Don’t Trust And Verify

I know the Gipper had the famous saying:

[Image: Ronald Reagan, “Trust but verify”]

But that was for Soviet Union arms control in the 1980s.

In the 1990s and early 2000s we had the following:


“Trust but verify” and always back up your work.

But I think that is not enough in the 2010s, specifically as of March 10th, 2016.

Now the motto in Cybersecurity should be the following:

DON’T TRUST AND VERIFY ALL PLUGINS!!!


Why? Why do we have to verify all plugins?

The Sucuri Blog¹ has an interesting post.

Have you heard of the Wooranker account at the WordPress Plugin Directory, where all the plugins are located?


The WooRanker developer took over the Custom Content Type Manager (CCTM) plugin, which had more than 10,000 installs.

[Image: Custom Content Type Manager]

This Wooranker ‘developer’ took over the CCTM plugin and released a hacked version, 0.9.8.8; over 10,000 installations then unwittingly updated the plugin, installing the backdoored version.

Sucuri found an infected site with CCTM 0.9.8.8.

[Image: backdoor in CCTM]


And as the Sucuri Blog goes on to point out, on Feb 18th, 2016 “wooranker” made a change that added auto-update.php, with the commit message “small tweeks by new owner”.

So the new owner made a new plugin update with the backdoor included.

So, as a dutiful PCI-compliant person, you updated the plugin and are now hacked.

This is why we must “not trust the plugin, and verify it”. We need to know our suppliers and vendors. We need to review patches and plugin updates. For certain plugins we need to go the extra mile, review who is really working on them, and verify authenticity. Otherwise a hacker gets into your site through the front door, with you installing the backdoor yourself. It looks like PCI needs another update to its standard, because one cannot be expected to install a patch that has a backdoor.


Since hackers are human, and programmers and administrators are human too, new attacks will take us to places we did not suspect before.

You know the OSI (Open Systems Interconnection) 7-layer network model.

The 8th layer (the human element) will always be a problem.

Even safeguards can fail if humans don’t pay attention.

Having safeguards for the safeguards does not make sense – it is better to have principles that are simple to follow and easy to remember.

Contact Me to discuss these “simple principles”

If you have the CCTM plugin at version 0.9.8.8, you are infected – see betanews.com² for the fix (it is not as simple as uninstalling).
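As an added example (my own code, not from this post, from Sucuri or from the CCTM project): a small Python audit that does the kind of plugin verification argued for above. It reads each plugin's Version: header, flags the version this post names as backdoored, and diffs the plugin directory against a trusted baseline of file hashes so an unexpected new file such as auto-update.php stands out. The plugin slug, the 0.9.8.7 starting version and the fixture files in demo() are assumptions constructed for the demonstration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumed WordPress slug for CCTM; 0.9.8.8 is the version the post calls backdoored.
KNOWN_BAD = {"custom-content-type-manager": {"0.9.8.8"}}
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)

def plugin_version(plugin_dir):
    """Return the 'Version:' header of the first PHP file in plugin_dir that has one."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        m = HEADER_RE.search(php.read_text(errors="replace")[:4096])
        if m:
            return m.group(1)
    return None

def manifest(plugin_dir):
    """Map each file under plugin_dir (relative path) to its SHA-256 hash."""
    plugin_dir = Path(plugin_dir)
    return {str(p.relative_to(plugin_dir)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in plugin_dir.rglob("*") if p.is_file()}

def audit(plugins_root, baseline):
    """Compare every plugin under plugins_root with a trusted baseline of manifests."""
    findings = []
    for pdir in sorted(p for p in Path(plugins_root).iterdir() if p.is_dir()):
        version = plugin_version(pdir)
        if version in KNOWN_BAD.get(pdir.name, set()):
            findings.append((pdir.name, "known-bad-version", version))
        current, trusted = manifest(pdir), baseline.get(pdir.name, {})
        for rel in sorted(set(current) - set(trusted)):  # files the update added
            findings.append((pdir.name, "new-file", rel))
        for rel in sorted(set(current) & set(trusted)):  # files the update changed
            if current[rel] != trusted[rel]:
                findings.append((pdir.name, "modified-file", rel))
    return findings

def demo():
    """Constructed fixture: snapshot a made-up 0.9.8.7, then apply an update that bumps
    the version and drops in an unexpected auto-update.php, as the post describes."""
    pdir = Path(tempfile.mkdtemp(), "custom-content-type-manager")
    pdir.mkdir()
    header = "<?php\n/*\nPlugin Name: Custom Content Type Manager\nVersion: %s\n*/\n"
    (pdir / "index.php").write_text(header % "0.9.8.7")
    baseline = {pdir.name: manifest(pdir)}  # snapshot taken before the update
    (pdir / "index.php").write_text(header % "0.9.8.8")
    (pdir / "auto-update.php").write_text("<?php // constructed stand-in for the added file\n")
    return audit(pdir.parent, baseline)
```

In practice the baseline is the manifest taken right after a reviewed install, stored off the web server, and re-checked after every update before the site goes back into service.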

  1. https://blog.sucuri.net/2016/03/when-wordpress-plugin-goes-bad.html
  2. http://betanews.com/2016/03/05/wordpress-plug-password-backdoor/