Thread: Webhosting Companies And Security Related Attacks

  1. #21
    chipbennett is offline WordPress Legend
    Join Date
    Feb 2009
    Location
    St. Louis, MO
    Posts
    1,993

    Quote: Originally Posted by Otto
    Your thinking on this issue is misguided. If the exploit vector is known, then it is best not released publicly until there is a viable patch for it. Putting information out there before there's a publicly available fix helps nobody.


    That's just saying that an exploit exists, not saying what the exploit is. And actually, from reading that, it appears that they don't know what the actual attack vector is yet.
    Which is true also for the information posted in this thread - and, presumably, at wordpress.org: the actual attack vector isn't known; ipso facto it isn't being disclosed.

    You do have something to hide. The attack itself should be hidden until there's a fix. Every security professional in the world agrees with this.

    When a black hat comes up with a new exploit, usually they exploit it, not tell the world about it. Telling the world about it cuts in on their territory as well as making it more likely that a patch will be created by a white hat.

    But, if a white hat finds an exploit that is being actively exploited by some single black hat like this, then the worst thing he can do is to tell the world, because he's also telling all the black hats, who will now rush to exploit it as fast as possible, before a patch gets put out for it. Instead, he should tell people privately and get a patch developed. Public release of an exploit only makes sense once the patch exists and is being spread.
    Agreed.

    Quote: Originally Posted by andrea_r
    Like Otto says, until there's more information on actually stopping this flaw and being able to fix it, the worst thing to do is to run around telling everyone.

    Which is exactly the point I was making above.
    My only disagreement is that those who are being exploited - or who may potentially be exploited - have a right to know about what's going on, so that they can try to protect themselves. Given that the information thus far doesn't disclose the vulnerability, I think the right to know exceeds any risk to the white-hat types being able to find and fix the vulnerability, or risk of other black hats finding and exploiting the vulnerability. Just my opinion.

    Of course, if and when the attack vector is known, then I certainly agree with you that it should be kept under wraps until a fix is released.
    WP TurnKey - Turn-Key WordPress installation and maintenance services
    WordPress user since 2005 | @chip_bennett | chipbennett.net | cbnet Plugins

  2. #22
    Ryan is offline WordPress Legend
    Join Date
    Jan 2009
    Location
    New Zealand
    Posts
    2,797

    I guess this goes back to the WordPress forums not really being up to scratch. Typically a forum moderator would just flip a poster a PM if they removed their post, but since there's no PM system on WordPress.org that is not possible. Lacking a PM system, then an email would have been nice.

    It probably should be removed though. There's too many potential negatives in posting information about attack vectors for WordPress installations even if they're not explaining how to do the attack or it's specific to one host.

    Attackers just knowing there is a vulnerability is bad as it encourages them to find it.

    Sucks to be MT right now!

  3. #23
    mastermute is offline Hello World
    Join Date
    Nov 2009
    Posts
    4

    Quote: Originally Posted by Otto
    You do have something to hide. The attack itself should be hidden until there's a fix. Every security professional in the world agrees with this.
    Well, it seems that you have misunderstood what I mean; in this case the rabbit is already out of the hat and you can't put it back. In the light of that it's better, IMHO, to put the cards on the table (as MT is doing right now). What you suggest is true as long as an exploit isn't public knowledge.

    Quote: Originally Posted by Otto
    But, if a white hat finds an exploit that is being actively exploited by some single black hat like this, then the worst thing he can do is to tell the world, because he's also telling all the black hats, who will now rush to exploit it as fast as possible, before a patch gets put out for it. Instead, he should tell people privately and get a patch developed. Public release of an exploit only makes sense once the patch exists and is being spread.
    To contradict that is the fact that open source also means that more white hats can contribute to a patch if they know about it. Arbitrarily suggesting that only a "core team" is best suited to provide a fix is also naive, IMHO; it's not uncommon that there have been "community patches" available before "official patches".

    Quote: Originally Posted by chipbennett
    My only disagreement is that those who are being exploited - or who may potentially be exploited - have a right to know about what's going on, so that they can try to protect themselves. Given that the information thus far doesn't disclose the vulnerability, I think the right to know exceeds any risk to the white-hat types being able to find and fix the vulnerability, or risk of other black hats finding and exploiting the vulnerability. Just my opinion.
    Spot on!

  4. #24
    chipbennett is offline WordPress Legend
    Join Date
    Feb 2009
    Location
    St. Louis, MO
    Posts
    1,993

    Quote: Originally Posted by Ryan
    I guess this goes back to the WordPress forums not really being up to scratch. Typically a forum moderator would just flip a poster a PM if they removed their post, but since there's no PM system on WordPress.org that is not possible. Lacking a PM system, then an email would have been nice.

    It probably should be removed though. There's too many potential negatives in posting information about attack vectors for WordPress installations even if they're not explaining how to do the attack or it's specific to one host.

    Attackers just knowing there is a vulnerability is bad as it encourages them to find it.

    Sucks to be MT right now!
    Sure, specific information could have been removed/censored, while leaving the post/thread itself, with a comment such as "Post edited by moderator to remove specific details of the vulnerability", along with the other information above, about sending information to security@...

    That's all I intended - and, really, if they just remove such posts, they'll have more moderation work to do, as they very well may keep popping up as more and more people discover that their sites have been compromised.
    WP TurnKey - Turn-Key WordPress installation and maintenance services
    WordPress user since 2005 | @chip_bennett | chipbennett.net | cbnet Plugins

  5. #25
    andrea_r is offline WordPress Rockstar
    Join Date
    Jan 2009
    Location
    Eastern Canada
    Posts
    1,325

    ... and as of right now, we have no confirmation of any kind that it's WordPress, a plugin or the server.

  6. #26
    PaulCunningham is offline Hello World
    Join Date
    Jan 2009
    Location
    Brisbane, Australia
    Posts
    70

    These types of unknown situations make me nervous so I hope it's sorted out soon, whichever way it goes.

  7. #27
    frankfarmer is offline Hello World
    Join Date
    Mar 2010
    Posts
    6

    Quote: Originally Posted by andrea_r
    ... and as of right now, we have no confirmation of any kind that it's WordPress, a plugin or the server.
    Yep. Notably, MT has rolled out a kernel update in response to this. Additionally, the vast majority of infected sites -- if not all of them -- are on MT's grid. But MT has stated that all infected grid instances are running WordPress.

    Vinh and I pretty much ruled out plugins: the only plugin he and I had in common was Akismet.

  8. #28
    andrea_r is offline WordPress Rockstar
    Join Date
    Jan 2009
    Location
    Eastern Canada
    Posts
    1,325

    I am not sure this is related, but I got an email from a popular shared host I have an account on (long story) and they stated that last month one of their boxes was hacked & the cPanel passwords were lifted. The hacker then uploaded malware via FTP to some accounts. Which they've cleaned up.

    So. Possibly not related but interesting nonetheless.

  9. #29
    Ipstenu is offline Big Tipper
    Join Date
    Feb 2010
    Posts
    368

    It's a damned-if-you-do situation. If you leave the post, more people find out about it and more (evil) people abuse it. If you remove the post, people think there is no issue and don't take precautions. *sigh* You really can't win.

    As for MT saying all the sites had WordPress, that may not mean anything. What's the percentage of their sites who use WordPress? Are they using a secured/hardened WP or are they loosey-goosey in permissions? Were the WP installs done via Fantastico or something similar?

    They simply don't have enough datapoints to triangulate right now.

  10. #30
    chipbennett is offline WordPress Legend
    Join Date
    Feb 2009
    Location
    St. Louis, MO
    Posts
    1,993

    Quote: Originally Posted by Ipstenu
    It's a damned-if-you-do situation. If you leave the post, more people find out about it and more (evil) people abuse it. If you remove the post, people think there is no issue and don't take precautions. *sigh* You really can't win.
    Not necessarily. A moderator can censor any sensitive information, while leaving the thread intact.

    As for MT saying all the sites had WordPress, that may not mean anything. What's the percentage of their sites who use WordPress? Are they using a secured/hardened WP or are they loosey-goosey in permissions? Were the WP installs done via Fantastico or something similar?

    They simply don't have enough datapoints to triangulate right now.
    For the unaffected, the whole thing is quite interesting (not so much, for those whose sites were hacked). I will be interested to find out what the root cause was.
    WP TurnKey - Turn-Key WordPress installation and maintenance services
    WordPress user since 2005 | @chip_bennett | chipbennett.net | cbnet Plugins
