This is a guest post from Mark Stanislav of Duo Security — At MNX we use Duo everywhere we can, and we think you should too. If you're not using 2FA, talk to Duo and start securing all of your password logins!
The conversation always starts the same way, “I think my web site was hacked.” Recently, a friend of mine brought this topic up and I immediately went into incident response mode. After checking out his evidence of the alleged breach, I quickly noted multiple known vulnerabilities afflicting his various WordPress deployments hosted on his server. In his case, he had entrusted some of the administrative duties to the people running those sites. Unfortunately, they weren’t quite as vigilant as he was hoping for in terms of adequate and timely security patching.
This conversation is only becoming more common as friends and family start to host their own blogs and content management systems (CMS) to run sites for family photos, create an eCommerce business, or promote a company online. One reason for the rapid acceleration of these types of deployments is the prevalence and ease of installation of various plugins. Simply running a blog is rarely enough for most people when there are thousands of plugins to do everything from linking to various social media sites to providing a photo gallery. The allure of these plugins is hard to turn down, and most end-users will never second-guess the security and safety of using such clever features.
Unfortunately, as Checkmarx detailed in a recent report, vulnerabilities are very common in plugins on the WordPress platform. That's not to say WordPress is necessarily worse than other blogging platforms, but there is certainly a problem. In their research, Checkmarx found that 1 in 5 of the most popular plugins had at least one type of vulnerability within their codebase. While this might seem statistically insignificant, the scale at which this problem exists is really shocking. The collective breadth of these vulnerable plugins represents millions of downloads and potentially an equal number of vulnerable web sites.
Beyond the compromised web site itself, the real fall-out can begin much later than the initial compromise. Access to the inner workings of a web application can expose database contents such as customers' password hashes. Collectively, a single compromised web application could result in hundreds, if not thousands, of compromised external accounts across all affected parties. Because of this, action must be taken to lessen the potential risks of such vulnerable web sites.
The addition of two-factor authentication can dramatically lessen the fallout from a web application breach. Passwords as a last line of defense crumble quickly when an attacker has stolen your password and has months, sometimes years, to capitalize on that knowledge. With Duo's two-factor platform, every login transaction is added to a comprehensive audit trail. If failed two-factor attempts are noted after a successful password login, the assumption can be made that an attacker has a valid password for that account. With that knowledge, additional steps can be taken both to determine the source of the breach and to help identify attackers.
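The detection rule described above, "password accepted, second factor then fails", is easy to run over an authentication audit trail. The following is an added example written for this post, not Duo's code and not Duo's log format: the log lines are constructed for illustration, the `user=... ip=... event=...` layout and the event names (`password_ok`, `password_fail`, `2fa_ok`, `2fa_fail`) are assumptions, and the threshold of two consecutive second-factor failures is an arbitrary starting point you would tune to your own false-positive rate.

```python
from collections import defaultdict

# Constructed sample audit trail (illustrative only, not real Duo output).
# Each line records one step of a login: first the primary password check,
# then the second-factor check for that same user and source address.
SAMPLE_LOG = """\
2013-06-12T10:01:02 user=alice ip=198.51.100.7 event=password_ok
2013-06-12T10:01:09 user=alice ip=198.51.100.7 event=2fa_ok
2013-06-12T10:15:44 user=bob ip=203.0.113.9 event=password_ok
2013-06-12T10:15:51 user=bob ip=203.0.113.9 event=2fa_fail
2013-06-12T10:16:03 user=bob ip=203.0.113.9 event=2fa_fail
2013-06-12T10:16:20 user=bob ip=203.0.113.9 event=2fa_fail
2013-06-12T11:02:10 user=carol ip=192.0.2.44 event=password_fail
2013-06-12T11:02:15 user=carol ip=192.0.2.44 event=password_fail
2013-06-12T11:30:00 user=dave ip=198.51.100.21 event=password_ok
2013-06-12T11:30:08 user=dave ip=198.51.100.21 event=2fa_fail
2013-06-12T11:30:30 user=dave ip=198.51.100.21 event=2fa_ok
"""


def parse_line(line):
    """Turn 'timestamp key=value key=value ...' into a dict (assumed format)."""
    ts, *fields = line.split()
    record = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def find_stolen_password_candidates(log_text, min_2fa_failures=2):
    """Return {user: [(password_ok_ts, source_ip, failed_2fa_count, completed), ...]}
    for every login attempt in which the password was accepted and the second
    factor then failed at least min_2fa_failures times. Such a sequence means
    whoever is logging in already holds the correct password but not the
    second factor, which is the signal the post describes. 'completed' is
    True when a later 2fa_ok finished that attempt anyway, which is worth a
    look too (fat-fingered codes look the same as a bypass attempt)."""
    attempts = []   # every attempt opened by a successful password check
    current = {}    # user -> the attempt currently awaiting its second factor
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user, event = rec["user"], rec["event"]
        if event == "password_ok":
            attempt = {"user": user, "ts": rec["ts"], "ip": rec["ip"],
                       "fails": 0, "completed": False}
            attempts.append(attempt)
            current[user] = attempt
        elif event == "2fa_fail" and user in current:
            current[user]["fails"] += 1
        elif event == "2fa_ok" and user in current:
            current.pop(user)["completed"] = True
        # password_fail and 2fa events without a pending attempt are ignored:
        # the signal is specifically "password known, second factor unknown".

    flagged = defaultdict(list)
    for a in attempts:
        if a["fails"] >= min_2fa_failures:
            flagged[a["user"]].append((a["ts"], a["ip"], a["fails"], a["completed"]))
    return dict(flagged)


if __name__ == "__main__":
    for user, hits in find_stolen_password_candidates(SAMPLE_LOG).items():
        for ts, ip, fails, completed in hits:
            print(f"{user}: password accepted at {ts} from {ip}, "
                  f"{fails} second-factor failures, completed={completed}")
```

On the constructed sample only `bob` is reported (password accepted, three second-factor failures, login never completed); `carol` never got past the password and is a plain brute-force pattern, and `dave` recovered with a correct code after one failure, which stays below the threshold. An alert from this rule is the cue the post describes: reset that account's password and start looking for how it leaked.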
Proactively, Duo allows users of our two-factor platform to protect their WordPress and Drupal sites with two-factor authentication. This may not prevent an attacker from breaching the site through an insecure plugin you've installed, but it does prevent an attacker from brute-forcing a login or using a previously stolen password against a site you care about. Security is all about layering defenses and reducing the risks to your interests.
Have you had your blog breached? What was the damage and how did you recover? Let us know in the comments!