We are Never Going to Be Secure

I did not have to put 100% in the headline: i.e. “We are never going to be 100% Secure”

Whenever there is a device that is to be used for your purposes,  someone can find a way to use that purpose against you and fight you with it.

So it is my assertion: Do not state “We are secure”!, say “we are  ‘secure’  within our abilities and budget”.

The problem is that some tasks are so basic it is unbelievable when an attack is successful.  take a look at this informational message from a WordPress security company(Wordfence):

(and in text form):
XSS Vulnerability in Abandoned Cart Plugin Leads To WordPress Site Takeovers

Last month, a stored cross-site scripting (XSS)h, Vulnerabilities, WordPress Security on March 11, 2019 by Mikey Veenstra   0 Replies flaw was patched in version 5.2.0 of the popular WordPress “plugin Abandoned Cart Lite For WooCommerce”. The plugin, which we’ll be referring to by its slug woocommerce-abandoned-cart, allows the owners of WooCommerce sites to track abandoned shopping carts in order to recover those sales. A lack of sanitation on both input and output allows attackers to inject malicious JavaScript payloads into various data fields, which will execute when a logged-in user with administrator privileges views the list of abandoned carts from their WordPress dashboard.

 

 

So essentially what wordfence is suggestingwordfence is suggesting is to update WooCommerceAbandoned cart  Cart Lite for WooCommerce.

Wordfence is suggesting to update the plugin ASAP to 5.2.0 or higher to solve the sanitization checks that a bug introduced.

 

So now that we know a specific problem with a specific plugin, all we have to do is update. But this basic act of updating is not that easy sometimes.

This is typical of software and our security dilemma,  a new vulnerability is discovered, has to be fixed and patched/released. Then of course the administrators have to install the patch.

So this is why we will never be 100% secure there will always be a time when the vulnerability is discovered to the time it a patch is installed  when  we are not secure.

I wrote about this before(Dec 2017): From Vulnerability Found , to patched safe

The above image describes the journey from Vulnerability found to Patched better than

What are the  possible problems when patches are not applied? and hackers do their work first?

Here is a worst case scenario:

Onlineathens.com has the story of the  Ryunk Ransomware

Here is a notable quote:

Jackson County Sheriff Janis Mangum said Friday that experts are still cleaning their computers.

“We can book someone (in jail) without doing it on paper, but deputies are still doing paper reports,” she said.

Mangum said she received a telephone call last Saturday from the Information Technology staff “wanting to know if we had an FBI contact they could reach. That’s when I knew it was more serious than just being down,” she said.


This article does not go into the forensics investigation of how the ransomware software installed itself, and we will keep an eye out to the Internet as to how exactly this started.

But very likely something was not patched, the hacker software installed and then went from there to control the data and all the devices on the network it can.

Even if the initial infestation was unique (social engineering ) the additional attacks of infesting the rest of the computers usually requires some additional vulnerability which also can take advantage of unpatched devices.

The weaker you are with patching the more likely you will be attacked and hacked. In this case (Sheriffs computers in court house) somehow were infested and then later the encryption software download happened. After that the software tries to propagate and destroy the rest of the systems on the network.

Also an Auditor reviewing your patching is also advisable.

There are no guarantees, although one can reduce risk with enough safeguards and testing in place.

Like we can do  CISA certified contact us.

Advertisements

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.