Trend Micro's Own Cybersecurity Blog Gets Hacked

Mickeycaskill quotes Silicon: Just to illustrate that you can never be too careful, cybersecurity specialist Trend Micro has confirmed that one of the blogs it uses to communicate with customers was itself the victim of a content spoofing attack. The culprits exploited a vulnerability in WordPress to inject fake content onto the blog before it was removed by Trend Micro and the bug fixed... "Unfortunately there are many different URLs attackers can use to carry out the same attack, so a couple of fake 'articles' ended up posted on CounterMeasures," head of security research Rik Ferguson told Silicon. "We have responded and shut down the vulnerability completely to resolve the issue."
The chairman of Trend Micro claimed in 2011 that open source software was inherently less secure than closed source -- but instead of blaming Wordpress, Ferguson "said it goes to show how breaches are an unfortunate fact of life and that companies should be judged on how they respond... 'Of course technology and best practice can mitigate the vast majority of intrusion attempts, but when one is successful, even one as low-level as this, you are more defined by how you respond than you are by the fact that it happened.'"

Mitigation isn't as important as prevention.

[mmell]

It's important, don't get me wrong. However, I'm pretty sure most admins would agree it's far more important to keep the bad guys out than it is to fix the mistake after it happens.

For most enterprises (especially large ones) it's understandable that there is a lot of exposure to be checked on. It's also understandable if some edges of the network suffer exposure - as long as it's not core to the enterprise and doesn't result in large financial loss. We don't necessarily expect every employee at most large enterprises to be security conscious. When you're Trend Micro, however, every admin is more or less expected to eat, sleep and breathe security 24/7. If it were a large insurance company (for example), we might accept the explanation that "no customer data was lost, no critical services were impaired, it was just one of our blog sites and we've fixed it pronto".

With that complaint out of the way, certainly even a firm which specializes in security will occasionally get caught when somebody somewhere misses a trick and the bad guys find it first. Kudos for knowing how to react quickly and being able to mitigate the damage - but when you're selling your reputation as security experts, it's still embarrassing when mistakes like this happen. Doesn't matter who made the mistake, Trend Micro's name is at the top of the web page, and it's Trend Micro's reputation which did just take a hit. It's not unlike a stock broker misreading the market or a power company causing a brief localized blackout due to human error. It's bound to happen, but when that's your bread and butter you're pretty well expected to be perfect. Once more, kudos for fixing it fast and not immediately going to the "not our fault" party line, but their reputation did just take a (small) ding.

Blame

[trawg]

Article is a bit weird - he says "there are many different URLs attackers can use to carry out the same attack", like this somehow wasn't a direct result of them not updating WordPress to the latest version after the most recent exploit was announced.

WordPress is low hanging fruit for attackers because of its vast install base; if you use it for anything that you care about you need to be totally vigilant because the 0dayz will be in the hands of everyone immediately.

I also like how he tries to deflect blame from WordPress with a nice general statement, when the real blame should be on whoever was responsible for installing it and maintaining it in the first place :)

You almost have to go out of your way to stop WordPress from auto-updating itself these days; whoever configured it probably thought they were being clever or more secure by, say, setting the file system permissions to read only. That seems like a good idea (& is mentioned in WordPress hardening guides), but unfortunately it will generally block the auto-update from working.

I would say that you're definitely more at risk from an out-of-date WP install than you are with a writeable filesystem (subject to how many plugins you're running, themes, etc). (Requiring a web-process writeable filesystem for WordPress is arguably one of its scariest requirements even though it enables a large amount of functionality.)

Overall though, I'd say this is a fairly typical worst-case scenario for a lot of people running WP in this kind of capacity. Your blog gets hacked, you serve malware or spam or look stupid for a bit, but (as long as your blog isn't where your core data is, and of course it isn't because you're not crazy, right!) you just restore from backup, update, and you're back on track.

Wordpress did not care about security

[raymorris]

Writing secure software has a lot to do with a frame of mind. A group of programmers can be really smart, but if they aren't thinking defensively, they'll write a bunch of vulnerabilities into the code. On the other hand, I've been mentoring a guy who is just starting to learn PHP, and one of the first things he asked me to help him understand was prepared statements with bound variables. He's trying very hard to make sure his very first program doesn't get hacked, and he'll probably succeed.

When I've pointed out security flaws in Wordpress and suggested solutions, the project leaders haven't taken it seriously. 18 months *after* I pointed out one flaw, it was used in large scale attacks that were covered by the press. Only then did they do something about it.

They may have gotten into a more security-oriented mindset since then, I don't know. Even if they have, they're sitting on a huge amount of legacy code written without security in mind.