats about which popular hosting companies are hacked more than others? (i.e., GoDaddy vs BlueHost vs HostGator and other popular shared hosting servers)
Answer:No, we don’t.
Question #20: Do you have any suggestions for getting web clients to take security seriously? We offer a great rate to provide website monitoring and monthly software updates. Half of my clients say ‘thanks, but no thanks’. I keep going back and share stories of sites that we have had Sucuri clean up. They still don’t get it.
Answer:Introducing the discussion early in the conversation, talking discovery phase of a project. Unfortunately,some people won’t ever get it until they feel the pain.
Question #21: Given that so many script based vulnerabilities are coming via HTTP POST doyou recommend trying to set up logging of HTTP POST for forensics?
Answer:Sure, that’s always a good idea if you know what you’re doing. The more information you record, the better it’ll be to perform forensics later.
Question #22: Hi, Tom here. we are using your services already. My question is. Does your WebsiteMonitoring cover discovering SEOSpamming? and can you detect SEO Spamming with your scanners?
Answer:Absolutely!
Question #23: how do I know if a plugin is still actually used?
Answer:Depending on what platform you’re using, if you log into your administration panel it should tell you if it’s active or inactive.
Question #24: How do you educate WordPress administrators on advanced malware attack removal before it spreads pass early detection?
Answer:Very carefully.. :).. But honestly, it’s difficult. Security is a fulltime job, and why we say it’s not a DIY project
Question #25: How do you educate WordPress administrators on advanced malware attack removal before it spreads pass early detection?
Answer: Advanced Persistent Threats (APT) is not necessarily something we see affecting most website owners. They’re often targeting large enterprises / organizations. If you’re concerned with this definitely engage our team and we’ll engage to better understand your requirements and current challenges.
Question #26: I am looking at using the Soliloquy slider. Do you have any experience with the security of this plugin?
Answer: Nope, sorry.
Question #27: I get so many spammed “comments” and “new users” that I removed comments and abilities for others to join. But I STILL get loads of comments and “joins.” Can’t find how the sites are being accessed.
Answer: It depends a lot on the CMS and what modules / plugins you have installed. We would need more information to help out.
Question #28: I had 7 WordPress site with malware of Bluehost, all got blocklisted by Google. Why did they all get hit and not just some?
Answer: Once an attacker has access to an environment it only makes sense to affect as many properties as possible. This doesn’t mean it always happens this way, but in many instances it does. The attackers automated bots look for specific files, once it finds them it injects the payload like a worm.
Question #29: I notice that there are many attacks on my fonts in my plugins folders, what are they trying to change to compromise my site from there?
Answer:Good place to hide a backdoor.
Question #30: I see a lot of .htaccess redirects. Is this because the CMS needs to be hardened or should the host be hardened?
Answer: Well if the attacker is compromising your website and injecting malicious redirects on your .htaccess then I’d say you definitely have a few security issues going on.
Question #31: If a site continues to get 404 errors reported in Google Search Console is that a sign of a website infection or just an attempt at SpamSEO? How do you stop the continual spam 404 errors?
Answer: We wrote a great article on this here
Question #32: In the case of something like TimThumb, that’s buried inside of OTHER plugins, so people don’t see it on their list of plugins, and they have no idea. Especially if it’s an old plugin that isn’t being maintained anymore, so you don’t ever see an update for that dangerous plugin. How many of us might never notice that some plugin we installed 4 years ago haven’t been updated in 2 or 3 years? I’m a conscientious manager, but I struggle with this one ” Wait, it’s been HOW LONG?” And that doesn’t even go into the issue of having to research updates to see if they’re likely to break my site. Maintaining plugins is the biggest problem I have.
Answer: Yes, agree, this is a tough one. Same applies to plugins that are embedded into themes and frameworks (i.e., RevSlider).
Question #33: Most clients don’t want to pay for management, what to do?
Answer: Yeah, this is a tough one. Sometimes with some education and communication they will understand the needs, other times they only learn once they feel the pain of a compromise
Question #34: My client’s site got hacked by Rokui’SH was a Joomla platform, going to move to WP Engine Host. They got her database, so we shut it down. Can you work with wpengine?
Answer: If it’s a Joomla! CMS you won’t be able to move to WP Engine, they are focused specifically on WordPress. But yes, we can work with them.
Question #35: Regarding test sites, my organization uses the GoDaddy Managed WordPress platform, which offers 1click staging. I’ve been told these staging sites aren’t a vulnerability for us despite the fact that the plugins/themes are not kept uptodate (though the core is). These staging sites are discouraged from search engines but they aren’t passwordprotected. Do you get the sense that these sites could be problematic, and if so, how do you suggest I address this with GoDaddy?
Answer: It depends, don’t know exactly how they’re configured. If those staging sites are on the same account or server they could be a problem. Without knowing more on how they do it, it’s hard to say.
Question #36: So much info about htaccess robots.txt and wpconfig php and what should be or not should be included. Can sucuri provide a basic start point for securing through these methods. for the different platforms??
Answer: We stopped doing this because it’s completely unmanageable. It’s why we have the Sucuri Firewall now, the threat landscape changes daily. To try to maintain a list like that would be too much for even the most motivated website administrator.
Question #37: This has probably been asked a number of times, but I have had nothing but issues with audio and video on this webinar will the recording be made available to participants?
Answer: Yes, it will, and sorry about that. We’re looking into ways to improve this in the future.
Question #38: This is the first webinar that has been held on a day I could attend. Is it possible to get recordings of previous webinars? I would really like to view more!
Answer: Yes you can view all of our webinars here
Question #39: What hosting companies do you recommend?
Answer: It honestly depends on what you’re looking to do. There are some great unmanaged platforms where you can deploy your servers, like Linode, AWS, Google and Digital Ocean. You can also use providers that do some of the work for you, including SiteGround, WPEngine and many others, depending on your needs and budget.
Question #39: What is your recommendation for keeping track of Joomla Plugins/Components which do not use the Joomla Update system. Is there a website which collects this information on Joomla plugins?
Answer: If you are using any premium/ paid extension, I recommend checking with the developer if they have a security mailing list and tracking that. The Joomla! Vulnerable Extensions List is a great resources as well.
Question #39: You spoke about hardening WP when installing. It’s a manual process. Do you ever foresee the WP Development team writing a script to do that automatically upon installation?
Answer: The web is moving to a secure by default mindset, so some of the work is being done by default and will get better over the years. However, a lot of the hardening is also specific to your hosting and usage, and that will have to be done manually.
See all Questions & Answers
ExpandTony Perez & Daniel Cid – Sucuri Co-Founders
TONY
Hey guys! How are you? My name is Tony Perez. Some of you guys remember me from previous webinars, when we talked about the impacts of compromises and how hacks happen. And with me today I have our founder, and my business partner and friend, Daniel Cid. (Hey guys) I want everybody to welcome him. This is his first public speaking in a while, and we’re not even public. We’re in private. Just you and I. This is progress my friend. He’s going to be kind of walking us through some of the data we’ve collected and analyzed over the first quarter. I think this is really exciting. We’ve kind of tried this back in 2012, didn’t quite get the momentum but now we’re kind of ready, we’re positioned better. We have better telemetry data to be able to work with. So with that, I’d like to turn it over to you DANIEL to kind of start walking us through this.
DANIEL
Sure. Hey guys, Thanks for joining us here for our first hacked report webinar. I’m personally really excited to be here and share these stats which takes days of work, years we’ve been doing for the last few years and I’m mostly behind the scenes type of guy. This is my first webinar so if i screw up, when I screw up, just be nice to me, Tony will help me and…
TONY
We promise not to get physical in this interaction.
DANIEL
No, no, no, no. It’s probably going to be my last webinar anyways…So I will not duplicate what we said in the document. So if you haven’t read please read after we finish here, the link over there in the white please read the report, please read it after we finish here. So what I will try to do is share important takeaways, and insight of what we learn from this data. Tony I think the pieces or what we think is most important for website owners. I think it’s important that they get into the document and read the details. They’ll pull their own insights from that. But this is specific to things like we thought were high level enough. Things they could mix and match, and maybe some of our own opinions from thoughts.
DANIEL
And we will give you some homework in the end.
TONY
You know people don’t like homework, right?
DANIEL
Everyone likes homework. Anyway, to get started, first we want to clarify what are these reports about. Here at Sucuri we do incident response for thousands of websites every single month. Incident response is just a system for website cleanup. Most of our sites come to us when they are infected. They’re blocklisted, they have a spam issue, they have whatever. And they come to us for help. So this data is based on these sites, and we work across all major websites – CMSs, web servers, industry types, website types and we have a really good visibility on what’s really happening on the overall market share of compromised sites and that’s why we decided to help share this report. To help the individual process what is going on.
TONY
That’s an important point right. This telemetry is specifically based on our audience and the data that we collected. It isn’t necessarily maybe sync up 1:1 with the market share and how the platform fits in the larger scheme of the internet. But it is enough data that provides us good potential correlation data of this is interesting, why is this happening and provide some thoughts on that.
DANIEL
And hopefully when you look at the data between the compromised sites you see the similarities, what behaviors all these webmasters did to cause their sites to be hacked,
TONYThis is true.
DANIELAnd if you can follow them you’re probably in a good place security-wise
TONY
And I think a lot of emphasis should be placed on the CMSs like the Drupals, the Magento’s of the world, WordPress and Joomla’s. And they’ll probably be able to take the most from this.
DANIEL
And before I start, I want to give credit to where the credit is due. This is our remediation group. These are the guys that do the hundreds of cleanups every single day and work 24/7 cleaning up sites for you guys.
TONY
I think the picture is a little misleading. They actually do like their job. You know what I mean?
DANIEL
They’re smiling.
TONY
They’re smiling yeah. Hey tell us a little bit about the remediation team. How are they configured?
DANIEL
Their major team is kind of divided into two main groups – one are the researchers and the other incident responders. They actually go to your site and clean it up. They work side by side analyzing malware trends, analyzing issues and make sure together that we can clean the websites as fast as possible in a way that won’t be reinfected.
TONY
Got it. So you’ve got that this incident response team are working with the customer day to day. Engaging with them, collaborating, fixing their security issues, whether it’s infections or not. And they kind of work hand-in-hand with the researchers, together they kind of stay ahead of emerging threats. It kind of drives the information we’ve collected, as well as the kind of information we disseminate. Via things like our blogs and social and kind of all that malware research and labs.
DANIEL
So if you haven’t read our blog, check it out.
TONY
Yeah for sure.
DANIEL
There’s a lot of insight of what we’ve been learning in this journey through the last few years. So now we’re ready to get started… The first number that I want to point out is that we clean up thousands of websites every month during the first part of the year we cleaned up around 15,000 sites, but we only took only 11,000 of them that we had enough data, enough organized data that we could go deep to see what was going on during the time of the compromise, and that’s where these numbers come from. That 78% of all the compromised sites we worked on were using WordPress; 14% were running Joomla, 5% Magento, 2% Drupal. That is an interesting number to think about – 78% WordPress, 14% Joomla, 5% Magento, 2% Drupal. I want you to think about them because I want you to compare them to the overall market share of CMSs. You see, when you look at the data provided by BuiltWith, WordPress has about 50% of the market. Drupal has 6, Blogger 4, Joomla has 4. Even if we look at DopplerTech a company who uses the same to track CMS users and other things like that, they give WordPress 58%, Joomla at 6, Drupal at 4. But when you compare these numbers to the overall share of compromised sites, WordPress has 70 something percent, Joomla has 16.
TONY
It doesn’t seem to make sense. Your market share is fundamentally there for them. The distribution we’re finding in our telemetry data of people who are coming to us for support.
DANIEL
We wouldn’t expect them to match.
TONY
Similar, close.
DANIEL
unless one CMS is easier to hack than the other. So does this data tell us that maybe WordPress is more insecure than the others and that Joomla is probably the most insecure of them all. We have two times the data of our compromised sites than we have in our overall market share.
TONY
I’m going to keep an open mind on this one. See where you’re going with it.
DANIEL
I would say that maybe yes, I think that they are more insecure, that Joomla and WordPress are more insecure than they’re supposed to be, but is that really true?
TONY
Okay
DANIEL
Because insecurity is a very indirect term. What’s really secure? When you look at the core code of WordPress, Joomla, Drupal they’re really really secure, the developers behind these platforms really know about security and they’re responsive and they patch things quickly. They’re thought and mindset is on security a lot of times. What they do makes a lot of sense so why would that happen though? What I want to say is that generally what add the insecurity is not the core of the CMS. You don’t see insecurity on the core of the CMS. You don’t see insecurity on the WordPress core or on the Joomla core a lot – I think the problem is at a higher level, a little bit higher level, is how the websites are being deployed, how they’re being managed and how people extend the CMS.
TONY
Okay okay, I see where you’re going with this. I think you have a lot of people on the webinar right now probably holding their breath. What did he just say? I can already see them on Twitter bashing us…these guys…I think I kind of understand where you’re going with it. I think what you’re trying to say is that from a holistic standpoint insecurity doesn’t necessarily mean development or web administration but as a whole there’s a problem. Because I think at a core perspective, from a development perspective, the platform and the development process there is security and a lot of emphasis on security and the platforms themselves are secure, but either the way it gets distributed, the way it gets managed, the way it gets maintained, the way it’s communicated and marketed to an audience says that’s what makes the platform insecure. This actually becomes really interesting when you look at different platforms, like for instance WordPress, and the market they target they predominantly market a lot of DIY’ers, end users, it’s about how quickly can we get up and running. You know they have this infamous five-minute install. And that kind of talks to your point specifically, right? The messaging, the marketing more specifically around platforms is. Hey get online quickly and continue to see how open source changes the landscape of online websites.
DANIEL
Absolutely. And that goes to what Tony is saying. Jon Watson from CloudProxy he tweeted something very interesting. He said “All I’m saying is that it takes a lot longer than the famous ‘5 minutes’ to install WordPress properly. And by that I mean hardened” that goes to what you’re saying, WordPress is secure, but to deploy WordPress securely, it takes a lot longer.
TONY
Yeah you can’t draw a line. You can’t say from a developer standpoint, I’m set, I’m secure, the rest is on you, the enduser. As communities, regardless of what platform you have, we have a responsibility to the larger ecosystem, right? And we have to ensure security applies across proper stacks. And we’re communicating. It’s not about 5 minute install, but it’s a continuous process. Just think about it.
DANIEL
The code is a small piece of the overall picture.
TONY
Absolutely. I love 140 characters. They kind of restrict you to allow you to get a point across.
DANIEL
And that moves us to the second number I want to share. Out of all the websites we work on, 77% of them are WordPress, out of those WordPress sites, for example, 56% of them were outdated and that’s the core of WordPress outdated, in Joomla it was 85%, Magento 97%, Drupal 81%. That’s a lot of outdated sites that we are dealing with.
TONY
You know, this is a really interesting insight, when we were first talking about it. It kind of makes you wonder what’s happening because if WordPress for instance, where we have the most telemetry data for it still runs at about 56-60% out of date, and they have auto updates and force updates
DANIEL
They have auto updates, force updates and just really simple one click updates. Tony Absolutely, they’ve placed a lot of emphasis on backless compatibility compared to some of the other platforms, and their process for updating is easy. You have a lot of managed host environments and those are quicker to patch and even then, they made up of 77% of the customers or the websites who came through our environment infected. Still 66% it begs the question, what happens to the other platforms. Especially when you think of Magento and Drupal that target fundamentally different audiences. Drupal for instance, we see them a lot in the enterprise organizations. What do we have in those organizations? We have pretty stringent governing that dictates how things get put into production. Right. If we’re suffering at this scale, it makes you wonder what are the other impacts we could be making to address the problem.
DANIEL
And when we look at these numbers, what it really tells me is that we’re really bad at website management because the easiest part of your website management, if you have insight, the easiest thing to do on your site of anything you could be doing is update. Because the update process is simple. Just click. For most it’s simple and they’re still not doing that.
TONY
It kind of goes to what I was saying right? In security or larger organizations, we understand that the importance of patch management and vulnerability management. How do we convey this to the end user? And that’s the real challenge. It’s easy for us as from the development standpoint to, just update? Tell that to the end user who has the website that fully depends…
DANIEL
And he doesn’t want it to break, if it’s working, don’t touch it
TONY
You know how they say, oh less than 1% of the websites break. But are you okay to be that one collateral? A small percentage. I can assure you they don’t want to be that percentage.
DANIEL
So I want to go back to our question. We ask about, for example is WordPress or Joomla core more insecure because percentage wise they have more in the compromised sites (right) back than it it has on the overall market share. And I will tell you the answer is no, the core is not insecure. But are they being used insecurely? This data tells us yes. They’re using their websites and managing their websites in an insecure way.
TONY
It kind of goes to the root cause and why it’s getting infected.
DANIEL
And outdated CMSs, they are not the problem, they are just the consequence. The results are bad website management, again, people are not managing their sites properly. That’s why we see so many outdated. That’s why they don’t take security on any part of the site’s lifecycle which starts with deployment, management, and it is extended.
TONY
And you kind of mentioned a very interesting point, right. Are the results for lack of management a lot of organizations just don’t have some sort of inventory or understand what they have. I’ve talked to large organizations, as you have, and we’d love to help you, how many websites do you have? And they say, I have no idea. I really have no idea what I have. How is the organization meant to design it…and these are organizations with good governance in place. How is the everyday website owner supposed to do that? It’s one of those things we like to say in security, you can’t secure what you don’t know you have. But then we start to look at the applications themselves and the extent of modules, plugins and components. So we start thinking, we haven’t even moved into that yet. We’ve only been talking about the core of the app. What happens when we look at the extensibility of the app?
DANIEL
That’s next and that’s even scarier. When I look at these numbers, and that is the other set of numbers that I really want to show you, guys, is that out of the overall number of WordPress, let’s just dip down to WordPress. When you look at WordPress and look at the outdated sites, 25% were split into just 3 places: TimThumb, RevSlider and GravityForms. About 70% of all compromised sites are running TimThumb How is that possible, this thing happened 4 years ago.
TONY
That’s crazy though. And they’re still contributors. And I think the important thing to emphasis is that just that these plugins are out of date, these are plugins that have no known vulnerabilities. Patching is designed to patch a number of things, including vulnerabilities. But these, 25% of them had an out of date vulnerable version of either the script or the plugins.
DANIEL
And TimThumb is part of it years ago. That was spread everywhere. Every other company is vulnerable to that and still people have it outdated.
TONY
And we have a challenge here. We just talked about the challenges at the core of the application. Now we look at some of these scripts, RevSlider, Gravity Forms, right. RevSlider is one of those platforms for instance…
DANIEL
Two years ago.
TONY
Yeah, it was two years ago, but it was embedded into themes and frameworks…how many organizations come to us with a compromise, this is the vector, oh, I didn’t even know I had it.
DANIEL
And the developers of Gravity Forms, Revslider, they did everything right. They patched it quickly. They warned all the users. They posted about it on their blogs, we posted about it in our blogs. We told everyone to patch an issue and still users are not listening. But are they not listening or they really don’t know.
TONY
I think it’s a combination of things right. I think they don’t know, or maybe it’s an instance like Gravity Forms. I spent a lot of time talking Carl Hancock, the owner of Gravity Forms, and what he told me was, what are we supposed to do as an organization? At this point we can’t get the information out to the website owner. What if it’s not apart of our maintenance plan. At what point as a business do we just hey, give it away for free, but what does that do for the economics of your business when you depend on a sustainability license but people don’t want to pay for that. It’s a big challenge and I think organizations have to look for alternative solutions to address this.
DANIEL
At the end, the security of your website is your responsibility. Not anybody else.
TONY
I think a classic example of this is in ecommerce right. A lot of organizations misinterpret what PCI means. And if you for instance have an ecommerce, or we have an ecommerce issue, and a credit card gets stolen, that Visa and Mastercard, like us are a service provider.
DANIEL
It’s your responsibility and that goes back to how do you fix this website management problem? There’s a lot of things that can be done. But I want to start off with something simple. And that’s going to be the homework for the day. Just a little task. Because a lot of these issues happen because I think people don’t know what they have on their sites, what sites they have and what’s going on with their environment. So, to start, I really would like for us to create an asset list with all your sites.
TONY
Pretty simple.
DANIEL
How many sites do you have? Simple instructions. You list all the sites you have one-by-one. Like your GoDaddy account, other domains list all of them. Which ones are currently active. Which ones shouldn’t be active. Which ones are you still using. List there. Which ones should not be pointed to? List there. And then you go to the second step. You list all the necessary plugins and modules that you need to be running on each one. Which ones do you really need to be running right now? And you add it to your spreadsheet. And then you go a little bit deeper and talk about who is supposed to have access to each one of these sites. Site one should be distributors, should be developers, administrator. Just list each one of them. And after you do that, what else do you want to do? You remove everything else that you don’t need.
TONY
I just please want to back up. The last thing we want people to do is say I removed everything you said and deleted the data, you know.
DANIEL
But you remove every test account. I don’t want to see any test plugins. I don’t want to see any demo sites, test sites.
TONY
Which happens all the time right?
DANIEL
Happens all the time.
TONY
And I think that’s by design by the hosts. They allow you create multiple sites and people are allowed to install whatever they want. Happens all the time. Cross-site contamination. A lot of lateral movement within the accounts. It’s a challenge.
DANIEL
And after that what do you do? You upgrade everything that’s left. All the plugins. All the sites. And you repeat every month. Microsoft has an interesting concept. Every second Tuesday of the month they do their patch on Tuesdays. Every Windows administrator knows it’s patch Tuesday, I have to patch. It becomes this process, and they know that when this patch will be available, they have to patch. So maybe we can create this patch Tuesday for websites, or the last Friday of the month for websites, when you go to your asset list or inventory. You add any new sites that you created. You add any new plugins. If a developer left your company, you remove him from there and go remove in your website and you update everything that’s left.
TONY
I think this is a really interesting idea.
DANIEL
That’s a very very simple way to start. Fixing the website management problem. There’s a lot more stuff to do. Don’t get me wrong. Maybe we can talk about it in our next webinar. We can go deep, deep and deep in what to do. I just want to say that it is simple stuff. That is what it is.
TONY
And I think this would allow for not just for the basic maintenance, but say an organization partnered with an agency. Or maybe they partnered with a service provider and maintained that commerce that allowed to manage the environment. They communicate with them and say – hey, this is what I have. Right now a lot of these organizations will go to their service providers and say – hey, I just took care of it, but they have no visibility…what should be active, what shouldn’t be active, what should we be maintaining.
DANIEL
If you are an industry provider and you manage your client website. You have to monitor all your sites every time. I hope you do. And if you do monitor your sites, that is the perfect time to add all your sites to monitoring to make sure you are planning for any problem, both time and security issues. Because I know most of you have more than one site and so do your own clients. The majority of them have at least a dozen of domains, some disabled, some enabled, some are just test, and a very few they really care about, but guess which ones always get hacked first? It’s the one that they forget about.
TONY
Oh yeah for sure. What happens if they don’t do this? And what are the implications of this?
DANIEL
Then, we move to the next stage, it is the malware family distribution. Your websites get hacked and they get injected with malware. And I want to talk about the first one here, it is backdoors. Almost 70% of every site we clean has a backdoor of some kind, injected in them. And you know when we go deep analyzing this backdoor, and we find the command control that the hackers are using, we analyze then we see they have this list of all the sites they hacked, site 1, 2, 3, 4, 5, and they have how to access the backdoor, backdoor 1, 2, 3, 4, 5.
TONY
So what you’re telling me is that the hackers are implementing good asset management.
DANIEL
They manage the sites they own because when they hack a site, they use this term own the websites. They manage the sites they own really well. The asset list they have is kind of nice, the site, the host, the php version, the patched version, when they were installed. They do everything. In the infection last year on Joomla, we were seeing the text that was hacking the site with the Joomla vulnerability and patching the site for you…You know what? Because they own the site and they want to keep their property themselves.
TONY
You know what it reminds me of is when you have a little brother and you beat up on your little brother. And then someone else tries to beat up on your little brother and you’re like – whoa, whoa, whoa this is my little brother. I beat him up, not you. Same exact thing. I get it.
DANIEL
So if you don’t do the proper management of your site, and the asset management, the attackers will do for you. But what you do is that they will inject whatever they want, they will inject backdoor, the first one, then 60% have malware, which is the drive-by-downloads, that try to compromise your visitors, or SPAM SEO, which is actually what I want to talk about know. This number has been growing year over year over year. You see more and more sites with spam SEO. And that is one of the things that don’t really affect your users. Your users will probably never notice. You will probably never notice, until you go to Google and search for your site and you find Viagra, Cialis, Nike shoes, or Casinos.
TONY
I think one of the biggest drivers for spam SEOs is pharma hacks. Back in the day you know.
DANIEL
That’s how it started.
TONY
Three years ago, there was a good study done by a university. I forgot their name but they estimated that the pharmaceutical affiliate program generated close to 20-30 million dollars a year for this space, because it was compression based. There was a lot of incentive for blackhats to give it a go. In fact, what is really curious about this is when you look at the statistics around blocklist, whether it’s on AVs or search engines, this isn’t accounted for. The only thing they account for are the things that have a nefarious effect on the end user. Because they’re caring about the endpoint.
DANIEL
Because all this blocklists, they care about the endpoint. So, when you go to visit a site, if the site has a chance of compromising you, then they might blocklist the site, but if it is just spam SEO, they won’t affect you as a visitor, they don’t care. However, Google, Bing and all the major search engines, they will see the SEO, and that will hurt you a bit.
TONY
Unlike some of the other infection types, as you were saying, spam SEO is one of those things that affects the business owner and the website. And the webmaster. Because this will affect your search engine, your rankings, your result pages. You’ll lose ranking. And you’ll lose your domain authority. It has an adverse effect on them economically and potentially in other ways as well.
DANIEL
And most of the hacking really hurt the tech, because they are conditional injectors, where they only display the spam when it comes from Google, or when it is coming from Bing. If you visit, and you do a view source, it looks good. I think it is a mistake.
TONY
It’s always a mistake.
DANIEL
But when you actually go to Google Webmaster Tools and you check your site, all this stuff is coming. What is going on? TONY Because they’re targeting Google. And it’s actually interesting, so we’ve seen spam SEO grow but we have actually seen the inverse of that in other platforms…or other infections
DANIEL
…defacements. Defacements are actually one of the things we are seeing going down. Five years ago, I remember every time I saw a site was hacked, the hackers would add a defacement. I just hacked your site, your security sucks! That is the type of message they do. And now we rarely see that anymore. And the main reason I think is that before a lot of the hacking was just for political or personal reasons. I want to show off my skills, that I hacked whatever.
TONY
You’re not talking from experience are you?
DANIEL
No.
TONY
Oh ok
DANIEL
But now it is all about…money.
TONY
Yeah, I think that’s exactly right. If we think back maybe 5-10 years, it was just about…the environment was fundamentally different. Now we have things like booter service, now we have malware service, of the industry is much higher. There’s incentive to go after this stuff.
DANIEL
And specially because the other thing about defacements they actually tell the webmasters that they have been hacked.
TONY
That’s exactly right.
DANIEL
So, as soon as they visit their site, they see they got hacked, they want to clean that up. Now, when you look at Spam SEO, they try to hide it from the webmasters. A lot of the new drive-by-downloads, they actually try to hide from the webmasters.
TONY
Because of malware advertising…attack where you don’t necessarily compromise the website…distribute an ad and using it in a way to generate revenue. It’s impossible to replicate some of these instances.
DANIEL
Their goal is to maximize the time they can stay in your site and also maximize what they can do. For example, if you look at these numbers of the malware trends year over year, you see that they don’t add up to 100%. It means that when someone hacks your site and inject spam SEO, they don’t just inject spam SEO, they also use it for phishing, for mailer, maybe to DDoS others.
TONY
That’s interesting. So it’s not mutually exclusive. So just because you have a backdoor doesn’t mean you don’t have phishing or doesn’t mean have seo spam, in fact, the inverse of that. You can actually expect 70% of websites to have a backdoor that allow them to bypass your controls while still distributing malware or potentially being used to phish, spear phishing attempts to get entry to an environment or some kind of information. They kind of try and combine that information together.
DANIEL
Because not only do they inject stuff , they do proper asset management, they also really utilize the resources. So if they own a resource, they are going to really fully utilize that. And that is what this number tells us. And, as you can see, year after year, things have been pretty consistent.
TONY
Yep. In some areas for instance, if we look at spam SEO we kind of see growth there and actually the biggest growth is in the last year. And I think that talks to the economic return. We’ve also seen the reverse of that happening on the defacements. Everything else has been pretty consistent. In fact, malware can be looked at increasing from 40% to 60% of malware distribution. That talks to the web, and the website specifically, are still the number one distribution mechanism for things like that, like downloads.
DANIEL
And that is pretty much it that I want to share. It is this key point that I want to share with you, Guys. And what I really want you to think about and do your homework now is to start with your asset list. What do you do when you think about website management? What do you do when you think about security appliance? But to start, I want to think about the asset list. You create an asset list for your site. Start by that. And probably on the next webinars we will be adding more and more to it.
TONY
You know what might be interesting is seeing who might be listening and see if they could send us their information and we can take a look at it.
DANIEL
We would love to review it for you, Guys.
TONY
And we’re not talking complicated. Maybe a simple spreadsheet. Maybe basic questions and if it’s valuable and we’re seeing this over and over again, we’ll send more information and how to continue from that.
DANIEL
When you think about complex security, you fail in very complex ways. When you do things simple, they just work.
TONY
Perfect. Well thank you so much. I think this is great. I think the only homework I would add is to encourage everyone to go read the report, ask us any questions and share it and get that information out. Because for us it’s all about education and awareness. And then I kind of want to dive in on ways to maybe think of security. How do I take the information that Daniel just shared and make something actionable out of it? Or how should I be thinking about security? I guess and the first place I like to start is, security is a continuous process. It’s not a static state.
DANIEL
That is what I told you.
TONY
Exactly. It’s a continuous process. And it’s hard, right? Because as a business owner, you always have challenges. Marketing is a continuous process, sales is a continuous process. Well guess what? Security is no different. How you update your design is the same way how you update your security. The threats continue to evolve.
DANIEL
Think about creating a site and not writing any content.
TONY
Exactly! I created a website with no pricing changes, no product changes, no changing of the demographics to someone else. Same thing. And the other thing to think about is that our attack service is much bigger than the application we’re running. Whether it’s WordPress, Joomla, whatever the case may be. And in fact it’s more complicated if you look at, it’s not just about the environment on which it sits, but it’s also about the environment and how you engage the web, right? We see this in PCI for instance.
DANIEL
PCI is really interesting, because PCI is focused on e-commerce, the sites that pass credit card data, and when you go to the PCI requirements, they cover everything. They talk about your physical security, they talk about your networking, they talk about your servers, and they talk about your applications, and they also talk about how to connect them.
TONY
Your habits.
DANIEL
So even your laptop that connects to the CVE, which is the credit card data environment, should be on compliance as well. And you cannot just ask for one security, because it is a chain of security. If one thing breaks, you break the chain….You need both.
TONY
And I think that’s an important thing for every website owner to understand. Everything is interconnected, right? You may have the best configuration at the server level, or at the application level. But that doesn’t necessarily mean that you’re secure locally. Maybe you’re running a Windows XP box with no antivirus…
DANIEL
I hope no one does that.
TONY
…and you spend the evenings surfing bad websites on God knows what, right. And then you wake up in the morning and it’s like the gift that keeps on giving. And so I think a good way to think about this is like a fight prong approach. And in security we always have this debate between protection and detection, which one is better than the other. And we like to think of it as all encompassing. It’s not one or the other. How are you protecting your environment? How are you detecting in the event that the protection fails or some other indicator occurs that may lead you to know that something is happening and just how complex that change is. And then of course what’s going to be your response solution from this. And this is very common in the security world, and it could more common in the website world, but we like to extend that and include in that maintenance administration. And the reason we emphasize this is because for the everyday website owner they normally don’t place any emphasis on this. We talks about this at finding a baseline, and no one really talks about business administration because it’s not sexy. It doesn’t generate sales. Know what I mean? But then we talk about best practices like – hey, every website visitor is not an administrator role. Well I highly doubt they’re all administering that website.Things like least privileged and defense in depth. Those are really important concepts.
DANIEL
The things that operate the system security will be the aim of that, to get better. Nobody logs in, I hope nobody logs into your Linux service root, you log in as a user, if you need to run administrator commands, you type sudo, you do sudo. Now, when you go to WordPress, I see every single user logs in as admin, even with a different username, but you add the administrator role.
TONY
You gotta think right. We’ve been at this 20 years or more for instances. But when you look how young the web ecosystem is, specifically open-source CMSs, and the Drupals and Joomlas and Magentos and WordPresses, it’s fundamentally different. Know what I mean?
DANIEL
I usually joke that the current state of CMSs, how people use them, is kind of like the way we used Windows 95. Everybody is at administrator level, everybody uses the terminal. We just have to change this mindset that is what is important.
TONY
I think a good place to start is to stop looking at technology as that silver bullet or that easy buy, you know. It’s like – if I just install this plugin, or if I just install all these ten things I’m safe I’m secure. It’s not necessarily like that right, because security is a lot more complex involved process. It’s people process and technology working together harmoniously to get the information out.
DANIEL
You know, we clean a lot of websites, like you saw, and the majority of them have a security plugin installed
TONY
All of them do.
DANIEL
Well, few of them run it. And they still get hacked because the webmaster just thought about maybe if I installed these plugins, I will fix my security, but they forget about the process, the people and everything else that is around security.
TONY
I always like to joke it’s like going and buying a piece of hardware firewall into my network and saying – hey, i bought this firewall, I put it into my network, I plugged it in, I turned it on and I left and I said I’m secure. And yet you have allowed everything in the world, you haven’t configured anything…I don’t understand, all you’ve essentially done is put on a very fancy door but the door is wide open.
DANIEL
We had a user a few years back that bought a plan, didn’t add sites, didn’t configure anything…
TONY
Didn’t communicate with us. He just purchased.
DANIEL
And said who come I got hacked? I purchased an account and you didn’t do anything. Well, but I bought your service. I said, you have to use it.
TONY
Buying, using, and configuring are fundamentally different. And so we like to remind everyone that security is not a do-it-yourself project. Contrary to the platform you’re using and what you’re communicating, it just isn’t. And we’re seeing this more and more and I think this data accurately reflects that and says – hey, this definitely is not. And so here at Sucuri, what we focus on is providing a comprehensive package where we work in conjunction with the website owners. It’s not a matter of come to us and you never have to think about security; it’s work with us, let us be your complimentary source and we’ll provide you three core pieces of it.
DANIEL
If any company tells you otherwise, run…
TONY
They are lying. If somebody says we will keep you 100% secure and you have to do absolutely nothing – they’re full of shit right. It’s not gonna happen right because it’s a collaborative process. We can do a lot of stuff, but we can’t do everything. So we’ll provide protection while we’re trying to mitigate, exploitation attempts against vulnerabilities. We have a continuous monitoring or detection engine that looking for potential threats, if there’s a compromise. We also provide a professional incident response team where we go in and address the actual issue.
DANIEL
Our goal is to give you all the tools you need to have a secure site. The tools are there and if you install them and configure them, and we will help you configure, we will help you install.
TONY
We just require communication. And it has to be some level of understanding from the website owner themselves. And so with that, a reminder that we’re providing a discount for anyone that’s up to 20% through Friday. And if you have any questions, I’d like to turn it over to you Kristen and see if we can answer anyone’s burning questions.
KRISTEN
We have a lot of burning questions so we’ll give a few to you so that you can respond. So first let’s go to this one. How was it that my hosting company was unable to detect my site being hacked, but I, and Google were able to locate it. Then after the hosting did a site test run, they were still unable to detect it.
DANIEL
The first thing is that hosts are not security companies. They know hosting really well, so they do not know security really well. Specially when you go deep in your website, they are not an antivirus company that clean and scan all the things, so them missing a malware or missing an infection is actually common, right?
TONY
And a lot of them actually use server-level scanners like Plan A/B…absolutely, They will find server level malware but they won’t necessarily find web-based malware which is essentially why companies like us, exist. With that being said, we have to understand the intent of organizations. For instance, a host. A host’s intent from a security standpoint is for the perimeter and the environment. Which is why they provide you an account. One of the biggest challenges that web hosts have is how do we address the end user though? Because if I give you an account, and I allow you to do anything you want because that’s what you paid us for, how do I address that problem? It’s been a long time since we’ve since mass compromises in shared hosts. What we see is compromises in accounts, on shared hosts. So if I purchase a site on BlueHost and I install 150 different sites on there, and then I get infected. So…
DANIEL
That is not BlueHost fault, because they give you physical security, they give you the server security, they give you the space. What happens within your space is your responsibility, never push the blame to anybody else. So, for example, if you have a desktop on the network , and you are on ComCast, and you have a virus on your desktop, that is not ComCast. That is your fault. They are giving you the network and the bandwidth.
TONY
And in terms of your specific question – why it couldn’t be detected. We have to stop thinking in absolute. Security is not an absolute. So for instance, it depends, what was the infection? So for instance, if Google detected it as SEO spam, we just talked about SEO spam. We even talked about how difficult it is to detect. A lot of these organizations again, focus on the systems, the administration, providing you the environment yet they’re not a security companies. They’re not designed to target the stuff. And Google’s resources dwarfs everyone else’s. And remember, we talked about conditional payloads, malware specifically designed to target Google, so Google may see something that nobody else is going to see.
DANIEL
A lot of malware try to hide. They are heavily coded, they are heavily obfuscated, so.
TONY
And I can assure you, that the $399 that you paid that month is not paying enough overhead to provide you the security services that you might have been expecting. You may have been unaware of but unexpected nonetheless because of just not knowing. With that person, so what’s the next question?
KRISTEN
Alright, next question. Do you know the percentages of hacks…that happened in Q1 were targeted attacks, meaning targeted to a particular business or website or how many were just automated from the platforms and plugins being targeted?
TONY
That’s actually a very good question. We’re going to be providing more information in the future on attacks, and how they happen. But for those who attended the last webinar where we talked about how hacks happen, we would say what, greater than 95% of the attacks we see are automated. Very rarely do we see targeted attacks, and those targeted attacks are usually a big brand, big enterprise. It’s very rare…
DANIEL
Often they happen against Sucuri
TONY
Of course like Sucuri, we have a lot of targeted attacks because a lot of blackhats don’t like us for a variety of reasons but I can assure you that a majority of the websites and the owners out there don’t suffer from target attacks.Most of them are like, hey…TimThumb is a perfect example.
DANIEL
They are vulnerability based. The attacker has a known vulnerability they want to exploit, or a collection of vulnerabilities. Most of them have multiple vulnerabilities. They have TimThumb, RevSlider, Gravity Forms, they have a big list and they go against every website they can trying each one of them.
TONY
They have crowders…
DANIEL
So, even if you protect against the top 995, if you miss one, they are going to hack you because of that. Next question KRISTEN.
KRISTEN
Alright, next question is a theme hack the same as SEO spamming? We used a theme hack and customized it but discovered years later that the theme was not updated. What does that mean?
TONY
Ask the first part of the question again?
KRISTEN
the first part of the question was hacking a theme the same as SEO spamming.
DANIEL
So, hacking the theme can be used for a variety of things. They can hack your theme to inject SEO SPAM, they can hack you theme to inject drive-by-downloads or even put phishing. So, hacking the theme is just where it is, it is not the action.
TONY
Exactly. The way we’re thinking about it, we’re thinking about it incorrectly. Whether they hack the theme, or the core, or the plugin, a hack is a hack. It’s what they did once they were successful whether they distributed SEO spam or maybe they did phishing or maybe they did malware, and they took some action of distribution of something regardless of what they hacked. The theme just so happened to make sense because they probably adjusted the function, or the header file or the footer file. It would just load every time the theme loads.
DANIEL
And there is a lot of malware that even hides in the htaccess which is below the load, or they even hack your dns instance. It is before you can even see what is going on the php level or the WordPress level.
TONY
I think the important thing here to take away is that SEO spam is the result of what they did once they successfully compromised the environment. The same as malware distribution or phishing. It’s all a part of the same malware families. But it doesn’t necessarily matter what they ended up hacking – themes, plugins, environment. Whatever the case may be.
KRISTEN
Okay. The next question is, when a website is compromised, in your experience, does the attacker routinely log in to install additional software, manage it, create other users etc or is this an automated system strictly distributed through bots and other means.
DANIEL
It is mostly automated. All the malware, when they do, for example, if you look even at the GravityForms, RevSlider and TimThumb, they do, the first thing they do is upload the backdoor and from there is actually where they do the compromise, to the backdoor they inject the payload to the SEO SPAM, the drive-by-downloads, but then the first step is always the backup. And they use it for whatever they have to do.
TONY
The thing I would add to that. While the attack themselves are automated, you can also say that attackers have a tendency to install either users, plugins or themes. But the fundamental difference here is that they don’t necessarily do it manually. They automate it. So it’s the same exact thing. So we’ve seen attackers where they log in say from a platforms admin panel and then we can see the logs immediately in half a second they’ve already modified the post, they’ve modified this.
DANIEL
That is automated.
TONY
It’s automated. You don’t see someone clicking that fast. It’s practically impossible.
DANIEL
And the majority of them, when they look, they have thousands of websites hacked. It is not feasible for them to do it manually, one by one.
TONY
They are mostly automated and yes. They do install users, they do install plugins. They do make configuration changes. But again, all automated.
KRISTEN
Okay now we’re going to take our last question and it is that most clients don’t want to pay for security management. What do we do?
TONY
We wait until they get compromised. Then they’ll pay.
DANIEL
No, not really. But you can start with the simple ways, for example, the asset management. You can do a lot of this stuff for free if you don’t want to pay. You can install the asset management, track on a spreadsheet, you can install log security, which is open source and free on your server and you can install Snork (?) , you can do a lot of this stuff for free. You can do monitoring with the free open source OSSEC. There is a lot of stuff you can do for free if you know how to do it. If you are technical enough, you understand how to manage your server, you understand how to install and configure your automated security updates, then you are fine, you don’t have to pay for anything. You can do it yourself. But if you are not technical enough, and you don’t know how to do these things, if you try, you will make mistakes, and you will probably make things even worse.
TONY
Absolutely. I’m a bit facetious when I say wait to get compromised but that’s the actual reality. There are a lot of things they can do. They can go and read articles and configure all these tools but the fact is a lot of organizations are not going to do that. They’re not going to invest that kind of time. There has to come a balance. The organization has to weigh the risks and say, okay, I’m not going to pay. In my experience what I’ve found is at least when we talk to end users on our websites is that they usually recognize the value of it once they feel the pain. It’s very difficult to convey the impact if they haven’t felt it themselves. Oh I’ve had my website for ten years and I’ve never been hacked. Well, the landscape has changed a lot in ten years.
DANIEL
If you own a house and something breaks, if you are handy and know how to do stuff you can fix it yourself, and you will do great. If you are like me, you will have to hire someone, because every time I try I make it even worse. I spend money and time doing, then I have to spend money and time hiring someone to fix it.
TONY
And remember right, it’s not a static process. It’s not a static thing, it’s a continuous process. Configuring the tools and applying the tools are but what piece of the pie. Now you have to stay ahead of all the threats and continue to make changes to the configuration as the environment changes so don’t pay if you don’t like. That’s fine. Hopefully it’ll work out perfectly. If not, you’ll find yourself in a predicament where youll be suffering a lot of anxiety and stress because of an action that could’ve been addressed prior. So with that, no more questions, right Kristen?
KRISTEN
That was our last question so that brings us to the close of our webinar. I want to thank everyone for their participation. Are you guys going to go to Twitter and take some more questions?
TONY
Yeah, for sure. We’re always on Twitter so come add the hastag #asksucuri . We will continue to answer the best we can and like Kristen said we will be responding to the questions the best we can the next couple of days. Be mindful that it is actually Daniel and I responding so it might take us a little bit of time.
See Full Transcript
ExpandIn the website security community, our name is known for fast site hack cleanup and responsible vulnerability disclosure. As thought leaders in website security, we are committed to sharing what we know. Follow our concise and helpful website security guides and tutorials so you can learn how to clean and secure your website.
Join us on April 5th as we cover the latest findings from our 2022 Hacked Website Threat Report. We’ll shed light on some of the most common tactics and techniques we saw within compromised website environments.
All software has bugs – but some bugs can lead to serious security vulnerabilities that can impact your website and traffic. In this webinar, we dive into the steps you can take to migrate risk from infection and virtually patch known vulnerabilities in your website’s environment.
The threat landscape is constantly shifting. As attackers continue to hone their tools and exploit new vulnerabilities, our team works diligently to identify and analyze threats posed to webmasters. Join us on July 6th as we cover the latest findings from our Hacked Website Threat Report for 2021.
In this webinar we will highlight the various activity, access, and error logs WordPress site administrators have at their fingertips. Plus, learn how logs can best be used to manage, troubleshoot, and most importantly, secure your sites.
In our latest webinar, we'll describe action items that can improve the security state of internet-connected devices we all use every day. These devices will include common household staples such as: WiFi Routers, iOS/Android devices, and personal computers.
Join us as we delve into the minds of hackers to explain targeted attacks, random attack, and SEO attacks. Find out why bad actors target websites.
A feature benefit guide for our agencies and end users. Why use our firewall? What kind of protection does it offer? How does it affect the efficiency and speed of my site? Will it affect my server's resources? Find out the answers to these questions and more in our webinar…..
Cross-site contamination happens when one hacked site infects other sites on a shared server. This webinar is for beginners and web professionals to understand cross-site contamination and how to prevent it…..
If you're considering security for your site or are new to our services, this webinar will guide you through Sucuri's simple setup processes. Potential notifications, support options for various scenarios, and ways that you can also work to keep your site malware-free will be discussed…..
Learn how you or your agency can account for security with your client projects. Presented by Sucuri Co-Founder, Dre Armeda, this webinar shows how you can get involved and help clients who are not aware of some of the security risks involved with managing a website…..