Episode 79: High Profile Twitter Accounts Compromised in Coordinated Attack

A number of high profile Twitter accounts including those of Elon Musk, Apple, Uber, Bill Gates, Joe Biden and others were compromised as a part of a coordinated bitcoin scam attack. The attack lasted a few hours and netted the attackers about $100,000 worth of bitcoin. We talk about how this attack could have possibly happened and lessons for businesses with remote workers accessing company systems.

We also talk about a vulnerability our Threat Intelligence team discovered in the All in One SEO Pack plugin used by over 2 million WordPress sites. This vulnerability could be used by a malicious contributor account to take over a WordPress site.

We also discuss SigRed, a 17-year-old ‘wormable’ vulnerability that could be used to hijack Windows servers, with severe ramifications for enterprise Windows networks. This vulnerability was patched on July 14.

And we take a look at some privacy concerns with the increasingly popular TikTok app and how Apple discovered TikTok spying on iPhone users.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
1:25 2 Million Users Affected by Vulnerability in All in One SEO Pack
4:00 High Profile Twitter Accounts Compromised in Coordinated Attack; comprehensive timeline of events
27:29 SigRed: A 17-year-old ‘wormable’ vulnerability for hijacking Microsoft Windows Servers
30:58 Apple Suddenly Catches TikTok Secretly Spying On Millions Of iPhone Users

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.


Episode 79 Transcript

Kathy Zant:
Hi, everyone. Welcome to another episode of Think Like a Hacker, this is the podcast about WordPress security and innovation. We hope you’re having a great summer. We’ve been pretty busy here at Wordfence with a number of things, and I can’t wait to share them with you. If you are listening, you might want to head over to the blog because this has a video component today, because we have a somewhat breaking news story that we wanted to cover today. And Chloe Chamberland and Ram Gall are joining me on the podcast today to talk about one of the biggest security stories that has come out recently. And that is the hack, the widespread and coordinated attack, on a number of verified Twitter accounts that was announced yesterday and we saw the ramifications of that happening. Ram and Chloe, how are you guys doing today?

Chloe Chamberland:
I’m doing good.

Ram Gall:
I did not get hacked. So I’m doing pretty good. I mean, at least as far as I know.

Kathy:
As far as you know. Yeah, yeah. My account seems to be safe. I’m not asking anyone for any bitcoin, so things are looking good for all of us. But it looks like a number of high profile accounts did indeed have some interesting tweets posted, but we’ll get to that in a moment.

Kathy:
We have another story that is more WordPress related and I wanted to cover that quickly first, because that is some of our primary research that we’ve done here on our threat intelligence team. Chloe Chamberland, you found this vulnerability, didn’t you, in the All in One SEO Pack plugin. Tell us a little bit about what you found and what happened.

Chloe:
Yeah, so I basically found the contributor+ vulnerability. So it can only be exploited by users that have contributor level access or above. And it basically allows them to inject malicious JavaScript into the SEO title and description fields. And that JavaScript will later be executed once a victim browses to the All Posts page, or if they access the post directly, maybe previewing the post or just going to it directly.

Kathy:
Great. Yeah. And you did a proof of concept walkthrough of like how an attacker could possibly exploit this to basically take over an entire site, didn’t you?

Chloe:
Yes I did. So there’s all sorts of different things that you can do once you can put JavaScript on a site, but one of the most worrisome things would likely be that you can put administrator accounts on there or you can inject back doors, and that basically gives hackers a back way into your site, and then they can escalate all the damage from there.

Kathy:
Yeah. Interesting. So definitely check out that blog post on the Wordfence blog. And there’s a video there that shows exactly how this could be used to take over an entire site. I know a lot of publishers that are using contributors and give people contributor-level accounts. And so if they were using this and a hacker knew of this vulnerability, they could definitely take advantage of that. But it’s patched now, right? In the latest version that came out?

Chloe:
Yes. I believe it’s 3.6.2.

Kathy:
Excellent. Great. So definitely check that out and thanks for all of that work, keeping WordPress users safe, that’s a 2 million install? Over 2 million?

Chloe:
Yes, it was.

Kathy:
So a lot of people. I keep seeing that getting retweeted from our blog posts, so people are definitely spreading the word. So if you know someone who’s using All in One [SEO Pack] or actually is using contributors, definitely send them that post and let them know to update so that they can keep themselves safe.

Kathy:
Okay. And now we should probably get into this huge story where high profile Twitter accounts were compromised in this coordinated attack. This happened on July 15th. We saw evidence of it happening in the afternoon, and basically they were posting to these high profile accounts like Elon Musk, Apple, Uber, Joe Biden’s account. Who else did we see get compromised with that? There were a few other very high profile accounts.

Ram:
We had Bill Gates.

Kathy:
Bill Gates, too?

Ram:
The Apple account, like the official Apple account. Kim Kardashian was the last account to post. And I think after that point, they actually managed to shut it down.

Kathy:
Yeah. We’ve seen interesting things happen with Twitter in the past, they did delete Donald Trump’s Twitter account. An administrator said that he had violated terms of service in 2017 and that had made some big news, but that was an actual Twitter administrator making that decision to delete that account. But we’ve never seen anything like this. And it does look like this was a coordinated attack for the purpose of spreading this Bitcoin scam.

Kathy:
Twitter stock actually took a bit of a dive after this event happened. And it really underscores how important Twitter has become to not just the conversation in society in America, but worldwide. So this really could have been manipulated for a much wider effort. Ram, you took a look at a website that basically elucidated the entire timeline of what had happened and when they saw these attacks happening. What did you find out?

Ram:
So it’s actually a crypto site, which I guess took an interest because this was a crypto scam. And the initial attacks were actually against crypto accounts. Relatively high profile crypto accounts, AngeloBTC, Binance, a number of other accounts that effectively are big in the cryptocurrency community. And initially it looked like they were pushing a malicious domain. From what I can understand, the original Bitcoin address that they asked to send money to was listed on that domain, though it’s entirely possible that there was also some sort of other exploit running on that site. They took it down since then. So there’s not really a way to know, and I haven’t seen it mentioned, but it would be doable. And then at some point about two and a half hours or a little after two hours after they started, they started hitting other high-profile accounts, starting with Elon Musk, Uber. Yes. A lot of very famous people.

Kathy:
And Elon Musk has been kind of used by this crypto scam for quite some time. I’ve been seeing this on Twitter for a while and other social media where people are posting from accounts, it’s not Elon Musk’s account, but they’re saying, “Elon Musk, he’s doing this giveaway, if you send Bitcoin to this address, he’ll double it and send it back to you.” So he’s been used quite a bit and we’ve seen with Bitcoin, you can research what is being transferred. So you can look at a Bitcoin address and see what has been transferred to that address. So you can kind of tell how successful these scams are.

Ram:
Yeah. If anyone ever asks you to send them money to a Bitcoin address, the first thing you should do is do a Google search, or your search engine of choice on that Bitcoin address. Because if it’s been used in scams and yes, bad actors do use multiple addresses, but they won’t switch them out that often. So if a Bitcoin address has been used in a scam in the past, you can do a search for that Bitcoin address and security organizations track these things. They’ll keep track of which Bitcoin addresses were used for scams. They’ll keep track of how much money was sent to them. Bitcoin is not as anonymous as a lot of people seem to think, certainly less traceable than say stock buying or selling, but you can definitely find some things about the people behind an attack by the Bitcoin addresses. In this case, for instance, even though they used a couple of different Bitcoin addresses, they noticed transactions between the Bitcoin addresses indicating that they were likely working together.

Kathy:
Gotcha. Okay. Now, does it look like an attack that… What do we think happened? What can you speculate based on the evidence that we have right now? Does it look like a Twitter administrator had done this? Or what do you think? What is the evidence telling us?

Ram:
So far, there’s been a reasonable amount of conjecture, and I believe Twitter has confirmed this, that an administrative panel was used and that one or more people with access to that panel were socially engineered so that attackers could somehow use that panel to make these changes. Now, what kind of panel it was, what its capabilities were, that’s up for conjecture. A lot of large companies will just give relatively low-level customer service agents the ability to send password resets, or even in some cases change the email address that password resets go to or turn off two factor authentication. So it doesn’t necessarily mean that the Twitter employees were actively in on the scam.

Ram:
As Chloe was saying, you could socially engineer people into doing all sorts of things that they might not intend to do. And if you can gain access to, let’s say a relatively low level account that still has some permissions, just like with the All-in-One SEO pack thing, you can still do some major damage. So I think that’s called the principle of least privilege.

Kathy:
Yeah. Chloe, can you explain, first of all, let’s take it back a little bit and let’s talk about what is social engineering? Because we hear that term thrown about, and maybe we should just kind of make sure everybody understands what social engineering really entails.

Chloe:
Yeah. So it’s basically exploiting the trust relationship with another human and tricking another human into doing some sort of action. So for example, I can walk into a building and I can say that I’m the handyman, and I’m dressed up like a handyman and everything. And so you kind of have that trust with me that I’m a handyman.

Chloe:
And I tell you that I got called in because I need to go check on the wiring or something. And then you kind of trust me, because I have this outfit on and I look like I am who I say I am, but I’m not actually who I say I am. And give me that access and I go in, and from that point forward, I have this access that I shouldn’t have had because I’ve exploited that trust with you by presenting myself as someone I’m not.

Kathy:
Exactly. And they’re usually doing something that seems somewhat innocuous, that it seems natural.

Chloe:
Yeah, exactly. And this can happen over the internet so I could send you an email and I could spoof my email and pretend that I’m Bob your neighbor and I need your door code to get into your house, but I shouldn’t really need that or your gate code because I dropped something on the side of your fence.

Chloe:
And then I get into your gate and I go on your back door, because you left it unlocked on accident, but I can pretend to be someone I’m not, and as an attacker, hopefully exploit that trust with you.

Kathy:
Interesting. So that could have been done to a Twitter customer service agent? And… “I’m Elon Musk. I need my account reset and my two factor authentication turned off.” So they could be pretending to be him and socially engineer a customer service rep?

Chloe:
Yeah. So I did some poking around, it looks like there’s a form on Twitter where you can contact them about getting your password reset. So that’s one possible way that they could have gotten in touch with someone and kind of escalated from there. Perhaps they got the email of some higher level, higher permissioned employees at Twitter. And they sent them an email exploiting a trust relationship of some sort with maybe an attachment.

Chloe:
And maybe they clicked on that attachment and it installed malware on their computers and kind of escalated from there. But it all starts with that social engineering attempt at the beginning. And once they exploit that trust, you can kind of escalate in so many different ways. And there’s so many different ways to get that initial trust gained. Especially if there’s not good enough security awareness training.

Kathy:
Got you. Okay. So security awareness. Ram, with the timeline that you saw, were there pauses between where these things were being posted to these accounts?

Ram:
Yes, actually there was a relatively long pause between the absolute first post and the next one after that. And then they all seemed to happen in rapid succession, which makes me think that maybe they had to establish some sort of proof of concept. And once they had established the proof of concept, they sort of had to decide on the strategy. It seemed like they were in kind of a hurry. It’s been mentioned that a vulnerability of this magnitude, [what] it would have been worth … so effectively, the attackers apparently made somewhere around a hundred thousand dollars off of this scam. Actual value of an exploit of this magnitude is worth millions on the black market. So it seems like they might’ve been in a hurry to monetize as quickly as possible before they were caught.

Kathy:
Got you. What they were doing was going to get figured out pretty quickly.

Ram:
Yeah.

Kathy:
Okay. All right. Interesting. I was going to ask about least privilege, and how would that protect against something like this, but go ahead and make your point.

Ram:
Oh no, I was just going to say that yes, least privilege could have possibly prevented this in some cases, but it might not have been enough. Because if the people targeted were people whose actual job was to help people reset their passwords and an attacker actually compromised their computer, then they could probably take remote control actions on that computer and use that access to make account changes just like Chloe was saying.

Kathy:
Okay. Yeah. And Chloe, what is the least privilege? Because you just wrote about that this morning with the All in One SEO plugin.

Chloe:
Yeah. So the principle of least privilege is basically giving users the least amount of privileges they need to do their job. So if a Twitter administrator needed to reset passwords, for example, they should be able to reset passwords, but maybe not also disable two factor authentication. So if we’re talking about this example and let’s say that the user that was compromised had access to, let’s say, Twitter’s database and passwords. They shouldn’t have this access, but let’s say in a scenario they did. Perhaps they have the ability to reset passwords, they have the ability to access the passwords. But in reality, all they really should be able to do is reset those passwords. So that principle of least privilege is making sure that they only have the privilege to reset the password, but not the privilege to access those passwords in a database directly. Does that kind of make sense?

Kathy:
Yeah. That makes sense. Definitely.

Ram:
Kind of like when you get a refund at the store, they have to have a manager type in the code to approve it.

Chloe:
Yeah, exactly.

Kathy:
Interesting. Okay. Yeah. So it sounds like something happened. And everybody is working at home now, right? So everybody with this whole COVID thing going on, we’re all kind of being forced into really learning how to work as a remote team. So you may have somebody who’s a customer service rep for Twitter, who has access to a system and they are working from home on a computer that they own, and their personal email may have access there and they might get phished from their personal, it might not even be a Twitter email account that gets phished, it might be their own personal account. But because you’re intermingling those personal computers with your work functionality, you are running sort of a risk, aren’t you there?

Chloe:
Oh yeah, for sure.

Kathy:
So what would you advise … so let’s say someone who is watching this is running a company and they have a distributed team that six months ago wasn’t a distributed team, but they’re forced into being a distributed team and, “Oh, just use your personal computer and just log in. Here’s how you log in.”

Kathy:
What advice would you give a CEO or a CTO or even an operations person, who’s got a team now that they’re managing that’s using personal devices, like their phones or personal computers? What advice would you give?

Chloe:
Yeah, so one thing I can think of right off the bat is make sure antivirus software is installed. If you get targeted by a phishing attempt and you click on something, because you accidentally did it, you accidentally trusted or whatever reason, if there’s malware in the link or whatever, that antivirus can help protect you against it, and maybe block the download from happening. If you’re having people work on their personal devices, I would recommend maybe installing a virtual machine onto your computer directly so that maybe you can do your work stuff on your virtual machine. Then you log out of that virtual machine and whatever when you’re done with the work day and continue on doing stuff on your personal computer. There are ways to escape a VM, but it’s more sound and secure than it would be to intermingle both your work and personal lives on a device.

Kathy:
Is there security training that you can do for employees?

Chloe:
Yeah, for sure, you should definitely be doing security awareness. Especially when transitioning from being in an office to a work-at-home environment. You should go through that training again if you’ve already done it or just start doing it at least now. Where we work, we do security awareness training and our Director of Information Security actually tests us and recently, we all passed. So after repeated attempts, every now and then someone might click on the link or whatever. But as we keep learning about these phishing campaigns and how they happen, eventually we got to a point where nobody clicks on them. So awareness and training is very important to help educate users and your employees and everything to help keep you and your company assets safe.

Kathy:
Yeah. Phishing fire drills, right?

Ram:
One other thing I wanted to bring up, two other things actually, and that is to make sure that you or your employees keep their machines patched and up to date at all times. We’ll actually go into a problem that needed to be patched pretty quickly a little bit later, but a lot of exploits basically rely on unpatched vulnerabilities.

Ram:
So the chances of them getting exploited is a lot lower if you keep your machine patched. And as Chloe was saying, using a virtual machine, that is ideal. But even if not all of your employees are savvy enough to do that, using a separate browser for work and personal use, even that will help. Because that way, if they’re clicking a link in the browser they use for personal use, it won’t open that link in the browser that has an open session maybe where you’re logged into a sensitive control panel area. Because a lot of those dangers happen because you’ll be logged into something sensitive in a certain browser. So if you do anything risky in a separate browser, you’re less likely to have cross contamination, basically.

Kathy:
Good point. Is phishing considered social engineering? Does it fall under that umbrella?

Ram:
Spear phishing does.

Kathy:
Spear phishing, yeah.

Kathy:
Define spear phishing.

Ram:
Chloe, you can take this one or I can, but it’s effectively a targeted phishing campaign, where you do some research about the person you’re targeting, find out who their boss is, so that you can maybe pretend to be their boss and send them an email. Find out what kind of documents their boss might ask for and send an email asking for, “Hey, I need this kind of document that your boss always asks for.”

Kathy:
So like phishing in general would just be the misspelling of Bank of America, and you’re getting an email that looks kind of like Bank of America, but there’s some fairly obvious things that are wrong there. Whereas a spear phishing attack is very, very targeted. They know things about you or your company or your boss or your coworkers that will sort of lull you into that sense of it being just a normal routine, everyday thing, and clicking on a link that does a very bad thing.

Ram:
Exactly.

Kathy:
Okay. I started on Twitter in like 2006, and I think some friends dragged me on there, hey, look at this new way to chat. It was not what it is today, but it has really evolved into something that is the go-to place for people to find out news about what’s going on in the world. A go-to place to find out what a particular political person might be saying about what direction your country might be going in. It is the place where people go to find out what their friends are up to. But really the keys to understanding our world are in the hands of a few social media companies. And when something like this … I mean, it’s kind of ridiculous almost that this was a Bitcoin scam.

Ram:
Yeah.

Kathy:
I mean, if somebody had this kind of access to Twitter, they could do something like … I think we were joking earlier about logging into some political person’s account in the United States, a senator, saying that we are declaring war on North Korea tomorrow at noon. And then having that be sort of like a North Korean hacker coming in and posting that. Hacking into one of these senators’ accounts and then using that as a pretense for some kind of physical war-like action, or banning the whole world from Pyongyang. Right? So-

Ram:
I think they already are, but.

Kathy:
We already are. But I mean, this has a lot of implications, not just to world politics, but the safety of our physical world as a whole, because of how popular opinion or beliefs of what people think to be true can be manipulated in this way.

Ram:
Misinformation is bad enough when it’s coming from John with nine numbers after their name. And it’s probably a bot. It’s much worse when it comes from someone with a trusted brand, especially since this targeted verified users. So there was already a degree of trust that this person is who they say they are, these are their real opinions. This is for real. And it could have been much worse.

Kathy:
It could have been. Yeah, we saw it was $100,000 in Bitcoin that actually changed hands. Was that the number we saw?

Ram:
A little bit more than that, maybe like 110, I don’t know what the final count was, but it was relatively a meager amount of money.

Kathy:
Considering what could have happened.

Ram:
It was probably less than many of the people who have access to those admin panels at Twitter make.

Kathy:
Probably, yeah. So there’s been some speculation that someone had actually paid a Twitter employee for this access. What do you think about that speculation?

Ram:
I think it’d be way too easy for them to get caught, for one thing. And also the amount of gain for that type of thing. I feel like anyone who’d actually planned for it, it seemed like they didn’t expect it to work. And I feel like if they actually had an inside source that they were bribing, they would have been more certain that it would work and they would have used it for something bigger.

Kathy:
Interesting. Interesting. Yeah. I think that’s an interesting observation that it doesn’t look like they thought it would work. So it’s like, “Okay, well how do we make money with this guys?”

Ram:
Yeah. What’s the fastest way we can get away with this before we get caught or before we get shut down.

Kathy:
Interesting. Well, we’re speculating a lot. Is there any other data that kind of points in a certain way that we haven’t talked about? Because I mean, eventually we’re going to figure it out. The news is going to come out. There’s usually always a post mortem with something of this nature, like the Twitter, or not Twitter, but Target hack that happened in 2013, where they found out that an HVAC, heating and air conditioning, laptop had gotten compromised. And after 19 days of having access to that, they eventually pivoted into the point of sale, cash registers at like over 800 Targets across the country.

Kathy:
And that was like obviously a huge monumental deal. But we didn’t find out that day what had happened. It took quite some time. So we’re going to probably have a post mortem and a hack of this nature, news will come out of what actually happened eventually. But right now it’s kind of like, we’re seeing some signs of what could have happened, but I guess we’ll have to wait and see, huh?

Ram:
That we will.

Kathy:
Yeah. But now you told me Ram, that there was a story bigger than Twitter.

Ram:
It’s probably not bigger than Twitter for most of the people in the rest of the world, but I feel like for those of us in InfoSec, it is in a way bigger. It’s the SigRed exploit; effectively, it got a 10 CVSS score and it’s an issue in the Windows DNS server.

Kathy:
Interesting. This looks like a 17-year-old vulnerability that’s being used, and they think it might actually be used in the wild.

Ram:
Well, they did say that it’s wormable and there is some speculation that it may already have been used, at least by Check Point. At least if I’m reading their disclosure correctly, but the long and the short of it is that, all right, DNS, the domain name system, basically boils down to you ask a server, “Hey, I want to know where this domain name is. Can you give me its IP address?” And you can ask any computer running a DNS server that, and it’ll find out for you eventually.

Ram:
So basically the exploit was, if you, as an attacker, control an evil domain that returns a specific maliciously crafted record, you can ask one of these Windows DNS servers, “Hey, can you look up my evil domain for me and tell me what it says and where it’s hosted?” And if you craft the request just right, you can take over the computer that’s hosting that DNS server, the Windows computer. Then, since it’s effectively a high-level process, it gives the attacker access to what’s called the domain controller or domain administrator. And at that point, the attacker would then have access to the entire corporate network connected to that machine.

Kathy:
Okay. So that’s definitely on a scale of 1 to 10, is a 10, or as you said earlier, possibly an 11.

Ram:
I’d call that 11. Like, I mean, it’s still, it’s on some level, it’s a buffer overflow exploit from what I can see. It doesn’t seem easy to do. And initially it needed to be done from inside the network, but it looks like they may have found a way to exploit it from outside the network as well, which would make it an 11, I think, since it gave them domain administrator capabilities.

Kathy:
Yeah. That is pretty scary. Now, this was patched on what, July 14th. So if you’re updating all of your Windows servers, you should be okay?

Ram:
Yes. It was patched on this past Patch Tuesday, please update right now.

Kathy:
Okay. So if you are forced by some force of nature to use Windows servers, make sure your Windows servers are updated in order to patch this very critical 11.

Ram:
I mean, it is hyperbole. There’ve been other big Windows exploits in the past. And I feel like this is probably on a similar level as them.

Kathy:
Yeah.

Ram:
Like the EternalBlue thing, and yeah.

Kathy:
Definitely important to update. All right. We wanted to cover one final story today. And this is a personal vendetta for me because TikTok is in my house because I have a child who likes TikTok and Forbes reported earlier this week that Apple has caught TikTok secretly spying on millions of iPhone users. They were caught capturing clipboard data in the past and they claim to stop doing so. But this article on Forbes showed a video where they were actually showing TikTok accessing information as it was being typed. Ram, you saw that video, too. What did you notice about that?

Ram:
So effectively, from what I understand about iOS, when they say clipboard data, that’s not just stuff you manually copy and paste. Because of the way predictive text works, I believe that’s literally everything you type, period.

Kathy:
Yeah.

Ram:
So.

Kathy:
Interesting. Yeah. Yeah, so that video was showing someone actually typing into a field and then a little toast was coming down.

Ram:
Yeah, they developed an app to test it.

Kathy:
Yeah. Okay. And so, and the release of the new clipboard warning in the beta version of iOS 14, that developers now have access to, it was showing that TikTok was actually accessing this. So obviously this is a privacy concern, but this is not the first time.

Ram:
What I was going to say is, yes effectively, it’s not just everything you type while you’re in TikTok, it’s everything you type while you’re in any app, which is kind of bad. And the worst part is they were caught doing something similar in the past and they said they would stop and they didn’t stop. They just changed how they did it.

Kathy:
Sneaky, but they’re not the first app to have done this, are they? They noticed-

Ram:
No. No, not at all.

Kathy:
LinkedIn was sued over an allegation that it was secretly reading Apple users’ clipboard content. That was from an article that was in Reuters on July 10th, 2020. So they were actually sued for doing that, so that seems to be something that … when you just have something in a browser, right? I mean I understand how internet technology works. So you have a browser and obviously you have cookies and there’s cross site tracking that’s happening in a lot of cases where people want to know about who’s visiting their sites, analytics. Google Analytics is tracking that type of information. There may be other types of things that they are using to measure heat maps on a website, things like that. But it’s kind of like within the context of what you’re doing there, but with these apps, because they are on these devices, they have a little more leeway. Don’t they? In terms of what they can do.

Ram:
Yes and no. If they’re actually respecting the device controls or the access controls and if you’re actually careful when you install them, it’ll show you what they ask for permission to do. And if they don’t have any sneaky workarounds. One of the things that’s most troubling about the TikTok thing is that last time they got caught capturing clipboard data it was because if you copy say a picture while using TikTok, you can then gain location access to that user’s phone. So they basically had from that point on location access for all the users, even if the users didn’t allow it.

Kathy:
Interesting.

Ram:
Another … this is not confirmed yet, but at least one person who has been reverse engineering the TikTok app has claimed to have found code, at least in the Android version of TikTok, that allows them to download, unzip, and execute arbitrary code. Effectively that would be a backdoor. Now they haven’t made any claims that it’s actively in use or that it’s even functional at the moment, but that would be very problematic if it were the case.

Kathy:
Gotcha. Interesting. So Chloe, what kind of advice would you give someone who has these types of applications on their phone? Obviously you want to get rid of the applications, but I mean should people be treating their phone as securely as they’re treating their personal computer? I mean a lot of times we’re accessing the same information from our devices as we are from our computers. But we are more concerned with the security on our computers than we are on our phones. Shouldn’t we be considering them equally?

Chloe:
Yeah, for sure. And what worries me the most about TikTok is there’s a lot of these kids out there using apps like that and sometimes parents don’t know. But if you do know your kid is using these, you should definitely take those security precautions to help make sure that their data is secure and their things aren’t getting exposed. And I think it’s very important to take the same level of security on your computers and all those devices and make sure you apply that same security to your phone and those same principles. And also make sure that you’re teaching that to your kids if you can and make sure that they stay secure online as well.

Kathy:
Huge point.

Chloe:
Yes. There’s a battle of wills in my household over the usage of TikTok at the moment, so. I won’t say those details.

Kathy:
I imagine.

Chloe:
I mean, that’s their social network. For a lot of us it’s Twitter or it’s Facebook. I mean, for my current … the WordPress community is all on Twitter and am I going to give up Twitter because of these hacks happening? Probably not, but.

Ram:
You use Twitter in a browser. Don’t you?

Kathy:
I do use Twitter in a browser. How’d you guess?

Ram:
I don’t know, but I do, too. On a separate device.

Kathy:
Yeah. Yeah. And then also on your phones a lot of time people have their personal apps. I mean I personally don’t like the Facebook app because when I did use it it was battery drain crazy. But my phone I use for work more than I do anything and so I have to be really sensitive because Slack is on there, all of our conversations. So I’m really judicious about the types of apps that I’m allowing on my phone and I go through them every once in a while and say, “Okay. Do I really need this? When was the last time I even [used this]?” I had the great idea that I was going to do intermittent fasting with this Zero app.

Ram:
I’ve used that one. I have totally used that one.

Kathy:
It’s pretty cool. Very simple, easy to use. But I’m not using it so do I need to keep it on my phone? Should I delete it?

Ram:
Yeah. And I mean, they mentioned that LinkedIn got caught doing it, too. So it’s not just TikTok that’s doing it. They might be one of the worst offenders, but the amount of data they collect is not actually that unusual for a social media network. If there are any concerns, a lot of it is about how careful they are in handling the data. They didn’t use an encrypted connection to their API until very recently. They don’t encrypt the messages you send on it. They don’t allow two-factor authentication. A lot of it’s not just how much data they’re collecting, but the fact that they don’t seem to be very careful with your data.

Kathy:
That’s another thing. Everything you type into a social network, you’re typing into an interface whether it’s web or on a phone or whatever. But it’s going to be stored on somebody’s server somewhere and who knows how long they’re keeping it. I am so glad that when I went to college that there was no collection of what I was doing at the time. But I feel bad for people who are going through college now and crazy stuff that they’re doing and that’s all documented and it becomes a part of their permanent record. The Violent Femmes would be proud, which is how old I am.

Ram:
It’s alright. It’s alright. I would date myself by saying that the precursor to this Bitcoin scam was the old chain emails from Bill Gates talking about how he was planning on giving away his money back in the ’90s. Do you remember those?

Kathy:
Yes, I do. I remember those all too well and he never did give away any of that money on those chain letters.

Ram:
I know.

Kathy:
Geez. Thanks Bill Gates.

Ram:
Yeah.

Kathy:
Anyway. Okay. So thank you guys for joining on Think Like A Hacker. This was a lot of fun. Maybe I’ll rope you into doing this again sometime.

Ram:
Yeah, let’s do it again.

Chloe:
Yeah.

Kathy:
Yeah. Cool. I think it was a big story, obviously top of mind for a lot of people, of what this all means with the Twitter thing. TikTok, I know for a lot of parents, is top of mind, and I feel sorry for anybody running a Windows enterprise network with all these servers that have to patch to dial it back down from 11 to 0. Right? Spinal Tap, dialing it down to 0 from 11. So thank you for joining Think Like A Hacker and we will be back again soon with more news in WordPress security and innovation. If you liked this and you’re on YouTube, give us a thumbs up, follow us, and subscribe to us. We will have office hours coming up again soon where we will be, I think, going over how to audit your site security. So that will be loads of fun. And we will have another Think Like A Hacker episode coming up very soon. Thanks for joining us.

Please give us a like or give us a review on Apple podcasts.

Follow @kathyzant, @ramuelgall, and @infosecchloe on Twitter. Follow Wordfence on your favorite social media: Instagram, Facebook, Twitter. Also, subscribe to the official Wordfence YouTube channel where we host Wordfence Office Hours on Tuesdays as well as post important proof of concept videos.

The post Episode 79: High Profile Twitter Accounts Compromised in Coordinated Attack appeared first on Wordfence.


Episode 78: Targeted Phishing Bypassing Security Checks and a new DDoS Record

This week, we look at some targeted phishing attacks that are bypassing Microsoft Outlook’s protective filters, and phishing campaigns using calendar invitations to target unsuspecting recipients. We also look at some successful bitcoin scams and a new record for a massive DDoS attack that targeted an AWS customer.

Drupal pushes out some security fixes, and zero-day vulnerabilities are found in numerous Netgear routers.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
2:35 Targeted phishing campaigns are bypassing Microsoft Outlook spam filters, and Wells Fargo customers targeted by calendar invites
4:48 Bitcoin scam using vanity addresses nets $2 million
5:55 AWS said it mitigated a 2.3 Tbps DDoS attack, the largest ever
7:37 Drupal patches critical security flaws
9:07 Netgear zero-day vulnerability allows full takeover of dozens of router models

Episode 78 Transcript

Welcome to another episode of Think Like a Hacker, the podcast about WordPress, security, and innovation. I’m your host Kathy Zant from Wordfence and today we’re going to dive into some security news.

There’s not much happening in the world of WordPress security. Even the attackers that we’ve seen ramping up some significant attacks in the recent months have been pretty quiet. Maybe it’s the doldrums of summer, or maybe the craziness in the world is hitting the hacking world. Either way, we’ll take a little bit of quietude after the frenzy of activity we had in May 2020. We hope you’re well. Let’s get into some news.

First a note about Office Hours. A couple of months ago, Tim Cantrell and Scott Miller, a couple of the Customer Service Engineers here at Wordfence, came up with an idea of doing Wordfence Office Hours to bring you a way to learn how to use Wordfence. Usually we do these types of things at WordCamps, but since we’re all quietly waiting for life to get back to normal, we figured we’d provide that value in other ways. Since our quiet start, we’ve moved to live streaming on YouTube, and it’s been pretty active. If you haven’t joined us for our Wordfence Office Hours, we invite you to come join us every Tuesday at noon Eastern, 9:00 AM Pacific. Past episodes are archived up on YouTube where you can watch us walk through some of the features of Wordfence to get the most out of the plugin. You can also look at some of our walkthroughs of Wordfence central and Wordfence login security [on our YouTube channel].

We’ve also been joined in the past few weeks by Chloe Chamberland, who’s one of our threat analysts here at Wordfence, who has discovered a number of plugin vulnerabilities over the recent months. And she showed us how hackers compromised vulnerabilities in WordPress plugins. And last week we took a look at how to clean a hacked site using Wordfence. We have some additional episodes coming up that I think you’ll find interesting. Ram Gall is going to join us to show us how hackers can compromise vulnerable plugins without capabilities checks and what plugin coders can do in order to protect against these types of exploits. And we’ve also got some interactivity, so you can come play with us. We have a lot planned with Wordfence Office Hours in the coming weeks. So please come join us.

Let’s dive into some news.

Our first story is about a phishing campaign that is bypassing some spam filters in Outlook, Microsoft’s email platform. These are targeting Bank of America customers, and it’s a phishing campaign that is targeting only a few people in an organization. And because it’s only targeting a few people, this low volume is enabling these to slip past Microsoft’s email security. Also, this phishing campaign is passing all of these security checks because it’s using a Yahoo email address rather than a Bank of America email address, so it’s authenticating to the types of checks that they do on domain authentication. So technologies like SPF, DKIM, and DMARC are helping to verify if an email has been sent from the domain it claims to be originating from, and because this is coming from Yahoo, it looks okay with those checks. But in this case, the email’s originating from Yahoo.

So the email body doesn’t have any domains that can be recognized as malicious. So the phishing domain that they’re using nulledco[.]store was registered on June 1st, has a valid SSL certificate and is not in any security databases. So it is not being flagged as malicious.

What does this tell us? Well, it’s telling us that spammers and phishers can bypass some of these security tools that we have in place to identify malicious emails coming in. So the responsibility still lies with us. Any email that comes in, whether it’s from a bank or our friends, any email that ends up in your inbox still should be looked at with some scrutiny to determine whether or not that is a valid email. And when you’re going to your bank just type in the domain name yourself, don’t click links in emails, [that] would be my advice.

And in a related story, Bleeping Computer also is reporting that there is a phishing campaign targeting Wells Fargo customers that is baiting customers with calendar invites. So you’ll want to watch out for those as well.

Our next story is about Bitcoin giveaway scams. I see these on Twitter all the time, and I always wonder who falls for these. And apparently some people have. ZDNet is reporting that Elon Musk’s name is being used in vanity Bitcoin addresses, and they have been successful in scamming users out of about $2 million. Not even quite sure why Elon Musk’s name tricks people into falling for these scams, but basically these vanity addresses have Elon Musk’s name in them and they have noticed that about $2 million has been harvested by these attackers. So just to educate our friends, that Bitcoin scams exist and to not fall for them, if there is a Bitcoin giveaway, make sure that you walk the other way. Bitcoin’s like $9,000 at the moment, I’m sure that will change, it’s so volatile, but interesting to see that these vanity addresses are all it takes for people to fall for these scams.

Our next story, also from ZDNet: AWS said it mitigated a 2.3 terabyte per second (Tbps) DDoS attack. And this is the largest DDoS attack ever recorded. The previous record for the largest DDoS attack was 1.7 terabytes per second, recorded in March of 2018. So this report doesn’t identify the targeted AWS customer, but it says the attack was carried out using hijacked CLDAP web servers, and caused three days of elevated threat for AWS Shield staff. So Connectionless Lightweight Directory Access Protocol, it’s an alternative to the older LDAP protocol. It’s used to connect to, search and modify internet-shared directories.

This protocol has been abused for DDoS attacks for about four years, and CLDAP servers are known to amplify DDoS traffic by 56 to 70 times its initial size, so it’s a highly sought-after protocol for attackers. And this is a common option that is being used by DDoS-for-hire services. And Cloudflare has reported that 92% of the DDoS attacks that it mitigated in the first quarter of 2020 were under 10 gigabytes per second (gbps). And about half of those were even smaller, under 500 megabytes per second (mbps). So a 2.3 terabytes per second DDoS attack is pretty significant. And it sounds like someone was targeted in this attack. It’ll be interesting to see if we see more of this.

Our next story comes from portswigger.net. They’re reporting that Drupal has patched a couple of critical security flaws. Drupal is a content management system, similar to WordPress. The first flaw that was patched was a cross-site request forgery, or CSRF, in the form API. It was failing to properly handle certain form input from cross-site requests. The second critical vulnerability was an arbitrary code execution risk. An attacker could trick an administrator into visiting a malicious site that could result in creating a carefully named directory on the file system. And with that directory in place, an attacker could attempt to brute force a remote code execution vulnerability. And Windows servers were most likely to be affected by that. These critical vulnerabilities were resolved in Drupal versions 7.7.2, Drupal 8.8.8, Drupal 8.9.1, and Drupal 9.0.1. There were a few other vulnerabilities patched in these updates, but they were less critical. There are full details on the Drupal site and we’ll have a link for you in the show notes to check that out if you are managing Drupal sites along with your WordPress sites. Definitely important to keep all of your open source software patched and to keep everything safe.

Our final story is about a zero-day flaw in NETGEAR routers that allows for full takeover of dozens of router models. This is coming from ThreatPost and it was published on June 19, 2020. This unpatched vulnerability in this web server of the device firmware gives attackers root privileges, according to researchers. They discovered the zero-day vulnerability that puts 79 device models at risk for a full takeover. So the flaw stems from a memory safety issue that’s present in the firmware’s HTTPD web server. Basically, there’s a web server on your router that allows you to basically browse to that router and configure the settings that you want on a router.

Now, unfortunately, with this flaw, authentication isn’t required to exploit the vulnerability, which means that anyone can exploit it. Authenticated vulnerabilities mean that you have to be an authenticated user, you have to be logged in with a username, password, or some kind of credentials that logs you into the device. But with this one, you don’t need to be authenticated. Anyone can exploit it.

Now what’s kind of frightening about this is that this security researcher states that they informed NETGEAR of the vulnerability in January, but they’ve still not delivered a patch for affected devices. So this is what typically happens in the security world. Security researchers find a vulnerability, you go to the manufacturer of the device or to the plugin author in many of our cases and you disclose the vulnerability. You provide a proof of concept, show how it works, and then you work with that vendor to ensure that the vulnerability is patched.

So in this case, the researcher was asked by NETGEAR to extend their deadline for public disclosure until the end of June. And the researcher decided not to extend that deadline, it’s been six months, of course. And they discovered the flaw initially in the NETGEAR R7000 router series, but then they eventually identified 79 different NETGEAR devices and 758 firmware images that include a vulnerable copy of this web server. So what does this mean for you? If you are using one of the affected devices, and you should go check out this ThreatPost article to determine whether or not you are using a NETGEAR router with this vulnerability, you’re going to need to watch for a patch. And when that patch is released, you need to make sure your router is patched so that you have all of those security fixes in place.

This is not the first problem with security for NETGEAR. In March, NETGEAR patched a critical remote code execution bug that could allow unauthenticated attackers to take control of wireless AC router Nighthawk, the R7800. So NETGEAR is no stranger to some security issues. It’s really important. You think about patching your computer and making sure that that’s all updated. Obviously you think about your WordPress website and want to ensure that that is updated. But you have to consider every device that’s on your network, including the router that allows you to access the internet, that needs to be patched as well.

So, yeah, not much going on in WordPress security, which is nice, but there’s a lot going on in the security world as a whole. Obviously staying on top of all of these security stories is our beat. And if we think it’s relevant to you, we will cover it. If there’s a story you would like us to cover, we will take that little tip, send it to us at press@wordfence.com and our researchers will get on it. If there’s a story you’d like us to cover in WordPress that is beyond security, we’d love to take a look at that as well.

And join us on the office hours, every Tuesday at noon on the East coast of the United States, 9:00 AM on the West coast. We have a few of us coming from the East coast and a few of us here in Arizona, and we look forward to showing you some secure coding practices coming up next.

We will talk to you soon again on the podcast. Hope if it is after the 4th of July, that you have a safe holiday, if you are here in the United States. And if you are elsewhere, we hope that your summer is peaceful and that things are well for you. Stay safe and we’ll talk to you again on Think Like a Hacker.

Please give us a like or give us a review on Apple podcasts. Definitely join us over on YouTube. Follow me on Twitter and I’ll let you know what the whole Wordfence team is up to. Of course, if you’re not following Wordfence on your favorite social media, we are Wordfence everywhere, whether it is Instagram or Facebook or Twitter.

The post Episode 78: Targeted Phishing Bypassing Security Checks and a new DDoS Record appeared first on Wordfence.
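The Bank of America story in this episode turns on a point worth making concrete: SPF, DKIM and DMARC only attest that a message really came from the domain in its From header, so a phish sent from a genuine Yahoo mailbox passes all three. The Python below is an added example written for this edit, not code from Wordfence or from the researchers who reported the campaign. It parses a constructed raw message, reads the verdicts out of the Authentication-Results header, and flags the mismatch between the brand named in the display name or subject and the domain that actually sent the mail, plus any linked host outside that brand’s domains. The brand table, the header layout, both sample messages and the login.nulledco.store host (a made-up label on the domain the post names) are assumptions for illustration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed brand table (illustrative, not from the post): a keyword that
# marks a message as "speaking for" a brand, and the domains that brand
# legitimately sends from.
BRANDS = {
    "bank of america": {"bankofamerica.com"},
    "wells fargo": {"wellsfargo.com"},
}

# Constructed sample 1: really sent from a Yahoo mailbox, so SPF, DKIM and
# DMARC all pass for yahoo.com, yet the display name impersonates Bank of
# America and the link points at the domain named in the story (the
# "login." host label is made up for the example).
PHISH = b"""Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=yahoo.com;
 dkim=pass header.d=yahoo.com;
 dmarc=pass header.from=yahoo.com
From: "Bank of America Alerts" <boa.alerts.2020@yahoo.com>
To: finance@example.net
Subject: Action required: verify your account
Content-Type: text/plain; charset=utf-8

Your account is on hold. Confirm your details at
https://login.nulledco.store/boa/verify within 24 hours.
"""

# Constructed sample 2: the shape a genuine alert would have.
LEGIT = b"""Authentication-Results: mx.example.net;
 spf=pass smtp.mailfrom=bankofamerica.com;
 dkim=pass header.d=bankofamerica.com;
 dmarc=pass header.from=bankofamerica.com
From: "Bank of America" <alerts@bankofamerica.com>
To: finance@example.net
Subject: Your monthly statement is ready
Content-Type: text/plain; charset=utf-8

Sign in at https://secure.bankofamerica.com/login to view it.
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def auth_results(msg):
    """Parse 'spf=pass', 'dkim=pass', ... out of Authentication-Results."""
    header = str(msg.get("Authentication-Results", ""))
    return {k.lower(): v.lower() for k, v in AUTH_RE.findall(header)}


def sender_domain(msg):
    """Domain of the RFC 5322 From address (what SPF/DKIM/DMARC vouch for)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def claimed_brand(msg):
    """Brand named in the display name or subject, if any."""
    name, _ = parseaddr(str(msg.get("From", "")))
    haystack = f"{name} {msg.get('Subject', '')}".lower()
    return next((b for b in BRANDS if b in haystack), None)


def link_hosts(msg):
    """Hostnames of every http(s) URL in the text/plain body."""
    body = msg.get_body(preferencelist=("plain",)).get_content()
    return sorted({urlparse(u).hostname.lower() for u in URL_RE.findall(body)})


def belongs_to(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(raw):
    """Return (verdict, reasons) for one raw message as bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    auth = auth_results(msg)
    domain = sender_domain(msg)
    brand = claimed_brand(msg)
    reasons = []
    if brand and not belongs_to(domain, BRANDS[brand]):
        reasons.append(f"claims to be {brand!r} but was sent from {domain}")
        for host in link_hosts(msg):
            if not belongs_to(host, BRANDS[brand]):
                reasons.append(f"links to {host}, not a {brand!r} domain")
        if all(auth.get(k) == "pass" for k in ("spf", "dkim", "dmarc")):
            # The trap the story describes: passing checks vouch for the
            # sending domain, not for the brand the message pretends to be.
            reasons.append("SPF/DKIM/DMARC pass only vouch for " + domain)
    return ("suspicious" if reasons else "ok"), reasons


if __name__ == "__main__":
    for sample in (PHISH, LEGIT):
        print(triage(sample))
```

Run as a script, the phishing sample comes back suspicious with three reasons and the genuine-looking sample comes back clean. The design point is that the authentication verdict is an input to the decision, never the decision itself; a mail gateway that stops at "dmarc=pass" is exactly what this campaign walked through.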


Defiant Participating in Privacy Shield Framework

Defiant, dba Wordfence, is now listed on the Privacy Shield certification list participating in both the EU-U.S. and Swiss-U.S. Privacy Shield frameworks. The purpose of these frameworks is to allow for the lawful transfer of personal data from the European Union and Switzerland to the United States.

Two years ago when the General Data Protection Regulation (GDPR) was enacted in Europe, we painstakingly worked to ensure that Wordfence was in full compliance with these new regulations governing data protection and privacy for those located in the European Economic Area (EEA).

Defiant’s inclusion in the Privacy Shield Framework underscores our commitment to data protection standards aligned with those that meet EU legal standards for data acquisition and processing.

Our legal, operations, and compliance teams worked diligently over the last few years not only to ensure we are in compliance with GDPR, but also certified with Privacy Shield. This is no small task. Our team spent countless hours invested in the process to ensure full compliance. Meeting the requirements for any organization requires an analysis of all business processes as well as the establishment of new ones.

If you have questions about Privacy Shield and Defiant Inc, you can review our Privacy Shield Policy, and you are welcome to ask questions in the comments.

The post Defiant Participating in Privacy Shield Framework appeared first on Wordfence.


Episode 77: WordPress 5.4.2 Released, Fake Ransomware Bitcoin Scams

This week, we look at the WP 5.4.2 release and a ransomware bitcoin scam targeting site owners with a “You’ve Been Hacked” email. We also look at an FBI warning about online banking app malware, the Verizon data breach report and what it says about WordPress, and how some white hat hackers are becoming millionaires responsibly disclosing vulnerabilities via HackerOne.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:20 WordPress 5.4.2 security release fixes multiple XSS vulnerabilities
1:47 High Severity Vulnerabilities in PageLayer Plugin Affect Over 200,000 WordPress Sites
3:05 Ransomware Bitcoin scam claiming sites are hacked
5:40 FBI warns of increased hacking risk if using mobile banking apps
8:08 $100 million in bounties paid by HackerOne to ethical hackers
10:00 Verizon data breach report: Web application attacks rise to account for almost half of all data breaches
11:17 Owners of DDoS for hire service get community service

Episode 77 Transcript

Welcome to Think Like a Hacker, the podcast about WordPress, security, and innovation. It’s been a few weeks, a lot going on here at Wordfence, including a couple of very well attended live events on YouTube. More on that later. First let’s get into the news.

Our top story, WordPress 5.4.2 was released on Wednesday, June 10th. WordPress’ latest release contains 23 fixes and enhancements, including patches for six moderate-risk cross site scripting and other security bugs.

Wordfence Threat Analyst and Senior QA Engineer Ram Gall took a deeper look at the release. He found that most of the security patches were fixing vulnerabilities only exploitable in rather specialized cases. One of the cross-site scripting issues addressed by the update meant authenticated users with low privileges were able to add JavaScript to posts in the block editor. A separate issue gave authenticated users with upload permissions, the ability to add JavaScript to media files. And the release also had another bug, not cross site scripting, that resolved an open redirect issue in the wp_validate_redirect function. An issue where comments from password protected posts and pages could be displayed under certain conditions was also resolved. Special shout out and a thank you to the security researchers that found these vulnerabilities and responsibly disclosed them to the core team, and a shout out, of course, to the core team who got this release out.

Our next story is about high severity vulnerabilities that were patched in the Page Layer plugin. This affected over 200,000 WordPress sites. Chloe Chamberland posted this on the Wordfence official blog a few weeks ago. At the time of this writing, these vulnerabilities have already been patched. If you’re using Wordfence, the firewall is protecting against exploits. Both free and premium users are protected against this being exploited. One of the flaws allowed any authenticated user with subscriber level and above permissions, the ability to update and modify posts with malicious content amongst other things.

The second flaw allowed attackers to forge requests on behalf of a site administrator to modify the settings of the plugin, which could allow for a malicious JavaScript injection. Chloe demonstrated this both on the video that is included on the blog post, as well as during Wordfence Office Hours on June 9th. These are available on the Wordfence YouTube channel. I suggest checking those out. There are links in the show notes. Chloe really makes understanding these exploits easy and makes it easy for all of us to understand how to protect our sites better.

Our next story is about fake ransomware Bitcoin scams. Now I’m sure we’ve all received one of these at one point or another. We have been seeing these in email inboxes for quite a while. Last year, they were claiming to have video of people accessing rather questionable and embarrassing content, and were basically trying to get people to pay Bitcoin so that those videos would not be exposed. Of course, it was all a scam. Now they’re taking aim at site owners, claiming that your site is hacked, and the only way to save the personally identifiable information from your site’s database is to pay a ransom. So the scammer sends an email to the site owner with the subject “your site has been hacked” and the body of the email claims hackers have exploited vulnerabilities to gain access to the site’s database, and that they have “moved the information to an offshore server.”

The email then threatens to ruin the site owner’s reputation by selling the site database or notifying customers that their information was compromised, and they are also threatening to de-index the site from the search engines by using black hat techniques. Now, this is all stuff that could happen, but much like the previous scams that we have seen in inboxes, it’s a scam and it’s not true, and you may be receiving these emails without your site actually being hacked.

There is actually a Bitcoin abuse database where you can look up what’s happening with an individual Bitcoin address. So you can enter in that Bitcoin address and it will report what the owner of that address has been up to. So if you put in the Bitcoin address of any of these email scams that people are getting, you’ll see that other people are receiving similar types of email scams trying to target sites, even some sites that don’t even have a database. So far, it appears that these campaigns have not been very successful. Yay. People are deleting them and they are not convincing site owners to pay the ransom. I’m sure these scammers will move on to another scam. We just need to be aware that anything that shows up in your inbox may or may not be true, and if anyone ever threatens you online requesting Bitcoin or any other cryptocurrency, or even money, to really look deeper at those types of ransom requests, because they are most likely a scam.

Our next story comes from Bleeping Computer. They are reporting that the FBI is warning of increased hacking risks if you are using mobile banking apps on your smartphone. So the FBI is reporting that financial technology providers are estimating more than 75% of Americans are using mobile banking in some form, and the studies of U.S. financial data are indicating a 50% surge in mobile banking since the beginning of 2020, most likely due to all of the lockdowns and COVID-19. So the FBI is anticipating that these malicious actors will try to exploit new mobile banking customers who are unaware of how these banking apps work, and they may be using things such as fake banking apps and app-based banking trojans. One thing that is important to remember is if you download an app, it is going to ask you to give it permissions that it will require in order to steal your information, to steal your usernames and passwords.

This malware does not go snooping around in Android or iOS, but it will actually stay dormant and only surface when you open a legitimate banking app, and then it will ask for information. So then these Trojans will create a false version of the bank’s login page and overlay it on top of a legitimate app. Once you enter your credentials into that Trojan app, obviously you are exposing your credentials to an attacker.

So what can we do? Obviously be very careful when you’re on your smartphone. In the cryptocurrency space, security has been an issue for a very long time. And I’ve known people who are big into trading cryptocurrency, and they actually have a separate laptop, a separate machine, that they do all of their banking on, and that’s the only thing they do with that specific laptop. Maybe it’s time for us to start applying some of these more stringent controls for our other financial institutions and only have one browser, for an example, that you use for banking or transferring of funds or cryptocurrency trading, or stock trading, whatever you’re doing with your money. And just functionally isolate what you’re doing with your financial institutions in order to mitigate these types of risks.

Our next story is from PortSwigger, portswigger.net, and they are reporting on the Verizon 2020 data breach investigation report, and they are stating that web application attacks rise to account for almost half of all data breaches. So the actual number is 43% of breaches trace back to attacks against web applications. Of course, your WordPress website is a web application. This is double the results from last year, and the vast majority of those data breaches were motivated, of course, by the prospect of illicit financial gain. This is up from 71% in 2019.

Now, how does this affect WordPress? Attacks on content management systems that include WordPress, Joomla, Drupal, NoneCMS accounted for about 20% of all cyber attacks. And more than 28% of attacks targeted technology platforms supporting websites, such as ColdFusion and Apache Struts. Now, what can we take from this data? I mean, I don’t find this to be entirely too surprising.

Your website is the easiest thing for an attacker to attack. It is your front door on the internet for your business. It’s much easier for them to target your website than say your email systems or your accounting systems, though if they had that kind of information, they’d probably target that as well. Obviously with any front door, it’s good to have a lock and key and maybe a security camera or security system preventing these types of attacks on the front door, which is why Wordfence exists. Good to have a firewall on that front door and make sure those malicious attacks cannot occur, and a malware scanner to tell you if indeed it happened.

Our next story is also from Bleeping Computer and this was published on May 27th. They reported that a hundred million dollars in bounties had been paid via HackerOne to ethical hackers. This is a feel-good story, hacking being profitable, white hat hacking being profitable. Always good to put some attention on that. They’re reporting that over 700,000 ethical hackers are using the bug bounty platform to get paid for security bugs in the products of over 1900 HackerOne customers. Of course, it’s impossible for us to know how many cyber breaches have been averted by responsible disclosure of security vulnerabilities, but with the average cost of breaches around $8 million, the savings to businesses who are running websites and other applications are probably in the tens of billions.

So HackerOne announced that eight of the hackers using their platform had become millionaires with 19-year-old Santiago Lopez being the first white hat hacker to earn over a million dollars by reporting security vulnerabilities responsibly to HackerOne. Kind of exciting.

Our final story from June 7th, from Krebs on Security is about a DDoS for hire service that got six months of community service. This company was called vDOS and the co-owners operated this for four years, basically taking money from customers and launching over 2 million DDoS or distributed denial of service attacks, knocking many internet users and websites offline. They’ve been sentenced to six months of community service by an Israeli court. Now it looks like vDOS was responsible for a majority of the DDoS attacks that had clogged up the internet between 2012 and 2016. Their subscription packages were sold on how many seconds the DDoS attack would last, and in four months between April and July 2016, vDOS was responsible for launching over 277 million seconds of attack time. It was kind of hard to get all of this data because after they would perform these attacks, they would wipe their servers. Pretty scary stuff.

Now, obviously, operating this type of service is illegal in numerous municipalities; purchasing these types of services is also illegal in numerous jurisdictions. A commenter on Krebs’ article stated that one of the defendants had actually turned his life around and is working for a legitimate company now. Let’s hope that both of them do and let’s hope more of the malicious attackers that exist out on the web find ways to maybe become ethical hackers, go look for vulnerabilities on applications and submit their bugs to places like HackerOne for bug bounties. There are ways that some of this cyber crime can get turned around.

That’s the news for today. I would like to invite you to join us for Office Hours on YouTube. You can find us on the Wordfence channel every Tuesday at noon Eastern time on the East coast of the United States, and 9:00 AM Pacific time. Next week, we will be fixing a hack. So we’ve been doing some live hacking over the past couple of weeks with Chloe Chamberland, and now we’re going to take one of those hacked sites and show you how to use Wordfence to clean it up. So join us over there.

As always, thank you for listening to Think Like a Hacker. Might have a couple of weeks where I am off doing some interesting things in my life that I’ll talk about later, but we will come back with all of the news in WordPress security and innovation, just as soon as we can. Stay safe and we will talk to you soon.

Go ahead and give us a like or give us a review on Apple podcasts. Definitely join us over on YouTube. Follow me on Twitter and I’ll let you know what the whole Wordfence team is up to. Of course, if you’re not following Wordfence on your favorite social media, we are Wordfence everywhere, whether it is Instagram or Facebook or Twitter.

The post Episode 77: WordPress 5.4.2 Released, Fake Ransomware Bitcoin Scams appeared first on Wordfence.


Episode 76: Ongoing Attacks on WP Growing in Volume Plus Numerous Plugin Vulnerabilities

On this week’s Think Like a Hacker podcast, we cover an active attack campaign targeting WordPress sites and numerous plugin vulnerabilities. This active attack campaign has been ongoing and has outpaced all other attacks on WordPress vulnerabilities. Our threat intelligence team has been tracking this attacker for months now, and we’re seeing these attacks intensifying. We also look at vulnerabilities found in Google’s Site Kit plugin and the Page Builder by SiteOrigin, and why it’s so important for plugin developers to have a Responsible Disclosure Policy published in an easy to find location on their site.

We also look at how a combination of two vulnerabilities was used in a zero-day active attack on sites running Elementor Pro and the Ultimate Addons for Elementor plugin.

We also look at some new updates to Fast or Slow, the new global site speed profiling tool created by the Wordfence engineering team, and the impromptu hard launch the site experienced when it rose to the #1 position on Hacker News on May 8, 2020.

May has been a rather busy month in WordPress security and for the Wordfence team. Enjoy the podcast, and stay safe.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:24 Fast or Slow rises to the #1 position on Hacker News, and our team launches a re-architecture and expands profiling to 18 global locations.
5:37 Vulnerability discovered in Google Site Kit grants attackers Google Search Console access.
7:50 28,000 GoDaddy hosting accounts compromised.
9:32 Combined Attack on Elementor Pro and Ultimate Addons for Elementor put 1 million sites at risk.
13:34 Vulnerabilities patched in Page Builder by SiteOrigin affect over 1 million sites.



Episode 76 Transcript

Hello my WordPress friends and welcome to episode 76 of Think Like a Hacker. This is the podcast about WordPress, security and innovation. I am your host, Kathy Zant. We have a number of stories this week about WordPress security. So, let’s get started.

First, a quick note about Fast or Slow. This is the application developed by the engineering team here at Wordfence. On Friday, May 8th, we started to see some increased traffic to the site at fastorslow.com. Upon further investigation, we found that Fast or Slow was being featured on the front page of Hacker News, which was surprising and big news. We had only soft launched this application, mailing to just a few select recipients and just watching how the application performed with a lot of traffic coming at it because it is rather complex.

Fast or Slow is a tool that measures your site performance from various locations around the globe. Obviously you are in one location and when you look at your site, it may respond differently for you than it does with someone on the other side of the world. So we wanted to create a tool that allowed people to measure performance across a wide variety of geographic locations.

So one of the users that we had mailed to saw the value and shared to Hacker News, and we had the experience of an impromptu hard launch. The site is growing since then, garnering additional traffic from places around the world. The team was actually in the midst of rearchitecting parts of it for growth, preparing for growth. The site now is prepared for future growth. We’ll have some news about that coming soon.

We created Fast or Slow for ourselves, and it’s really great and exciting to see it received so well by the web development community, even beyond WordPress. So thank you to everyone who is using Fast or Slow and watch for those improvements and features to be added soon. If you haven’t looked at it yet, why not? Go to fastorslow.com and see how your site is performing around the world.

You may have noticed I didn’t get a podcast out last week. Part of that was watching that meteoric usage of Fast or Slow. But there was also just an insane amount of security research and news happening in the WordPress world in the first week of May. Now we’re in the second week of May and it certainly does not want to be the neglected younger sibling of the month. So we’ve had another week of just a ton of news in WordPress security. So let’s get started with that.

Our first WordPress security story is a continuing story that started on Monday, May 4 when we loaded things up in our virtual offices as a remote team around the world. Ram Gall on our QA and threat research team noticed a dramatic increase in the number of attacks hitting sites running the Wordfence firewall. Most of these were cross-site scripting attacks that were targeting smaller plugins with rather old vulnerabilities. But the news there was just the sheer volume of attacks.

We published a post detailing what we were seeing because we were fairly certain we’d start seeing additional attacks coming from this threat actor. True to form, about a week later, we saw another uptick to the point where this singular threat actor, now it could be a group of people, but this singular campaign was launching more attacks against vulnerabilities than any other vulnerability exploiting campaign happening that is targeting WordPress in the world.

So Ram Gall, Chloe Chamberland, and Mark Maunder took a look at what was happening and not only did we find that these threat actors had fixed a bug in their code, we found that this threat actor has been around for a while. We were starting to see similar patterns and markers from a campaign that was happening earlier this year, that was using Bulletproof Hosting to launch attacks against sites worldwide.

What is our take from this? WordPress obviously is running about a third of the internet and threat actors are always going to keep targeting WordPress. Once you know a system and you know probable vulnerabilities and probable exploits, you’re likely to keep targeting it. So what we’re seeing with this particular threat actor is that their attacks are maturing, in both size and the vulnerabilities being targeted. The great thing about Wordfence Premium is that this real time blacklist that’s part of Wordfence Premium tracks this attacker. So as they move from IP address to IP address, the blacklist follows them, ensuring their attacks can’t even see your WordPress site. So if you do have a vulnerability that they’re targeting, they won’t even be able to see it because those IP addresses are going to be blocked by this rolling blacklist. It’s the most powerful feature of Wordfence.

To me, especially for a site that’s critically important, it’s a must have for your WordPress site. It’s too bad those other content management systems don’t have something as powerful. But again, Wordfence is very specific in the WordPress world, protecting WordPress sites, and our threat intelligence is all about WordPress. So count that as another reason to stick with WordPress.

Our next story is about a vulnerability in the Google Site Kit plugin, installed on over 300,000 WordPress sites. Chloe Chamberland discovered this vulnerability. It allows attackers to add themselves as an owner of the site within Google search console. Owner access will allow them to modify site maps, remove pages from Google search engine result pages, or even to facilitate black hat SEO campaigns using your site. We strongly recommend that if you are using this, that you update to the latest version of the plugin, which is version 1.8.0 of Site Kit by Google. This is a really powerful tool for WordPress site owners.

I was at WordCamp Sacramento last fall, and I was able to see this demonstrated before it even launched. Jake Goldman from the web design agency 10up introduced Google Site Kit to a packed standing room only crowd. So I’m sure this talk will make it up on WordPress.TV soon. You might want to check that out. If you’re using Google’s tools to manage your rank in search engine results, having quick and easy access to the data within Google to help you make good decisions with your site is really helpful. So I think this is going to be a great tool for website owners worldwide. Again, as a note, just because a plugin has a vulnerability doesn’t mean that plugin should not be used. It just means that it’s a bug and it needs to get fixed. It’s great that Chloe and Ram and our threat intelligence team continue to uncover these vulnerabilities and work with developers to patch these important plugins. Those of us who are premium customers are supporting that. That support of Wordfence helps us produce that research and get it out to everyone in the community as quickly as possible, including through this podcast. Education is such a huge part of security because when you have that information, it helps you make good decisions about the data you’re getting and that’s the backbone of security.

Our next story was covered widely in the general tech press. 28,000 GoDaddy accounts were compromised. This is just a small percentage of the company’s 19 million customers. So according to the disclosure that GoDaddy released, on April 17 they discovered and began investigating suspicious activity and it dated back to about October 2019. As soon as they identified this, they began their remediation. They have no indications that this threat actor was using customer credentials and no data shows that they had modified any hosting accounts. They just changed those passwords as a precaution. This only affected SSH logins. SSH stands for secure shell, and basically it gives you command line access to the server for the account you’re logging into. If you have what they call sudo privileges, it grants you access to basically the entire server in order to act as the root administrator. That’s likely not a problem on GoDaddy accounts. Just a bit of trivia to help understand SSH and how critical it is.

So our advice is if you are using GoDaddy as your hosting provider, and you are not using SSH to login on that command line, you can turn this off. Or you can turn it on when you are using it and then off as a security precaution when you’re not. Again, 28,000 customers sounds like a lot, but it’s really just a drop in the bucket for GoDaddy’s wide user base.

For our next story, on May 6 there was an active exploitation campaign happening that was targeting Elementor based WordPress sites. Now this active attack was targeting a specific combination of two different vulnerabilities. The first was a vulnerability in the popular Elementor Pro plugin, which we estimate is installed on over 1 million WordPress websites. Now, just to differentiate, this does not affect the Elementor plugin that is installed on up to 5 million websites, now, that’s available in the WordPress repository. This vulnerability only affected the Pro version of this plugin. It let anyone with an account, even a subscriber level account, upload a file to the site. That file could be an image, or it could be a PHP backdoor, thus allowing someone to take over the whole site.
This is what we call an authenticated vulnerability, meaning someone has to have an account in order to exploit it. It sounds like not that big of a deal, right? You could just turn off subscribers in many cases and protect your site, but for sites using WordPress as an eCommerce platform with customer accounts or membership sites with member logins or LMS sites with student logins or anything else that requires subscriber accounts for the functionality of the site or greater, it’s kind of a big deal.

With this attack on the zero day vulnerability, another plugin came into play. This plugin is called the Ultimate Addons for Elementor. This is a paid plugin and it’s made by a company called Brainstorm Force. We estimate that this has an installation base of about 110,000. That’s just our estimate. It could be greater, it could be less. This team also makes the lightweight Astra Theme for WordPress. This plugin’s vulnerability allowed anyone to create an account on a site, even if subscription registration was turned off. So attackers were using this vulnerability to create a user account. Then they proceeded to use the newly registered accounts to exploit the Elementor Pro zero-day vulnerability and essentially achieve remote code execution.

We were alerted to this vulnerability and this active exploitation by someone whose WordPress site was compromised. Then a hosting provider shared their log files with us. We were able to corroborate and verify these reports of active exploitation. Brainstorm Force posted in the wordpress.org forums that they had a fix in place and had contacted Elementor. We had contacted Elementor immediately upon discovery of this and wrote a firewall rule, obviously to protect sites from exploitation, that is currently available to premium customers. It didn’t take long for a fix to get posted, but there was a time when the [existence of] a zero day exploit was exposed in numerous Slack channels, as well as the wordpress.org forums.

This is just a testament to how fast the WordPress community acts when a security vulnerability is found. As a reminder, if you find that your site is hacked or you see chatter in a Slack forum or elsewhere about an exploit happening, it’s really important to get notification to the developer of that vulnerable plugin or theme as soon as possible. When things are publicly discussed like that, it puts the entire community at risk. Of course, Wordfence customers receive firewall rules to protect their sites.

Congratulations also to Elementor who just recently hit 5 million active installations with that free plugin in the repo, even in the midst of the Zero Day vulnerability. A reminder that Zero Days are just celebrity bugs. Responsible developers who patch quickly to protect their customers and continue to create amazing software, these companies will always succeed.

Our final WordPress security story for the second week of May is about the Page Builder by SiteOrigin plugin. This is installed on over a million sites. Chloe Chamberland found two vulnerabilities in this plugin. Both of these flaws allowed attackers to forge requests on behalf of a site administrator and execute malicious code in the administrator’s browser. The attacker needed to trick a site administrator into executing an action, like clicking a link in an attachment, for this attack to succeed. The patched version is version 2.10.16. Both free and premium versions of the Wordfence firewall protect against these vulnerabilities via the built-in cross site scripting protection. This developer patched very quickly and was very thankful for the report of these vulnerabilities via responsible disclosure. They even bought a premium license for Wordfence as a gesture of thanks for helping make their software even more secure. So we thank you. That was a great gesture and made us feel really great.

See, a lot of people think that security researchers and developers have a contentious relationship, and that developers look at us with contempt for finding vulnerabilities. It’s simply not true, especially in the WordPress community, this open source community that makes WordPress what it is. Finding and patching security bugs before the hackers find them, making everyone safer, developers understand this. They’re grateful for the additional support in finding vulnerabilities and disclosing them responsibly and getting things patched. It’s also really helpful when these developers have easy to find responsible disclosure policies so that security researchers from Wordfence and elsewhere can contact developers securely, quickly and easily. Especially in cases when there might be active attacks happening, like what we saw last week with the Elementor plugins, the faster we can get in touch with developers, the faster we can contact you and explain what’s going on and give you a proof of concept, showing you what’s happening, it’s going to protect the entire community.

So there are links in all of the show notes for this. Go check out Chloe’s blog posts, both for the SiteOrigin Page Builder, as well as for the [Google] Site Kit. She’s got some proof of concept videos in there that show you how these vulnerabilities are exploitable. I think these videos are great. It really helps explain how vulnerabilities work and also gives you an idea of how the firewall works.

If you like these videos, we have a treat coming up on an upcoming episode of Wordfence Office Hours. We’ve moved Wordfence Office Hours to YouTube, and we’re doing them every Tuesday at noon eastern, 9:00 AM Pacific Time. Chloe will be joining us on an upcoming episode. She’s going to show us how she hacks sites. So there’s going to be some live hacking on Office Hours, which is going to be fun. Chloe is also an amazing human being and I can’t wait for you guys to all meet her. Though if you have been listening for a while, you’ve heard my interview with her a few months ago, weeks ago. This quarantine thing and lockdown has me all discombobulated with days and months.

Anyway, join us for Office Hours, every Tuesday 9:00 AM Pacific, noon on the East coast. It will be very exciting. You can go subscribe to the Wordfence channel on YouTube. I’ll put a link in the show notes. If you hit the bell on the video placeholders for office hours for the upcoming episodes, you’ll get a reminder when the next Wordfence Office Hours is. As of today, we have two episodes up on YouTube. You can go check those out. If you expand the description box, you can see some timestamps of sections of the show so you can dive in and learn more.

In the most recent episode that we recorded on May 12, Tim Cantrell, who joins me along with Scott Miller on Office Hours, he talked about a phishing campaign hitting a lot of inboxes. It is targeting website owners. So that’s definitely something to listen to. It’s yet another bitcoin scam hitting all of these inboxes. I’m excited that more of our team is going to be joining us for future episodes of Office Hours. It’s a heck of a lot of fun, especially since we miss seeing all of you at WordCamps.

Thanks for listening to Think Like a Hacker. Go ahead and give us a like or give us a review on Apple podcasts. Definitely join us over on YouTube. Follow me on Twitter and I’ll let you know what the whole Wordfence team is up to. Of course, if you’re not following Wordfence on your favorite social media, we are Wordfence everywhere, whether it is Instagram or Facebook or Twitter.

Give us a follow and we will keep you updated on all of the security news hitting WordPress. Thanks for listening and we will talk to you soon.

The post Episode 76: Ongoing Attacks on WP Growing in Volume Plus Numerous Plugin Vulnerabilities appeared first on Wordfence.


Episode 75: The WordPress 5.4.1 Security Release & More Plugin Vulnerabilities

The Wordfence Threat Intelligence team unpacked the security updates in WordPress 5.4.1, and they published quite a few blog posts about vulnerabilities in popular plugins like Ninja Forms, LearnPress, and the Real-Time Find and Replace plugin. These plugin vulnerabilities affected over one million WordPress sites. A few of these were Cross Site Request Forgery vulnerabilities, so we take a look at how these attacks work and how to avoid becoming a victim to a malicious CSRF request.

We also look at more scams targeting COVID-19 fears and stimulus funds, and Google’s upcoming crackdown on Chrome extensions set to happen in August 2020. We also look at the privacy concerns expressed by many in the information security field about contact tracing initiatives by various companies including Google and Apple as well as governmental agencies.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.

0:18 Unpacking The 7 Vulnerabilities Fixed in Today’s WordPress 5.4.1 Security Update.
1:18 High severity vulnerability patched in Ninja Forms.
3:55 High severity vulnerabilities patched in LearnPress.
4:34 High severity vulnerability patched in Real-Time Find and Replace Plugin.
5:56 What is a Cross Site Request Forgery (CSRF) attack?
8:48 Coronavirus stimulus scams are here. How to identify these new online and text attacks.
10:07 Google announces Chrome Web Store Crackdown set for August 2020.
11:21 Security experts warn: Don’t let contact-tracing app lead to surveillance, while Australians download their app over 1 million times, echoing concerns from the CBP data breach from 2019.



Episode 75 Transcript

Hello, my WordPress friends, and welcome to episode 75 of Think Like a Hacker, the podcast about WordPress, security and innovation. We have a lot to dive into with WordPress and security news, so let’s get started.

Our first story is about WordPress version 5.4.1 that was released on Wednesday afternoon, at least afternoon in the United States. Ram Gall on the Wordfence Threat Intelligence team spent some time digging into the vulnerabilities that were patched in WordPress 5.4.1. He found seven total vulnerabilities that were patched, five of which were Cross Site Scripting. All of the vulnerabilities looked to be exploitable in certain situations only. Ram put out a blog post that we will link to in the show notes that will tell you more about those vulnerabilities if you want to dig further. This should be a pretty easy update, and if your site is set to autoupdate WordPress, you likely have already received these patches and bug fixes, making your WordPress install even safer.

Next up we have a number of plugins with vulnerabilities that were reported in the last week.

First up, Ninja Forms. Now Ninja Forms is one of the most popular plugins for getting forms activated on your WordPress site. It is installed on over one million WordPress sites worldwide. Ram Gall found a Cross Site Request Forgery to Cross Site Scripting vulnerability. So Ninja Forms has been around for a while, so it has a legacy mode, which allows users to revert styling and features to those of the plugin’s 2.9 version. As a part of this feature, it adds several Ajax functions, which appear to be intended to import forms and fields between legacy mode and default mode. So all of these functions use capability checks, so they’re checking to see whether or not the user that’s using that function has the rights or the capabilities in order to use it.

But two of the functions failed to check nonces, which are used to verify that the request was intentionally sent by a legitimate user, so this opens up that plugin for a Cross Site Request Forgery. And then that Cross Site Request Forgery could be used for Cross Site Scripting, injecting malicious content that could affect users of the WordPress site. Now the great thing about Ninja Forms is that they have a vulnerability disclosure form on their site, so it makes it incredibly easy for security researchers to get in touch with the plugin development team and report vulnerabilities that may be discovered.

Our Threat Intelligence team is always looking for possible attack vectors, ways that attackers can get into WordPress. So when we find a plugin developer that has an easy way to get in touch with them, it means that plugin vulnerability is going to be patched much faster because we’re not trying to find appropriate channels to communicate with those plugin developers. A lot of plugin developers don’t have a security inbox set up with an actual proof that we’re talking to that plugin developer, and not just reporting security vulnerability to perhaps a malicious attacker that then might use that. So it’s always good if you are a plugin developer, to ensure that you have a vulnerability disclosure form or process elucidated on your website, so security researchers can get in touch with you.

So this blog post has a link to information, basically, first of all, showing you how Ninja Forms is doing it and also something from HackerOne talking about the importance of a vulnerability disclosure policy on your website.

Next up, LearnPress. LearnPress is a learning management plugin installed on over 80,000 WordPress sites. Ram Gall also discovered high severity vulnerabilities in LearnPress and worked with that developer to ensure that those are fixed. Those two vulnerabilities include a privilege escalation vulnerability, as well as a post creation and modification vulnerability. Wordfence Premium and free users are currently protected from exploitation of those vulnerabilities, but still ensure that you are patched to the latest version of LearnPress if you are using that.

Next up, a vulnerability discovered by Chloe Chamberland. This is a Cross Site Request Forgery to stored Cross Site Scripting vulnerability found in the Real-Time Find and Replace plugin. This is installed on over 100,000 WordPress sites. This is a nifty plugin; I didn’t realize that it existed. And I can think of about 100 ways to use it, so Real-Time Find and Replace provides functionality so that you can dynamically replace HTML content basically on the fly with new content, so you’re not permanently changing source content within the database or within a plugin. That replacement data just basically loads before it’s delivered to the user’s browser, so hence the “real-time” find and replace.

Chloe found this Cross Site Request Forgery flaw that allowed stored Cross Site Scripting. It’s been fully patched in version 4.0.2, so make sure that you update to the latest version that is available if you are using this nifty plugin. One great thing about this vulnerability is that if you’re using Wordfence, whether you’re using the premium version or the free version, Wordfence is protecting you from any exploitation here because our built in Cross Site Scripting firewall rule was sufficient to block any exploitation here.

So a few of the vulnerabilities we’ve discussed today have been Cross Site Request Forgery vulnerabilities. And I thought it might be interesting to look a little deeper about what a Cross Site Request Forgery actually is. So from the Open Web Application Security Project, which basically defines the types of vulnerabilities that exist, and they have an incredibly — if you’re into information security — they have a great website where you can learn a lot more about the types of vulnerabilities and different exploits. So Cross Site Request Forgery, this is what they say, “It is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated.”

So what does that mean to you, the website owner? This means that an exploitation of a vulnerability cannot happen without an attacker doing something to trick you into performing some kind of action. Now how would an attacker do this? Well, let’s think about some of the ways an attacker might communicate with you. If you have chat set up on your site, they could send you a message via chat that was specifically crafted that would take advantage of a vulnerability that might exist on your site. They could send you an email, again, with a specific link that if you clicked on that link, it would perform an action that if you were authenticated into your WordPress administrative dashboard, would take over your site, or post malicious content in a form that ends up then posting it to the front end of your website.

So these are targeted kinds of attacks. An attacker would have to know that you have a vulnerability on your site. This isn’t something that’s just going to be blindly hit by a bunch of bots. Now a bot or a spam mailer might send you a link that you may then click on that was specifically crafted, and hoping that you were authenticated, would get into your WordPress administrative dashboard, and then perform some kind of malicious action.

So now that we know that these types of vulnerabilities can only be exploited when you are clicking on a link, what does this tell you? If you are a WordPress administrator, it’s really important to take a look at anything that might’ve been submitted by an anonymous site visitor, a comment in your comments on your WordPress dashboard, something within a chat, something within your email. And be very suspicious of any links that are inbound. And of course, use a firewall. And ensure all of your plugins and your themes and your WordPress core are all updated, and Cross Site Request Forgery is a lot less dangerous.

Next up, a story from CNET about coronavirus stimulus scams that are starting to show up. These scams are showing up in various ways that are preying on unsuspecting and vulnerable people, so things like donating to a charity online, donating to charities through social media, contributing to crowdfunding campaigns, even purchasing products online, or giving personal information in any way that has promised you any kind of money or benefits in any way related to coronavirus. These warnings are coming from the FBI, so look out for any kinds of scams that are preying on your emotions.

In this article, they also quote Trustwave, which stated that 33% of all data breach incidents were the result of phishing or social engineering attacks. Now these are attacks on the human in the equation, much like a Cross Site Request Forgery attack. It requires a human to be vulnerable, so most of security again is education. Educate yourself. Educate others. Make sure that you are aware of the types of frauds that exist and guard your assets.

Next up, an article from ZDNet. Google states that in August of 2020, they are going to basically purge useless Chrome extensions from the web store. Google says that because of Chrome’s success as a top browser platform, they’re seeing an influx of spammers and fraudsters. I always like to report on these stories as a reminder to go into all of your browser extensions and look for anything that looks like it doesn’t belong there, or looks like something that you aren’t using anymore. Just like you need to protect your WordPress site from plugins with vulnerabilities, it’s really important to protect your browsers from any kind of malicious actions. The Google Chrome store currently has over 200,000 extensions, so use your extensions very carefully. They are a part of your browser, so if you’re browsing to your bank accounts, if you’re browsing to any kind of social media, anything that you’re typing into that browser session can be captured as a part of just being resident in your browser.

Our final story today was reported in ZDNet on April 29th. And security experts in the UK are warning the government there to not let coronavirus contact tracing applications lead to surveillance. More than 170 researchers in the UK working in information security and privacy signed a joint statement about their concerns over the NHS, the National Health System’s plans to use a contact tracing app to help contain the coronavirus outbreak.

Of course, in the United States, Google and Apple are working together on a joint initiative for Android and iOS devices using Bluetooth. You’ll need to download an app in order to participate in this. Now the NHS and the government in the UK rejected the joint approach put forth by Apple and Google to help trace the spread of the virus. And they are going to have their own separate tool in the UK.

The BBC has reported that Australia’s COVIDSafe contact tracing app already has over a million downloads. Australian Prime Minister Scott Morrison has said that social restriction could be eased if enough people start using this app. So that government says that 40% of the population need to download it before they can start easing social restrictions.

So obviously, I work in tech, and I know that technology can solve a lot of problems. And I agree that public health is a huge problem. But I also work in security, and so I will be a little controversial here. Obviously, there are a lot of people who are looking forward to these types of contact tracing apps to slow the spread of a highly contagious disease. Privacy and security are incredibly important to all of us, and it’s been really heartening to see so many governmental organizations, including the EU, coming up with GDPR to safeguard people’s personal information, same thing in California and Nevada.

And working in security, if you’ve listened to this podcast even once, you’ve heard of vulnerabilities. And you’ve heard about numerous instances when there has been a data breach. Even though in Australia, for example, there are privacy concerns. And the government said that only state health authorities would qualify for access to the data that may be collected by the COVIDSafe contact tracing app. Sounds great, right? They are going to protect the privacy of any data that may be collected by some of these contact tracing apps. Sounds great. Well, as a cautionary tale, I just wanted to remind everyone of the story that we covered in podcast episode 21, where CBP, the border patrol basically said that traveler photos and license plate data images were stolen in a data breach.

This data was stolen through a malicious cyber attack that was reported in TechCrunch in June of 2019. So even though these contact tracing apps have the best of intentions to protect your privacy, malicious attacks and breaches happen. We report about them all the time. Assume that they’re going to happen. So just the fact that our government is going to aggregate further information about our movements, and these tech giants like Apple and Google are going to be doing so as well, it will behoove them to protect our privacy. Or we need to find additional ways to opt out of that kind of surveillance.

I don’t think that COVID is going to go away any time soon. And I don’t think the changes in privacy are going to go away any time soon either. And unfortunately, data breaches and malicious attacks are not going to go away either. I grew up in Illinois, Northern Illinois. And there are tollways everywhere. And when I was a little kid, and they’d start building a new road, and they’d put it in as a tollway, I remember my parents talking when I was little, and talking about these tolls and how they were being collected in order to pay for the road, and that the tolls would go away once the road was paid for.

Well, if you’ve ever driven through Northern Illinois, the tolls never went anywhere. Those funds were re-appropriated, and found new homes. Maybe they’re paying for schools or whatever, but the promise of those things going away never happened. And I think the same thing is going to happen with these contact tracing types of applications. Even if COVID ends up being less of a threat sometime in the future, I think these types of contact tracing apps will continue to exist, and they’ll find additional reasons for them.

I just find it’s a very slippery slope and very interesting. And this is my controversial podcast for, so far for 2020, I’ve been pretty tame, but here we go again. They’re always doing something, aren’t they?

So that’s all we have for you this week on Think Like a Hacker, the podcast about WordPress, security, and innovation. Follow us on Twitter at @Wordfence, and follow me at @KathyZant. Follow my boss at @mmaunder because he’s always got something interesting and gets a little controversial himself sometimes.

We are doing Wordfence office hours every Tuesday at 9:00 AM. We are moving over to YouTube for those instead of Zoom. Well, we’re still going to use Zoom to broadcast to YouTube. We’re finding the best technologies that are working for us, so we’d love to have you join us over there. We’re doing it every Tuesday, 9:00 AM Pacific, noon on the East Coast of the United States.

Thanks for listening to Think Like a Hacker, and we’ll talk to you next week.

The post Episode 75: The WordPress 5.4.1 Security Release & More Plugin Vulnerabilities appeared first on Wordfence.
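The Cross Site Request Forgery segment of this episode, as an added example that is not from the podcast or from the All in One SEO Pack plugin: a hypothetical WordPress settings page shown first without the checks that let a forged request store attacker-controlled content, then with the nonce, capability, sanitization and escaping checks that close both the CSRF and the resulting stored XSS. The demo_notice_* hook, option and field names are assumptions.

```php
<?php
/**
 * Added example (not from the podcast or any real plugin): a minimal
 * settings page that stores a "site notice" shown in the front-end footer.
 * All demo_notice_* names are hypothetical.
 */

// --- Vulnerable version (kept only for comparison; do not ship) -----------
// No nonce, no capability check, raw input stored. Any request that reaches
// admin-post.php with this action while an administrator's browser is logged
// in is accepted, which is exactly the CSRF condition described in the
// episode. The original output code also echoed the option unescaped, so a
// stored value is rendered as HTML for every visitor (stored XSS).
add_action( 'admin_post_demo_notice_save_bad', function () {
    update_option( 'demo_notice_text', $_POST['notice'] );
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
} );

// --- Hardened version -----------------------------------------------------
add_action( 'admin_menu', function () {
    add_options_page( 'Site Notice', 'Site Notice', 'manage_options',
        'demo-notice', 'demo_notice_render_page' );
} );

function demo_notice_render_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'demo-notice' ), 403 );
    }
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_notice_save">
        <?php
        // The nonce is bound to this action and to the current user's session;
        // a page on another site cannot know or predict it.
        wp_nonce_field( 'demo_notice_save', 'demo_notice_nonce' );
        ?>
        <textarea name="notice"><?php echo esc_textarea( get_option( 'demo_notice_text', '' ) ); ?></textarea>
        <?php submit_button( 'Save notice' ); ?>
    </form>
    <?php
}

add_action( 'admin_post_demo_notice_save', function () {
    // 1. CSRF defence: stops with "The link you followed has expired" unless
    //    the submitted nonce matches one generated for this action and user.
    check_admin_referer( 'demo_notice_save', 'demo_notice_nonce' );

    // 2. Authorization: a nonce proves intent, not privilege, so the
    //    capability is checked separately.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'demo-notice' ), 403 );
    }

    // 3. Input sanitization: keep only the HTML a post may contain; script
    //    tags and event-handler attributes are stripped.
    $notice = isset( $_POST['notice'] )
        ? wp_kses_post( wp_unslash( $_POST['notice'] ) )
        : '';
    update_option( 'demo_notice_text', $notice );

    wp_safe_redirect( add_query_arg( 'updated', '1',
        admin_url( 'options-general.php?page=demo-notice' ) ) );
    exit;
} );

add_action( 'wp_footer', function () {
    // 4. Output filtering: re-filter on output as well, so a value written
    //    by other means (direct DB edit, an older buggy release) still
    //    cannot execute in visitors' browsers.
    echo '<div class="site-notice">'
        . wp_kses_post( get_option( 'demo_notice_text', '' ) )
        . '</div>';
} );
```

Wordfence's Cross Site Scripting firewall rule, mentioned above, sits in front of the vulnerable handler and blocks the malicious payload; the nonce and capability checks in the hardened handler are what the plugin itself needs so the request is rejected even without a firewall.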


Episode 74: Staying Safe When Hackers Use Sophisticated Attacks

Stories this week about targeted attacks using 0days in iPhone and iPad devices and a sophisticated phone scam targeting a security professional that ended with a $9,800 wire transfer underscore what we all know: malicious attacks are becoming increasingly sophisticated. We give you some ideas how to stay safe.

We also cover a recent plugin vulnerability in the MapPress Maps plugin affecting over 80,000 WordPress sites, Google’s report that they’re seeing more than 18 million daily malware and phishing emails. We also cover the recent funding that Frontity received, and look at what this might mean for faster WordPress sites.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:34 Critical vulnerabilities patched in MapPress Maps plugin
2:00 iOS zero-days allegedly being actively used against high-profile targets
3:41 Cautionary tale of sophisticated phone scams and bank fraud
7:39 Google saw more than 18 million daily malware and phishing emails related to COVID-19 last week
9:27 Nearly 25,000 email addresses and passwords allegedly from NIH, WHO, Gates Foundation and others are dumped online
11:38 Frontity Raises €1M with Automattic and K Fund


Episode 74 Transcript

Hello my WordPress friends, welcome to Think Like a Hacker, episode 74. This is the podcast about WordPress, security and innovation. It’s nearing the end of April. How are you holding up? We’re doing fine over here, but looking forward to getting back to whatever the new normal is supposed to look like. We have some news for you today, both in the security world as well as the WordPress news, so let’s get started.

First story was published on April 23rd on the Wordfence blog. This was related to critical vulnerabilities that were patched in the MapPress Maps plugin. This was discovered by one of our security researchers, Ram Gall. He found these two vulnerabilities in this plugin that affected over 80,000 WordPress installations. Both of them were authenticated, meaning they could only be exploited by someone who had an account within WordPress. But of course this is problematic if you have your site set up to allow subscribers because even a subscriber level user is authenticated.

So we reached out to that plugin’s author and they released a patch that same day. We’ll have a link in the show notes so you can take a look at what these vulnerabilities actually entail. What you need to know now is if you’re using MapPress Maps for WordPress on any of your sites, you need to update immediately. Wordfence free customers will not receive those rules until May. Obviously premium customers were protected as soon as we found these vulnerabilities. The free version has a less severe vulnerability than the pro version. The pro version has an extremely critical vulnerability. Obviously links in the show notes if you want to look deeper.

Our next story was reported by Bleeping Computer on April 22nd as well as numerous other sources including The Verge. They are reporting that a new iOS zero-day has been discovered that is allegedly being actively used against high profile targets. These two zero-day vulnerabilities affecting iPhone and iPad devices were found by cybersecurity startup ZecOps after the discovery of a series of ongoing remote attacks targeting iOS users since January of 2018.

Now this flaw has existed for 10 years and had not been previously disclosed to Apple. Obviously, that makes it extremely valuable to a variety of bad actors and ZecOps says that they believe with high confidence that these vulnerabilities are widely exploited in the wild in targeted attacks by advanced threat operators. Now, ZecOps says that they have evidence of these exploits being used, but they say they’re not comfortable sharing that, which is leading some security researchers to question the validity of the claim that they are widely used in the wild.

That includes Jann Horn, a researcher for Google’s Project Zero cybersecurity project. What does this mean for you? If you are using the native mail app in iOS, don’t click on links in your phone’s mail. You might want to switch to Gmail or Outlook or another mail application for your iOS device until we’re sure that these zero-day vulnerabilities are patched.

Our next story comes from Krebs on Security published April 23rd and it’s a cautionary tale for those of us in security that no one is immune from being taken by a scam. This is a tale of a phone scam that escalated into a $9,800 wire transfer. It looks like it started with a credit card skimmer likely at a gas pump where this victim had used his debit card to buy gas.

Our victim, who received the name Mitch as a pseudonym, lived in California and he was a veteran of the tech industry. He had worked in security for several years at a major cloud-based service and he knew security protocols, but he received a call from what he thought was his financial institution warning him that fraud had been detected on his account and that the caller ID of that incoming call displayed the same phone number that was printed on the back of his debit card. Sounds legit, right?

Just to be sure he logged into his bank account while he had that person on the line and he saw a couple of transactions that he knew were fraudulent, which lent credence to the fact that he was talking to his financial institution, which he wasn’t. Now these attackers had gotten his debit card number and they had gotten his PIN number and they could pull money out of his account at ATMs and go shopping at big box stores. They wanted obviously more than that. So they needed his help and they needed to escalate and get more complex in the attack, which they did.

And the fraud investigator said that the $9,800 that was wire transferred out had been sent to an account at an online only bank. And that bank was also in Mitch’s name. He didn’t open that account but this may have helped the fraudsters sidestep fraud flags for the unauthorized wire transfer. So what is our takeaway from this? If your bank calls you, hang up and call them back, initiate that conversation, watch your bank account fervently. Watch your credit card statements regularly. Look at your balances all the time and ensure that no fraud activity is happening. And if your bank is calling you, distrust that call.

Now, this is an important cautionary tale. You’re listening to a security podcast. I am talking in a security podcast. We are security professionals and we understand what fraudsters do and we can look for telltale signs of fraud when it’s happening. So was Mitch. So it just goes to show that to be extraordinarily distrustful of the things that are happening and question everything is incredibly important in security.

It also reminds us, and I say this a lot on the podcast, that as a security aware individual, think about your friends and family who are less up on security and what can you do in order to help them prevent these types of attacks from showing up in their life? How do you heighten their security awareness so that when your mom or your dad or your grandparents receive a call from a “bank” that they know to hang up and to call the bank themselves and to keep an eye on what’s happening with their financial institutions. When things get tough, scammers get more brazen and more sophisticated, and I expect that we will hear more tales like what Mitch went through. So protect yourself, protect your friends.

Our next story underscores those sentiments. This was published in The Verge on April 16th. Google saw more than 18 million daily malware and phishing emails related to COVID-19 last week alone. With these interesting times, scammers and hackers are using fears associated with COVID-19 in order to be relevant and to try to create a sense of urgency to prompt users to respond to these types of scams.

Now Google says that its artificial intelligence powered protections block more than 99.9% of spam, phishing and malware from reaching users. They also say that it has been working with the World Health Organization on implementing DMARC, or Domain-based Message Authentication, Reporting and Conformance, to make it more difficult for scammers to impersonate the World Health Organization domain and prevent legitimate emails from the WHO being caught in spam filters.

Now even with Google blocking 99.9% of the malware and phishing campaigns that are targeting email inboxes, that still leaves about 20,000 emails that possibly might have gotten through. Obviously the fail safe is to ensure that people are educated and can recognize a scam when it comes into an inbox. That means educating our friends and family, making sure that they’re aware that hackers are as busy as ever in light of what’s going on.

Our next story comes from the Washington Post. They are reporting that nearly 25,000 email addresses and passwords, allegedly from the NIH, the World Health Organization and the Gates Foundation, were dumped online. These were ending up on Twitter and Twitter was actively removing those. The BBC also reported this. They said that they found about 9,900 emails and passwords from the NIH, 6,800 from the CDC, 5,100 from the World Bank, 2,700 from the World Health Organization, 269 from the Gates Foundation and 21 from the Wuhan Institute of Virology.

The NIH told the BBC it was investigating the leak, but none of the other organizations had responded to the requests for comment. Now it’s hard to say what exactly is going on here. Obviously we’re just hearing about it from various sources. I did do some investigation and found another security researcher talking about their analysis of some of these dumps and the biggest takeaway was people are using incredibly simplistic passwords even at some of these large organizations that you might assume know better.

So let this be a warning to us all. Use extraordinarily complex passwords. Use your password managers and please use two-factor authentication wherever you can and keep yourself safe. Obviously with a big dump like this, something else is going on. It’s not just one email account that’s being accessed. There apparently looks to be databases of usernames and passwords are being found by these hackers, so there’s obviously security concerns beyond that, but just some of these simplistic … there were password123s in there. So definitely make sure that your passwords are safer than the ones that they’re using at the World Health Organization and tighten up your email with two-factor authentication.

Our final story back in the WordPress world, Frontity raises one million euros with Automattic and K Fund. This article was published on WP Tavern on April 22nd. What is Frontity? Frontity is a free, open source framework for building WordPress themes based on React. Now these React-based themes will be competing against PHP based themes. And React is a JavaScript library for building a user interface. It’s maintained by Facebook and a community of individual developers and companies and it can be used as a base in the development of a single page or mobile applications. Gatsby, which is often talked about in the WordPress world with headless WordPress, is also based on React.

Now this is interesting to me. Automattic is covering 22% of this funding round for a theme based in React. Now, over the last year or so, everybody’s been talking about Gatsby. It’s kind of been this shiny new object in the WordPress world because of headless WordPress because everybody wants the fastest site they could possibly develop and these JavaScript frameworks deliver that.

Now you can build a site in Gatsby, you don’t need WordPress. The reason it’s interesting to WordPress is so many of us have websites that are built in WordPress and so to have a Gatsby incredibly fast site talking to the WordPress database and pulling in information that has been stored there for 10 years and showing it in a new way, that is very interesting.

One of the reasons I got involved in WordPress to begin with was all of the information for a site, all of the content was stored in a database and I could theme it in different ways just by changing the theme, changing the look and feel of the site, but the content would remain the same. So it would give my site and me the freedom to grow with the internet because obviously what looked good in 2002 on the internet is not what looks good now. And one of the problems with Gatsby is that it has somewhat of a steep learning curve. You have to learn an entirely new framework and then figure out how to connect that to WordPress.

I haven’t played with Frontity yet, but I plan on doing so. Because it’s 100% focused on WordPress and the WordPress APIs, it’s within my realm of expertise and it has the same benefits of using a React-based framework within WordPress. Seems like an easier step, so I will report back once I play with it on a few sites and hopefully don’t break anything. This sounds like an interesting next step for WordPress. If you’ve played with Frontity, let me know how it works for you.

And with that, that is the news for this third week of April. Now on the 28th next Tuesday we are going to have another Wordfence office hours. I will put a link to register for that in the show notes if you’d like to join us. We’re trying to do this every week now. We’ll change up the content starting in May, but we’ve been kind of repeating the same content because we have new people coming in all the time. We’d love to see you there.

If you have any news stories you’d like me to cover or you have any feedback, please hit me up at kathy@wordfence.com, follow me at Twitter @kathyzant, follow the @Wordfence account of course, and follow the Wordfence account on Instagram and YouTube as well. We have a few new videos that will help you sort of get up to speed on some of the features in Wordfence and Wordfence Central on our YouTube channel, so follow us and give us thumbs up and comments and you know, begging for all of those social proofs in social media land. Thank you again for listening to Think Like a Hacker and we will talk to you next week.

The post Episode 74: Staying Safe When Hackers Use Sophisticated Attacks appeared first on Wordfence.


Wordfence Helping Our Friends in Australia Fight Bush Fires

Last fall as wildfires ravaged much of Australia, we were deeply affected by the stories of destruction coming out of numerous communities. As a global company with customers and friends in the region affected by these events, we looked for opportunities to help, much like we did with the WordCamp Asia Cancellation Fee Assistance program.

As you know, Defiant Inc is the company behind Wordfence. Like many of our customers, the Defiant team is distributed. One of our senior developers, Stephen Rees-Carter, is based in Brisbane with family in rural areas of Australia. Stephen’s wife Gen chatted to the Collector Rural Fire Brigade who identified a need for new GPS units for the brigade. Stephen and Gen organized the purchase and delivery of two units and Defiant covered the costs.

We recently received a letter of thanks from the Collector Rural Fire Brigade, along with some details describing how these GPS units are being used. When in a crisis situation, having accurate navigation in unfamiliar terrain can make a difference in saving lives and property.

We were deeply touched by the letter we received, which is reprinted below along with photographs of the heroes on the front lines of fighting bush fires in rural Australia.


8 April 2020

To the generous team at Defiant,

Firstly, on behalf of the Collector Rural Fire Brigade we would like to sincerely thank you for your kind generosity in purchasing 2 Hema navigational units for our Brigade. The support of the general public both in Australia and from around the world in our country’s time of need is extremely appreciated. Your donation shows us that our work is appreciated by not only the communities we try to protect but of those around the world that the story of the Australian 2019-20 Bush fire season has touched many hearts near and far. Your contribution to this cause has helped the effort in protecting the communities we live in and will continue to aid us to become more effective in our future efforts to protect life and assets.


Members from the Collector Rural Fire Brigade completing training on the Hema navigational units.

The small village of Collector is located in the state of New South Wales, 60km north east of Australia’s capital city Canberra, and 230km south west of Sydney. The village and surrounds have a population of approximately 300 people and is situated in a rural setting surrounded mainly by agriculture. The Collector Bushfire Brigade was formed in 1941, in 1995 the Collector Station was built to house tankers and equipment that had been previously housed and maintained by members. Around the same time the New South Wales Rural Fire Service was formed and from that the brigade started to receive funding from the service to upgrade equipment. Collector has 2 tankers, a category 1 tanker (heavy) and a category 7 tanker (light). The brigade has approximately 50 members, who are all volunteers, of which about 20 members are active fire fighters.

In the 2019-20 fire season the Collector brigade was called upon 20 times over a period of 55 days from 13th November 2019 to 8th February 2020 where 20 members crewed the tankers with countless hours spent on fire grounds within about 100kms from Collector. Usually in a busy fire season the Collector brigade might be called to 5 or so incidents, this season has rewritten the history books and we hope that doesn’t ever have to happen again. Our main focus was on the Green Wattle Creek fire south west of Sydney which burnt through 278,700 hectares and took approximately 2 months to contain. In late November 2 members deployed to northern New South Wales on a task force to assist exhausted crews in the Grafton area after they had been dealing with massive blazes for weeks on end with no end in sight.

We were very fortunate to not have any major fires in our own area, while we did have local incidents, we were lucky enough to jump on them before they became major issues. The enthusiasm of our volunteer members and their willingness to drop everything and get on a tanker is a testament to their dedication to protect their local community and surrounds. On the 10th of February 2020, much needed rain fell across the south east of the state and the fire activity decreased and the land got a much needed soaking and all but extinguished the majority of the fires.


Collector Rural Fire Brigade attending the Currawan Bushfire on 7 December 2019

Your generous purchase of 2 Hema Navigation systems for our brigade has allowed us to bring up to date mapping and navigation into our tankers. We don’t always know where we are going and on any given day we could be sent into unfamiliar towns or areas to protect property and life. These units allow us to navigate using street addresses and locations as well as allowing us to locate ourselves on topographical maps where we can see terrain, bush tracks and property and assets all at the touch of a finger. These units have already proven their worth in making our job a little easier and straight forward especially relaying grid and Lat Long references back to incident commanders.

Once again, we would like to thank you for your generosity towards the Collector Rural Fire Brigade and wish you all the best in your future endeavours.

Regards,
Collector Rural Fire Brigade


Collector Rural Fire Brigade backburning at the Green Wattle Creek Bushfire on 22 December 2019

The post Wordfence Helping Our Friends in Australia Fight Bush Fires appeared first on Wordfence.


Episode 73: Security News and Success through Processes with Adam Silver

The FTC is reporting numerous scams targeting fears and uncertainty, with over $12 million lost to Coronavirus-related scams. We also cover BBB warnings against oversharing on social media, over 500,000 Zoom credentials found on the dark web, Google’s removal of malicious Chrome extensions, as well as recent plugin and theme vulnerabilities.

We also chatted with Adam Silver, host of the KitchenSinkWP podcast, currently celebrating 6 years of podcasting. We ask Adam about his consistent success, experiences with WordCamps, as well as the impact of Open | The Community Code, the film about the WordPress community, in which Adam participated.

Timestamps and links are below:
1:05 The U.S. Federal Trade Commission says that approximately $12 million were lost to Coronavirus-related scams.
2:51 Better Business Bureau warns against oversharing on social media, specifically with the senior photo meme.
5:24 Researchers found and bought more than 500,000 Zoom passwords on the dark web for less than a cent each.
6:25 Google removes 49 Chrome extensions caught stealing crypto-wallet keys.
7:25 Critical Vulnerabilities in the WP Lead Plus X WordPress Plugin.
9:00 Vulnerability Patched in Accordion Plugin.
9:43 Unpatched High-Severity Vulnerability in Widget Settings Importer/Exporter Plugin.
10:50 Unauthenticated stored XSS vulnerability in WordPress OneTone theme won’t be patched.


Episode 73 Transcript

Adam Silver:
Having a process, having a consistency to your day is key for running a business and not having to recreate the wheel.

Kathy Zant:
Hi and welcome to episode 73 of Think Like a Hacker, the podcast about WordPress, security, and innovation. It’s the middle of April 2020, and we’re all still kind of under lockdown because of COVID-19 but we still have a number of security news items for you, along with an interview with one of my favorite people in WordPress, Adam Silver. Adam is a well-known contributor to the WordPress community. He runs an agency based in North Carolina, ConciergeWP. He’s also one of the longest running podcasters around in the WordPress space, maybe the longest running podcaster around. He has two notable podcasts, KitchenSinkWP and the Get Options podcast that he does with Kyle Maurer from Sandhills Development. But first the news.

So WordPress friends, are you staying busy during all of this COVID-19 craziness? Well hackers certainly are. According to an article in Bleeping Computer, they’re reporting that about $12 million has been lost to coronavirus related scams since January of 2020. According to the FTC, consumers reported over 16,000 fraud incidents so far, with most of these happening in California, Florida, New York, and Texas. These are coming through as phishing emails, text messages, and via social media. The IRS has also issued an additional warning with these economic impact payments showing up. They’re warning that fraudsters may be requesting personal information with that economic impact payment as a lure. So imagine a phone call from someone pretending to be the IRS looking for your bank information, so that they can get that payment to you. That’s not going to happen. The IRS isn’t going to call you. They’re not going to text you, nor are they going to send you an email.

There are obviously directives on irs.gov that will tell you how to get those payments. It is not going to come at you. You’ll have to go seek that out yourself. Now most of you listening to this podcast are going to be aware of these types of scams. The thing is that our family members or our friends, who may not be as tech savvy as you, may not know. So it’s important to get the word out and share with them the scams that are happening and help people make better decisions about these types of requests.

The Better Business Bureau is now advising people to think twice before participating in the trend of sharing your old senior photo on social media. Now with many seniors not being able to have graduation, there’s this trend going on where people are sharing their old senior photographs and talking about what year they graduated, what high school they graduated from.

Now there’s a problem with that. That problem starts with your bank account. Think about all of the services that you use that uses secret questions as a method of two-factor authentication. What year did you graduate from high school? What was your high school mascot? In this case, we are providing that easily identifiable information to scammers who may be trolling social media accounts, looking for these answers to secret questions. And we’re providing that on our social media. The Better Business Bureau cites similar concerns about other types of trends on Facebook. For example, name the make and model years of all of the cars you’ve ever owned, your favorite athletes, the concerts that you’ve gone to, what your top shows are, who’s your favorite musician, what was the first musical instrument you ever learned? All of this personal information, when placed on social media, becomes a treasure trove. Especially when hackers have access to so many of our usernames and passwords on breached sites that have been dumped in areas such as the dark web or on torrents.

They may not be able to get into your bank account with your username and password, but if your bank account is asking for the first musical instrument you’ve ever played and you say that that was the guitar and you’re posting that on social media, they have all of the keys they need in order to get into your financial institution. So you have a couple of options. You can either use a password manager, provide fake information on your second factor secret questions on your bank accounts, or you can not provide that information on Facebook. Or maybe we just start lying to our friends. Either way we need to change how we’re sharing information and change how we are using two-factor authentication.

Our next story is about Zoom. Researchers have found and purchased over half a million Zoom passwords on the dark web and they’ve purchased them for less than a penny each. These are being used in credential stuffing attacks. There are so many new people using Zoom with all of the COVID craziness, and they’re reusing passwords that they’ve used on other sites that have been affected by a breach. So Zoom hasn’t been hacked. These are just accounts that have been obtained using credential stuffing, where hackers are using passwords and emails leaked in previous data breaches. So make sure that if you are using Zoom, if you are using Amazon, if you are using any service whatsoever that you are using unique passwords everywhere. And two-factor authentication if you can. Leverage a password manager like LastPass or 1Password and keep your passwords safe.

Our next story is from ZDNet and this is about Google removing 49 different Chrome extensions from the web store that were all impersonating legitimate cryptocurrency and wallet apps, but they actually had malicious code that was stealing crypto wallet private keys. This was discovered by Harry Denley, Director of Security at MyCrypto, who shared those findings with ZDNet. And I’ve mentioned this story as a reminder, because we all need reminders, to go check your browser extensions, no matter what browser you’re using. If it’s Safari or Chrome or Firefox or Brave, go check your browser extensions right now. See if there’s anything you don’t recognize or that you’re not using. If you are not using it, delete your browser extensions the same way you would get rid of a WordPress plugin that you are no longer actively using. Keep your digital life safe and clean.

Which leads us to talking about WordPress plugins, and we have a few plugin vulnerability stories to cover. First off, we have the WP Lead Plus X WordPress plugin. This affected over 70,000 WordPress sites, which leads us to talk about some plugin vulnerabilities. The first was an authenticated stored cross site scripting vulnerability, meaning that it could only be exploited by somebody with an active account on that site, but a subscriber counts as an active account. The second vulnerability was actually not patched, so even the live plugin is still vulnerable to a cross-site request forgery attack. This just requires you to be very vigilant about the links that you click within your emails. So if you’re not actively using this plugin, we recommend deactivating it and removing it from your site.

If you do require this plugin’s functionality, we just ask you to be very careful with emails that are coming in and not clicking on links within emails. Because of that cross site request forgery, a firewall cannot actually protect against these types of attacks because the attack appears to come from your site. It appears to come as a legitimate entry into the site and so protecting against it is next to impossible. So you’ll just need to be very careful clicking on links and if that plugin does receive an update that protects against it, we will let you know. Our next plugin vulnerability is the Accordion plugin. Chloe Chamberland found this one. It’s installed in over 30,000 sites and this was an unprotected Ajax action that worked towards a stored reflected cross site scripting vulnerability. The plugin team patched this very quickly within three hours of our disclosure. The fully patched version is 2.2.9. If you’re using this, make sure you upgrade to that version or later if you’re listening at a later date. And Wordfence, both free and premium customers are already protected against this. We’ll have a link to the technical details about this vulnerability in the show notes.

And finally another interesting plugin vulnerability discovered by Ram Gall. This was the Widget Settings Importer/Exporter plugin and this vulnerability is high severity and is not going to be patched. This plugin is currently installed on over 40,000 sites. We have technical details about what’s happening with this. We did reach out to the developer and did not receive a response. It’s been over a month. Both free and Wordfence Premium users are protected against this exploit currently, but if you are using this plugin, we do recommend deactivating and removing it from your site. There is another plugin that does something similar, the Widget Importer and Exporter. We have a link to that particular plugin and the blog post for this vulnerability disclosure.

Our threat intelligence team continues to investigate plugins and themes, looking for possible vulnerabilities that could be exploited, and working with developers to keep you safe. And we talk so much about plugin vulnerabilities. It’s been a while since we’ve talked about a theme vulnerability, but those do in fact happen. NinTechNet reported on April 3rd that the WordPress OneTone theme installed on over 20,000 sites is prone to an unauthenticated settings import vulnerability that could lead to multiple stored cross site scripting exploits. This is not being patched. This theme is no longer being maintained by the developers. So if you are using the WordPress OneTone theme, you’ll need to find a different theme and make sure that your site stays protected.

Thanks to the amazing work of our threat intelligence team, the Wordfence firewall does indeed have a rule to protect against exploits of this unauthenticated stored cross site scripting vulnerability. Wordfence premium customers already have this rule. Free customers will receive it the first week of May. We still recommend that you find another theme as this is no longer actively maintained and there could be other vulnerabilities that haven’t been discovered yet. And no sign of this being actively maintained, so stay safe out there. Now onto our interview with Adam Silver, we hope you enjoy.

Hi Adam. How are you doing?

Adam:
I’m good. How are you?

Kathy:
I am doing spectacularly. So I have a question about the fact that you’ve had a podcast for six years running. I mean, I’ve done things for many years and you probably have gone through that period of, eh, do I really want to do this? And you keep doing it, but you keep that consistency. You have to have some… What’s your secret sauce of staying consistent and also making sure that it doesn’t take up too much of your time and your life?

Adam:
So my show is relatively short. It’s about 10 to 12 minutes on average. If I do interviews, which is not that often, maybe six or seven times a year. Because interviews, scheduling becomes an issue for some people. People drop off, people cancel. That’s always stressful. I get asked a lot too for people who want to be on the show because they want access to my audience, and I’m very protective of my audience. I take sponsors, but I didn’t take sponsors for the first 100 episodes. Have to match the audience, has to make sense to them. Something that I believe in and use and have used myself, that kind of thing. Same thing with affiliates the same way. For me, it’s consistency. And it’s just commitment. People do ask me how to come up with ideas, and oftentimes I don’t know where it came from, but it always works out and I always have a show.

Adam:
And then I guess from my perspective, I use my agency, and I share a lot. I mean, I’m pretty transparent about how things are, what I’ve learned from running the WordPress agency and dealing with clients, dealing with my contracts team, et cetera. I may leave out names, of course, to protect the innocent or the guilty, but I just share. And when I went solo, back when I took ConciergeWP, which is the agency. When I took that full time, three and a half years ago. I documented it like I did it one month, three, six, nine, 12 months. And I was extremely transparent. I shared numbers and it wasn’t good. It wasn’t pretty at all for a while. It really wasn’t. And those episodes got probably the most downloads I’ve had at one time because it’s true, it’s authentic.

Adam:
And that’s how I am. I share completely freely. I’m not worried at all about competition. I used to be when I was a younger man, I would worry about why is this person working, I’m not? Like when I did photography work. I used to have an old Hotmail, I would send an email to another photographer when I lived in Colorado and get their pricing or something. How much do you charge for this? And all those things. And I would work from a place of scarcity versus abundance. And I changed that mindset years and years ago because there’s plenty of work in every industry. It’s just a matter of finding the work and doing the work and delivering the work. But it’s just a mindset shift. So I think I answered your question.

Kathy:
I think so. So abundant consistency. So mindset and consistency. And that’s your secret sauce?

Adam:
You’ve got to be consistent. Yeah, I mean I think so. And also I have a checklist. I think we talked about also. I do, I use a total checklist. I love the book, the Checklist Manifesto. One of my favorite books, I bought it for people. I’ve sent it to clients actually, that when they get checklists and processes in their place of work. So I use OmniFocus, but I have a checklist. Just every week. This is what happens for every show. I use that, I use Post Haste. It’s a free software tool. Gives me the folder structure for every episode. Exactly the same. So my shows are 12 minutes long, let’s say.

Adam:
Pre-production takes me no more than an hour. It depends on the episode. Let’s say an hour. Recording is real time. Let’s say it’s 12 minutes. Post production, less than a half an hour. But so you figure, I mean two hours for a 15 minute show. It’s a chunk of time, of my time. But I’m pretty quick at it. And the editing. I don’t do a ton of post production. I get it myself. I do my own show notes. I just have it down to a pretty good science.

Kathy:
Is that part of what makes your agency successful, too? Is just creating procedures and checklists?

Adam:
That’s a whole separate can of worms. So my old joke is, I run a non-profitable, not a nonprofit. No, I mean like anything else, success is just that. It’s about putting the time and the effort and the energy. I actually have processes in place. The problem is sometimes remembering to use that. But yeah, having a process, having a consistency to your day is key for running the business, not having to recreate the wheel, of course. I now have a new onboarding process. When someone signs a contract with us, what they get right after that. It’s actually written out to script that’s in my Pipedrive CRM. I can just copy paste. That way it’s the same thing. I change information like start date, end date, those things. But now it’s welcome to ConciergeWP, here’s the next steps, here’s what’s going to happen.

Adam:
Let us know. That way it’s just onboard. I also have a new process for onboarding new contractors. If they don’t want to have an email from ConciergeWP because they’re like, I don’t want another email address, well I guess you’re not going to be a contractor for us. You don’t want to be my Slack channel. I guess you’re not going to be a contractor. I need to have those two things in place. And being loosey goosey about it every time, making different rules, have to go track how to communicate with people in different places. So now across the board. And everyone who’s working with me right now, all my team, actually I’m trying to change the word from contractor to strategic partner. It’s across the board. It has to be consistent because, like I said, otherwise it’s too many different rules. Too many different places to touch points.

Kathy:
Those small things tend to be… They add up and the more small things that you can proceduralize of this is just the way we do things, then it makes the bigger things easier to handle. Right?

Adam:
Right, right. Yeah. And then the last thing on this little topic here I was going to mention was, I can’t control what I can’t control. Meaning things take time. With clients, our clients, they deserve to be taken care of respectfully. But I can’t assume I know what they’re thinking or how they will react to something. And if they don’t like it, it’s unfortunate, but the point of the story here is hours. I have a client that has 10 hours a month retainer and where the recording of this episode, it’s five days into the month. They’re already using half of their hours because last month they waited till the last week for us to do this project. They weren’t even ready to have it all done. So it led into the end of the month and then five hours started on the first, which was not Sunday because we take a couple of days off on the weekends.

Adam:
We try not to work weekends unless it’s an emergency. So Monday, my contractor developer did all his work, so be it. So when we get to eight and a half hours, I let the client know, “Hey, you’re close. We’re going to push past if we keep doing this project.” They’ll go to hourly or you’ll have to push till April. It’s up to them. And if they think, “Well, what happened? Why?” I explain it why. This is why. This is our business. We don’t work for free. So that’s that. So again, I just don’t assume, I try not to. When someone says something, I get an email from somebody. I don’t get upset. I don’t have a reaction to it anymore because so much is lost in text.

Adam:
For me to get stressed out about something that’s going to not change a thing until I have the facts, doesn’t change. When someone tells me my car needs X, Y, or Z done. $3,000 or even $500. I just get really upset. Oh my gosh, 500 bucks. Well, it’s cheaper than a new car. A, my cars are paid for, and B, it’s a number. So now I got to figure out how do I pay for that? Does it need to be done right now? Those things.

Kathy:
Yeah. How does the word-

Adam:
Process.

Kathy:
Process. Yes. How does the WordPress community, and being so involved as you are, how does that either inform or affect your business?

Adam:
I get hit up a lot. People seem to reach out to me in some capacity when there’s news, something new out there. “Hey, what do you think of this? What do you think’s going to happen here?” And it wasn’t like that initially. It just, it’s over time it’s happened that way. I mean there are people who have much bigger profiles than me. I pretty much kind of stay low on the radar, not high on the radar. People don’t need to know my political views. I don’t care about that stuff. I care to some extent. But again, it’s not in my purview at the moment. So people do reach out. People also like to share with me, knowing that I won’t say anything. They want to have a place they can go to for a trusted advisor if you will. Almost some coaching or something. I don’t say counseling but people share with me often. And I share with them. I’ll share with other people, too. I have my trusted people. I’ll share what’s going on, but people do trust with me. So I don’t spread rumors that way.

Adam:
I’m like, you know what, it’s here. I’ll know something ahead of time possibly on some things. I’ll say, “Hey, can I mention this on the podcast? It’s newsworthy.” He said, “Not yet.” I’m like, okay, I respect that. And it definitely affects the business. I mean, I’ve gotten business from the podcast and being in the community. I was at WordCamp, I think it was Chicago a couple years ago. Chicago or Ann Arbor, one of the two, maybe Ann Arbor actually. Yeah, it was Ann Arbor and I wasn’t speaking. I just went to go and surprise some friends. Just popped up there. And at the after party I was in line to get some food, and a woman comes up to me and she goes, “Hi, who are you?” It’s kind of funny. She’s like, “Who are you?” I’m like, “What do you mean? I’m Adam. What do you mean?” She goes, “Well, it seems like you know everybody here, and I just want to know who you were. Because you’re not on the list to speak. And I wondered why you know everybody and how everyone knows you.”

Adam:
I’m like, “Well I spoke here last couple of years, I’m from Los Angeles.” At the time I was living in LA I think. “And I run a small agency.” She’s, “I’m actually looking for a developer.” And I said I had a podcast, and I run an agency. So I gave her my card and then about two weeks later she emails me. She goes, “I love your podcast, I love your voice, I love your honesty. Can we talk about working on my project?” So, it’s a much longer play, if you will. It’s a long strategy, long play strategy. As far as putting myself out there, investing in the go. And I mean I’ve gone to a lot of WordCamps, self-funded.

Adam:
Your job was to go to WordCamp. So you go to more. Sure, I mean Mendel went to thousands, I’m sure. People go because it’s part of your job. My job isn’t to go to WordCamps. My job is to sell and make websites technically. Also to build, I want to be part of that community. So I would be out of pocket to go to 8 to 10 camps a year. It’s not cheap.

Kathy:
It’s not.

Adam:
The cheapest part is the ticket to WordCamp. If I’m paying for it. If it’s 40 to 50 bucks, that’s the cheapest part. So it would usually be covered because of meals and stuff. But hotel, airfare, car rentals, Ubers, that stuff adds up.

Kathy:
It does, but it’s worth it to you, and it’s worth it to your business?

Adam:
Totally. Totally. It’s lonely working from home by yourself. And for me, getting out… WordCamps are the only place I go where I usually don’t wear WordPress t-shirts. I’ll actually wear a button down, I’ll wear a sweater, a pair of shoes. Not flip flops.

Kathy:
Okay. So the question everybody wants to know is what percentage of your wardrobe is WordPress t-shirts?

Adam:
75 easy. I mean, I think I can go and I’m in the 90 range of how many days in a row I can go wearing a WordPress related shirt. Without doing laundry or wearing the same shirt twice. I took a picture of it before I went to US. I shared it on Twitter. I’m like, which ones to bring? And that’s the thing also. Which one did you bring to a WordCamp? I’ve learned to bring three less shirts to WordCamp.

Kathy:
Have you?

Adam:
Because I bring home three more. Yeah.

Kathy:
At least.

Adam:
Because you don’t need them when you’re there. So yeah. I mean today, can I say who I’m wearing on your show?

Kathy:
Of course.

Adam:
So today I’m wearing LifterLMS, a great group of guys. And I’m also wearing a speaker hoodie, a thin hoodie which is perfect for inside the house from WordCamp Birmingham. It was a gift. Love this hoodie. So I’m wearing this. Yeah. I mean I have this one, I have WordCamp… I have so many hoodies now. I have the one you sent me.

Kathy:
Yeah, WordCamp Phoenix.

Adam:
I have two of those, you know that right?

Kathy:
You have two of those. Yes I know.

Adam:
Because you and Clancy didn’t talk. That’s awesome.

Kathy:
Yeah. There was an unfortunate situation that happened with that.

Adam:
Right.

Kathy:
You are the beneficiary of it.

Adam:
Right. I was like sweet. Yeah. So I have two from Phoenix. WordCamp Phoenix. And WordCamp Phoenix by the way, it was one of my favorite WordCamps years ago. A couple of years back when I spoke, I did a talk on podcasting to grow your business. It was a big room, big audience, very well engaged. It was one of my favorite camps, one of my favorite. I mean I use a photo of me on stage. That’s one of my photos I have on one of my websites. There’s a picture of me on stage speaking.

Kathy:
Oh excellent. Is there anything I haven’t asked you about that you want to talk about?

Adam:
What about Open.film?

Kathy:
Hey, aren’t you the star of that movie?

Adam:
Not quite. I can tell you though. I mean I was nervous when you told me I was in it. For those who don’t know, there’s a phone call. You’ve talked about it on the show.

Kathy:
Oh yeah, a few times.

Adam:
Okay. So I’m in it, and when you told me that I was in it, I was nervous and… Because it’s one of the things you kind of forget. What’d I say or do? The backstory is I know that I made the camera man and who was the director on it?

Kathy:
Sean and Andrew were the…

Adam:
Sean and Andrew. So Sean was behind camera, Andrew was asking the questions and I took a moment because I got emotional about it, about the issues that we have in the community in my opinion. And so I was curious to know what was used for the footage of that. And luckily when it came out I was happy with what was chosen. It was just fine. And that went out on Twitter, that day when that played at State of the Word, that made the rounds. That was pretty interesting.

Kathy:
It was pretty epic. Yeah. We made you look good though, didn’t we?

Adam:
It was very nice. Yeah.

Kathy:
And we kind of kept it under wraps that it was going to be shown at State of the Word because things can get bumped and we just wanted to wait and see. But I was sitting in the audience when it was happening. It was very surreal because we had spent so much time on it.

Adam:
And that’s the thing also, the feedback was amazing. People were like, when they realized I was in it and they go, “Wait, that was Adam.” It was kind of funny. My kids have seen it. I mean watching it, still thinking about, it still makes me slightly emotional. It’s still really impactful. It still means a lot to me. I am in a place, using WordPress for two years. First when the community existed, jumping in the community. No idea I’d ever be leading the camp in Los Angeles. I just didn’t think that was on my radar. And then be in the documentary about the project and about the community. Who knew? And then now, 10 years later, I’m coming up on 10 years doing this type of stuff. I don’t know what it is I even do. And six years of the podcast. It’s just weird. It’s just very surreal. Same thing, right?

Kathy:
Yeah. Well it is. It’s very surreal, but it’s your efforts and the support you have given to so many members of the community, makes WordPress very much what it is. I mean, WordPress wouldn’t be what it is without the community. And that was what we were trying to show. And you’re a huge part of that. So I was…

Adam:
Thanks.

Kathy:
You are.

Adam:
On the flip side of the same coin, I’m a firm believer that there are, obviously Matt said it at State of the Word, where more people have not gone to a WordCamp than have. Because you can’t, you can’t have all the people that use WordPress go to a camp, it’s just not feasible. At the same token from a business perspective, I’m confident that there are, I’m not sure what the number would be, a large number of people, companies who use WordPress who have nothing to do with and don’t want anything to do with the community. It’s not their thing. They use WordPress as a platform. They run their business and they move on and that’s fine. [inaudible 00:28:05] them. We’re not a cult, the joke is it’s WordPress cult. It’s not Capital P. Dang it, those things. It’s fun. I just find that I have some of my closest friends in my life are in the community. Simple as that. I have I think over 12,000 photos on my iPhone. Guarantee you 6,000 of them are WordCamp related. WordPress related.

Kathy:
Yeah.

Adam:
The other half are actually my family and friends that aren’t-

Kathy:
Those people.

Adam:
The people I live with. People I put through college.

Kathy:
Your offspring.

Adam:
My offspring, the dog.

Kathy:
Your life partner.

Adam:
Right.

Kathy:
Nice of you to squeeze them in.

Adam:
Yeah. Yeah. I mean, yeah, it’s just interesting that way. But again, I didn’t see it coming. I didn’t see it coming at first and then we made the conscious decision that I would put in the time. My wife and I made that decision to invest the time and the money to do this, from a perspective that it makes me happy, that I enjoy doing it. I love solving problems, helping people and people trust me. And apparently that helps with business.

Kathy:
It helps with business and it helps just in terms of the personal growth of everybody that comes in contact with you. I knew who you were before I met you and I was relatively new. I’m not new to WordPress. I had been using WordPress for… I was one of those people that Matt referenced of people who use WordPress who never come to WordCamps. And it just started happening that, okay, let’s do this. Let’s see what this is about. And when I met Thomas in Los Angeles and he was the one that basically showed me the wonder, the wizardry of Adam Silver. And then I’m like, I have to meet this individual.

Adam:
That’s right, I forgot about that. Thomas is one of the people who credits me, for better or for worse, for bringing him into the community, to the fold. And Thomas is behind LifterLMS ironically.

Kathy:
Yes.

Adam:
He’s one of their partners, one of the owners and he’s the lead developer there. When I met him and Chris Badgett at CaboPress and all those things. If you just look all the way back in the CaboPress, I almost didn’t go because I had a different job at the time. I was actually working for the man. I was doing this on the side and I was literally trying to save a marriage. I got a job-job because I got laid off from a big numbers job. A big director position. And I was torn between buying an Apple watch at the time or going to CaboPress, couldn’t do both. And CaboPress being middle of the week was like, how do I take that time off? I had no vacation time left with the old job. So I remember Chris Lema and myself and Jeff, Matt, we were all this Friday night Facebook group. Or not a Facebook group, a Google hangout back in the day, having a beer and stuff.

Adam:
And I popped in and then Chris was saying, “Hey Adam, what are you doing here?” Because I was asking some questions back and forth about was it refundable for the deposit, apply to go. All those little rules that he had at the time. And four years ago, five years ago. And I was nervous about all those elements of paying $200 for a deposit if I couldn’t get the time off.

Adam:
So I popped in, asked him a question. He’s like, “Wait, you have time to ask questions. But not time to fill out the application at least? It’s refundable, go do it.” And my wife walked by right at that time. She says, “You haven’t applied yet?” I said, “Hey Ellen.” My wife’s name, I said, “Ellen, Apple watch or CaboPress?” She’s like, “CaboPress.” So I applied right then, literally. And then I got it, I got approved and I got it. And then I told my boss at the time and said, “Hey, I was asked to…” He knew I spoke at conferences. I’d gone I believe early Fridays and fly away and fly back Sunday nights. So he kind of knew what I did outside of there. Because I did some website work for that company as well.

Adam:
But I pitched him like, “Hey, I was asked to participate in this conference but it’s Tuesday through Friday. Is it okay to take some time off? It’s an off week for us.” We were a live auction company, and I’ll just go unpaid. He’s like, “Okay.” I didn’t tell him that I was paying to attend a business conference that would entail me to then leave working for him within a year. It’s all marketing. I was in marketing. I marketed it the way it benefited me, truth be told. Where I worked was pretty toxic. And then a year later I left, literally. I had to, I was done. They just didn’t value what I was trying to do for them and stuff. But it took me going to CaboPress. Again it’s where I met Chris Badgett and Patrick Thomas. Thomas Patrick Levy, and just all those things and just kind of who knew again?

Adam:
Yeah. So it’s interesting. But anyway, I don’t know how we got onto that. Oh, how we met. How you found out who I was in the community. Right. It’s crazy. And then you’d asked earlier real quick what keeps me going as far as the consistency or the podcast itself on my show. I wonder from time to time, who am I speaking to? And then randomly I’ll get an email, I’ll get a text, a tweet, something from somebody who I’ve never heard of saying thank you for the show, loved that episode.

Kathy:
That’s awesome.

Adam:
I have a couple of people in Dubai, Sri Lanka, in Jakarta, listen to my podcast.

Kathy:
That’s great. Global reach.

Adam:
Kind of weird. It’s a very, very, very long reach.

Kathy:
It’s awesome.

Adam:
Six years. It’s six years. It takes to nail pretty well.

Kathy:
Awesome. Well, I hope for six, 12, 18 more years. Who knows?

Adam:
Who knows? Who knows? I have no idea. I mean honestly I’ll do it until I don’t.

Kathy:
Well thank you for joining me today, Adam. With us not traveling this year, this has been a treat for me because I haven’t yet seen you since… And I barely got to talk to you at US because it was just constant chaos. But I’m so happy to just see your smiling face and catch up with you and see it for everybody that’s listening. We’re using a tool where we can see each other, but you guys can only hear us.

Adam:
It’s good to see you, too.

Kathy:
Yeah. So thanks for joining me and thanks for everybody who was listening and if you want to find Adam, it’s… What’s your Twitter handle again?

Adam:
@HeyAdamSilver.

Kathy:
HeyAdamSilver. Are you still doing-

Adam:
“Hey, Adam Silver!”

Kathy:
Are you still doing stand up?

Adam:
Only on podcasts.

Kathy:
Only on podcasts. So if you want the best podcast in WordPress, we are the best podcast over here in WordPress security, but the best podcast in WordPress is Adam Silver at KitchenSinkWP. Right?

Adam:
That’s it, yeah.

Kathy:
Awesome. Thank you. We’ll talk to you soon.

Kathy:
We hope you enjoyed this episode 73 of Think Like a Hacker. I am your host, Kathy Zant. You can follow me on Twitter @KathyZant. You can also follow me on Facebook and Instagram if you like looking at funny videos of dogs and cats, of which I have a couple. Check out our YouTube channel. We have some new videos that’ll help you get the most out of Wordfence. We’re also doing Wordfence office hours weekly now, every Tuesday at 9:00 AM Pacific, at noon on the East coast. If you need an invite link, I will have that in the show notes. We’re going to do it every week, answer some questions and help you get up to speed on all of the tools that Wordfence offers in order to keep your WordPress sites safe. And there are quite a few. Thanks again for listening and we will talk to you soon.

The post Episode 73: Security News and Success through Processes with Adam Silver appeared first on Wordfence.
