Trend Micro's Own Cybersecurity Blog Gets Hacked (silicon.co.uk)
Mickeycaskill quotes Silicon:
Just to illustrate that you can never be too careful, cybersecurity specialist Trend Micro has confirmed that one of the blogs it uses to communicate with customers was itself the victim of a content spoofing attack. The culprits exploited a vulnerability in WordPress to inject fake content onto the blog before it was removed by Trend Micro and the bug fixed...
"Unfortunately there are many different URLs attackers can use to carry out the same attack, so a couple of fake 'articles' ended up posted on CounterMeasures," head of security research Rik Ferguson told Silicon. "We have responded and shut down the vulnerability completely to resolve the issue."
The chairman of Trend Micro claimed in 2011 that open source software was inherently less secure than closed source -- but instead of blaming WordPress, Ferguson "said it goes to show how breaches are an unfortunate fact of life and that companies should be judged on how they respond... 'Of course technology and best practice can mitigate the vast majority of intrusion attempts, but when one is successful, even one as low-level as this, you are more defined by how you respond than you are by the fact that it happened.'"
3rd party service. Has nothing to do with Trend Micro.
For most enterprises (especially large ones) it's understandable that there is a lot of exposure to be checked on. It's also understandable if some edges of the network suffer exposure - as long as it's not core to the enterprise and doesn't result in large financial loss. We don't necessarily expect every employee at most large enterprises to be security conscious. When you're Trend Micro, however, every admin is more or less expected to eat, sleep and breathe security 24/7. If it were a large insurance company (for example), we might accept the explanation that "no customer data was lost, no critical services were impaired, it was just one of our blog sites and we've fixed it pronto".
With that complaint out of the way, certainly even a firm which specializes in security will occasionally get caught when somebody somewhere misses a trick and the bad guys find it first. Kudos for knowing how to react quickly and being able to mitigate the damage - but when you're selling your reputation as security experts, it's still embarrassing when mistakes like this happen. Doesn't matter who made the mistake, Trend Micro's name is at the top of the web page, and it's Trend Micro's reputation which did just take a hit. It's not unlike a stock broker misreading the market or a power company causing a brief localized blackout due to human error. It's bound to happen, but when that's your bread and butter you're pretty well expected to be perfect. Once more, kudos for fixing it fast and not immediately going to the "not our fault" party line, but their reputation did just take a (small) ding.
Writing secure software has a lot to do with a frame of mind. A group of programmers can be really smart, but if they aren't thinking defensively, they'll write a bunch of vulnerabilities into the code. On the other hand, I've been mentoring a guy who is just starting to learn PHP, and one of the first things he asked me to help him understand was prepared statements with bound variables. He's trying very hard to make sure his very first program doesn't get hacked, and he'll probably succeed.
When I've pointed out security flaws in WordPress and suggested solutions, the project leaders haven't taken it seriously. 18 months *after* I pointed out one flaw, it was used in large scale attacks that were covered by the press. Only then did they do something about it.
They may have gotten into a more security-oriented mindset since then, I don't know. Even if they have, they're sitting on a huge amount of legacy code written without security in mind.
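The "prepared statements with bound variables" mentioned in the comment above, as an added example that is not from the thread or from any of the projects discussed: the same lookup written with string concatenation and then with a PDO prepared statement, against an in-memory SQLite table constructed here (the table, rows and function names are assumptions for the demo).

```php
<?php
// Added example: one query written two ways, so the difference between
// building SQL from user input and binding the input as a parameter is
// visible. Uses an in-memory SQLite database so it runs stand-alone;
// the table and rows below are constructed for the demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)");
$db->exec("INSERT INTO posts (title, published) VALUES ('Public post', 1), ('Draft post', 0)");

// Vulnerable: the caller's string is pasted into the SQL text, so a quote
// in the input ends the literal and the rest is parsed as SQL, changing
// the query's structure rather than just supplying a value.
function findPublishedUnsafe(PDO $db, string $title): array {
    $sql = "SELECT title FROM posts WHERE published = 1 AND title = '$title'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: the SQL text is fixed when the statement is prepared; the
// value is sent separately as a bound parameter, so whatever characters
// it contains are matched as part of the title and cannot alter the query.
function findPublishedSafe(PDO $db, string $title): array {
    $stmt = $db->prepare("SELECT title FROM posts WHERE published = 1 AND title = :title");
    $stmt->bindValue(':title', $title, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed input containing a quote. The unsafe function's WHERE clause
// no longer restricts the result to published rows; the safe function just
// looks for a post whose title is literally this string.
$input = "x' OR '1'='1";
try {
    var_dump(findPublishedUnsafe($db, $input));
} catch (PDOException $e) {
    echo "unsafe query failed: " . $e->getMessage() . PHP_EOL;
}
var_dump(findPublishedSafe($db, $input));
```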