403 – Feeling Insecure? with Tim Nash. Episode 2 – Risks and Regulations

Interview with Tim Nash and Nathan Wrigley.

Today we have an exciting and essential conversation for all WordPress enthusiasts and developers. In this episode, titled “Feeling Insecure? Risks and Regulations”, I’m joined by Sir Tim Nash to chat about the crucial topic of WordPress security. It’s the second episode of our new show, which will be dropping about once every quarter. Thanks Tim!

WP Builds is brought to you by GoDaddy Pro.

The home of Managed WordPress hosting that includes free domain, SSL, and 24/7 support. Bundle that with the Hub by GoDaddy Pro to unlock more free benefits to manage multiple sites in one place, invoice clients, and get 30% off new purchases! Find out more at go.me/wpbuilds.

We start by discussing the growing security risks associated with plugins, and how compromised plugins and libraries pose significant threats, much as other ecosystems such as Linux and NPM are facing.

Tim talks about the newly introduced UK Cybersecurity and Resilience Bill, and its implications for developers maintaining websites, themes, or plugins, particularly those interacting with UK and EU markets.

We move on to the responsibilities that come with this bill, including vulnerability testing and reporting obligations, and draw parallels with the EU Cyber Resilience Act. Tim also shares some practical advice on cybersecurity measures like two-factor authentication and the importance of keeping your antivirus software up to date.

Towards the end we get into a recent incident affecting 390,000 WordPress accounts and explore how malware can exploit active user credentials to mine cryptocurrencies, among other malicious activities.


WP Builds Black Friday Deals Page

Additionally, we mention the communication gaps within the WordPress plugin ecosystem and discuss potential strategies for better notification systems to keep users informed of plugin changes.

From securing your devices to balancing usability with top-notch security, it all gets covered. So, get out your tin foil hats, sit back, un-relax, and let’s allow Tim the chance to scare us all silly.

Tim’s notes for this podcast:

Starting off:

We talk about the different ways your user account can be compromised, such as credentials stolen in dumps, and session hijacking. We highlight malware, especially malware around the browser, which can be devastating. Follow these links for more:

390,000 WordPress accounts stolen from hackers in supply chain attack

Thousands of GitHub repositories deliver fake PoC exploits with malware

See more on Tim’s website:

When Memes Go Bad

We then move onto:

4,000,000 WordPress Sites Using Really Simple Security Free and Pro Versions Affected by Critical Authentication Bypass Vulnerability

Tim wanted to use this to segue a little into the pros and cons of security plugins generally, and whether you need a security plugin at all:

  • What are security plugins?
  • Is a “one security plugin to rule them all” approach good?
  • What role does hosting have to play?

Towards the end we get to another of Tim’s articles:

What the ‘eck is the UK’s Cyber Security and Resilience Bill?

We covered the EU Cyber Resilience Act in the previous episode, but really just wanted to highlight it for UK folk.


Discover more from WP Builds

Subscribe to get the latest posts sent to your email.


Transcript (if available)

These transcripts are created using software, so apologies if there are errors in them.


[00:00:00] Nathan Wrigley: Hello there and welcome once again to the WP Builds podcast, you've reached episode number 403, entitled Feeling Insecure? with Tim Nash, Episode 2, Risks and Regulations. It was published on Thursday, the 19th of December, 2024.

My name's Nathan Wrigley and a few bits of housekeeping just before we begin the podcast and get onto the chat with Tim.

The first thing to say is that we are having a bit of a holiday at WP Builds. Hopefully if that's your thing, you are as well. We're going to take two weeks off. We call that a fortnight in the UK. It's two weeks off, which means that we're going to be having the next episode of the podcast on the 9th of January. That's Thursday, the 9th of January.

The This Week in WordPress show is also taking a bit of a hiatus just because of the holiday, and that will also be back in January as well. Keep your eyes on the WP Builds Bluesky account, Mastodon. You could also keep an eye on our YouTube account and possibly our X account as well. You can find all of the details about that over at our page, WP Builds.com forward slash subscribe.

Something else to mention is that we still have a Black Friday page. There is a dwindling, but still present number of deals. You never know, you might find just the thing that you're after. WP Builds.com forward slash black to find out more.

And the last thing to mention before the podcast is WP Builds.com forward slash advertise. If you have a product or service in the WordPress space, and would like to get it in front of a WordPress specific audience, we definitely have that as voted in a recent award ceremony. We came out as the number one podcast in the WordPress space, and I'd like to thank everybody who voted for us. Really deeply appreciated. Once more WP Builds.com forward slash advertise. If you would like to have your product or service in front of that audience. A bit like these three fine companies.

The WP Builds podcast is brought to you today by GoDaddy Pro. GoDaddy Pro the home of managed WordPress hosting that includes free domain, SSL, and 24/7 support. Bundle that with The Hub by GoDaddy Pro to unlock more free benefits to manage multiple sites in one place, invoice clients, and get 30% off new purchases. Find out more at go.me/wpbuilds.

We're also helped out by Bluehost. Bluehost, redefine your web hosting experience with Bluehost Cloud. Managed WordPress hosting that comes with lightning fast websites, 100% network uptime, and 24/7 priority support. With Bluehost Cloud the possibilities are out of this world. Experience it today at Bluehost.com/cloud.

And, we're also helped this week by Omnisend. Omnisend, do you sell your stuff online? Then meet Omnisend. Yes, that's Omnisend. The email and SMS tool that helps you make 73 bucks for every dollar spent. The one that's so good. It's almost boring. Hate the excitement of rollercoaster sales? Prefer a steady line going up? Try Omnisend today at omnisend.com.

And deep, sincere thanks go to GoDaddy Pro, Bluehost and Omnisend for their support of the WP Builds podcast. If you happen to come across their products or services, please mention WP Builds when you interact or purchase. It really would help support the WP Builds podcast.

Right, what have we got for you today? Well, it is episode two in the new security series that I'm doing with Tim Nash. You may be paying attention enough to notice that I'm also doing shows with Courtney Robertson. I'm doing them with Rae Morey. Obviously this one with Tim Nash, but I'm also doing them in the optimization space with Remkus de Vries. And there's another one planned in the very near future as well.

But what do we get into today? Well, episode two, we've entitled Risks and Regulations, and we're going to be exploring the security risks tied to the WordPress plugin ecosystem, highlighting instances where compromised plugins distributed malware to users. That's not good.

We get into the new UK Cyber Security and Resilience Bill, which mandates UK developers and those targeting EU UK markets to comply with stringent cyber security measures, including vulnerability testing and reporting.

There's also a bit of a foray into some practical actions that you can take, like installing two factor authentication and maintaining antivirus software.

And we also get into some real world security examples, discussing attacks by a group known as, well, wait for it, the pithy, MUT-1244. That's not easy to say. Who installed malware through phishing and fake exploits to steal credentials for mining cryptocurrency. And Tim underscores the evolving security threats affecting WordPress users.

We also discussed SSL adoption, catalyzed by plugins like Really Simple SSL. It's quite an interesting story there. And the importance of communication about plugin changes in the WordPress ecosystem.

Tim's expertise really shines through, including his advocacy for a balanced approach between security and usability. And this rounds off this pretty engaging conversation and informative chat.

I hope that you enjoy it. And I hope that you have a happy holiday.

I am joined on the podcast today by Tim Nash. Hello, Tim. We have, we've spent quite a long time figuring out the tech because, it always transpires that whenever I get on a call with Tim, there's some kind of weird audio problem. there's echoing or the headphones don't quite match up, so we're trying something new.

Hopefully it's gonna work. Tim.

[00:06:02] Tim Nash: Well, if it doesn't, then I'm just going come round to yours next time.

[00:06:07] Nathan Wrigley: Oh, nice. Yeah, you can drive around. in just a, short time. Tim lives not that far away from me in, English terms. He's, like the other side of the country, but in, if you are, for example, Canadian or American or Australian, he literally is next door.

[00:06:24] Tim Nash: Live down the road.

[00:06:25] Nathan Wrigley: Down the road. Indeed. Tim joined us several months ago now because he is very kindly giving up his time to educate you, the listener, all about the WordPress security landscape, the security landscape on the internet in general.

And this is our second episode. You can listen to a previous one. I'll put a link to it in the show notes, but this is gonna be our second foray into that. So we're gonna cover off. Exciting stories, if you like. Things that Tim thinks over the last three months have been of interest in the security landscape.

However, we have to do the bio because in order to understand that you know what you're talking about, we have to know that you've got a heritage in this. I feel that security really does merit that. I think there's many, areas where it probably wouldn't matter quite so much, but we need to know that you know what you're talking about.

So just lay that out for us. Tim, tell us about yourself.

[00:07:17] Tim Nash: So I am Tim Nash. I'm a WordPress security consultant. I said that with a question mark. 'cause I'm, sometimes I'm like, am I, I I, I, I do WordPress security. my background is, mixed. but I started off life as I doing security and doing, physical penetration testing. So, that was like breaking into places, which was lots of fun. I got involved in this WordPress malarkey and, did some bits for a while, ran a dev agency, and then I, I briefly retired, which was fantastic until I got bored. also ran outta money and discovered that retirement, you actually have to have money to do. You can't

so, in fact, I feel I was probably would be called unemployed, but I was retired as far as I was concerned. I ended up working for a hosting company where I started. going, oh, I know all about security and, and particularly about WordPress security. And, then I had to start looking after hundreds of thousands of websites and realized I knew very little about WordPress security and had to learn very quickly. but I came out of that with a really good understanding. Not just, what is the best practice, but a lot about actually what you can do because all well and good you when someone says you should do this. But for most people, this is never going to be practical. This is normally take your computer or unplug your computer, dig a big hole and put your computer in it, then fill the hole in, and now your computer is wonderfully secure.

[00:08:53] Nathan Wrigley: Never plug anything in ever again. Yeah.

[00:08:55] Tim Nash: Yeah, absolutely. It is the most secure thing that you, terms of computing that you own, it's also in the hole, which is you've filled in. So absolutely useless. So, coming around to this idea of working in sort of pragmatic security. and so that's where I sort of try and emphasize. Pragmatism and let's just get you as good as possible. means I talk an awful lot about risk and threat actors and, what are your threats rather than necessarily what everybody's threats are, these days. I, I'm a secured consultant. I work with primarily agencies, but I also work directly with clients, and big and small. but I actually really like working with smaller clients 'cause in many ways they're the ones I feel like I can help.

The most because we're going from a potentially, a place where, I don't wanna say a lower level, but there is generally I can help with, with the smaller clients.

[00:09:53] Nathan Wrigley: I am gonna pick up on a couple of things. The first one is to say that. Go to Tim Nash's website. So it is the perfect URL really. It's tim nash.co.uk. So pause the podcast, go and check out what he's got on offer there. The second thing that I wanted to add to that is that it's always occurred to me, and I'm sure I've probably heard it somewhere 'cause I'm not as bright as the person that said it, no doubt was that, the, more secure you are, the more inconvenient it is.

So essentially if, you want something to be secure, it's probably not gonna be as easy for you as the end user. So it's interesting that you mentioned there, that you've you're addressing that balance within your own business, and you've worked out that there's a pragmatic line to take where you juggle that seesaw, if you like, on the one hand, security on the other hand, convenience and your, it sounds like the pragmatic approach is to try and get a happy medium between the two so that it's.

but usable.

[00:10:50] Tim Nash: Yeah, usability is the key and it is so often, and usability and to a certain extent, accessibility, clash a little bit with security, but they also have a lot in common. and often while we might clash on some of the technical aspects, we very rarely clash on like the wider philosophies. so if you were to talk to an accessibility expert. you were talk to a developer about accessibility, and they'll be talking about, ARIA elements and they'll be talking about X, Y, and Z, but if you talk to an accessibility expert themselves, they're more likely to be talking about things like keeping things really simple, keeping the structure easy to manage, doing all the, and, and when you talk to a security per sort of a developer, they might be going, oh, I need to put in this sanitization rules.

I need to be doing this. When you come and talk to a security consultant, they're gonna be talking about, well, we need to keep this as simple as possible, and we need to make sure that you are the, threat surface. So, what, bad act can get to on your website, IE what forms are on the front end of your website, we want to make them as, reduce that as much as possible.

We want to keep things nice and simple, so we, we do share a lot of grounds while at the same time, having differing opinions on things. I

to say that security was always simple and always a, a seamless experience, but, it can't always be. We can make it as much as possible.

[00:12:24] Nathan Wrigley: I suppose the good thing from your point of view, and I do literally mean from your point of view, is the, fact that the landscape is constantly moving does, I suppose it provides a certain. job stability for want of a better word. And I, know that's weird. It sounds the more chaos there is in the security world, the more employment you've got.

But in a sense, that is the case, isn't it? And if you were to think about WordPress websites and less, that software changed and unless the. Prerequisites for a website change as time moved on, we'd all be out of a job. We'd have built the website back in 2003 and nobody would need it updating or modifying in any way.

But the, fact that the security landscape is changing all the time, presumably the bad actors are getting better and the people who are chasing after them are trying to keep, abreast of what they're doing. keeps you in work, which is a, an interesting dichotomy. We're gonna, we're gonna touch on, I don't know, four or five different links today.

I will say that if you, don't. pause the, URL head to wp builds.com search for this episode and I'll put all of the links in there because basically all of the links that we're gonna touch on today are too long to read out. so we'll just mention the name of the article and you can either Google it or go to our show notes and crack on from there.

But we're gonna start, the summation of the last three or so months with, an article by Bleeping Computer. Now, this may not be a website that many people are familiar with if they're just WordPresses, but is that a, is that URL, Bleeping Computer? Is that a stalwart of the, the security landscape?

Is this somewhere where security people hang out?

[00:14:04] Tim Nash: I'm gonna be a little bit mean to them and say not really. What they are though is a really good, gateway. To the security landscape.

[00:14:12] Nathan Wrigley: Oh, nice.

[00:14:14] Tim Nash: they are, they, they often, take what would've been fairly complex stories, and make them a little bit more simpler and make them, almost a little bit more sexier than they actually are.

So you, they do suffer a little bit from super scary headlines. When you go into the body, you are going, I can't find the meat of this, but on the. Positive side. They really do make it, easy for the layperson to access.

[00:14:41] Nathan Wrigley: Okay, so it's human readable versions of difficult to understand stories.

[00:14:45] Tim Nash: Yeah.

[00:14:46] Nathan Wrigley: That feels like the sweet spot actually for this podcast in a way, because our intention here, and certainly I wouldn't understand it if you began speaking like that, but if you start throwing out all the acronyms and start describing everything in all of the detail that you could bring to bear, I I would quickly lose track of it and therefore I would lose interest. So things like this are great. BleepingComputer.com. So this one is called, and again, you said they make scary things outta something not so scary. Let's see how this one lands. 390,000 WordPress accounts stolen from hackers in supply chain attack.

Okay, the sky's falling in. Tim, tell us what's going on.

[00:15:26] Tim Nash: So, I, I, I, while I was researching, I, I came across a comment on Reddit, from a Reddit user who went, oh my God, that must be like 10% of all WordPress accounts must be compromised. It's like, so

that perhaps people don't truly understand the scale of how big WordPress is.

390,000 WordPress credentials is, that's a lot of accounts.

So a credential in this instance is a username and password.

[00:15:53] Nathan Wrigley: Okay, so it's one user, so it could be 20 on one site, 3000 on another, and so on.

[00:15:58] Tim Nash: and,

at no point does the article ever mention the word administrator.

[00:16:06] Nathan Wrigley: Oh, okay. Okay.

[00:16:07] Tim Nash: could in fact be 390,000 of the same user, which was a spam bot that got added onto a website,

[00:16:14] Nathan Wrigley: Okay. Okay. you're, already calming me down. You're walking me off the precipice already. This is great.

[00:16:20] Tim Nash: and this is a worthwhile exercise. Whenever you are reading these sort of, security things is to first ask yourself, well, what aren't they asking, saying? And really, when, when you people are talking about WordPress credentials, it is bad if, if a, a WordPress credentials get, leaked. we are really only interested in if they are administrators and the, the credentials were active, IE that you could actually log in a big dump.

so a dump is like where you get a CSV file and they literally have lots of content in there, and it's a dump of that content. if there was 390,000 WordPress login credentials, if you were to go through and process those. If only 20% of that was of are still active. And if out that lot, there might only be like five, 10% that are actually administrators, still talking 50 to a hundred thousand credentials potentially.

[00:17:13] Nathan Wrigley: It's a lot.

[00:17:13] Tim Nash: the, this tax line seems, has shrunk down. Why this story was interesting to me how they got the credentials.

[00:17:22] Nathan Wrigley: This is always the interesting bit. This is the narrative bit, isn't it? The bit that you can turn into a story, and make it fun.

[00:17:30] Tim Nash: Yeah. And in this particular case, so, the, that was stolen, the credentials is a fairly well known group. They, you, if you, if you Google their name, which is MUT-1244, they turn up in stories often, all over the place. they also have terrible names. I

[00:17:51] Nathan Wrigley: It's very pithy. Easy to remember that.

[00:17:56] Tim Nash: but so they, have done a couple of other exploits over the time, but they've got this, WordPress credentials and they got it through malware. So they basically added, a tro got Trojan malware onto people's, Windows machines. Windows users along and the Trojan is where it is taking data and transmitting it back.

So, often when we think of Trojans, we think of them as keystrokes.

[00:18:23] Nathan Wrigley: Yep.

[00:18:24] Tim Nash: and it's like, oh, it's, it's collecting keystrokes and sending it across. but it could be collecting any data, and in this case it's collecting. When you went to the person went to the WordPress website, they went, oh, I'm going to go and type in buly, blah, blah, blah.

So my login bubbly, blah, blah. My password hit gut. This is scary. 'cause obviously they've deliberately targeted WordPress in this, 'cause they needed to get, so they know that there, somebody went to the WordPress site to a WordPress website and they know they put in a username and password. mean, there also implies that this is an actual active user.

So, earlier where I was saying, well, of this 390,000, how many of these might be a spam account? Well, because of the way that the, malware was used. we are pretty convinced a human being logged in

[00:19:12] Nathan Wrigley: Yeah. Okay.

[00:19:13] Tim Nash: an administrator. It just means that they logged into a site.

I know from my own anecdotal experience, as much as I would like to downplay this as much as possible, I. Most people who log into WordPress sites, unless they're logging in via for something like WooCommerce or as a third party, if you are a primary user of the website. So by that I mean someone who has to edit content and add content or do anything on the website itself. people do not understand user roles, and they probably are an administrator because that seems to be like the default. Everybody puts themselves in. So you're gonna take something away from this story. don't have all your users as administrators. I think this is something we, we covered like last episode, and we'll cover every episode. At some point. We're gonna say that's bad. Just make your users be like editors and things.

But in this scenario, we've got the WordPress, credentials have been stolen and. This group has decided to, release them. Why This is interesting. Apart from the malware side its own, this being chosen, they've got credentials. And normally when you hear about these things, you hear like things like, where you've got session hijacking, which is where instead of them grabbing the. The username and password and PA putting it through. They get a session ID, which will basically give some temporary access. So they basically get, when you've logged into your website and said, I want to log in, and you've ticked the button, turn underneath that says, remember me. Well, that's put a session on you. Even if you didn't tick, remember me.

There's a session been applied and if you come up, go off the website and come back. remembers you and it logs you in. Now that session is normally stored on your, in your browser, in a cookie. and the bad actors come along and they grab the cookie and they go, oh, well I'll have that cookie and I will log in as that user. So we are seeing more and more those style attacks, but this, they actually have the username and password. And why that's useful to them is it's much easier to sell that. A

[00:21:30] Nathan Wrigley: Oh yeah, it doesn't,

[00:21:31] Tim Nash: have on it. So, you, you normally use a session. If you're gonna steal sessions, you're gonna want to use them really quickly.

So you're gonna

backdoor on, and you might sell the backdoor, but if you have the login credentials, you can sell those. and so it's much easier to make a quick buck.

[00:21:51] Nathan Wrigley: Can I just quickly interrupt and ask what was the mechanism for. And I want to use the word exfiltrated and I dunno if that's the correct way of saying it. What was the mechanism for, acquiring at the WP login screen? how did that bit take place? Was this something in the browser or was it malware on the Mac or the OS level or what?

[00:22:15] Tim Nash: so it was, it was malware at the OS level. So somebody ca somebody had installed malware because it be this for a phishing attack. Be this through, them going to a dodgy website where it got downloaded, be it through an ad network that's been compromised, be it through another WordPress site that's been compromised and is serving malware. But the malware got installed on the computer. what? What particularly drew me to this story is the same group has been responsible for. Other, malware and they've been identified as them. The technique for how they got that malware was that they basically pretended to be, security researchers, and they said, oh, no, we, we, discovered these horrible vulnerabilities.

And here is the proof of concept. So a proof of concepts where you go, I'm going to show you how you can. See this vulnerability and abuse it so that you can like go, I found this problem. is the proof that I found this problem. Now, these proof of concepts didn't work. they did do was that when you went to execute the proof of concept to test it, it put malware on your computer.

[00:23:32] Nathan Wrigley: there's a special place in hell for these people, isn't there? I know on the one hand it's quite ingenious, isn't it? You can imagine in a, James Bond film, they are the villain in the, in that big chair that swivels around and they're stroking their cat. This is, that is quite the leap, isn't it?

you go online, you're trying to fix a problem. You're, you are trying to ostensibly prevent malware. All the while you're actually enabling it. That is something, gosh.

[00:24:03] Tim Nash: This, occurs, more often than not. And there was a, a story, another story that I didn't link to, but came up in the same sort of time where this was around we of a, a well known. Supplier of, back doors and ways into, hack sites themselves got hacked because they downloaded a cheat to stop an anti cheat device in the computer game

[00:24:34] Nathan Wrigley: Oh gosh, it's so many levels.

[00:24:37] Tim Nash: Was malware and compromised their computer, and that compromised computer was then caught up in a dragnet by law enforcement who.

[00:24:48] Nathan Wrigley: Oh my word. There's so many levels to this. can I just ask something else that's just occurred to me? It feels like this, this gang for want of a better word, and you use MUT-1244, these, per the perpetrators of this. I'm guessing that WordPress wasn't the only thing that got installed.

As the target of this malware, did it come I don't know, looking for other things as well? One, one of the things happens to be the WordPress login screen, but also it was, I don't know, other CMSs, other, accounts like maybe they're after your Amazon credentials or something like that as well. Yeah.

[00:25:24] Tim Nash: much exactly that they, so given that we know that this, the, the, the way that they targeted quite a lot of this was via things like the, the proof of concept. They were looking for technical users and because technical users often, Have the keys to the castles. And so they were looking for those credentials.

They were looking for SSH keys. So that's a way

[00:25:46] Nathan Wrigley: Oh, okay.

[00:25:47] Tim Nash: to communicate backwards and forwards with a server. they were looking at AWS credentials and other hosting environments. they were looking. Specific directories. They were looking for GitHub credentials to be able to log into GitHub so that they could then utilize the, developer's own credentials to put more malware and more places through. And after all of this, are thinking, well, surely they're, they've got some horrible malicious ma, really terrible plan. No, no, they've done all this. And then they basically mine Bitcoin.

[00:26:22] Nathan Wrigley: Oh my goodness. So all of this is to

[00:26:25] Tim Nash: they're actually using Monero, but it is effectively, they

[00:26:27] Nathan Wrigley: Yeah, some kind of cryptocurrency. Yeah, so that, so once they've got these credentials, they're using it to install things whereby they can, process CPU cycles or whatever, GPU cycles in order to mine cryptocurrency. Honestly, it's always the money, isn't it?

It always comes down to the money. Yeah.

[00:26:47] Tim Nash: And that they're doing, can be done on the CP also done in. So they

can then infect customers who come to the website. They can then u

some JavaScript on the front end, get their, and put that into web storage. It. So your browser lets websites store data in web storage, and it even allows, service workers to do processing on your, in your browser. This is how we're having this call. The,

[00:27:22] Nathan Wrigley: yeah.

[00:27:24] Tim Nash: is making use of exactly the same technology,

[00:27:28] Nathan Wrigley: Maybe we too are contributing to the account of the,

[00:27:35] Tim Nash: really slow and you are struggling to identify it. then you will find that you, you know, there is a potential if you've been hacked and you are finding the site is slow and you can't see it in the CPU usage, it could be well that they've loaded extra JavaScript, which is now basically mining whenever you cut someone comes to your site. Yeah, I'm gonna.

[00:27:55] Nathan Wrigley: Gosh. So in the case of WordPress in this attack, a couple of questions. Firstly is the intention then primarily again, this attack in particular, this is so that they can deploy. These crypto mining, instances, let's call it that, so that the end users, the people that are consuming the website, and obviously if, if you get the White House what, website or you get TechCrunch or whatever with millions of users per day, that there's a big target there.

So firstly, is that the case? Is that why WordPress is in this is so that they can capture the CPU cycles of browsers who are reading the content on those websites.

[00:28:37] Tim Nash: So in this particular case, it looks like that that was at least part of the plan. The thing is that.

are nearly always multifaceted. once you have access, it's very rare actually for a, for the person who gained access to then immediately abuse it. They normally put in a another back door they can maintain assistance.

IE keep access. So they put in these back doors. they'll normally then wait to see if they've been spotted for a little while.

[00:29:04] Nathan Wrigley: Yeah.

[00:29:05] Tim Nash: at that stage, really they've got a choice of whether they're gonna make a quick buck. They'll just sell the access. So they'll put you in a big data dump and then they'll sell it on, or they might it.

In this case they were abusing it with crypto mining, but there isn't any evidence that they did anything else for themselves, but there is evidence that they then shared these credentials onwards. And then other bad actors had access and they could do whatever they liked with it, whether that was sending out vast amounts of emails, improving Viagra usage across the world, or whether that was that they were using them for DDoS attacks. All of a sudden, sites would find themselves being hacked and compromised. And they'll be compromised in multiple ways because there were multiple bad actors who had been given access. First of all, they'll probably have just abused it with crypto

[00:29:59] Nathan Wrigley: I guess the minor silver lining here is that in this case we're not, I could be wrong, but I'm reading that we're not actually dealing with a WordPress vulnerability. This is a vulnerability in the OS, which is just consuming the, you are the unfortunate person who happens to visit the WordPress login screen, but it could be the Google login screen, it could be the Amazon login screen, anything you like, and it would be able to scrape that data.

It's just that, because on the flip side, WordPress, as a publishing platform, will enable this Monero mining to be done in many instances. In this case, WordPress is more valuable than Amazon would be because, obviously, Amazon's got credit cards attached to it, so ignore that.

if you could access, oh, I don't know, something that had no credit cards but was just, you would log into it something like Slack, say for example, because the publishing nature of WordPress will allow you to consume resources of multiple readers of those WordPress website pages.

Yeah. So no threat here for WordPress. You don't need to worry about that WordPress core team.

[00:31:09] Tim Nash: Yes, and it is a good reminder that your own security, of your devices, be that your phone, be it your laptop, these things can ultimately compromise down the line. I did a tongue-in-cheek story earlier in the year, which I published on YouTube, about When Memes Go Bad, which was basically this story about a guy who just found a meme generator, there was a browser extension, and installed it, and then things went catastrophically wrong. For him, but also for his hosting company, which ultimately ended up with ransomware

[00:31:51] Nathan Wrigley: Oh gosh, I remember this. Yeah.

[00:31:53] Tim Nash: And so this, the story developed and there was some artistic license, but everything in it had happened at one point or another. And this, to this stage, you, Shane, happens. So before we even talk about securing a website, we need to talk about securing the people who are using the website.

No point securing a website if Joe is just gonna have some malware installed on his browser and he can take complete control of it anyway.

[00:32:20] Nathan Wrigley: I'll link to that in the show notes, but, go onto Tim's website and search for when memes go bad. I've gotta say, Tim put an extraordinary amount of effort into that video

[00:32:29] Tim Nash: Which

[00:32:30] Nathan Wrigley: so Bravo. Yeah, bravo for, yeah. You suddenly realized the magnitude of actually doing YouTube. What was the solution for this one?

2FA? Would 2FA have just obliterated this?

[00:32:41] Tim Nash: Yeah. In this particular scenario, if you were compromised, then 2FA would've worked. 2FA would not have protected you if you were the developer and you had AWS credentials in your local folders or your

[00:32:55] Nathan Wrigley: Got it.

[00:32:56] Tim Nash: So, I mean, the real answer is don't get malware. Which is really easy

[00:33:00] Nathan Wrigley: So easy, to say. Yeah. Don't ever click on anything. Go, bury that computer in the garden right now and you'll be fine.

[00:33:10] Tim Nash: running, it's, you'd be surprised how many developers in particular do not think that they need antivirus and malware detection on their, and they'll argue the reason they don't need to do that is because they know better and they don't click dodgy links in emails. So we've trained a whole generation of people that, like, comes from phishing scams.

Just don't click links in emails, which is great. Don't do that. Then they'll quite happily go and download something and just randomly click it.

[00:33:42] Nathan Wrigley: Yeah, that's right. Yeah.

[00:33:43] Tim Nash: an application you do not legitimately know the source of, and even if you know it, absolutely 100%, even then, if you're not checking something, then there is a potential risk.

So why not run

[00:33:55] Nathan Wrigley: Oh.

[00:33:56] Tim Nash: software?

[00:33:57] Nathan Wrigley: So that was a fabulous story. So again, we'll link to that. That came out very recently, just a few days ago, on BleepingComputer. Now you linked to another story, and I don't know if we wanna go to that one next, but you said that one story led in your mind to another.

but I'll just read out the title. Do you want to go there? Yep. Okay, perfect.

[00:34:24] Tim Nash: How a lot of these people got the malware was through this website repository takeover. So basically, the bad actors managed to gain access to GitHub repositories and said, Hey, we found some malware, and here is proof of how you fix it. Here's proof of how you can see if your sites are gonna be compromised, or your software is gonna be compromised, by this amount of decent malware. And when you installed the proof of concept, when you installed the thing that would show you whether your site or your software was vulnerable, you were in fact installing malware that put you through,

[00:35:14] Nathan Wrigley: Got it.

[00:35:14] Tim Nash: was, yeah, it did that. So the second article is basically listing and showing how this happened. And it is not just this one group, this is lots of them. Look at it, a full examination of, like, all the repositories, what the malware was in there, what the malware was trying to do. And it was from this initial research that they then found the 390,000 WordPress accounts listings. So it came from this original look where some researchers were going, yeah, that's very smart, but we can now reverse engineer everything from this to work our way backwards to find this second source.

[00:35:58] Nathan Wrigley: So that one was called "Thousands of GitHub repositories deliver fake PoC exploits with malware", and that was much, much longer ago. So that was a couple of years ago, October 2022. But I will put both of those into the show notes. Maybe read them in the order that Tim presented them, the 390,000 one first and then this GitHub one second.

And then also, like I said in the show notes, when, memes go bad, Tim's piece that then leads us to the. Fourth, I suppose thing that we're gonna cover today, maybe this is the second to last one, the penultimate one, and this is over on the, we're familiar with this one. This is in the WordPress space very definitively.

This is Wordfence, 400, no, I nearly said 400,000. It's got two commas. It's 4 million. 4 million WordPress sites using Really Simple Security, Free and Pro versions. So they're plugins affected by a critical authentication bypass vulnerability. Anything starting with the number 4 million, Tim, is freaky.

[00:36:57] Tim Nash: So, so you remember how the last one we were like 390,000? That's not very many.

Remember, that was users. So I think this sort of bumps up the scale.

[00:37:08] Nathan Wrigley: yeah. This is sites, right? 4 million sites.

[00:37:11] Tim Nash: 4 million sites

[00:37:13] Nathan Wrigley: Oh gosh.

[00:37:14] Tim Nash: 4 million sites running a plugin called Really Simple Security. The thing is, quite a lot of people listening might have had this software installed and not recognize the name,

[00:37:28] Nathan Wrigley: Hello.

[00:37:28] Tim Nash: it's good timing or bad timing. Relatively recently, they had gone through a name change. They were expanding their offering. So they were originally the plugin, that plugin that most of the 4 million people installed was a plugin called Really Simple SSL.

[00:37:48] Nathan Wrigley: Oh, so Tantalizingly close. You get the first couple of words and then it changes, right?

[00:37:54] Tim Nash: So, and most people would've installed this many, many years ago,

[00:37:59] Nathan Wrigley: Oh, like in the late nineties when it was all about the, was it even the late nineties? This feels like 2015 or something, when SSLs were, yeah, so I dunno why I said nineties, when SSL was becoming all the rage and things like Let's Encrypt were suddenly making it plausible for any website to have an SSL certificate. And so Google then pushed the ante a little bit, didn't they? And Chrome started saying SSL was the de facto. And I remember this plugin, Really Simple SSL, it was kinda like the one-click solution to take your site from non-SSL to SSL in one hit.

[00:38:38] Tim Nash: Yeah, I mean, back then, the default standard was HTTP. So if you

website and you typed in dub dub dub Tim Nash, it would take you to the HTTP version. It required a lot of effort and a lot of technical understanding to get you to automatically go to HTTPS www. Now, in reality, even back then, the hosting companies could have made this easier and done it in one click. It really is very simple for web servers to do this, but for a long time hosts didn't default to HTTPS. They offered both HTTP and HTTPS

it to the browser or the software to decide where it wanted to go. So Really Simple SSL, whenever you arrived on the HTTP version of the WordPress site, went, no.

All the assets are over here. Redirect. And it put the redirect in and it did these bits. Now, great. You never really, really needed it. If you understood what you were doing, it was absolutely an unnecessary plugin. But for a lot of people, it just made migration from HTTP to HTTPS simple. Good name, Really Simple SSL, 'cause it really was: install, job done. But obviously over time, this plugin has been left on people's sites and sort of lingered. The use case and the growth for that plugin has dropped off. So the developers, to be fair, probably wanted to get more out of this, started adding extra features.

And really were trying to compete with people like Wordfence, people like Patchstack, people like SolidWP, and coming up with this sort of, like, big suite of security things. And in doing so, put a horrible vulnerability into their

which is unfortunate. The actual vulnerability, I think, is sort of almost irrelevant to this, 'cause it was more to do with the fact that, while it was super, super scary, the scarier thing was that people would see the super, super scary vulnerability and go, oh, that must be terrible for those people, and not realize that sitting on their site was that plugin, because it had a completely different name and wasn't the thing that they actually originally stopped.

[00:41:08] Nathan Wrigley: Do you think then that there's, is, there a conversation to be had, in the WordPress space? About a couple of things. First one, change of ownership of a plugin. So let's say developer. Let's say we've got Brian over here and he's the developer, but Brian gets fed up of it and he decides he's going to sell the plugin on, and Susan takes it over and Susan now runs with it, and nobody needs to know about that, except they do because it turns out that Susan is up to no good.

So that's the first one. Do we need to know when plugins change hands? But in this case. Do we need to know when plugins change really what they do? So this really simple SSL, which did this one basic thing, suddenly decides to pivot and become something else. So it's changed its purpose, it's changed its name.

And like you said, most people won't care. They'll just do the updates. And so long as it's on the most updated version, I don't care. I remember at some point I must have installed it, so it's fine. Does they need to, do we need to have that conversation. The answer is, I think, yes, but how on earth do we begin that?

I don't know.

[00:42:16] Tim Nash: The answer is yes. And how on earth do we begin that?

[00:42:18] Nathan Wrigley: Yeah. I'm glad that you, I'm glad that you concur. That's great.

[00:42:23] Tim Nash: we still don't have a mechanism in the WordPress org repository to let you know if something has been deleted.

I've stopped, my, I, I, I've decided I've discontinuing my plugin and I've archived it. Well, you can now at least go on to wordpress.org and you go to my plugin and go, oh, there's a little banner that comes up and says, this hasn't been updated for x number of releases.

Or there's a banner that says, this has been archived. This plugin is no longer being supported. Now, if you go to your WordPress website, there's nothing

[00:42:59] Nathan Wrigley: Yeah, that's true, isn't it?

[00:43:01] Tim Nash: step, the information could potentially be fed to your WordPress website. Ownership is another really good example.

We've obviously had a case relatively recently where ownership was changed dramatically overnight, and one of the issues you had was, for people who were doing automatic updates, it was like, surprise, this has now changed without any indication. And even if you were manually updating, there was no way for you to know until you hit the manual update that you were now getting a new version with a new name and new people running it. So maybe there is a case for actually automatic updates and manual updates should have some sort of, hey, this has changed, do you really want us to proceed? And then maybe we can put some threshold bars in there. But where we reduce that, where we put friction in around updates and

doing them.

[00:44:00] Nathan Wrigley: Yeah. But also.

[00:44:02] Tim Nash: I add a contributor and they've done all this amazing work to get us done, and then it goes to the updates and it comes up where a big saying, Nathan's been added as a contributor. And you are like, well, I dunno. This Nathan fella, I'm not trusting him. So you don't update.

[00:44:19] Nathan Wrigley: This is a good baseline position, by the way, Tim. This is healthy advice. Also, like, who would even monitor this stuff? So I can imagine that if you've got a Shopify app, the Shopify marketplace is fairly well administered by the Shopify staff. I'm imagining that the code will be inspected by the Shopify staff and I'm imagining they've got bodies on the ground to do that, and so if an update comes through, they've probably got the time to check that.

I dunno how it works with the plugin review team. I know that at the beginning, upon first getting a plugin into the plugin repo, there's friction there. but we're quite proud at the moment of the fact that friction has been minimized by automating things, but still, there's a body of work to be done to get it in.

But I don't know if there's any work that's done after that. if I get in a basic simple, really simple SSL plugin and then I decide to change it overnight to really dark and sinister, nasty, I'm gonna hack you, plug in. Is there any check and balance to see if that's happening? I don't know if there is.

[00:45:21] Tim Nash: I don't believe that there is currently though there

of manual periodic where you can, be, where they can bring you back into the queue for review. So there is a mechanism in place, but whether or it's acted on very often, I don't know. but yeah, there's a really good examples. years ago. As, as a joke, I wrote a plugin called Minimum Viable Plugin and submitted it in, and then WI never, I never expanded on that and I cl killed it off before it was too far along. But as a proof of concept to prove exactly this, that I could just put in a plugin that did literally nothing passed all the guidelines technically had to be approved, then I could go and change that into Tim's evil malware. And nothing could. There was no mechanism in place to stop me,

[00:46:11] Nathan Wrigley: Okay.

[00:46:11] Tim Nash: the case, except now people would tell me off.

[00:46:15] Nathan Wrigley: Yeah, but I also, I presume then at some point you basically, you're relying on the community to, somebody falls foul of it, reports it, it quickly blows up. The plugin review team get wind of it, and so they, they, at that point it's a more manual process. Hopefully the damage hasn't been done too widely and too extensively.

Gosh. in the case of

[00:46:35] Tim Nash: WordPress.

[00:46:37] Nathan Wrigley: right.

[00:46:40] Tim Nash: imagine the scenario where you've paid for this.

[00:46:43] Nathan Wrigley: Yeah, there's no checks and balances. All bets are off, right? Yeah. Yeah. 'cause you're just downloading a zip file or, something equivalent or uploading that and there's no checks or balances in the repo. It'd be interesting as well, if, and I don't know if this has happened, maybe it has, maybe somebody has, I, I'm gonna say man in the middle or something like that on a, on an already very popular plugin.

and been able to turn it into some horrible malware. And just because the user base was already so big, being able to leverage that for the small period of time that it went undetected. I dunno if that's happened in the past or not.

[00:47:20] Tim Nash: We've had that happen with WordPress plugins, where a WordPress plugin has been compromised and content has been pushed in. We've had it where WordPress plugins have been sold and then they've been abused. Wider examples of this: the underlying operating system, particularly for Linux, is filled with libraries and sub-libraries, and we've got some really good examples of where libraries have been compromised, taken completely over, and then been used to either exfil data or put malware on. And again, outside of our community, if you're looking towards the JavaScript community, you have NPM, which is its own humongous mess. And there are many scenarios of malware being snuck in there, or just a library being removed and destroying the ecosystem. All of our package management, whether it's a plugin package, whether it's NPM, whether it's Composer, all of these ultimately rest on the trust of developers being nice. And again, we're back to the same thing.

[00:48:32] Nathan Wrigley: Yeah,

[00:48:33] Tim Nash: if the developer gets compromised, we're screwed.

[00:48:38] Nathan Wrigley: yeah. Yeah. Yeah. It's, this is an interesting story then. So these 4 million websites, that wasn't really what we were talking about. It was more the fact that this plugin was a thing and then it became another thing, which may have just let people's guards down a little bit. There it is. I installed it in the past.

I must have meant to install it. And, and so this. Feature extension, of what it was gonna do, was the story there. again, I'll post the link to that in the show notes. I've got one more article, I dunno if that's where you wanna round it off, but let's go to this one. This is on, this is on Tim's website itself.

So he wrote an article. You're gonna have to forgive the British colloquialisms here. What the. What the heck is the UK Cybersecurity? I'm gonna read it. I'm gonna read it in thick Yorkshire. Here we go. What the heck is the UK Cybersecurity and Resilience Bill? That was more Lancastrian, I think, than it was Yorkshire.

Sorry. what the heck is the UK's Security, cyber and Resilience bill?

[00:49:41] Tim Nash: I know. Isn't it exciting? You know, try coming up with an interesting. Last time I was on, we briefly covered the EU Cyber Resilience Act, which we were referencing to do with Patchstack and how they were developing their vulnerability disclosure program. And one of the reasons that they were promoting it was because, basically, it would allow you to comply with the European Cyber Resilience Act. Well, at the time, I know at least a couple of Brits who were like, well, we don't belong in the EU anymore. It doesn't affect us. Now, they were wrong, because if you're doing any interaction with anybody in the EU, that bill sort of affected you. But also, the good news in the King's Speech, because we have, like, antiquated ways, the King sits on a big throne and says, my government are gonna do the following. And he read out, my government is going to create the UK Cybersecurity and Resilience Bill,

[00:50:46] Nathan Wrigley: And he didn't use a lancastrian accent.

[00:50:49] Tim Nash: a law, and, and it's same. So

[00:50:53] Nathan Wrigley: Is it literally verbatim? Is it more or less like copy paste, or are there some significant changes?

[00:50:59] Tim Nash: So the bill itself has not been fully published yet,

going to,

behind by about a couple of years, the idea is to make sure that it e even if the language is tweaked. It matches in turn, in tone and in sort of what obligations are EU so that they, they, what's the word that you use when you've got two parties that you wanna keep in sync? but yeah,

[00:51:25] Nathan Wrigley: Marry up.

[00:51:26] Tim Nash: sync. Yeah. So anything that was in the EU Cyber Resilience Act is probably going to be in the UK Cybersecurity and Resilience Bill. And it also includes some interesting cases around open source. And there is basically, if you are a developer of plugins, a developer of themes, or you build websites or you do website maintenance for people, there is a reasonable chance you are going to be affected by this bill in the UK, and that you are gonna find yourself obligated to do a bunch of stuff around risk assessments and risk management and long-term maintenance and support that you up until now have not been obligated to do, but you should have been doing anyway.

[00:52:16] Nathan Wrigley: So just to pause that quickly. So everything that you just said in the last minute refers to residents of the UK doing work online. So building websites. You weren't talking about, let's say, for example, French people building websites that are in every way connected with France, but also selling to the UK, or were you?

[00:52:37] Tim Nash: So anybody who is interacting with the UK or anybody who is interacting with the EU. So basically, if you have a customer, and this is based around mainly corporate stuff, so if you have a customer that is EU based, or a customer that is UK based, you will be affected by this.

If

in the UK going outwards, you'll be affected as well.

[00:53:01] Nathan Wrigley: Okay, great. That makes sense. what are the top line things then that, in, in ways that people, would necessarily expect or would expect? I'm scrolling to the bottom. You've got a, heading called Practically what does this mean? I dunno if that's where you'd end up, in order to sum it up, but what are the takeaway items?

The hot takes.

[00:53:21] Tim Nash: So the, the big things are you have to demonstrate that you are now paying attention to cybersecurity.

[00:53:30] Nathan Wrigley: Yeah, you can just, you can copy and paste that you listen to this podcast. That's enough. You'll

[00:53:35] Tim Nash: Not really, because you do have

[00:53:37] Nathan Wrigley: no, sadly no.

[00:53:38] Tim Nash: risk assessment. And if you, if you're building code, you are meant to be doing vulnerability testing of some sort. So you need to hire somebody or you need to internally have the framework and the tool set to your code and do security assessments.

That's like one. you

[00:53:57] Nathan Wrigley: As luck would have it, Tim, I, happen to know a chap who does that kinda work. yeah, He is, yeah. Yeah. He comes on, this comes on this podcast. Once in a while, I'll, link to his, website in the show notes. Carry on.

[00:54:12] Tim Nash: The second thing you need to do, if you are selling plugins, themes, or code. If you sell code, you need to have a way that people can report vulnerabilities. Now, this is where Patchstack had their vulnerability disclosure program we were talking about last month, but it doesn't need to be that complicated.

It really could be: here's an email address, it goes into our support ticket system, as long as you act on them. The thing that probably will be different from the UK version to the EU version is, at the moment, the EU version says that you have to report vulnerabilities to the European central body. You are probably gonna have to report security vulnerabilities to the UK equivalent. And by that, you as the vendor, the person who develops the stuff, is referred to as the, I've forgotten the words they use. They use funny language.

[00:55:08] Nathan Wrigley: can see the word vendor.

[00:55:10] Tim Nash: the vendor who's doing the work, you have a responsibility to address vulnerabilities quickly, and notify relevant parties within a very short timeframe. They are referring to that in hours, not in

or months.

[00:55:27] Nathan Wrigley: Okay.

[00:55:28] Tim Nash: a, a, a, a distinct and accessible security support process. So basically you have to, you can't just say security issues, go to ticketing system. You have to show that you've got a dedicated route for security vulnerabilities going through

[00:55:43] Nathan Wrigley: Okay, so this feels like your company has to have an SOP for this. you really, you, can't wait for it to happen. You have to be proactive and it, doesn't have to be the most complicated system in the world as you've just described, but you can't be googling this. In a year's time when something goes wrong, you probably need to be Googling it when this episode finishes so that you know the lay of the land and you've got the bits and pieces set up.

Okay. Wow.

[00:56:12] Tim Nash: That's that. We'll stick with that. There are

aspects that are related to stuff if you are specifically a plugin vendor. But, go read the article. Let's not spoil it for

[00:56:23] Nathan Wrigley: Yeah, so that one, as I said, what the F without the H, is the UK's Cybersecurity and Resilience bill, obviously written by Tim. on his website and again, links in the show notes, but, you can probably Google that as well. I would've thought that's everything that you've put in our little shared Google Doc, which was, which was nice.

Thank you for doing that. But was there anything else that you wanted to touch on anecdotally just before we end or are you happy?

[00:56:50] Tim Nash: I think, the takeaway from this episode. Originally, I, I planned the takeaway from this episode to be install two-factor authentication, which I still think is really important and should be a good, it's a good takeaway from any episode. We do, I think should be install two factor authentication. Much like, you know, you shouldn't, not everybody should be administrators, but maybe actually the takeaway from this episode should be, was the last time your antivirus software ran?

[00:57:18] Nathan Wrigley: Okay.

[00:57:19] Tim Nash: When did you last check if it was updating regularly? Because antivirus software needs to have regular updates, because there are new threats coming all the time. So not only do you need to have your antivirus software running, it needs to be up to date. So as you are listening to us and you're about to put on the next podcast, you think, I'm just gonna run the antivirus software in the background, and obviously your computer's now churning so you've got nothing else better to do. You can make a cup of

listen episode of.

[00:57:54] Nathan Wrigley: Thank you. Thank you very much. Love it. Nice segue. we are gonna record the next episode in hopefully towards the middle, maybe the latter end of March. So no doubt. I'm sure there'll be plenty of bits and pieces that take place between now and then, but that was lovely summing up the last three months, of interesting stories going around in the security world, not just WordPress, but the wider security world as well.

One final plug. Where can we find you, Tim? What's the social network that you hang out on most? That kind of thing?

[00:58:22] Tim Nash: So these days you can nearly always find me on LinkedIn. I know it's very businessy, but if you're looking for me, that's a good place to find me. That's at linkedin.com/in/t Nash. But you can find me on all the other socials in various spaces. I've just joined Bluesky 'cause I am a trailblazer and I don't in any, you know, always get there ahead of everybody else.

[00:58:45] Nathan Wrigley: Yeah, we're all there. any other, I'll tell you what, I'll link to the LinkedIn and then people can take it from there. so once again, thank you so much for giving us your wisdom, Tim Nash. Really appreciate it. Thank you.

[00:58:59] Tim Nash: Thank you.

[00:59:00] Nathan Wrigley: Well, I hope that you enjoyed that. An absolute pleasure chatting to Tim. If you have anything that you would like to say about that, please do it on our website. Go to WPBuilds.com. Search for episode number 403 and leave us a comment there. We would really appreciate it.

The WP Builds podcast is brought to you today by GoDaddy Pro. GoDaddy Pro the home of managed WordPress hosting that includes free domain, SSL, and 24/7 support. Bundle that with The Hub by GoDaddy Pro to unlock more free benefits to manage multiple sites in one place, invoice clients, and get 30% off new purchases. Find out more at go.me/wpbuilds.

We're also helped out by Bluehost. Bluehost, redefine your web hosting experience with Bluehost Cloud. Managed WordPress hosting that comes with lightning fast websites, 100% network uptime, and 24/7 priority support. With Bluehost Cloud the possibilities are out of this world. Experience it today at Bluehost.com/cloud.

And, we're also helped this week by Omnisend. Omnisend, do you sell your stuff online? Then meet Omnisend. Yes, that's Omnisend. The email and SMS tool that helps you make 73 bucks for every dollar spent. The one that's so good. It's almost boring. Hate the excitement of rollercoaster sales? Prefer a steady line going up? Try Omnisend today at omnisend.com.

And deep, sincere thanks go to GoDaddy Pro, Bluehost and Omnisend for their support of the WP Builds podcast.

Okay. That's all we've got time for this week. Just a reminder, WPBuilds.com forward slash black for those straggling Black Friday deals. We're going to be having a couple of weeks off. And also WPBuilds.com forward slash advertise, if you would like to get your product or service in front of a WordPress specific crowd.

Okay. I'm going to fade in some cheesy music and say stay safe, have a good holiday. Bye-bye for now.


Nathan Wrigley

Nathan writes posts and creates audio about WordPress on WP Builds and WP Tavern. He can also be found in the WP Builds Facebook group, and on Mastodon at wpbuilds.social. Feel free to donate to WP Builds to keep the lights on as well!
