
Trend Micro's Own Cybersecurity Blog Gets Hacked (silicon.co.uk) 17

Mickeycaskill quotes Silicon: Just to illustrate that you can never be too careful, cybersecurity specialist Trend Micro has confirmed that one of the blogs it uses to communicate with customers was itself the victim of a content spoofing attack. The culprits exploited a vulnerability in WordPress to inject fake content onto the blog before it was removed by Trend Micro and the bug fixed... "Unfortunately there are many different URLs attackers can use to carry out the same attack, so a couple of fake 'articles' ended up posted on CounterMeasures," head of security research Rik Ferguson told Silicon. "We have responded and shut down the vulnerability completely to resolve the issue."
The chairman of Trend Micro claimed in 2011 that open source software was inherently less secure than closed source -- but instead of blaming WordPress, Ferguson "said it goes to show how breaches are an unfortunate fact of life and that companies should be judged on how they respond... 'Of course technology and best practice can mitigate the vast majority of intrusion attempts, but when one is successful, even one as low-level as this, you are more defined by how you respond than you are by the fact that it happened.'"
  • Lame (Score:2, Interesting)

    by Anonymous Coward

    3rd party service. Has nothing to do with Trend Micro.

  • by mmell ( 832646 ) on Sunday February 12, 2017 @05:37AM (#53849951)
    It's important, don't get me wrong. However, I'm pretty sure most admins would agree it's far more important to keep the bad guys out than it is to fix the mistake after it happens.

    For most enterprises (especially large ones) it's understandable that there is a lot of exposure to be checked on. It's also understandable if some edges of the network suffer exposure - as long as it's not core to the enterprise and doesn't result in large financial loss. We don't necessarily expect every employee at most large enterprises to be security conscious. When you're Trend Micro, however, every admin is more or less expected to eat, sleep and breathe security 24/7. If it were a large insurance company (for example), we might accept the explanation that "no customer data was lost, no critical services were impaired, it was just one of our blog sites and we've fixed it pronto".

    With that complaint out of the way, certainly even a firm which specializes in security will occasionally get caught when somebody somewhere misses a trick and the bad guys find it first. Kudos for knowing how to react quickly and being able to mitigate the damage - but when you're selling your reputation as security experts, it's still embarrassing when mistakes like this happen. Doesn't matter who made the mistake, Trend Micro's name is at the top of the web page, and it's Trend Micro's reputation which did just take a hit. It's not unlike a stock broker misreading the market or a power company causing a brief localized blackout due to human error. It's bound to happen, but when that's your bread and butter you're pretty well expected to be perfect. Once more, kudos for fixing it fast and not immediately going to the "not our fault" party line, but their reputation did just take a (small) ding.

  • Blame (Score:5, Insightful)

    by trawg ( 308495 ) on Sunday February 12, 2017 @06:50AM (#53850111) Homepage

    Article is a bit weird - he says "there are many different URLs attackers can use to carry out the same attack", like this somehow wasn't a direct result of them not updating WordPress to the latest version after the most recent exploit was announced.

    WordPress is low hanging fruit for attackers because of its vast install base; if you use it for anything that you care about you need to be totally vigilant because the 0dayz will be in the hands of everyone immediately.

    I also like how he tries to deflect blame from WordPress with a nice general statement, when the real blame should be on whoever was responsible for installing it and maintaining it in the first place :)

    You almost have to go out of your way to stop WordPress from auto-updating itself these days; whoever configured it probably thought they were being clever or more secure by, say, setting the file system permissions to read only. That seems like a good idea (& is mentioned in WordPress hardening guides), but unfortunately it will generally block the auto-update from working.

    I would say that you're definitely more at risk from an out-of-date WP install than you are with a writeable filesystem (subject to how many plugins you're running, themes, etc). (Requiring a web-process writeable filesystem for WordPress is arguably one of its scariest requirements even though it enables a large amount of functionality.)

    Overall though, I'd say this is a fairly typical worst-case scenario for a lot of people running WP in this kind of capacity. Your blog gets hacked, you serve malware or spam or look stupid for a bit, but (as long as your blog isn't where your core data is, and of course it isn't because you're not crazy, right!) you just restore from backup, update, and you're back on track.
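The trade-off raised in the comment above (a read-only tree can leave core auto-update unable to run), as an added audit sketch that is not part of the thread or of WordPress. `audit`, `web_writable` and `build_sample` are hypothetical names and the sample tree is constructed; it assumes plain Unix mode bits and checks only the `wp-config.php` constants `AUTOMATIC_UPDATER_DISABLED` and `WP_AUTO_UPDATE_CORE`.

```python
import os, re, stat, tempfile

CORE_DIRS = ("", "wp-admin", "wp-includes")  # directories a core update rewrites

def web_writable(path, uid, gid):
    """Classic Unix mode-bit check for one uid/gid (ignores ACLs, extra groups, root)."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid == gid:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit(root, uid, gid):
    """Return (installed_version, findings) for the WordPress tree at root."""
    with open(os.path.join(root, "wp-includes", "version.php")) as f:
        m = re.search(r"\$wp_version\s*=\s*'([^']+)'", f.read())
    with open(os.path.join(root, "wp-config.php")) as f:
        # Drop whole-line comments so a commented-out define() is not counted.
        cfg = re.sub(r"(?m)^\s*(//|#).*$", "", f.read())
    consts = dict(re.findall(
        r"define\(\s*['\"](\w+)['\"]\s*,\s*['\"]?(\w+)['\"]?\s*\)", cfg))
    findings = []
    if consts.get("AUTOMATIC_UPDATER_DISABLED", "").lower() == "true":
        findings.append("AUTOMATIC_UPDATER_DISABLED is true")
    if consts.get("WP_AUTO_UPDATE_CORE", "").lower() == "false":
        findings.append("WP_AUTO_UPDATE_CORE is false")
    for rel in CORE_DIRS:
        if not web_writable(os.path.join(root, rel), uid, gid):
            findings.append("not writable by web user: " + (rel or "."))
    return (m.group(1) if m else None), findings

def build_sample(mode):
    """Constructed sample tree (not a real install); directories get the given mode."""
    root = tempfile.mkdtemp()
    for d in ("wp-admin", "wp-includes"):
        os.mkdir(os.path.join(root, d))
    with open(os.path.join(root, "wp-includes", "version.php"), "w") as f:
        f.write("<?php\n$wp_version = '0.0.1-sample';\n")
    with open(os.path.join(root, "wp-config.php"), "w") as f:
        f.write("<?php\n// define('AUTOMATIC_UPDATER_DISABLED', true);\n"
                "define( 'WP_AUTO_UPDATE_CORE', false );\n")
    for rel in CORE_DIRS:
        os.chmod(os.path.join(root, rel), mode)
    return root

if __name__ == "__main__":
    for mode in (0o555, 0o755):
        print(oct(mode), audit(build_sample(mode), os.getuid(), os.getgid()))
```

Any finding means updates have to be applied by some other route, and the returned version still has to be compared by hand against the current release.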

  • How many techs and those reading this that fix PCs for friends, family, and small business see viruses that use exploits in Trend Micro to install themselves?

    Lo and behold I have seen AV software that replaces SSL certificates with their own enabling MITM attacks via Superfish Lenovo style and heard about Trend Micro not only being taken over by malware but rather malware reinstalling itself when you update Trend Micro! Basically the malware uses the AV to install itself and prevent itself from beinguninsta

    • How many techs and those reading this that fix PCs for friends, family, and small business see viruses that use exploits in Trend Micro to install themselves?

      Lo and behold I have seen AV software that replaces SSL certificates with their own enabling MITM attacks via Superfish Lenovo style and heard about Trend Micro not only being taken over by malware but rather malware reinstalling itself when you update Trend Micro! Basically the malware uses the AV to install itself and prevent itself from being uninstalled. Perfect way to block competitors from adware companies too. The only solution from what I heard is a reimage as the AV software has super admin rights and embeds itself in the OS to prevent less successful malware from disabling it.

      Who uses AV software in 2017? The only good I see is at work where an endpoint management solution can totally disable network ports and disable PCs off active directory when suspicious activity arises. Other than that it's useless

      I am the parent. Here is my citation [theregister.co.uk]? My guess is this exploit was used to gain passwords on an employee's PC. Just comes to show to avoid AV software if you don't want to be hacked

  • At least this time they left their own systems vulnerable, instead of all their customers' like last time [theregister.co.uk].
  • by gweihir ( 88907 ) on Sunday February 12, 2017 @07:30AM (#53850211)

    Pathetic. Getting hacked by attackers on this level is not a fact of life, it is a sign of incompetence and arrogance.

  • Open source can mean better security but if you take absurd risks, it will still bite you. History has proven that running PHP is very risky, not because it's open or closed but because it dynamically generates content based on poorly validated input. You can do things to eliminate these risks like not dynamically generating content or rigorously validating your inputs. PHP is highly dynamic and WordPress isn't known for validating its inputs, so you have taken a high level risk and like millions of oth

  • by jenningsthecat ( 1525947 ) on Sunday February 12, 2017 @10:52AM (#53850775)

    The chairman of Trend Micro claimed in 2011 that open source software was inherently less secure than closed source -- but instead of blaming WordPress, Ferguson "said it goes to show how breaches are an unfortunate fact of life..."

    Unless they'd written their own CMS, having an open-source platform was just about the only thing that allowed them to say they had "responded and shut down the vulnerability completely to resolve the issue" and actually mean it. Ferguson should be openly grateful that his team had free access to the source.
