Today a short piece on the importance of patching – mainly as we are seeing an increase in compromise activity. From this side of the fence it is a very different view from yours on the whole. You have one website, maybe five; we have thousands. Statistically speaking, compromise is not a question of if but when, and keeping your code patched hugely reduces your profile as a target, especially against low focus, low skill automated attacks.
I was prompted by being asked this:
“What is the worst that could happen?“
“You really do not want me to answer that.“
… followed by some stifled and short lived and misplaced laughter.
So what is patching, why does it matter to me, and why do I need to keep on top of this – what can happen?
/* What is patching
Patching is a jargon term – and it’s one that is going to be around for a while. Patching is the means by which you fix code, update or upgrade it – either by replacing all the code, or fragments of it, and possibly even making changes to the way that data is stored.
What we are talking about here is third party, popular, and really rather fantastic third party applications such as WordPress, Drupal, Joomla, Mambo, Prestashop, Gallery, Magento, the list goes on.
Patching is a great thing. It kind of has a negative rap – maybe because of the inconvenience of certain OS updates – but realistically patches are an opportunity. It is just a matter of changing your outlook.
Patches offer updates, upgrades, optimizations, new features, fixes, and most vitally security. The most common trigger for the need for a new point release is that a vulnerability has been discovered. Again – without pulling an NLP on you – this is not highlighting that there are issues – this is fixing something and making it stronger, more resilient, and improving.
Some software needs a LOT of patching. This is where the HTTP server “A Patchey” got its name from – as opposed to any Native American references adopted since – it is not a bad thing and shows active development and support. Some software does not. Some – when set up properly – will automatically patch… for example WordPress.
Working with other providers we are seeing shockingly high numbers of third party installs with known vulnerabilities that can be exploited for nefarious ends. It is wide-eyed, slack-jawed stuff: single shared hosts where an audit identifies over 1600 vulnerabilities, and over 80% of the CMSs on them are out of date.
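The kind of audit described above, and the "set up properly" auto-update check mentioned for WordPress, as an added example (not the hosting provider's own tooling and not WordPress code): it walks a document-root tree, reads the core version out of each install's wp-includes/version.php, compares it with a current release, and reads the wp-config.php defines (WP_AUTO_UPDATE_CORE and AUTOMATIC_UPDATER_DISABLED) that govern automatic updates. The "current" version string is a placeholder, and the two installs it audits are constructed sample data built in a temporary directory.

```python
"""Audit WordPress installs under a document-root tree: for each install,
read the core version from wp-includes/version.php, compare it with a known
current release, and check whether wp-config.php has switched the automatic
updater off. Added example, not the hosting provider's own tooling."""
import os
import re
import tempfile

# Placeholder for the current core release; in real use take this from the
# WordPress release announcements rather than hard-coding it.
CURRENT_CORE = "6.5.2"

_VERSION_RE = re.compile(r"\$wp_version\s*=\s*'([^']+)'")
_DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*([^)]+?)\s*\)")


def parse_version(text):
    """Return the $wp_version string from version.php, or None if absent."""
    m = _VERSION_RE.search(text)
    return m.group(1) if m else None


def version_tuple(v):
    """'6.5.2' -> (6, 5, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def auto_update_status(config_text):
    """Classify the wp-config.php defines that govern automatic updates.

    AUTOMATIC_UPDATER_DISABLED = true turns the whole updater off;
    WP_AUTO_UPDATE_CORE may be true (all core releases), false (no core
    releases) or 'minor' (WordPress's default: security/minor releases).
    """
    defines = {k: v.strip().strip("'\"").lower()
               for k, v in _DEFINE_RE.findall(config_text)}
    if defines.get("AUTOMATIC_UPDATER_DISABLED") == "true":
        return "disabled"
    core = defines.get("WP_AUTO_UPDATE_CORE", "minor")
    if core == "true":
        return "all"
    if core == "false":
        return "core-off"
    return "minor"


def find_installs(root):
    """Yield directories under root that contain wp-includes/version.php."""
    for dirpath, dirnames, _ in os.walk(root):
        if os.path.isfile(os.path.join(dirpath, "wp-includes", "version.php")):
            yield dirpath
            dirnames[:] = []  # an install's subtree holds no further installs


def audit(root, current=CURRENT_CORE):
    """Return one record per install: version, whether it lags `current`,
    and how automatic updates are configured."""
    results = []
    for install in find_installs(root):
        with open(os.path.join(install, "wp-includes", "version.php")) as f:
            ver = parse_version(f.read())
        cfg_path = os.path.join(install, "wp-config.php")
        cfg = open(cfg_path).read() if os.path.isfile(cfg_path) else ""
        results.append({
            "path": os.path.relpath(install, root),
            "version": ver,
            "outdated": ver is not None
            and version_tuple(ver) < version_tuple(current),
            "auto_update": auto_update_status(cfg),
        })
    return sorted(results, key=lambda r: r["path"])


def build_sample_host(base):
    """Construct two fake installs: one current with core auto-updates on,
    one stale with the updater disabled (sample data, not real sites)."""
    sites = {
        "site-a": (CURRENT_CORE, "define('WP_AUTO_UPDATE_CORE', true);\n"),
        "site-b": ("4.9.8", "define('AUTOMATIC_UPDATER_DISABLED', true);\n"),
    }
    for name, (ver, cfg) in sites.items():
        inc = os.path.join(base, name, "wp-includes")
        os.makedirs(inc)
        with open(os.path.join(inc, "version.php"), "w") as f:
            f.write("<?php\n$wp_version = '%s';\n" % ver)
        with open(os.path.join(base, name, "wp-config.php"), "w") as f:
            f.write("<?php\n" + cfg)


def demo():
    """Build the sample host in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_host(base)
        report = audit(base)
    for r in report:
        flag = "OUT OF DATE" if r["outdated"] else "current"
        print("%-8s %-7s %-12s auto-update: %s"
              % (r["path"], r["version"], flag, r["auto_update"]))
    return report


if __name__ == "__main__":
    demo()
```

Run it against a real document root by calling `audit("/var/www")` instead of `demo()`; an install that is both out of date and has the updater disabled is the one to chase first, since nothing will fix it on its own.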
/* Why does this matter to me?
Let's start with the premise that it does, and work around to why.
We see quite a lot of “but I need my site up” or “but if I update my theme might not work“.
The long and the short of it is that your site being down is probably better than it being compromised. In fact, you can drop the probably.
Once compromised, your only real option is to roll back to a backup that pre-dates the compromise – assuming you know when that was, and how they got in. You then work this forward and patch the vulnerabilities, including the one they used to get in. It is like a time machine that gives you a second shot, if you will – but you obviously lose any content or changes made over that period. This is probably something that needs its own article at some point, to be fair.
/* What are the implications?
So what CAN go wrong. Well the list is as long and as varied as the sites that there are out there.
Defacement – while far, far less common these days – it's a favourite amongst those who are politically or religiously motivated;
Theft – what data does your site have? It's fair to assume that it was fair game. If you have customer information stored here you may wish to read up a little on what the office of the Information Commissioner does –
Spoofing – suddenly someone is able to send as you, legitimately passing SPF filters and so on. They can try a spot of social engineering from your email address or…
Spamming – lots of it, and all from your nice clean email address. Either junk, illegal content, sales, or malware, or maybe even phishing or spear phishing. Why rely on others to get that server blacklisted and its reputation through the floor, when you can call the shots?
Phishing – ever wanted to be your own bank – well now is your chance! Maybe Dropbox, a current favourite, or Apple, or Paypal, or Google, or maybe all of the above if you are lucky – the list is long and distinguished. Oh, except you are not ‘actually’ them, and now your service provider is forwarding on harshly worded, overly formal emails from them asking why you are pretending to be them.
Spear Phishing – suddenly you are a site of interest and your new administrator is casting a less wide net as they are picking on individuals to attain access to something that they probably should not have.
Brute forcing – your website is now working its way through hundreds of passwords a second against other websites – it wants friends to play with!
Bot – your site is now part of a command and control network and is ready to attack, brute force, and deny service to a third party's target of choice;
IRC – old school – but you can host a party for the nefarious types and all their friends – be the place they all hang out;
Something special – from time to time we get asked to hand over hardware to the authorities… this could be your golden opportunity to get your name in the papers.
…okay so that is all a bit tongue in cheek – but otherwise it's a very dry topic… and to be fair it can be very scary. Nonetheless, realistically these are just a few of the many outcomes we see day in, day out.
Keeping patched and up to date reduces your profile: why pick on you when they can have easier pickings elsewhere, right? Right. This is the sermon for today.
/* Who is behind this?
Sure – you might see the traffic coming in from all over the place – but that is not necessarily indicative of the location of the perpetrator.
Using an exceptionally wide brush, these fall into three categories, all of which are unpleasant, undesirable, and dangerous in their own ways:
Script kiddies – the somewhat old school term for people running other peoples code, learning a trade or skill, and generally standing on the shoulders of others – low on the Dunning Kruger Curve and thankfully more of an emotive threat than a technical one.
Established threat actors – with experience, tools, established methods, contacts for help, and an army of hosts to command, control, and hide themselves within – more than capable of writing their own code. Organised, methodical, experienced.
Organized crime – someone somewhere is peddling those tablets, those drugs, that content – the something you are only going to buy from a somewhat more shady, if not black, market. The people selling these things have suppliers, those suppliers have people they lean on, and the further up the tree you go the more unpleasant it gets. These are the people who will lean on the likes of Spamhaus, or Clean-MX, with attacks and non-hollow threats. The more Tin Foil Hatted would even suggest State Sponsored in some cases. Generally something you do not want to get involved with.
As ever – these are all credible threats to you and your site, your content, your visitors, your email list, you… and in turn us.
/* What are we doing?
Everything we can – including a little education here and there (takes a bow).
Some of you will have noticed that we have been sending out emails regarding vulnerabilities we have found – and equally – you may even have had an email saying that you should look into upgrading your CMS.
Now this may have been something that you had set to run automatically and it has not been happening, or it may have been something you didn't realise you needed to be doing… either way – NOW IS THE TIME – and hopefully you are a little wiser as to why now.
If you have any questions, need some advice, or are confused by the emails we are sending out – drop us an email and ask. Let us know the domain you are having issues with, and how we can help.
If at any time you believe that you may have been compromised – then drop us an email to firstname.lastname@example.org with as much information as you have, and try to preserve things as they are as best you can. Do not be tempted to click on links or open files.
It is important to keep in mind that these CMSs are fantastic, amazing, and generally awesome. What we are seeing here is people not keeping them up to date – as opposed to them being at fault. So let's keep them alive, well, and working in the way you intended them : )
Please Note: As with all of these, they are intended as an introduction, a concept, and idea or overview. This is not intended as gospel or instruction – merely a simplified insight into reasons why you need to keep patched. No more, no less.