The WP Builds podcast is brought to you this week by…
The home of Managed WordPress hosting that includes free domain, SSL, and 24/7 support. Bundle that with the Hub by GoDaddy Pro to unlock more free benefits to manage multiple sites in one place, invoice clients, and get 30% off new purchases! Find out more at go.me/wpbuilds.
It’s like Black Friday, but every day of the year! Searchable, filterable list of WordPress products, with exclusive pricing for WP Builds listeners!
Check out the deals now…
We thanks them for their support of WP Builds.
Transcript (if available)
These transcripts are created using software, so apologies if there are errors in them.
[00:00:00] Nathan Wrigley: Welcome to the WP Builds podcast, bringing you the latest news from the WordPress community. Now, welcome your hosts, David Waumsley and Nathan Wrigley.
hello there and welcome to the WP Builds podcast. Once again, this is episode number 266. Entitled. Why do people hack websites with Robert Abella? It was published on Thursday, the 17th of February, 2022. My name's Nathan Wrigley and some very short housekeeping just before we begin, if you head over to WP Builds.com forward slash subscribe.
We would love to keep you in touch with all of the content that we produce. We've got our YouTube channel, Twitter feed, but also a couple of lists, which you can subscribe to. And we will keep you updated when we produce new content. Typically that is a podcast episode coming out on a Thursday. So what you're listening to now, and also we have our, this weekend WordPress content, which is a live show every Monday. If you'd like to join us for that, you can go to WP Builds.com forward slash live.
That's 2:00 PM UK time, and we're joined by some notable WordPress guests, but we also repurpose that and turn it into a podcast episode, which comes out on Tuesday morning. So once again, if you would like to subscribe. WP Builds.com. Forward slash subscribe. I'd also like to point out our deals page. We've got a load of coupon codes for loads and loads of WordPress products. They're there 24 7, 365 days of the year. And it's a bit like black Friday, but every single day of the year,
So WP Builds.com forward slash deals. And finally, if you fancy a bit of an alternative to Twitter, we've got our mustard on install. It's WP Builds.social. Yes. That's a URL. WP Builds, stopped social, and over there, you can join something which feels a bit like Twitter, but it's completely federated. It's an open source bit of software, which we've downloaded.
It's fairly quiet at the moment, but if you want to join in, I'd be most grateful. Okay. Let's get into the content of the podcast today. Today, I'm chatting with Robert Abella. Robert is a security expert, as you're about to find out. And it's a really interesting episode because today we're not really talking about a particular WordPress product or a particular WordPress theme or plugin, anything like that.
We're talking about why do people hack things what's in it for them? Can you be paid to be an ethical hacker? Why would you do this all in the first place and what can you do to mitigate things? Where can you go to find out information to keep yourself protected? Feels like every single week, there is a new major security incident on the internet and lots and lots of them to do with WordPress. So Robert's here to give us a helping hand about how to make your websites more secure. And what are the motives of the people who are trying to hack us? Goodness only knows. I hope that you enjoy it. Hello there. Welcome once again to the WP Builds podcast. Nice for you to be with us today. I have a Robert Abela. Hello, Robert.
[00:03:16] Robert Abela: Hello, Nathan, thank You for having me.
[00:03:18] Nathan Wrigley: You are very welcome. This is actually the second time Robert has been on the WP Builds podcast. It was a very long time ago. I think prior to actually clicking record of did we decide it was about three years.
[00:03:30] Robert Abela: Yeah, I think it's about three or four years ago. Yeah. And we talked about logs.
[00:03:33] Nathan Wrigley: That's right. Yeah, because at that time we were talking about WP security audit log, and this time we're just going to have a much more narrative conversation. Very often we do end up talking about particular plugins and themes and so on. And this time. Talking about security, but in a very general look at security, really just touching on the subject of why people do it when, what you need to be mindful of.
And th the concerns, how they're changing over time and so on, probably in order to do that, Robert, it would be good for everybody to get some kind of understanding as to why you are somebody we should pay attention to. When we talk about internet security, Would you mind just giving us a little bit of background about your credentials and what it is that you do and how you're into internet security specifically around WordPress.
[00:04:21] Robert Abela: thanks. Yes. So basically I started 13, 14. I got my first PC previously. I had an army GABA. It was mostly for gaming, but I had my first PC. I had my first internet connection back with the elephant modems and Yeah. And to some group of friends I've learned a bit about, as I was studying before basic hacking, basically back then it was done via FTP SSH and stuff.
Like the find, finding default passwords and stuff. Anyway, I've always shown interest in computers. So my first. After I dropped out from school, I dropped out before a job basically was as a software tester and software security software company. I was there for eight years. A different number of roles.
I started as a software tester, then it was into R and D systems engineering. So I was more on always on technical side. Then I had another three jobs over the years. I was always worked with security companies, security software companies and my last two jobs were. With companies which develop vulnerability scanners on replication, secretary Skinner.
So basically as I was really exposed in web application security and stuff like that. And for the last six years now I've started my own business. Originally we start this kind of as a security consultant company and cleaning those websites as a part-time hobby, but slowly as we developed a number of plugins Basically we develop right now.
We are a few years later, we are a team of six people full-time and to develop six different plugins, secretary plugins, one thing I'd like to point out is like many people when they think of security, people like to think of an all-rounder plugin, like where you have a firewall and everything under the umbrella.
What we do is we do things a bit differently. We always have a number of plugins switch to something very specific, like an activist or plugin or to a fake black Knight Jetstar. Yeah. so I. Now a 40 years old. So I've been here, technically speak. I've been around 20 years working in the secret software industry and the last 10 years of them, it was mostly focused on application security.
[00:06:30] Nathan Wrigley: Yeah. Yeah. So there we go. If anybody knows what they're on about, it would appear that Robert is the person. So you're the man for this conversation. The question that I always want to get an answer to, and I never seen. To get an answer and, it's more of a conversation.
I'm sure you don't have the answer, but I'm really curious as to why anything like this actually ever happens. And if we think about let's say viruses in the real world, and by that, things that can make human being sick. We don't really have an answer to that either. It's just part of life.
People get viruses and they get sick and they get passed to one another. You can't really blame anybody. It's just nature. But with computers, it's entirely different. There are people to blame. This stuff does not happen by accident, unless I'm very much mistaken. Somebody has to sit down and endeavor to create a problem that the rest of us then suffer from.
So I'm just curious, what is the motivation for somebody to, to begin creating problems for the rest of us? Why on earth are people doing.
[00:07:36] Robert Abela: Very good question. And no one has the answer, but usually. Even based on my experience and the experience of people, I know it always starts as an adventure for fun. You're a teenager, you get your F your first PC or first computer, you got on the internet. And if you have, if you show interest in, especially in development and you like to understand how things work naturally you'd have to break things, so you end up. Once we're not even trying to hide, but trying to break things, maybe you finding us, read fives, get some script from the internet right around the chest, just out of curiosity. So usually that's how it starts. And from once you start diving deep into it, and if you start, for example, I don't know, achieving some targets, I don't know.
Maybe you'll break into a website or into a portal and stuff like that. It gives you that th that natural higher and it's nice. And some people find that interesting. Usually that's how it starts. It starts by out of curiosity and effect. And it starts out because people are curious and would like to learn more about systems.
In fact, most notorious hackers in Dwight. Usually they are very smart people. It's not that they are bad people, just that they're patient, but then of course, To waste where you can go either to white hat hacking, which is like the legal way where we see penetration tests, there's people who provide this as a service, like you're developing a software, we do it ourselves, for example, with our plugins and hire someone.
So there's parts of. Test the security of your plugins to make sure that the code is secure address or your website or your network that you're building. That's the white hat avenue kind of thing. And there's the black hat avenue which is more like the underground scene where.
Whatever you do not. Let me say whatever you do, but you mostly, you do it with the intention. It's mostly illegal. You don't most, probably most people don't even realize that they sometimes somethings may lead to big and grave things. But yet when you go down to the black health, the underdogs route, that's where you go.
Basically. The motivation typically is always money. It's always monastery. Let's say We're still young or I don't know. It's I know it's the stereotypical, but it's very common. You just, you're always at home, you're experimenting, you'll break a software, you break something and yeah. And you said something that you broke and or some data and to earn some money.
And that, of course you keep on doing it into again, doing.
it. Most comments, most common is. Which is data theft. This is most people know about data theft. When people think of hackers, they do it for data, they have to steal, you have an online shop, you have user data. So Yeah. Hechos will steal your, the credit cards you have on your storage Jethro.
And usually this data is either sold. Or you use it to learn more about your customer base. Now, the thing is this. Since it's most cases, it's about data theft and people think of credit cards and stuff. So many people would say like this, I just have, I don't know their website. My reference website is just about a club.
We have, when you finished wherever you are about old cars, for example or stuff like that. So who would want to hack our website? However, he has the motive. Susie are much more than that. So yes. Many people that think that their website, just because they don't have an e-commerce solution or they don't have customer data or stuff is not the target.
However, your website is always the target and the reason why it's always a target because.
It's as I said, it's always, the more, the reason is always monastery, but there many other kind of like sub reasons why people heck they heck for vandalism to the face of websites, for example, political reasons, especially during the elections, you see a lot in Africa country, like for example someone hacking or deface.
Yeah, the hacktivism, someone facing the website of a political opponent or someone they don't agree with and stuff like that. There's also corporate espionage. It happens a lot more than we think, especially with bigger companies companies hire other companies to hack for espionage to learn more about their competition.
And in fact, a bit of a an interesting fact. If let's say you, Y you found a vulnerability in a APUSH, which is one of the most popular web servers in the world. If you find the fine, but in a place, you have quite a few different things that you can do. So we can either report to a patch, disclose it to a patch, they issue a patch, and you issue a you issue the report about it.
Or you can actually sell that. You can actually sell that. Vulnerability you to send the information about the vulnerability and the biggest buyer of these vulnerabilities. Usually our governments government is by these vulnerabilities so they can actually run espionage campaigns against different countries, which is quite interesting.
[00:13:01] Nathan Wrigley: Yeah. So the there's sort of two branches to this, the, but the, on the blackout side your thoughts are that on the whole purpose is financial. Now I'm just curious if there's a, if there's an industry on the white hat side, I'm guessing that those kind of careers will come on. Salaries and those salaries will be dictated by what the market can demand.
And you'll, you'll work for a company probably you might even start your own company, but you'll work and you will achieve whatever salary it is that you can achieve. Presumably based upon how ex how long you've been doing it and your level of expertise and so on. But there's always going to be a ceiling on that, but I feel.
[00:13:45] Robert Abela: Feel
[00:13:46] Nathan Wrigley: On the black cat side, potentially the sky is the limit. You really could with a fair wind and the right set of colleagues and, the right things happening in the right order. You could potentially stumble across something where there is an almost limitless payoff because you've managed to figure out a vulnerability.
Oh, I don't know. Let's say in. Apple's iPhone, or as you said in Apache or something where the damage that you can cause is so great that you can achieve great financial reward as a result.
[00:14:21] Robert Abela: Yes, it is. I think w we see this also in in the physical world, like you can get a job, you can be an executive, however, Most probably being a drug Lord peace pays better. I it's the same way with black attacking. In fact when you look like. Because do we because of the things you can achieve with like a hacking, for example, as I was mentioning before, like why are the reasons people hack people heck even for example, to change our website, to promote their own products, people heck to embed.
Lynx had the links for a seal. You don't have to have organic search of another website, people hack to redirect the traffic have an online store, for example, to their store or to someone's store, to distribute fights illegal fight, distribute, moderate, or illegal content.
And unfortunately, Some companies, the companies, of course, but we know how much companies let, just companies pay for a seal, how many people do you employ in your marketing team? To make sure like you are always on, on the first page, on Google, but yeah, you can either go that route or you can either go to the other room.
Indirectly like higher D black people from the black market. And Yeah.
and instead of doing the actual work, which is usually works th the results are the ROI. There's an investment. The return of investment is much quicker, but it's it's not long term. So you can actually hire companies underground that can hack other websites to embed links in them.
That's point to your website and Yeah.
You gain that organic reach basically. And it seems some people some companies are willing to pay much more because of course you need that instant. Like for example, we don't let's look at The, CEO as CEO. Everyone tells you that it's not something it's not a sprint.
It's a marathon. You don't, you start writing content. And slowly, if you write good content slowly, you start getting the drinking, You have to spend, I don't know. Let's say if you have a budget, but you have to spend X amount of dollars and wait at least to start seeing some benefits from it.
You need to wait 6, 8, 10 months. It depends how fast you go. But yeah, there's this longevity. However, if you've got, if you have a budget, I don't know. $10,000 and you can say, okay let's hire this underground company. They heck X amount of websites because most probably they already have a portfolio of factory websites, and yeah, they inject links there. They, they embed hidden links in these websites and yeah, within a week or two, we already have a big number. Of links pointing to your website now? Yeah. Some people might have. Yeah. But when you do it legitimately SEO, it's longterm. It will assignment years time when you do it via the illegal way.
Where do you embed links on websites? It's only working for four or five, six months, whatever, until Google finds out and they stop it. It's true. But maybe in those six months, I, and let's not forget that. It's us human nature's let's meet everyone human nature. We are agreed. So within those six months, most probably would have done much more money than indeed three, four or five guys who are working to achieve the same goal, it's always revolves around the money. And as long as people are, or businesses are willing to pay and fuel the fuel the underground industry, the under the counter industry will continue. And th they exist in fact because companies, and unfortunately, in some cases, although it's not clear, it's very even government sometimes or let's say more official agencies pay them.
They will continue to drive.
[00:18:20] Nathan Wrigley: The I'm curious as to know. Anything on a computer could actually ever be worth money. So F so for example, I can imagine if, if I, if somebody stole a Bitcoin wallet off a computer, okay. I can get that. There's actual value in having those bits taken from your computer. Taken to another computer and then somebody empties your Bitcoin wallet.
I could also imagine that if somebody were to, interceptor banking session or something like that, they could get at your bank account and so on and so forth. But in all of the other cases, the cases where I don't know the they're implanting things onto your computer or putting something on your server, how.
How does it actually end up getting money in their back pocket? Is it literally that the, like the criminal enterprises, or as you said, in some cases it may be it may be nation states that are promoting this kind of thing. Are they literally paying for these people to sit there almost like it's a job, are there instances where there are black cat people sitting in offices with computers and, travel expenses and all of this kind of stuff out of what's going on?
[00:19:33] Robert Abela: Yes. Th there's always value, first of all. When people heck and that's why I said every website is thought good, because some people would say, oh, my website is about some old cars. cars club in my town is interested in that, They might not be interested in your website, but they are interested in the fact that there is an online storage.
There is a server that they can control there's bandwidth, which is expensive. And there's a hope. For example, if I wanted to hack a website myself, I'm not going to get from my own home computer. Okay. And I'm not most probably I'll go and find a wifi, something, a public wifi somewhere. I'll have.
I use, of course StoreNet records, stuff like that. I heck another computer someone's his computer or someone's at server and use that as a stepping stone. So I launched the attack from this computer, not from my computer. So you like building layers before you actually attack the target.
So even just different that, that. Has a head computer in their control or a hacked server. That's already a value, maybe not direct that Darren done, but if someone then pays I'm listen, to An SEO campaign to embed some links, you can use this computer to check another website, or maybe that, that Hecht website that you already has that you already have.
Maybe you can embed links in that one, so it's not always direct one, two for you, but yes a Hecht website or a server or Hecht computer. Can be used either as a stepping stone to hack something else or to hide yourself behind it. Another common reason why servers are Hecht to store and distributed legal content, like correct software recording movies, unfortunate.
It's very common. With child pornography, no one wants to get caught with child pornography in their computer. So what they do you, you hack a computer, hack, another computer, and then you start fights there. And if someone wants those fights, you link to this computer. In fact, it's not the first time.
If you ever tried to, even for experimentation, if you are trying to download some sort of an illegal move yourself. Typically like 910 links. You click apart from being infected, switch moderators nine, nine of the 10 links that you click on. They don't even work because most of it was the hex websites, which now has been restored.
So that link is no longer working or this computer has been taken offline or stuff like that. Yeah. So when the heck. Unless, if you have data, which you can sell, like credit card numbers, for example, or customer data, like national insurance numbers and the stuff, social security numbers, and the stuff that is that has a direct monthly value, you can sell that.
But yeah, in most cases Yeah, you just have a property to work with. You're just like building your repertoire to work with, or you have to embed links on them or I'd have to use them as a stepping stone. Very common, for example for a DDoS attack for distributed denial of service.
And in most cases the person or the group who's launching the needles, they don't have millions of computers themselves. They just have. And again, but going a bit backwards. That's why there is spam and viruses and malware. If you had to build, let's say a network for to launch DDoS attacks, you start by sending emails to, to.
Too long, contacting these emails with smallwares and stuff, which usually have begged doors or some sort of backdoor, which you can control. And two, I clicked on that link run some executability. So all of a sudden, let's say you sent, I don't know, 20 million emails, let's say experts in each of them clicked on them.
All of a sudden you have 500,000 machines under your control. So just that technical thing. If they installed that model, where, or that backdoor that you wanted them to install by clicking on that link of data, it's a bank account or something or a lottery, or they won the lottery. And all of a sudden you have 500,000 computers in your department apart.
So if you wants to launch a DDoS attack against someone just at the click of a button, those computers, if they are switched on. Launched the attack. And of course that's how we start building, and you can, and usually, especially when it comes to modern viruses nowadays, it's not just distributing it via email, most viruses like Yeah.
they just propagate themselves automatically.
So if it's a one computer, it automatically transmits itself to what the computers on the network that can reach and keeps on propagating, propagates, propagating. So within FUD, What a few weeks, we're going to have a large network of computers. In fact, it is mentioned, we're talking about it before we started recording and the Lazarus heist, the BBC podcasts, where it talks about these things like how this whole virus in question grew, how they managed to grow whole virus and have X amount of computers at their control.
[00:24:43] Nathan Wrigley: Yeah. W the stories on that podcast, the Lazarus, I start quite odd. I will make sure I link to it in the show notes. It is quite an extraordinary presumably right? At the far end of the spectrum of the kind of things that are going on. This is a hack that was just breathtaking in its scale, and it has all the hallmarks of being done by.
Nation states with very deep pockets and a great deal of time and intent. But the, on the sort of the Seesaw, the balance of, on the one hand, we've got the people who are trying to break things. And on the other side, we've got the people who are trying to figure out how they're breaking things.
Do you have a sense of. Who's winning. It just feels almost like a jousting match. The presumably the white hack people are constantly reacting, not only trying to find fault themselves, trying to find things that are broken and then tell the software vendors about this, on that other thing and get it fixed before anybody else finds out about it.
But they must also be in a constant cat and mouse game with the black cat people who ingeniously figure something out that nobody had ever seen before. And I just wondered if you had a second. If you had to who's in the lead, who's winning the good guys or the bad.
[00:25:59] Robert Abela: I agree completely with what everything you say. It is a cat and mouse game that's for sure. And it seems since the internet started. Yeah.
I mean like the bad guys are running and there are a number of reasons why, first of all There isn't always, unless a person is creative and unless the person, maybe I use it on grades, but unless a person likes to break things, you wouldn't find a fault in something you like.
For example, I don't know. If you buy alarm an alarm at your house and you don't like, you're not, you don't like to just try it, let them start this, let them try this. Let me see if it breaks up with different, whatever I'm going to, people don't do that. It's just an issue of course. Cause you have your life, you have your job.
You're busy, like most people do. Most, probably most people leave. Don't have that curiosity, but nowadays, everyone, you have something to do. Even if you're young, you have to go to school, you have to do this. Everyone has their own errands to run. So Yeah. So if you're not trying to break the system, you will never find issues.
And when you are developing a system, I look at even our steps, like we, we have as a company, we have secretary background we develop secretary plugins and what we sit higher tariffs, party, people to. Check our code. Why? Because first of all, you are seeing your code everyday, and I'm sure everyone can relate to this.
Even when you write an article, when you write an article yourself, you can read the 10, 20 times when someone has reads it, they're going, oh, there's this mistake, because you'd be of like, oh, how come I didn't see that. Even something simple. It's normal. So when you are developing something software it's normal.
That's okay. Sometimes you forget about something or it's just, like you're seeing it everyday. So we don't even, it doesn't even collect that you should do a, B or C, and of course there are the best practices that every developer ideally should follow, but it doesn't happen. It doesn't happen naturally.
you just, and most people, when they build software, it's natural. You build the target. Is the functionality not how secure it is. Let's say you have the functionality first and then. Sometimes, unfortunately I've seen it happening with any type of stuff, not just in my purse, by the way, it happens all over the industry, the software industry you develop something, then someone finds a vulnerable in your software and that's usually that's a wake up call and you start, okay.
We should invest a bit more in security trainer with our developers, maybe hire a third party to analyze our code, check our code, and stuff like that. And you also have the F so this is one of the main reasons. So it's not, especially if you are a startup. The last thing you already struggling financially and not just financial in terms of resources, time and everything.
And you just want to put the product out there. I'm not saying people neglect things because they don't especially startup you make sure you pay attention to, for either by the first of all, not everyone is exposed to security. So I'm with everyone. Knows what is possible or not in terms of hacking.
So of course, if you cannot imagine what the heck I might do, you're not going to protect against it. In fact, some of the best developers they with especially security, it's like some of the best penetration testers had hacking experience themselves. Because daily.
Pen testing via courses, just because they were even younger breaking things and then they naturally grew into pen testing. So Yeah. so th that's one of the, one of the biggest problems, but you also have as well Heckers in general. If you are paid to do these things, of course, you're going to have more.
On your hands to break the thing rather than to be. So of course, while you are as a startup, struggling to build something and focusing mostly on functionality, there is someone who just earned, I don't know, X amount of dollars and he's comfortable. He, his job is purely to break down what you are building.
So of course unfortunately he might have the leading hand when it comes to security. And also let's not forget, like Heckers in general. I forgot who it was, but. If I find it, I send it to you. Maybe we can edit in the show notes. There was a Ted talk by someone, somebody say our chair and he was he brought up this argument that.
Governments, shouldn't put Heckers in jail because that's a waste of talent because actually the hackers are very smart. Some of them are smart people, we should use them to our advantage to help us like case in point, Kevin Mitnick. I don't know if you've heard, but he's one of the first, most popularized Hecker who was like a black hat hacker.
Who was arrested that cheddar and now has his own secretary from because Yeah. these people actually are very smart people. And so if you are very smart, you have enough money or enough resources let's say to, if you don't need a job, then of course, and you like to break things, why someone is strikes, so build a product, you are just sitting there waiting for him to build it.
So then you can break It because of the dynamics, how things are you will unfortunately, the bad guy or the, this way, the person who is task whose task is to find security issues. It seems they will always have the apprehend
[00:31:20] Nathan Wrigley: Yeah. Yeah. It seems like where we've got this new industry developing as well. Where on the one hand, you've got the black hat hackers who are everything's underground and you're in trouble with. Anything that you've been doing has, is discovered on the flip side, the opposite end of the spectrum.
You've got people who are doing white hat hacking, and they're doing it simply for the good of humanity. And as soon as they discover something, they turn it over to the vendor of the software and give them a decent amount of time to. To fix their software and amend it and patch it up. And what have you, and then in the middle somewhere, what I'm going to call gray, I think probably that's the right term gray hackers this new industry of people who are hacking in order to sell the exploits to, for example, companies like Zuora, rhodium, who, if you can hack a hack, an iPhone with no user interactions, My understanding is, you could almost retire of the, off the strength of that.
And so we've got this curious gray area where people are trying to figure out in advance, what problems are there are, and hack things, but they're not necessarily going out and perpetrating mischief for themselves. Selling it to the highest bidder. And at that point they don't care what those people are doing.
And those people presumably have quite a lot of money. And I know that companies like rhodium go out of their way to explain we only sell our software to this person, and this person. And we definitely don't sell to this government or these people over here, but who knows where it all ends up.
[00:32:59] Robert Abela: Yeah. In all fairness, especially right now, I'm sure all over the world, there's this hot topic, like the COVID government's trust and all this stuff. question is like, why would the government need and exploit need to find me, let's say. Yeah, as you said first of all, you, if you ever find an issue, a vulnerability, which gives you access to an iPhone without user interaction, I'm pretty sure you can retire
[00:33:26] Nathan Wrigley: Good,
[00:33:27] Robert Abela: sure. Exactly. Yeah.
But yeah, if you do, and if the government buys it, why are they buying it? Th the question is always this. It's not that there's no trust in the government. The question is always this even this is a common question as well, with surveillance. It's like surveillance.
Is good in an ideal world where everyone respects the rules and everyone does what they do. So our variance is good. However, all you need is one person. And that group assigned, for example, to monitor this data, to leak that data. And then it all goes bad, so yeah, yeah, there are companies like who are blank in a way. you don't want to blame the hackers, that's it like if you are.
I agree. It has already been quite frankly, the Whitehead and extra days gray has been, you find a vulnerability. You have to watch it. So you either report it. To that vendor, maybe you get, I dunno, a few dollars. It depends, of course how good the vulnerability is. Like how what's its impact can be, once exploited by, let's say we'll find a good one.
You can either report it, let's say to the vendor and you get a t-shirt and maybe a few thousand dollars. And, you said it as you said, like to a company and Yeah.
maybe you get a good amount of money. Yeah.
I think it's a difficult job. I think it's really the it's really depends on on your position because in all fairness, broke, and you need the money and your phone something, then most probably you will be leaning towards sending gets.
I just. Even if you sell it to these company or even if you, if, even if it's not even, let's say it's an underground company, I don't know it's an underground market. And I think it's difficult to imagine how this front about you are selling how bad this can be used, because if you start to someone is I think mentally you feel like, okay, that's off my shoulders responsibility.
I sold it. I've done my job. It's, someone's that's problem kind of thing, so probably. Unfortunately, it's very normal. Even in the physical world, the black market always pays better than the, as we were saying before, always pays better than the legitimate market. So I think a bit of ethical question.
I don't think it, it also depends on your position, if you are already comfortable, most probably. And you're typically, I don't know. And I think the person you'd like to just try things most sort of you set it to the right person, but Yeah, if you're, like it's.
broke or stuff like that most from you would be leaning towards sending it the other part,
you know, I think if you are interested in this.
[00:36:13] Nathan Wrigley: Albeit I think it would take a long time to get there. There is a career to be had in white hat hacking. And what I mean by that is you can go to these. I don't know if they've resurrected after COVID, things like poem to own where you can show up and they will basically put you in a contest and in this contest, they will.
Give you the some hardware and some software. And if you can achieve a certain milestone with, let's say you can escape the Chrome sandbox or something like that, you might achieve a certain amount, but if you can, I don't know, get into become route on Macko S or something like that. You'll obviously achieve a greater amount and it's quite extraordinary.
Some of the. Teams. And it seems to be teams, not individuals that, that go in and, a week later when the conference is over, they come out and they've made millions. It's extraordinary.
[00:37:09] Robert Abela: Yes. And it's not even if you go there are quite a few conferences like this, for example, even to go to black hat and black hat is very normal that you see like the, what you call the zero day exploits, where people. Demonstrate something that's not yet known to the public a few years ago, there was someone who had managed to hack an ATM, and just withdrew any amount of money he wanted to. Yeah.
exactly. Yeah. And yeah, basically. Yeah, it is a lucrative market. And however, even though I said We've said before, like usually the black market pays better than the legitimate market it seems. We are warming up to the idea that, listen, we need to pay these people.
Like if we want them to be on the good side and want them to help us really to pay these people, like if the black market is paying them $10, we cannot pay them $2 forever and we have to pay them $10, yeah. One might say, yeah, but it's not ethical to get under ours and sell it to the bathroom.
Like unfortunately money talks and most of the time. Yeah. there are, there are definitely a lot of platforms nowadays, a lot of conferences and a lot of even online sites and online courses and online setups where you can train and where it slowly. Like when I come, when I compare what I see today compared to 15, 20 years ago yes slowly, we are there's way more awareness.
There are way more platforms and very more opportunities for Heckers. By the way, when we say Hecker is not a bad thing, hacker is a hacker is just someone who likes to break things, so there are minimal opportunities good opportunities and we're paving the way to help them okay.
Stick to the kind of like good side, because listen, they pay as well.
[00:38:59] Nathan Wrigley: Yeah. If you're into all this stuff and you find yourself tinkering and you are sitting in the middle of the Seesaw thinking go left or go,
[00:39:07] Robert Abela: exactly.
[00:39:07] Nathan Wrigley: which
[00:39:07] Robert Abela: Yeah.
[00:39:07] Nathan Wrigley: there, there is increasingly a road to making a career out of it. And I suppose. Even if you don't make so much money, at least you won't live your life in fear of the law, knocking on your door and asking some questions, which you might not really have answers to.
So there's that as well, just flipping the switch of it, changing the direction a little bit. We're obviously a WordPress based podcast and WordPress is software. It sits on. Other software and they in turn, sit on computers, which sitting on the public internet and it's it really is a recipe for things to go wrong if you think of it.
What is it, how should a typical normal WordPress user? So let's say somebody who is when I say using WordPress, more the audience. Podcasts there's people who are either implementers of WordPress or they are building WordPress websites. So they've got an agency or something like that.
Where do you see the balance of being neurotic and being super protective and trying to install every conceivable way of preventing bad things happening and the opposite, doing nothing at all. And just hoping to God that nothing untoward happens. What do you see in. Towards the end of 2021 as a good position to, to be in what kind of things would you be implementing for a WordPress website?
[00:40:33] Robert Abela: Uh, First of all, where it extent. I see a mix of both. I see a mix of. Listen, I've installed through firewalls. How come I have to this text? First of all, it's telling 1 45 was moved to make a big difference. I'm like stick to one tooth, the first one that's enough, and yeah, there are people who don't do anything. Myself personally I think w what's one can like. Ahead of 90% of the people out there is, first of all, don't get me wrong. I, the plugins are good and are useful. Quite frankly, we developed some of our steps. However, I think when you look at why websites are, heck, so for example, I was looking for some numbers before this podcast.
Cause like just out of curiosity, I've seen some statistics from example from Forbes or . So there are at least 30 K websites hacked every day. Yeah, like reports from school from 2019, found that 47% of factor websites have begged to have a backdoor, which means that once this website is fixed, death can be hacked again very easily.
Did the heck I was the munchies Hecker will still retain access to that website. But when you look at regardless of how websites are hacked and regardless why websites are hacked the biggest the biggest problem I think is always this it's use our problems as in yes, one can say that.
reference has an emoticon release. Yes. But quite frankly, if you keep everything up to date you're already out of the curve. If you do the most basic tasks, like if you use a good solid password, if you have if you use HTTPS, at least for the admin area, when you're logging in if you.
If you don't use public wifi, or cannot do any, and at least make sure you have a pen if you use a strong password, if you use athletes, I don't know what to FFA. Don't check credentials, keep yourself up-to-date. If you start with debt especially the four D. Smaller websites.
Let's say if you don't, if you're an eCommerce store, if your website is growing, you have doesn't then of course you have, you should invest it with insecurity. And especially if you have a team working together on the same website, Def that's where secrets balance can come in, but if you have a small website if you take care of the basic user best practices, as I said, strong password use HTTPS, and don't share your password.
Don't use wifi even on your computer, because as we're saying, your computer can be used. As a stepping stone. So yes, you can have the most secure website. You're going to have any type of security plugin installed. But if you have, if you are, your computer is Hecht and I don't know if there's a back door that you have a key logger or whatever, and your everyday SSH or accessing your website YVP or accessing some files, it's your computer can be used as a stepping stone take care of websites.
It's about. Best practices, your strong passwords to make sure your software is up to date, not just your website, even your computer make sure, don't click on suspicious links or if you are suspicious check or for example if you're not sure why one simple trick, for example, some people say, oh, the may looked legitimate.
I didn't know if it was exactly from Royal bank or if you just Google at least from home the minute. Like a phishing email, like from HSPC for God or some bank, if it's, if you search the title of the president who signed the team, and if it's efficient most where you will find some information about what's on Google, be other people reporting it as a phishing email, so if you're not sure, but they're not click. If you're not, if you're not sure of a demon is from your bank or whatever, or from whoever it is called the organization listen, I got this email, is it yours or is it legitimate Arnold? So if you start with the best practice. You will, you can be out of the curve because we're pressed by default.
And most of the plugins you use and of plugins, the plugins you normally use, if you keep them up-to-date they would be fine. If there will be a security issue and if the vendor then of course, what plugins Do you use if the vendor. No software is a hundred percent secure, no software and direct every software.
Somehow, if there's enough time for people, they will find issues in them. So what's materials is this. When you choose a plugin, for example, make sure that if if we're choosing a plugin, if this plugin had secretary shoes in the past, there's nothing wrong with that. Every secretary every software will have vulnerabilities.
What matters is this? That if, when the vulnerability was reported, divider risks, You're not responded and they fixed it and they shoot a pitch. That's fine. There's probably a mismatch. Of course there were security issues reported and the vendor never reacted that I wouldn't use that pocket, but as long as you keep yourself up to date and be careful what software to use and double check things, or to click use a strong password, you'd be you do your website would do very well.
[00:45:36] Nathan Wrigley: Do you know, in terms of, again, WordPress, freelancers or implementers or people who are just building out websites. Do you know if, let's say, for example, I've built a website for a company, a local company, and I've deployed it to them and maybe I've taken on the job of hosting things and so on. A few weeks later, a few weeks after we've handed over and the money's been put into my bank account, their website is hacked and we don't quite know how that's happened, but it has happened.
There's clearly something wrong. The images have been swapped and there's texts that shouldn't be there. So something's up. Do you know. Are there any laws international or otherwise it may be completely unique in each individual country governing liability for this kind of thing, does anybody ultimately, does the buck stop with anybody or does that work? Obviously. I'm talking in a situation where a client isn't on any kind of retainer with you. They're not on some kind of maintenance plan where you promise to keep things up to date. It does. Does a client ever have any comeback and saying hang on a minute, you provided me with this thing, this product it's been broken.
[00:46:49] Robert Abela: I'm not a lawyer, but as far as I know, there are no laws. I know there have been talks, some governments about trying to better understand the dynamics of how these things work, but there are no rules. What I know is nowadays there are. Insurances for both vendors and the end user, as in like if, as you said, if you are an agency, there's insurances for agencies.
So just in case the, there's also insurances for secretary. So you don't like it. You can say, listen I tested your website and it's, according to me, as of today, it's a hundred percent secure and are the supplement insurances, but I don't think legally there is anything yet any framework for these type of things.
And in a way it's very difficult because. As first of all security is not something that kind of it's not a one time fix, so even if I gave you the website today, and let's say I'm the best secretary expert in the world, and I can confirm that your website is a hundred percent secure, but I can confirm that today it is a hundred percent security tomorrow.
Things might change.
[00:48:00] Nathan Wrigley: Yeah,
[00:48:01] Robert Abela: There's a then of course, on top of that, there's the other factor I gave you the website and you started using.
[00:48:06] Nathan Wrigley: that's
[00:48:06] Robert Abela: Like I do. I know if you gave your
or you sent it to some, I don't know, so I think it's a very, it's a very, it's a very difficult situation.
[00:48:21] Nathan Wrigley: Often make the analogy that it's a bit, like if you purchase a car from a garage, you can't really go back to the garage and say, look, you sold me this car. And somebody crashed into me. I'd really like you to repair my car. It's going well in a sense. Yeah. That would be lovely if we could do that, but we didn't actually have anything to do with the car getting crushed into.
Did you take out any insurance? No, I didn't. I'm afraid. There you go. So it feels like the insurance route is good. However, this links nicely to. T something that you guys actually do, which is your, your logging software, which will actually provide you a trail of evidence to see if actually the responsibility does lie with the client.
And I'm guessing that's something that you are, that you would advocate is stick something in there, which has got comprehensive logs to figure out and be able to rewind the history of the whole website and see where things began to go.
[00:49:20] Robert Abela: Yeah. In fairness, yeah. That's one of the most common questions we get in support and the reason like, sorry I hired this developer or I hired X or Y And yeah. He or she, or whatever they did again, X or Y, but we don't know who or whatever. So yes, logs are definitely one of the kinds of.
Holy grays for security. It's something where yeah. That's will help you a lot. Definitely that
[00:49:45] Nathan Wrigley: These days, and with plugins like yours, you literally. Log more or less everything that could ever be of importance. And have, whilst it might take you a while to sift through those logs and figure out who did what and when and where that could potentially save you.
[00:50:03] Robert Abela: Yes. In fact, one thing we always also recommend, by the way, when you talk about clocks there's for example, it's something like our plugin WP activity, which keeps a log of what's happening on repres over WordPress. It's important to keep in mind. WordPress is also running on a web server, and there's also where there's also
[00:50:20] Nathan Wrigley: Yeah.
[00:50:22] Robert Abela: Basis. So when you, when we talk about with blogs, you should take a holistic approach. And if something really happens something a little bit you can find, you can use the WP activity logs for what happened to the reference. However you should, if let's say your website was hacked and used as edit the gated server, you should also look at the, you should also look at the web server logs.
You should also look at the database, several logs. If you have other services, I don't know, like SSH SFTP and stuff. You should look at all the logs and try to build that. I tried to understand what happened. But yes, logs as they're like insurance.
[00:50:59] Nathan Wrigley: Yeah. Yeah.
[00:51:00] Robert Abela: Nobody likes them, but when you need them, you want them to be there.
[00:51:04] Nathan Wrigley: Yeah. It's like insurance is just one of those things. I'll tell you a true story. This is absolutely true. I've been with there's this motoring organization in the UK called the AA and the AA will come. If your car breaks down, they will come to the roadside within an hour or so. No matter where you are in the country and they'll base, basically fix your car.
I've been subscribing to the AA. Pretty close to 15 years I've never ever used them. Not one time. Did I phoned them up to say, I'm stuck, I've got a crisis. And I stopped using them. And exactly 12 days later, my car broke down.
[00:51:43] Robert Abela: Yeah. These things happen even with the insurances.
[00:51:45] Nathan Wrigley: ridiculous though. Mean you couldn't make it up. I remember just thinking, oh my car's fine.
There's no problem. And then the handbrake cable snapped and I was stuck. Like I couldn't get my car to come out of having the breakout. I just thought, do you know what? That it's costing me so much more than it would have done? Probably for four years worth of subscription to the AAC. I totally get the analogy.
Do you guys on the suite of plugins that you offer, which we'll link to in the show notes, by the way do you offer remediation services? Do you offer any sort of, okay, it's all gone wrong. The proverbial has hit the fan. Do you offer okay, we'll fix it for you, or is that out of your remit?
[00:52:26] Robert Abela: No, No out of order. We just develop and sell the plugins out. Having said that, if someone. As everyone knows. Every reference website is different because of the number of plugins and themes that you are using. Every website is different than the other. So you and you don't depends where it's hosted.
Depends what users. And that's why I said like you from, if it was purely. Yeah, approximately, I don't know a heck in WordPress itself, you can find out roughly from our plugin water, from the logs of our plugin, what happened? However, it was something good. I don't know. Maybe it was the upset. Wasn't a shared hosting.
Someone hacked another website, they got a privilege escalation and they have to do it is very difficult. You need to take a look at all the logs. However, if usually it's not the first time someone sends out a question like, listen, we're going to have your plugin. This has happened. Can you please tell us, we usually we do, it gives that, okay.
Check if you're seeing these types of events, or check if you're seeing these types of activity. So we do give points, but we do not because as I said It's a simple system, but when you look at it, technically it can be a very complex system because there are many, it runs on a number of components.
So you need to, when something is Hecht Yeah.
you need to find out exactly what happened in Fromer and it's quite frankly, some, most of the time it happens in WordPress, Quite often as well. It happens, I don't know, from upset or from another service that this tournament north saver or from a website, which is running on the same upset rate as yours.
So it's very difficult. And by the app, if someone else's, of course we're more than happy. We don't do the service ourselves, but if someone else listen, this happened, or listen, I'm suspecting this watch. I look for then of course. We give, we do give general tips and instructions like, okay, you should be looking for this or this, or you should expect that you are expected to see these type of locks and development and the activity log.
[00:54:22] Nathan Wrigley: If somebody has, cause we are closing in, on our allotted time here, the if somebody's interest has been paid. We've been talking about, you're just curious about how internet security works and why people are hacking things and how those things can be mitigated against them.
What kind of solutions you might want to implement in your own business to protect your clients as well as you, what were, what are your favorite resources online? Feel free to mention any of your own, if you've got your own blog that you want to talk about, but also any good resources that you find yourself frequently looking at that we can write down in our show.
[00:54:58] Robert Abela: Yeah. Of course we have our own blog and the reason why I mention our own blog, because are. Especially the last year or so we invest a lot in content, but we are writing a lot generic tips like security websites, security website, administration, website, and user management, like even for example, we even have posts about DNS, or about how to manage, use our houses to this.
Honestly like UNC of course. There will be our plugins, a shout out to our plugins on some posts, but we, when we are writing, we are purely like, we want this block to be an educational block. So we have our block, which is WP white, tummy.com. There are quite a few blogs, which are interesting and there were press there is this a quarter block was always interesting.
They have the normal articles, but they also have, if you are interested in more in the technical aspects how. A particular malware works or what happened at how the tech works? The squirrel blocks. Usually when they find a new headquarter, something they write about in technical detail. That is very interesting.
So you'd like to start learning a bit more about WordPress security is definitely a place you should keep an eye on. There is of course the WP scan.com website from Ryan new Hearst. They, apart from having the database of vulnerabilities, they do pose the occasional, like blog posts about these things as well, about what security, best practices and techs.
There's also pitch sec pristiq.com, which used to be just to be another security competencies. Yeah. Buy box. Yeah. They do also have. Some interesting on the technical side content as well. So th there are quite a few, actually, I don't have any particular favorite one. I just I follow quite a good number and I just sift through my mailbox.
In fact, to be honest I just subscribed mostly to, to be able to send, to receive an email when there are new blog posts. And then of course I just sifted through my mailbox and see what is interesting. But yeah, to me, those are like the top four in the industry.
[00:57:05] Nathan Wrigley: Okay that's really helpful. Thank you. And if people off the back of this podcast wanted to make contact with you personally, or indeed just reach out and look at your website. What's the best domain, Twitter handle, email address, whichever way you want to get people speaking to you, what works for you?
[00:57:22] Robert Abela: Yeah, their website is WP white security.com one word and yeah, two thirties Robert, and send him I'll bet. S a B E L they can. Yeah, they can always do them.
[00:57:34] Nathan Wrigley: So R O B E R T A B E L A. Is your at sign Twitter? Okay. That's been really fascinating. I honestly, I reckon I've probably gone through about a half of what I wanted to ask, but time has got the better of us. Maybe there's a. Maybe there's another episode in us in a few more years time, but for now, Robert really appreciate you talking to us today.
Hopefully that's been of interest and a, an educational to the listeners. I really appreciate you chatting to us.
[00:58:02] Robert Abela: Thank you. very much, Nathan. I really enjoyed it And yeah let's schedule another one, hopefully sometime next year.
[00:58:07] Nathan Wrigley: Thank you.
[00:58:09] Robert Abela: Thanks.
[00:58:09] Nathan Wrigley: Well, I hope that you enjoyed that. Very nice to chat with Robert Abella today. All about WordPress security and security more generally, if you have anything to add to that, any commentary, please head over to WP Builds.com and find the episode it's number 266. And give us a comment there. Alternatively, head over to our Facebook group.
WP Builds.com forward slash Facebook. And again, search for episode 266. And we'd love to hear your thoughts. We'll be back next Thursday when we'll be doing another podcast episode only that will be a conversation between David Walmsley and myself in our WordPress business bootcamp series. In a couple of weeks, we'll have another interview and don't forget every Monday, 2:00 PM. UK time. WP Builds.com forward slash live for our this weekend WordPress show.
Okay. That's it for this week, I'm going to fade in some cheesy music and say, Bye-bye for now.