Episode 32 is the first of four shows in a series on Online eCommerce Security. In this show, we talk with Dre Armeda, co-founder of Sucuri.net, who is the sponsor for this series.
Dre gives us a holistic view of what is going on in the world of security and the solutions, as well as the prominent issues he is seeing these days.
We chatted about:
- The bigger issues we are seeing with online security and why
- The reasons behind both the small and large hacks
- The perception out there that WordPress, as an open-source software, is a security risk in itself
- Why, as a small website owner, you are not safe from the big hacks
- An example of a recent hack that really put things in perspective
- Dre’s top three tips for keeping your site and information secure online
Thanks to Our Podcast Sponsor: Sucuri
Bob Dunn: Hey everyone, welcome to our show. Bob Dunn here, also known as BobWP on the Web. Today is not only episode 32, but it is the first part of a four-part series we have started on the WP eCommerce Show. This is where, for four consecutive Mondays, we will be talking with a special expert and sponsor about an important aspect of running an e-commerce site. What better subject to start off with than security? Today we welcome our sponsor, sucuri.net, and my good friend Dre Armeda as our special guest. Hey Dre, welcome to the show.
Dre Armeda: Hey, thanks Bob. Great to be chatting with you. How’s it going?
Bob Dunn: Good, good. Finally we got the tables turned. I’ve been on your podcast before three times. Now I get to sit back and ask the questions, which is so cool.
Dre Armeda: I can dig it. Should I throw my voice and pretend I’m you? That might work out better.
Bob Dunn: Yeah, yeah. Just lower it down a couple octaves, and they won’t even know. Before we dive into the guts of online security, for those that don’t know who you are, and don’t know Sucuri, tell us a bit about yourself, what you do there, and who Sucuri is.
Dre Armeda: Sure. Thank you. For one, thanks for having me on the show. Really excited to chat security, and hopefully provide some value to the audience. My name is Dre Armeda. I’ve been around WordPress specifically since right around 2004, when I found it online looking for a means to create a portfolio website. Excitingly enough, I settled on WordPress, created my first theme around 2004, 2005. Things progressively changed significantly throughout the years, starting at that point. I was still in the military at the time. I spent 12 years in the U.S. Navy and got out, fortunately, into the information security space. At the same time I was really passionate about web stuff, and that really converged at some point in the 2000s with a buddy of mine named Daniel Cid, and then Tony Perez, who, as you guys know, is the CEO of Sucuri.
We founded Sucuri in the early 2010s. We started figuring out a way to monitor websites remotely, figure out a way to understand and determine when security things, anomalies, were happening, and how we could alert against that. That quickly translated into, “Wow! We’re able to do this really, uh, successfully. How can we now remediate those issues?” That was the birth of Sucuri. We really looked at finding a way to alert to security issues and then remediating them. I spent the first four and a half years of the company as the founding CEO. We built the company, at that time, to about 35 employees worldwide. We were cleaning hundreds of websites every day.
Then I stepped down as CEO. Tony, who is also my brother-in-law, took over as CEO, and has continued to scale the company with Daniel to an exciting place now. We’re not only offering that detection and response, the remediation capabilities, through professional support services, we also offer protection. I think it’s an important thing to understand, from a website administration standpoint, that it’s not good to be reactive alone. We need to really be proactive in the way that we measure security and our risk floor, our security posture. Having some type of protective capabilities is important. Now that’s really what Sucuri is. We clean and protect your websites. We offer a website security stack that offers protection, detection, and response. That’s through various services and a web application firewall, as well as monitoring and inventory management of your websites. We have a full incident response team that offers remediation services when something is discovered.
I came back onboard to Sucuri here over the last few months. I stepped into the agency space for a couple of years, and the WordPress space, which was a great time. Got to learn a lot and was in a marketing role while in that endeavor. I’m back at Sucuri now, really helping engage with special projects around business development as well as sales and marketing. Very excited to be back at the company, which is now at close to 100 employees in 26 different countries. We’re really passionate about helping folks think through security more strategically, more holistically.
Bob Dunn: Cool. I’m so glad to see you back there. Everybody is excellent there. I love Tony, but it’s good to see Dre’s face back on the security horizon.
Dre Armeda: I appreciate that Bob. It’s good to be back.
Bob Dunn: Now as I’ve mentioned this is part one of four, and today we want to just do an overview of the state of online security. Then in the remaining three shows, for the next three Mondays, we’ll be focusing more on the topic of eCommerce. With that said, let’s talk big picture here, in general online security. What are some of the biggest issues we’re seeing more these days? Even more importantly, why are we seeing them?
Dre Armeda: Oh wow. Good question. It’s a very broad question. I don’t think the landscape will ever completely change. What I mean by that is certainly it’s evolving, and there are new attacks, or a higher amount of specific types of attacks, but we’ve still got the same issues from before: outdated software, poor credentials, and all that fun stuff that leads to a myriad of attacks. What we’re seeing a lot of are things like reflective attacks. That term reflective isn’t really official. We’re thinking through how to best describe that, but in essence we’re talking about attacks that compromise websites without really compromising them. What I mean by that, and to put it into perspective, think about the ability to hack a website by hacking a website’s DNS, for instance. Control the DNS, control what the user sees. It’s very different than what we were seeing with, “Hey, look, all of a sudden you’ve got, you know, the result spam SEO, because someone’s, eh, uh, injected this cruddy code through a known vulnerability.”
A little bit different. They’re changing the entire user experience from that DNS level. Or think about the ability to attack an ad network that many websites use, and using that to penetrate a website’s defenses. You’ve probably heard it. Over the years it’s become a lot bigger than just the application layer.
Bob Dunn: Right, and even in the application layer there’s all the themes and plugins.
Dre Armeda: Oh, it’s game on. It’s third party stuff! We haven’t even talked about that!
Bob Dunn: Yeah, oh yeah. Oh jeez. Yup. It’s never-ending. When it comes to online security, we know we’re making ourselves more vulnerable by being out there shopping, and on social platforms, and anywhere else we give out all our information, create passwords. When we’re on our own site, I think some people fall into the safety net and think, “Hey, I’m not a big site. Nobody really cares about me. I’m never going to get attacked.” What do you say to those people?
Dre Armeda: I say, hackers like cupcakes too. What I mean by that is that your cupcake website is just as big a target, or at risk, as the next person out there. Again, let’s step back in the conversation to where we talked about the difference between targeted and opportunistic attacks. Certainly politically targeted, or charged, attacks happen. Monetarily-based attacks against a specific journalist, for example Krebs again, happen. But man, opportunity is out there, and these attacks, in a lot of ways, or in most ways, are automated. They’re looking for what’s out there and easy to grab, to make part of that network that they’re building. If this was a true thing, we’d be out of business. Let’s be realistic. Everybody’s a target out there. Most of today’s attacks are automated, and they go after the low-hanging fruit. That’s the reality of it. There is no one sitting there thinking, “Man, I really wanna talk- I wanna attack Bob, cuz Bob, man, like that guy’s …” Maybe there is, but the likelihood of that is probably not high. We’re all just another number.
They’re going to scan ports, they’re going to scan different layers of the stack to see if there are vulnerabilities, and if it’s there, boom, they inject it. There was a big attack on Drupal here over the last couple of years, where they were targeting Drupal, and they’ve got this automated attack to go, “Hey, this vulnerability exists.” You know what they were doing? They weren’t even attacking just Drupal. They were attacking everything. They didn’t care if it was WordPress, Joomla, Drupal, what have you. They had this vulnerability, they would scan everything and throw it over the fence, and see if it would penetrate. They don’t care. We’re all just another number.
Everyone thinks they’re too small until they’re not.
Bob Dunn: Yeah. For everybody, be safe out there, right?
Dre Armeda: Indeed.
Bob Dunn: Now we hear about attacks all the time, and a lot of times we don’t maybe know they’re going on. Some of them, like you said, I think, before, there’s a lot of them you may never find. They’re not detected, and they’re not stopped. Can you give an example of an attack that really puts things into perspective, as far as that we don’t know everything that’s going on?
Dre Armeda: I think that Krebs attack here, over the last couple weeks, is pretty interesting. It’s an attack on availability. This is a denial of service attack, or distributed denial of service attack, and what they did … Are you familiar with IOT, the Internet of all Things? Everything is automated and connected to the internet today. They used a specific botnet that leverages those types of devices to construct this attack. We’re talking an amount of traffic that’s reached over the capacity, or the known threshold of denial of service attacks, by going over 600 gigabytes per second, for a sustained amount of days. That’s happening. It took him offline. In fact, he was on Akamai, the content distribution network. They’ve got low caching capability, all this fun stuff.
They’re one of the big ones in the world. They said, “Sorry, we can’t, we can’t, we can’t, uh, keep you here anymore.” In fact, he’s moved on to Google for his site to be back online. That’s a big deal. There’s a lot of them like this, Bob. The list could go on. We’ve written, actually, a considerable amount. Our researchers write articles all the time about these types of issues. We put out a great article that illustrates some of our points on the 19th, actually, of this month, in which we talk about how WordPress sites are being hacked via poorly managed servers, where attackers are moving laterally once they’ve penetrated the defenses. This is a common occurrence. In fact, years ago Tony coined the phrase, I think I coined it, but he tells me he coined it, the term “soup kitchen servers.” We’ve talked about it for years. It’s still an ongoing issue. We’ve got that up on our blog, you should go check that out.
In essence, website owners forget they have other sites and other stuff on their server, they’re storing backups or what have you, or even developers hosting for their customers have all this stuff on their servers, and the attacks find them, and boom. That’s access to production environments. They’ve got access to all their stuff. This is happening all the time. I think that’s a very relevant thing that, maybe it’s not a huge attack that finds its way to the media, but it’s an ongoing occurrence, and it’s very relevant to anybody having a site, an eCommerce site, what have you, online today.
We ran another one here earlier in the month where an attacker was generating spam via a customer’s website, using a WP page dot PHP file. The file was regenerating itself via an injection. Now this is funny. The injection was in theme header files, but this is where it gets crazy. Every time the website owner would delete it, on loading it again it would regenerate, and the customer’s going nuts. Going like, “How the hell, like … I just removed this thing.” As soon as you’d refresh, boom, nail them again. Again, that infection’s there, and it’s continually attacking.
Talking attacks, again, think availability directly. That’s that Krebs article. We wrote about it, and there’s a couple of them out there. He’s exceeding 650 gigabytes per second. That’s just a ridiculously huge attack. That’s more on the denial of service side; it’s not so much spam or malware, but it is an attack that can take down, not just you, but an entire network. Like big portions of networks.
Earlier I mentioned reflective attacks. We wrote an article on that where fake free DNS was being used to maliciously redirect users. That’s an interesting one. Hey, all of a sudden my DNS records were modified and my site’s pointing somewhere else completely. They never penetrated the website, but they attacked it through other means that could actually affect the website and the user experience. These are all high-level, maybe, things that we’re seeing in the wild, that I think are really important, that maybe people aren’t considering. That whole DNS thing is kind of a big deal. The DDOS attacks are certainly a huge deal, and a growing problem, but these … Bob’s site, the cupcake website, these are all very small in the grand scheme of things. But think about some of the big players that have been attacked and had issues over the last, probably, two, three years.
We’ve seen attacks that have nailed Target Corporation, with more than 70 million credit and debit card accounts being exposed. eBay, they were breached; poisoned a huge portion of their dataset and history for all their accounts. It’s something like 145 million records. Starbucks, last year, had, I think it was last year, they were hacked twice. Their app was hacked twice within a couple months. Dude, all sorts of information was put out there based on that attack. They were using these Starbucks accounts to access customer credit cards. That’s a problem. That is a very, very real problem. Lastly, in terms of examples, think of Zappos. They were nailed not too long ago either. Same thing, with something like 24 million users’ accounts exposed.
These are all real problems. We’re talking DDOS attacks. We’re talking these account exposures, which is a major challenge. And again, the DNS stuff. That redirect one, I think that that’s a really important one people should be focusing on. Okay, great, you’re doing awesome stuff to secure your stack; how are you sure that your DNS stuff is squared away? Does it sit at your registrar? Is that in your hosting environment? Where are your DNS zones and how are you protecting those?
Bob Dunn: Yeah, that redirect. Yeah, that’s crazy. Who knows where you’d be shot off to. Lots of good examples there. I shouldn’t say good examples, but solid examples, let’s say that.
Dre Armeda: Yeah, all of those.
Bob Dunn: Yeah, really. Okay, lastly, you talked about those horrible top ten tips, and oh yeah, I know what you talk about. I’m going to ask you, even though I’m sure you have tons of tips, what are your two very top tips every single person online can do to tighten up their site and keep their information secure?
Dre Armeda: Bob, I’ll give you my top ten list! No, I’m not. I really feel that we’re getting to a point where the application-based utilities that we’re using out there are something that people are depending on. Security utilities, plugins, and things like that on the server. One of my biggest tips is don’t stop there thinking that these are going to give you all of the security you need, because that is a false sense of security. In a lot of ways, they’re becoming obsolete, because these attacks aren’t just happening on the server. They will not stop these vulnerabilities from being exploited in a lot of cases. You need to start thinking at the edge, because these things are really giving you a false sense of security. They’re becoming obsolete. That’s fine. I know that these things are, they’re good business, and these plugins are awesome, and they do help a lot of people in certain capacities. They are not the end-all.
It’s time to really think about cloud-based solutions, and thinking to the edge. This is a more effective approach to effectively mitigating external attacks. We’re talking brute force, we’re talking DDOS. We’re talking virtually patching these vulnerabilities, known vulnerabilities, at the edge, so when these attacks come in, they never make it into your network. Therefore, they don’t have the opportunity to inject anything, or penetrate into your site. That’s where people get that misconception of, “Hey, I’ve got these plugins on my server. This is awesome.” If you’ve got a known vulnerability there, and it’s not patched, that’s a wrap. It’s too late. They’re already on your server.
I think defense in depth is really the approach, right. Think about those server-side tools you’re using, or those application-based tools, but also marry that with some type of cloud-based solution to make sure that you have a really aggressive and overlapping security solution or setup. That will absolutely help your risk posture, your security posture, considerably.
This is probably my biggest thing, because stuff happens. Your site goes down, files disappear, they’re completely damaged, and the importance of backups just hasn’t changed. If anything, in any catastrophic event, they’re online. You have a backup. I tell you, there’s a number of times where we’ve seen compromises, and they completely destroyed our client’s websites. The only, literally, the only thing that saved them was having a backup. Have your backups. Have backups of your backups. Have backups at home, on CD. I don’t care if it’s on a server, just not the same one as your production environment. Keep it offline. Keep it in a remote environment. Keep it in a cloud. Have a bunch of them, it’s awesome.
Backups for your backups, baby. I’m telling you, that’s a big deal. You need to keep considering that it’s not a matter of if, it’s a matter of when, and you need to have some type of contingency plan. If you don’t have up-to-date backups, how much does your data mean to you? What is the value that you put behind your website being down an hour, two hours, ten, or longer? So have backups that you can recover as quickly as possible.
Lastly, Bob, I’ll leave you with one last tip, because I can never leave without talking about passwords. Honestly, it’s annoying still having this conversation. We’re still having this conversation.
Bob Dunn: I know, it’s amazing, huh?
Dre Armeda: Holy cow, but it needs to happen. I’d prefer to recommend folks start leveraging some form of multi-factor authentication, because two-factor authentication is where they need to go. Some tech that allows them to force a user to confirm that they are, in fact, trying to log in. Even in the case that they have a bad password, they’ve got two different things that they need to do to measure and make sure that they’re the right folks to be logging in. Two-form authentication. Multi-factor authentication is, I think, super important. So one, think about marrying your application-based utilities with some type of cloud-based solution, web application, firewalls, or something at the edge. Two, let’s not even consider backups, it needs to happen. It just should be already part of your process from day one. Three, passwords, yes, we’re still having this conversation, let’s really start thinking about multi-factor authentication.
Bob Dunn: Yup, all three of them. Yup. I can’t tell you how many times I’ve talked about all three of those. Especially the passwords and the backups. I feel like-
Dre Armeda: No doubt.
Bob Dunn: Yeah. We can have a drinking game, and every time you say password and backup, take a shot.
Dre Armeda: Oh my gosh, we’d be destroyed.
Bob Dunn: Yeah. There you have it in a nutshell. The bird’s-eye view of online security, and as I mentioned next Monday we will be diving into the eCommerce side of things. What can we expect to hear next Monday, Dre?
Dre Armeda: You’re just going to have to tune in, I think. For your audience there, we’ve got a lot of cool stuff going on in terms of security, and I think getting a little deeper-rooted around security in general. Beyond just this high-level discussion that we had about today’s online threats.
Bob Dunn: Yeah, very cool. Thanks again, Dre, for taking the time.
Dre Armeda: It’s my pleasure. I’m glad that we were able to hook up and certainly enjoy being on this side of the microphone.
Bob Dunn: Cool. I enjoy being on this side too. Everyone, do mark your calendars and make sure you tune in for our next show. Also, if you’re wanting to prepare your site for optimal online security, or if unfortunately it’s too late, and you’ve been hacked, check out sucuri.net. I would recommend, highly, to subscribe to their blog. He’s referred to a lot of blog posts. I’ll try to get some of those in the transcript, but they have a ton of information over there. I know I’ve sent a lot of people their way myself, a lot of clients, a lot of colleagues, and they always come back happy campers.
It’s good stuff. Until next week, stay safe and tune in for more security tips on the WP eCommerce Show.