
It was a hard decision sometimes, (as most boards gave only an hour so other people get a turn). Do I play Tradewars? LORD? What about downloading another half of disk 2 of UFO:Enemy Unknown? Maybe I should just stuff it all and go chat with the dude on line 2.

519 was an amazing and active BBS community. I still have friends that I see regularly. Some boards we used to chat all night or on occasion we'd insta-rush a bar, karaoke, or bowling alley at 3am just because we could. Some great memories, people etc. So far on the Interwebs I've found only dragons and monsters! lol


Okay there's something not right here.

People are reporting that it was too late, however the blog post is gone, and I've yet to see an obit posted in any of the locals around here.

There's more to this.


Restrict SSH access inbound to trusted networks only. Then you don't have to worry about all this hoopla.


There's a number of things I disagree with in the article, but it does have a few good points.

Here's what I disagree with and why:

- Portknocking. I've found from experience that it's far better to allow SSH access (for example) from only known IP addresses. Portknocking is far too easy to beat and really doesn't impede much.

- Non-standard ports. Sure, if you're only interested in blocking bulk network scanners that limit themselves to known ports. Any manual scan or a solid in-depth scan is going to map every one of the lower 1024 ports, and possibly the rest depending on how interesting the target is.

- The Tank camouflage example. It all sounds fine and dandy until a maintenance crew roams the desert for 10 days looking for a tank they can no longer see. Same with security and IT... obscurity leads to lots of wasted time when newer techs try to diagnose things that aren't as they seem, and are undocumented. Not only that, but since the enemy knows that the new armour requires special ammunition to beat, they will just throw new ammo at everything that moves in case it is a tank. i.e. you're going to scan for hidden SSIDs, you're going to nmap every port, etc etc. Takes more time, but you still get in.

- If there's a 0-day SSH vector, it's getting owned no matter which port it's on unless your security team are on top of patching. What if the new-hire that's told to go patch all the SSH servers accidentally misses the undocumented one that's running on port 24? It also doesn't matter if there's 10x more hits on port 22 than 24. All it takes is 1. It's that simple.

I just don't think obscurity belongs in an environment where clarity matters so much.
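The comment above argues for allowing SSH only from known addresses rather than hiding it. An allowlist is only as good as its enforcement, so the check a practitioner wants is proof that nothing outside the trusted networks ever reaches sshd. The following is an added example, not code from the comment author or from any project discussed on this page; the trusted networks and the log lines are constructed (TEST-NET ranges) and the log format is the usual OpenSSH syslog shape.

```python
import ipaddress
import re
from typing import Iterable, List, Tuple

# Assumed trusted source networks (the comment only says "known IP addresses").
# RFC 5737 documentation ranges are used so nothing here is a real network.
TRUSTED_NETS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/28"),
]

# Pulls the peer address out of sshd messages such as
#   "Accepted publickey for alice from 203.0.113.5 port 51234 ssh2"
#   "Failed password for root from 192.0.2.77 port 40122 ssh2"
#   "Invalid user admin from 192.0.2.77 port 40123"
SSHD_SRC = re.compile(r"\bfrom (\S+) port \d+")


def is_trusted(addr: str) -> bool:
    """True if addr falls inside one of the allowlisted networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_NETS)


def untrusted_sources(log_lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (source, line) for every sshd event whose peer is outside the
    allowlist. Any hit means the edge filter is not doing its job: a packet
    that should have been dropped was accepted by the daemon and logged.
    A hostname (sshd logging with UseDNS) is treated as untrusted as well,
    since it cannot be checked against the network list."""
    hits: List[Tuple[str, str]] = []
    for line in log_lines:
        m = SSHD_SRC.search(line)
        if not m:
            continue  # not a connection event (cron, sudo, ...)
        src = m.group(1)
        try:
            trusted = is_trusted(src)
        except ValueError:
            trusted = False  # not an IP literal
        if not trusted:
            hits.append((src, line.strip()))
    return hits


# Constructed sample log, not taken from any real host.
SAMPLE_LOG = """\
Mar  3 10:01:12 bastion sshd[1201]: Accepted publickey for alice from 203.0.113.5 port 51234 ssh2
Mar  3 10:02:40 bastion sshd[1207]: Failed password for root from 192.0.2.77 port 40122 ssh2
Mar  3 10:02:41 bastion sshd[1207]: Invalid user admin from 192.0.2.77 port 40123
Mar  3 10:03:05 bastion sshd[1211]: Accepted publickey for bob from 198.51.100.9 port 60020 ssh2
Mar  3 10:03:06 bastion CRON[1215]: (root) CMD (run-parts /etc/cron.hourly)
"""

if __name__ == "__main__":
    for src, line in untrusted_sources(SAMPLE_LOG.splitlines()):
        print(f"UNTRUSTED {src}: {line}")
```

Run it against `/var/log/auth.log` (or `journalctl -u ssh`) on the bastion: an empty result is the evidence that the firewall allowlist holds; any line from 192.0.2.77 above shows a source the filter should never have let through.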


> Portknocking is far too easy to beat and really doesn't impede much.

If you have to guess a random 3-port sequence in a 65k port space, how long will it take you to break? At 1 try of 3 ports per second I get almost 9 million years for exhaustive search.


Why guess when you can just sniff the network for the sequence?

Port knocking requires that the network you're using to knock from is in fact as secure and trusted as the one you're knocking on. So there's really no point, as you could easily just limit SSH access to that network and save yourself all the bother and risk.


If you can't secure your email, why would you be surprised when your servers disappear?

I understand that there should have been more layers beyond this and all, but really, what is the point if you're vulnerable across several OpSec levels?


Okay Wordfence CEO.

How the hell does your product prevent SQL injection attacks on a payment processor outside of the WordPress ecosystem??? ( http://www.theregister.co.uk/2016/04/11/hackers_pwn_mossack_... )

You guys are a joke.


While this helps *.wordpress.com users or custom domains using the wordpress.com back end, it's going to cause a ruckus with self hosted ones.

Neither WordPress nor Let's Encrypt has any way to modify global server settings on a shared hosting environment. Slapping in an SSL certificate doesn't make a site secure; properly configuring the services that use the cert is what makes it secure.

GoDaddy isn't going to let Company Xyz rebuild Apache or configure ciphers server-wide...

In the end, while this is a move in the right direction, I fear it will give false confidence to many web providers that don't have enterprise experience with security fundamentals.


This won't affect self hosted sites, only those on WordPress.com's platform. A lot of the code for that service isn't present in the self hosted script.

So it won't break servers or shared hosts.


Many of the larger webhosts have free (but not mandatory) SSL support in production, beta, or on their near-term roadmap.


At best, this article is amateur hour for WordFence. It's focused on the topmost layers of the OSI model in an ecosystem requiring attention at all layers, from the wire -> up. Don't sell your product as anything more than consumer grade snake oil.

At the top, whether WordPress is secure or not has zero impact on a properly designed network. If a company is dumb enough to use WordPress on internal hosts, they have bigger problems. Add to this, that a properly designed network should have mitigated the chance that a web server be compromised and at least segregate the network and provide access control to sensitive data.

In short, the network was doomed regardless of whether WordFence was in place or not, and it's damned irresponsible for WordFence to suggest they could protect clients from the kind of attack which played out here.

WordFence are a typical WordPress development company, in that they're web developers first, security / network experts when they need to make a sale.... It's consumer grade crap, which is why this article needs to be treated as such.

I should also mention that just because a web server has an outside IP in the same subnet as the mail server pool doesn't mean it's on the same physical network. It could be on its own completely separate physical network or segmented via VLANs with full access controls in place. If you understood network security you would know how NAT works.

These guys got hacked because they failed on every level of network best practice or even the fundamentals. Taking advantage of this to sell a product which is equally naive is, as I said, irresponsible if not negligent.


Forgot to mention, the RevSlider exploit used in your demo video will not give full access to the system as you stated. It'll give only the access which the web server is currently executing as; www-data has no access beyond the webroot.

So you're engaging in FUD as well.

I'm not sure why you've decided that they had no firewall in place before. You're not offering any data to support this other than the clear change in hosting which recently took place. This shows a reaction which is perfectly normal, it shows nothing in terms of firewalls.

All I am seeing is speculation after speculation in your article, with absolutely zero forensic evidence of your claim. You're not even addressing the fact that their Exchange server running an older OWA was running an improperly configured SSL certificate which left SSLv3 enabled, leaving it wide open to DROWN.

I'm also seeing many thanks in your comments, and seeing folks mention buying into your product. What I don't see though is you setting these people straight that WordFence is only a tiny part of a much larger solution and that WordFence would have done absolutely nothing to prevent this breach. I'm also not seeing my comment either, but that's okay.
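Two comments on this page make the same point: a certificate on its own proves nothing, and the protocol configuration behind it (the SSLv3 example just above, the shared-hosting cipher settings earlier) is what decides whether the service is safe. The check a practitioner wants is an audit of the actual `SSLProtocol` directives rather than a look at the certificate. The following is an added example, not code from the commenter, from WordFence or from Apache; it models the mod_ssl directive in a simplified way (`all` expands to SSLv3 plus the TLS versions as documented for Apache 2.4, `+`/bare tokens add, `-` removes, left to right), and the config text is constructed.

```python
import re
from typing import Dict, List, Set

# Protocol names mod_ssl knows; 'all' expands to these (SSLv2 is not in
# 'all' on Apache 2.4 but may still appear explicitly in old 2.2 configs).
ALL_EXPANDS_TO = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
CANON = {n.lower(): n for n in ALL_EXPANDS_TO + ["SSLv2"]}
LEGACY = {"SSLv2", "SSLv3"}   # must never be enabled on a public listener

# Only uncommented directives at the start of a line count.
SSLPROTO = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE | re.MULTILINE)


def enabled_protocols(args: str) -> Set[str]:
    """Evaluate the argument list of one SSLProtocol directive and return
    the set of protocols it leaves enabled (simplified mod_ssl semantics)."""
    enabled: Set[str] = set()
    for tok in args.split():
        if tok.startswith("-"):
            op, name = "-", tok[1:]
        else:
            op, name = "+", tok.lstrip("+")
        if name.lower() == "all":
            names = set(ALL_EXPANDS_TO)
        else:
            names = {CANON.get(name.lower(), name)}
        if op == "+":
            enabled |= names
        else:
            enabled -= names
    return enabled


def audit_config(config_text: str) -> List[Dict]:
    """One finding per SSLProtocol directive: what it enables and which of
    those protocols are legacy SSL that a TLS audit would flag."""
    findings = []
    for m in SSLPROTO.finditer(config_text):
        enabled = enabled_protocols(m.group(1))
        findings.append({
            "directive": m.group(0).strip(),
            "enabled": sorted(enabled),
            "legacy": sorted(enabled & LEGACY),
        })
    return findings


# Constructed vhosts, not from any real server: the first looks hardened
# because it removes SSLv2 but still leaves SSLv3 on; the others are fine.
SAMPLE_CONFIG = """\
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2
</VirtualHost>
<VirtualHost *:443>
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
</VirtualHost>
<VirtualHost *:443>
    # SSLProtocol all
    SSLProtocol TLSv1.2 TLSv1.3
</VirtualHost>
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        status = "WEAK" if f["legacy"] else "ok"
        print(f"{status:4} {f['directive']}  enabled={f['enabled']}")
```

The first vhost is the shape of mistake the comment describes: a certificate is installed and SSLv2 is disabled, yet `all` silently re-enables SSLv3. On a shared host where the tenant cannot touch these lines, the audit result belongs to the provider, not the site owner, which is the earlier comment's point about where the real work lives.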


I think there are actually more web sites being built than ever, and that the problem is that companies expect more for less.

The WordPress pollution has brought about a revolution in pricing within our field. Companies actually expect full e-commerce for under $1k because they've been spoiled with these easy-peasy systems that can be slapped together in no time at all.

How do I market a team of high end devs, engineers and security consultants to develop a company web presence which Joe Nobody is offering them for $599? Here lies the elephant. Not the folks turning quick bucks at our expense, but the mere fact that it's darned near impossible to convince clients to spend wisely.

There are still companies who know better, but in a world where everyone wants to be a 'startup', it's becoming less and less.


First thing I do when configuring a mail client. Enforce plain text only.

