Dices on chess board

Security by Luck

Last week I saw the attack vectors of the most popular attack on
WordPress web sites at the moment.
Just two lines.

Was I prepared? Yep.

In my mail box I had a message, that my web site was updated. It was completely automatic.

I did not even have to press a button. Self service is nice, good service is better. I had the last version of WordPress running. All minor updates are automatically deployed.

Why did I choose WordPress? For one of my test assignments I had to test a WordPress web site. And I did not want to learn another tool to maintain a web site. Sheer luck.

Last year I got an insistent mail from my host provider, that I should upgrade my PHP. The advised version was a safer one.

I dutifully followed the instructions: pressing buttons instead of typing long commands after the prompt. There was nothing scary about.

How did I select my web site host?
I looked for a provider, who provided all kinds of handy services: e-mail, backup, and web site statistics.

“Sheer luck mate. “
“Really? “
“I compared several providers. The one I chose also focused on companies. If I ever would scale up, I had a company, who could help me. “

“Can you be more specific? “

“Sure. I looked for the information on the web site. It was written in a way that I could advise it to a company.

It had also enough tech background information. That was good for my inner nerd. “

“Wait a minute. “
“Yep. “
“You just told, which Content Management System you use for your web site. And that you are using PHP. Are you not exposing too much information? “

“A real hacker can determine this information within seconds. He looks at the source code or using some plug ins.
On my smartphone I have Dual HTML Viewer which is a similar tool. ”
“How did you find that mobile tool? “
“#30daysoftesting

You could call it luck. I prefer to bend it.“

No comments please
Seth Godin once gave the advise to turn off comments in a web site. If the blog post would be interesting enough, then they had to refer to it. Free publicity.

This time saver was a nice advice for me. Yes, I like good comments. Sorry, I focus on writing.

This year I started to test on XSS or Cross Site Scripting attacks. I basically added information to a web site, which changed the behaviour.

If I add html code to a comment, then the comment can be shown in bold or italic. Sometimes it is possible to add extra feature like a window. This can be used to distribute confidential information to other people. Without their permission.

No comment disabled the use of XSS. Luck? Not really.
Seth let me think in another way.

BTW Seth did advise to use comments in the very same blog post.
It is nice to read good things about my blog posts. But for me time is (my) precious.

Don’t be too infectious
One of the criteria to choose my own web site host was full control over the content of my blog. Even I had to pay for it.

There are web sites which provide free web sites, SSL and nice domain names. Their business model or their way to earn money is advertisements on my web site. Of course I can disable it by paying.

On a security conference a Finnish guy showed how advertisements can be misused. He contacted to a web page with a single bad pixel. His system was contaminated within milliseconds. Life on stage.

Reading the right stuff
During one of my visits I saw a familiar computer magazine on the table: “I read it also.”
“It is good.”, was the answer. He also works in the IT, so I valued his input.

Once I read about WordPress tools. There are a lot which are free. So I scheduled my backup and restricted the access with a special tool kit. Sometimes I feel lucky to find easy to use tools.

A Case of Bad Luck
Within two days after pushing my first piece of this blog post on the web I found two annoying items on the web.

Santosh Tuppad had considerable considerations about the use of WordPress by hospitals. And Santosh is a good security tester.

Kristine Corbus, another tester, blogged about the misuse of headers in WordPress.

Then I had a story of Troy Hunt lingering in my memory. He used another Software as a Service for his web site.

“You wrote Troy.”
“It is not a city in ancient Greece, which had the first bad encounter with a Trojan horse.”
“Who’s Troy?”
“It’s the guy who reported about the bleeding cloud and the eavesdropping teddy bears. Troy is a security expert I follow by luck.”

Was I lucky?