This week, we discuss active exploitation of a plugin vulnerability in the wild, an extortion scam hitting numerous website owners, exposure of Industrial Control Systems to attackers as well as a CBP breach affecting travelers in the United States. We also talk about an email server vulnerability and what to do in a SIM port attack.
Here are approximate timestamps in case you want to jump around:
0:35 User Submitted Posts Plugin Vulnerability Seeing Attacks
4:20 An extortion scam is threatening website owners & how to protect your site
10:10 CBP breach of license plates and facial recognition data affecting US travelers
16:54 WordPress accessibility proposal
25:25 Google Cloud outage affects numerous services
26:59 State of Industrial Control Systems in Poland and Switzerland
36:00 Severe RCE in Exim mail transfer agent
37:09 What to do when SIM swapping happens to you
You can find Mark on Twitter as @mmaunder and Kathy as @kathyzant. Please feel free to post your feedback in the comments below.
Mark: Hey and welcome to Think Like A Hacker, Episode 21. We are now of legal drinking age, and of course, we are the podcast that explores WordPress innovation and security. We’ve got a busy news episode for you at the beginning of this week, so let’s get started.
Mark: All right, diving straight in. Kathy, looks like we’ve got an arbitrary file upload vulnerability in the WordPress User Submitted Posts plugin, right?
Kathy: Yes, we do. This one was discovered by our friends over at Ninja Firewall. This was written about in early May, but we just started seeing active exploitation happening. This plugin has about 30,000 installations, and the vulnerability allows an unauthenticated user to upload and run a PHP script. Since there are lots of PHP scripts with malware and backdoors, this was obviously a very dangerous vulnerability.
Kathy: The plugin was patched. It was reported to the plugin team on April 27th and they wrote about it a few days later, but we’re just now starting to see some active exploitation, so we just wanted to do a quick public service announcement to everyone to watch out for these exploits, and if you are running this plugin, make sure that you have the latest version, which looks like it is a date stamp, 20190502, to make sure that you are protected.
Mark: Yeah, no, this is a good one. This was on Ninja Tech’s blog. Let me get their name right. It’s the Ninja Technologies Network and I believe they make a WordPress security product, nintechnet.com.
Mark: What I love about this report is that in his blog post, he actually looks at the PHP functions that the plugin author calls, one of them exif_imagetype, and the other is getimagesize. He actually goes and looks at the C source code of those PHP functions because of course, PHP itself is open source and it’s written in C.
Mark: He or she, I’m actually not sure who the author is, but someone at NinTech went and looked at this, and they discovered that these functions … The plugin author was using these functions to validate whether an upload is an image or not. This researcher looked at these functions, and the way they actually work, and what they look at in the image file, and realized that these functions look at the image header and not much beyond that. exif_imagetype and getimagesize both do the same thing. So by looking at the C source code of these PHP functions, this researcher was able to reverse engineer a way to upload a malicious payload, and pretend that it’s an image, and have it bypass these checks.
Mark: As the researcher points out, don’t use these functions to validate that something is an image. These functions are designed to give you data about an image, but they’re not very good at validating whether something is actually an image. It’s a really great blog post, we’ll include it in the show notes, but I thought that was quite impressive, Kathy.
Kathy: Yeah, definitely is very impressive. A lot of people, we get habituated into thinking that just because something has an extension on the file of .GIF that it’s an image file, but we’ve seen numerous pieces of malware hidden in ICO files. It doesn’t matter what that file extension is if they can get PHP to execute using that file on that server, right?
Mark: Yeah, exactly. If I recall correctly, the blog post explains how to actually do image validation properly, and also, there’s a function available that lets you create a safe filename when you’re storing an image so it won’t be executed as PHP by the web server. But yeah, that was a really good one, and we’ll definitely include a link there in the show notes to NinTech’s blog. Congrats to them.
Mark: Yeah, and then I guess there’s a new extortion scam that threatens to ruin a website’s reputation. This is via Bleeping Computer. Kathy, is this Catalin’s reporting again?
Kathy: No, this was, I believe, Lawrence Abrams at Bleeping Computer.
Mark: Right, of course. Yeah.
Kathy: Catalin, I think-
Mark: I get confused because Lawrence, I guess, took over Catalin’s job. He now writes for ZDNet and he used to write for Bleeping Computer. Anyway, great article there from Lawrence. The story there is that one of our customer support engineers noticed that we’ve had this happen to a few customers, so that’s why we wanted to include in the newscast.
Mark: A few months ago, some spam emails started making the circuit. Actually, I think this was a couple of years ago, Kathy. I remember a friend telling me about this, where there were these sextortion campaigns where someone says that they hacked your computer, and they’ve been watching you do naughty things on the internet, and they’re going to extort you. I guess this is similar in the sense that these folks are saying that if you don’t send them .3 bitcoin, which is approximately $2,400 at the time of recording, they will basically sully the name of your website by generating a ton of spam that seems to come from your domain name and so on. They give you specific numbers in their threat, saying that they’re going to generate X million spam messages that mention your domain name, and that Spamhaus is going to blacklist you, and it’s going to significantly impact the functioning of your business and so on.
Mark: If your mail server is not configured securely, then they might actually be able to do some damage there, but I think the trick here is to basically use SPF to configure your mail server to say that only your server can send email from that domain. You can also use DKIM, which is another technique. I think I’ll just briefly touch on how those two work.
Mark: It’s been a little while since I configured them, but an SPF record is basically a text record in DNS that says that the following IP addresses are allowed to send mail for the specific domain. If an attacker comes along and spoofs your domain name, they’re sending it from an IP that’s not on that list. The mail servers that are receiving it are just going to automatically bucket it into spam or just even black hole the email.
Mark: DKIM is similar. It’s actually a way of signing emails to authenticate that they came from the correct mail server. It works via digital signature. You have a private key that’s based on the mail server. There’s a public key that is in the … Kathy, is the public key stored in the DNS record? I forget.
Kathy: Yeah, it’s in the DNS information and that’s how they verify the signature.
Kathy: And a domain can have several DKIM public keys listed, but each matching private key is only on one mail server.
Mark: Right. Okay, cool. Yeah, like I said, it’s been a while. So DKIM is a way to authenticate yourself as the valid mail server as well. That will prevent this kind of extortion from affecting you. You can just laugh off this email extortion campaign. But if you haven’t configured SPF or DKIM, then you should probably sit up, pay attention, and go and set that up or talk to your ops team to get that done.
Kathy: Yeah, hosting providers are pretty good at assisting with setting this up. If your hosting provider is also providing your mail service, they’re pretty good at setting this up for you just to protect your site reputation.
Kathy: Also, in our site cleaning business, we have often had numerous customers come in and they’re literally freaking out that, “Oh my gosh, I’m on a spam blacklist.” It’s a relatively common problem, especially on shared hosting providers, because you can be on the same server as a site that has been hacked and is actively having a problem. Hosting providers usually take this into consideration and want to shut down sites that are sending spam or whatever, but IP addresses can get blacklisted fairly frequently, and a lot of site owners worry about this. This is something that it’s just routine maintenance of making sure that your site is secure, and that you’re not on any blacklists, and that you can adequately send emails. But people are afraid of this happening, and they’re afraid of what it’s going to mean for their domain, and that’s what, I think, this malicious attacker is preying off of.
Mark: Yeah, for sure. The paranoia and, “Oh my goodness, I better send .3 bitcoin or $2,400 to this address,” I guess until the next guy comes along and wants the same amount of money or more. But if I recall correctly, we checked to see if you have been blacklisted anywhere. Are we still doing that with Wordfence?
Kathy: Yes, we do. We have procedures and policies in place that, if a site is hacked … And Wordfence itself will actually check your IP address and see if you’re on any blacklists. And then part of our site cleaning process is to make sure that your site is clean because if your site has been hacked and has to get cleaned up, there’s a possibility that it might end up on a blacklist or have problems with Google. Our site cleaning team is really good at ensuring that the domain is cleaned up after an incident.
Mark: Cool. And then I think there’s some web-based tools where you can go and put your IP address in there and it will do a meta search and check around 60 different blacklists, so we’ll include that in the show notes as well.
Mark: But Kathy, this CBP story, I think maybe you should run with this because I’m going to end up going off on some rant that’s going to take at least half-an-hour.
Kathy: Gee, I can’t understand why. Okay. Well, this is kind of fresh, right? This just came out this afternoon. We’re recording this on the afternoon of June 10th. TechCrunch is where we first saw it, but it’s starting to hit other news sources as well.
Kathy: CBP learned that a subcontractor, in violation of CBP policies, and without their authorization – sorry, being hyper-dramatic there – but they had actually taken copies of license plate images and traveler images collected by this subcontractor, and that subcontractor is Perceptics, and apparently, they were once a subsidiary of Northrop Grumman. They are apparently the only provider of license plate reading and facial recognition to CBP.
Mark: I just want to clarify something.
Mark: We’re inferring that it is Perceptics based on the fact that they’re the only provider of this technology, right? Or has it actually been announced that it is them?
Kathy: In the article from TechCrunch, it was announced that this breach came weeks after a report that Perceptics, who was the sole provider, was breached and that data was dumped on the dark web, but it’s not yet known if those two incidents are linked, but suspicious correlation there.
Mark: Yeah. I guess what really got me wound up is, in reading this article, you’ve got the usual ducking and diving. CBP, for our international listeners or viewers, is Customs & Border Protection in the United States. It’s one of the largest enforcement agencies, perhaps the largest, in the US if I recall correctly because we have, for example, a massive … I think it’s the biggest land border in the world between ourselves and Canada and so on. It’s a very big agency.
Mark: What really got me wound up about this is that in the reporting, CBP is responsible for this data, but they’re immediately pointing the finger at a subcontractor, and they transferred the data without authorization, and so on. I guess there’s this pattern when we have a data breach where accountability is never on the company that has actually had the breach; it’s an employee that did something bad, or a subcontractor, or something like that. Even with the Facebook issue with Cambridge Analytica, it was, “Well, it’s Cambridge Analytica. They’re the bad guy,” and Facebook pushes that message and stays on message. Here with CBP, you’ve got the same thing.
Mark: And then there’s other techniques that companies will use as well, which is immediately attributing it to an advanced persistent threat. In other words, some large country spy agency probably got in, so it’s not that we’re incompetent, it’s that they’re just very good. It really, really irritates me, and I think that the reason I think it’s problematic is because it shifts accountability from, in this case, CBP, onto this subcontractor. In the post-mortem, what they’re going to do, a lot of energy is going to be put into fixing, maybe firing the subcontractor, and by the way, they haven’t been fired, fixing how relationships work with subcontractors, and so on. But CBP, in my mind, is actually accountable in this case. That’s the one point I wanted to make.
Mark: And then the other is, you know, a few years ago, we had the OPM breach. If you don’t know what that is or you’ve forgotten, it’s the Office of Personnel Management. What was breached there is the files of everyone with secret or above clearance in the United States, and that included adjudication data, which is folks that have, under a polygraph, they’ve strapped on a polygraph and taken a lie detector test, and they have had to admit any issues that they have: alcoholism, an affair with someone, that kind of thing, so that can’t be used against them as blackmail when they’re in a top secret job. Some foreign spy agency can’t come in and try to blackmail them into giving them data because they’ve already been through this truth and reconciliation process, if you like, with a polygraph and with the agency that’s giving them their clearance.
Mark: That data was stored with OPM, and that data was breached. It is quite possibly the most sensitive data that the government holds that was breached a few years ago. That, to me, was just a very clear demonstration that if they can’t protect that, then it’s not possible to protect just about anything else. Now we’ve got a breach with CBP data, and I think there’s more to come.
Mark: I guess I don’t want to get on my ideological soapbox here and try to say, “Well, you should vote for this person, or vote for that person, or you should support this policy.” I think the point that I’m trying to make here is simply that when thinking about these things, assume that data is going to be breached at some point, and even folks that seem like they’re mature, have gray hair, wear a nice suit, and so on, and pat you on the shoulder and say, “Don’t worry, son. We’ll take good care of this. We employ more mathematicians than anyone else on the planet,” bullshit. This proves that, the OPM proves that, and future breaches of very sensitive either government data or private data will prove that. It is very, very hard to protect data.
Mark: So I think it’s important to think about what data should be collected in the first place, and for example, what the deletion policies of data should be, and so on. Kathy, I will stop. I’ve been going on for a few minutes now, but this article just really irked me. And of course, it’s just come out, I think, two hours ago on TechCrunch. It looks like you’ve got a Vice link in here as well now, Kathy. I guess they’re covering it as well.
Kathy: Yeah. Nothing major new that came out in that Vice article, just some more background information of who Perceptics is, and what their business model is basically.
Mark: Cool. All right. Well, very interesting post here on a model for WordPress accessibility, don’t you think?
Kathy: Yeah. Obviously, with the new Gutenberg Editor in WordPress, people are talking about accessibility because you have a new editor and it’s just gone through an accessibility audit that was organized by WPCampus and funded by various people, including Matt Mullenweg.
Kathy: On May 27th, Adrian Roselli, who has been around for a while, posited a proposal of what should be done for WordPress accessibility. In this proposal, he outlined basically arguing that Automattic should take some leadership and fund accessibility for WordPress. What do you think about this, Mark?
Mark: Yeah. I guess I think Adrian has a lot of really great thoughts. I think it’s a well-written post, and it’s well-structured, and there’s a lot of good points in there.
Mark: I think that when it comes to accessibility, there’s a reality that I think a lot of people aren’t acknowledging, and that is that for companies, individuals who work on software products, and organizations, including volunteer organizations like the WordPress community, there’s a market size issue. This is a hard issue to discuss. I’m having to choose my words carefully when I talk about this, but the folks that need accessibility in software, they’re a minority. They’re a much smaller group than the folks who don’t need it. So when companies think about what they’re going to prioritize, they don’t put this at the top of their list. They’ll prioritize things that serve a much larger market segment. They will try to please most of the people most of the time.
Mark: I think that’s a reality that is not being acknowledged when it comes to accessibility. There’s a lot of really great intentions, and a lot of people write about this, but there isn’t the impetus to actually take action, to implement some of the things that Adrian writes about in his blog post. There isn’t the will, or if you’re in a private company, there isn’t the financial imperative to prioritize accessibility over the many, many other things that you want to build into your software.
Mark: Accessibility is hard because it impacts release schedules. Every new feature that you implement that has a user-facing element has to go by the accessibility team and they have to make sure that it’s accessible. Does it break accessibility? Is there something that we need to do to add accessibility to this?
Mark: That problem, I don’t know that it’s solvable by the entities that are affected by this. It’s one of those things that feels a little bit like air traffic control or lighthouses where a regulatory body, the government in those cases, has to step in and say, “Okay, we’re going to create the FAA, and they’re going to build air traffic control centers around the country, the system’s going to be standardized, and it’s going to interoperate well, and we’ll fund the whole thing.” This feels a little bit like one of those problems because you don’t have that will, that impetus, that momentum to solve accessibility.
Mark: With all of these great ideas, with all of these best of intentions, it still continues to fall by the wayside. If you need software to be accessible, it sucks. Big time. It really affects your quality of life. I think that what perhaps needs to happen here is that the leadership in WordPress, and maybe that’s Matt, Josepha, and the folks that are at the top, along with the support of the community, need to perhaps implement policies that create that will artificially, if necessary.
Mark: For example, saying, well, plugins that are accessible will rank higher in the plugin repo search algorithm where people go to find plugins than plugins that are not accessible. In other words, reward them. Create those incentives, and do it artificially, and do it with the buy-in of the community. Don’t just impose this on everyone, but understand that the problem that needs to be solved here is not necessarily what should we do, but why will all of those developers and companies want to do it? Let’s create the will.
Mark: I’m a free market guy. I’m not a, “Let’s have more government regulation” guy, but this really feels like one of those problems that is not going to be solved unless we have something like that happen to create that incentive for dev teams to add accessibility to their products and continually keep those products updated, and be excited about doing it because there’s some reward for them to do that, and maybe it’s their profile is elevated in the community or something like that. I guess we’re going to have to think that through.
Mark: But Kathy, what are your thoughts on this?
Kathy: Well, we do have some, although it’s sort of in a microcosm, some incentive to hit accessibility, and it’s beyond, “We’re good people and we want to make sure that the web is completely accessible.” But the government does have something called Section 508. If you are a university that receives government funding, or an organization that receives government funding, you are required to adhere to accessibility standards. Section508.gov has a number of helpful guides and tools that can help you determine if you’re accessible, but it’s such a small part of the overall, I guess, business industry that’s using the web. That incentive just is not big enough for it to, I guess … I don’t know the financial motivation for plugin developers, or for theme developers, or for WordPress as a whole. It’s an organization that wants to democratize publishing, and that is the mission of WordPress.org, and to democratize, you have to be inclusive and you have to include everyone.
Kathy: So I think these kinds of goals need to be integrated into that overarching mission as WordPress as a whole because the financial incentive, I know a lot of plugin developers who are not making bank, so to speak, with their plugins. They’re doing it for the good of the community, they’re doing it because they have passion for WordPress and for what can be done with it, and they had an idea and brought it to life and it serves a number of people, so they maintain plugins because of that, sort of this altruism. There’s no financial incentive for them to go through the rigorous testing that accessibility can require.
Mark: Yep. I don’t know that the incentive has to be financial. Those folks wrote those plugins and that software for a reason. Maybe it’s fame, raising one’s profile in the community, that kind of thing.
Mark: Doing more of that as a reward for adding and maintaining accessibility could work. But I think about these rumble strips that you have as you approach a traffic light that alert the visually impaired to the fact that they’re approaching an intersection, and then the ramps that go down from sidewalks to level crossings and so on. I don’t know what the policy is there, how those get implemented, but I don’t think that a construction crew gets together and out of the goodness of their heart, they build these things.
Mark: It might be a good model, sort of an analog, to look at for the WordPress community to figure out, okay, well what incentives or regulatory powers are put in place or exercised to make that happen? Perhaps we can learn from that.
Mark: But anyway, great blog post from Adrian Roselli. You can find it on AdrianRoselli.com and we’ll definitely include that in the show notes. Nice job, Adrian.
Mark: Unless you were on the moon, you heard that Google had a huge outage. Did that affect you, Kathy?
Kathy: I was actually out in nature, enjoying. I think it was a nice day for a change in Phoenix, so I didn’t even know it was happening.
Kathy: I think it was happening on a Sunday afternoon or something and I was offline.
Mark: Yeah, yeah. Well-
Kathy: How about you? Did it affect you?
Mark: No, it actually didn’t. I was somewhere as well. Actually, I think I was working, but I think I might have been doing something local on my machine, so I don’t think it affected me, but it affected a lot of folks and services that Google provides, and a lot of companies that use Google services like YouTube and Snapchat. Of course, YouTube’s part of Google, but Snapchat, for example.
Mark: Apparently, they were making a routine configuration change and ended up in this kind of cascade of failures. The trouble became really bad because the management traffic on their intranet was throttled as part of this outage. They actually had a hard time accessing their own network when they were trying to fix this.
Mark: Yeah, story’s been around for a few days now. Wired’s got some good coverage on it. If you want to look at what a cascade of network failures look like, and perhaps feel a little bit of what the Google engineers felt when they realized they couldn’t access their own network to fix it, it’s definitely a good read. Check that out and we’ll include it in the show notes.
Mark: This story, I think the title of the blog post was State of Industrial Control Systems in Poland and Switzerland, which sounds kind of innocent, but this really caught my attention. Kathy, this illustrated to me how vulnerable huge spots of the internet still are, huh?
Kathy: Yeah. This reminded me a lot of intelligence and war because it was just showing you how vulnerable and how the tools exist now to do this kind of espionage research of where vulnerabilities can exist, and not just in a website like WordPress, but at your hospital. [crosstalk 00:27:55] to people’s life.
Mark: Yeah. So the story here is that there’s a tool called Kamerka and I think it’s been around for a little while. This tool is used to map parts of the internet and it uses Shodan, which if you don’t know what Shodan is, you can go to Shodan.io, S-H-O-D-A-N.io. Shodan is used by the information security community. It maps open ports on the internet, systems that are listening on certain network ports, and so on that perhaps should not be listening on those ports and should not be accessible to the public.
Mark: One of the things you can do with Shodan is you can find cameras, for example, that are accessible to the open internet. Some of those cameras don’t even have any authentication. They’re, I guess what you call, IoT devices or Internet of Things devices that have an internet interface. Shodan has traditionally been used to expose things like that, telnet ports, things like that, and Kamerka takes Shodan data and combines it with Google Maps and lets you see where these things are on a map. I think it combines a few other things like Twitter and so on.
Mark: Well, they did an update to Kamerka that really focused on industrial control systems. Now, industrial control systems, or ICSs, are computers that manage things like factories, power stations, and so on, the really important infrastructure that a country relies on. There are some very famous cyber attacks against ICSs. Stuxnet is of course one that’s super famous. That’s where allegedly the US and Israel used some malware to destroy centrifuges at the Natanz facility in Iran where they were purifying uranium for use in, potentially, a nuclear weapon of some kind. That was a successful attack against an ICS.
Mark: There’s also the BlackEnergy malware, which targeted power stations in Ukraine back in 2015, and that was actually successful, and it took down … 30 substations were switched off. Folks lost electricity for one to six hours. The attribution there, you know attribution’s hard, but the word is that it was the Russian Federation that was targeting Ukraine with a cyber attack. So again, a cyber attack that successfully targeted an industrial control system and significantly affected the operations of a country.
Mark: This update to Kamerka looks at Shodan data, finds industrial control systems, lets you know that they are open to the internet, puts them on a map, and integrates it with Google Street View so you can look at the facility that is running this open system, even do a kind of physical security audit because you have photos of it from Google Street View. This is pretty scary.
Mark: As I think you were pointing out, Kathy, it is like an intelligence gathering tool that a military would use when preparing to target an attack on a country’s infrastructure, right?
Kathy: Yeah. The point was made in this article that these ICS systems should not be on the internet. They shouldn’t be accessible on any port, but they are, and just to be able to see what’s accessible and exactly where it’s at, and if you read the article and actually look at it, there’s a map. You can just like … Oh my gosh, this is crazy that so many industrial control systems, just in Poland right here, I don’t know, I feel like I’m in World War II and planning for invasion just looking at all of these juicy little targets. It’s kind of a crazy vibe you get when you really look at this.
Kathy: If you’re thinking like a hacker, and you’re looking at the vulnerability that may exist in some of these ICS systems, and what they are connected to, and this tool just underscores how fragile systems can be, and the people who are allowing these to be accessible via the internet, the vulnerabilities that they’re bringing forth, people need to secure these things and take them offline.
Mark: For sure. I guess I had two thoughts when it came to this. The one is that this kind of research where sunlight is considered the best disinfectant can be really, really scary sometimes. I guess there’s two parts here. The one is don’t tell anyone, or maybe just tell some of these industrial control systems, the owners of those ICSs, that their systems are online. But that’s incredibly labor intensive. There’s an individual, I assume it’s an individual researcher or an individual or a small group of developers that’s creating Kamerka, and they don’t have the resources to go and alert every single ICS worldwide, “Hey, your stuff’s online.” In a lot of cases, when you alert these big organizations, they don’t care.
Mark: Putting this out there really shines a very stark light on the issue here and will no doubt get some action. But it is really, really scary, and it’s quite a visceral experience, as you said, looking at this map and going, “Oh wow, there’s a bunch of military targets for a military cyber attack team.” That’s the one thought that I had.
Mark: The other thought that I had is that it feels like large parts of the internet are still very insecure. It’s going to take time for that to be mitigated, for teams of cybersecurity professionals and government employees to actually secure systems like this. What bothers me is that I think, perhaps a couple of decades from now, things are going to look vastly different. Cybersecurity is going to be a way of life. We will have incorporated it into our personal lives, into our business lives. Operations teams, probably half of the teams will be security professionals working around the clock to secure systems and so on.
Mark: You know, this might sound crazy, but the thought I had when I saw this was it feels like there’s an opportunity right now for an up and coming player who isn’t necessarily as well-funded as the large superpowers like the United States and China, but does have a kick-ass cyber military, I’m sorry I’m using the word cyber so much, but that has a kick-ass military operation outfitted with hackers to go in and actually do some serious damage that they wouldn’t have been able to do before or they won’t be able to do a few decades from now.
Mark: I guess we’ll see how this unfolds, but that’s a thought that I had, that when you see this stuff plotted on a map, and these are industrial controls systems that are connected to mission critical systems where, if those systems are damaged, or taken offline, or explode, or whatever, they significantly affect a country in a very bad way, same as a kinetic attack would if you shot a missile at these things. It just feels like we’re at a very special moment right now where, if you are a small country that wants to do some really bad damage, and you know how to attack these systems, you can do that. It leaves me deeply concerned.
Mark: But yeah, moving on. A quick note, and this is really to hosting providers and folks in operations teams, there’s a severe vulnerability in Exim, which is a mail server or a mail gateway. It is actually an RCE, but it’s not a remote code execution vulnerability; it’s a remote command execution, although the command is executed as root. The versions that are affected are from 4.87 to 4.91 inclusive. This was fixed in version 4.92 in February 2019, but the fix was never announced as a security fix, so a lot of operating systems like Ubuntu that are bundled, that come with Exim, have been bundled with a vulnerable version of Exim.
Mark: Definitely check what version you’re running, and if you’re running a version prior to 4.92, especially if you’re running 4.87 to 4.91 inclusive, then you’re going to want to scramble to get this fixed. Yeah, we just wanted to share that quick note for ops teams out there. Definitely check the version of Exim you’re running in production and take a look at that.
Mark: SIM swapping. There was a really interesting article written, I guess it’s on Medium, and it’s written by someone in the crypto space, Kathy, on what to do when SIM swapping happens to you.
Kathy: Yeah. The person, they’re going under the name CipherBlade, wrote this article on Medium under the MyCrypto publication. They published it on June 5th. We’ve been talking a lot about SIM swapping or SIM attacks or SIM porting. It can be called port-out fraud, phone porting, SIM hijacking. There’s various terms for what happens here, but the actual event is all the same.
Kathy: The article is really helpful because it basically tells you what to look for when a SIM jacking or SIM port attack is happening, how you can prevent it. It’s a rather long read. Medium puts how long of a read, how much of a commitment you need to make to an article, and this is 50 minutes, so it’s a high school class basically in how to protect yourself-
Mark: For sure, yeah.
Kathy: With two-factor authentication. What struck you, Mark, in terms of the most important things from this article?
Mark: I guess again, and Kathy, I might be repeating a little of what you said here, but SIM swapping is when someone calls your cellphone provider, pretends that they’re you, and they get that provider to assign your SIM to their phone. They will then receive SMSs that are destined for you, and phone calls, and that kind of thing.
Mark: I think they spell this out in the article, but a great example of how this is exploited is with Google, if you’ve lost your password, you can say to Google, “Okay, well I want to authenticate some other way,” and it’ll ask you a secret question or it will take you through a series of steps, but eventually, if you keep saying, “I want to try another way, I want to try another way,” eventually they say, “Okay, great. Well, we’ll send a code to your phone and if you could tell us what the code is, then we know that you’ve got your phone and you’ve proved that you are you. We’ll then allow you into the account.” If someone has ported your SIM or swapped your SIM to their phone, they get that code. They can sign in as you. Now they’ve got access to your email account, and they can start mining that email account to see what services you use.
Mark: One of the first things that they do is they’ll look to see if you use any cryptocurrency services. They’ll figure out what those are, and then they’ll go to the lost password option on that site. They’ve already got access to your email, they’ve already got access to your phone by doing a SIM port, and they can do the forgot password thing. If you’ve got 2FA enabled, then it’s SMS-based. They will receive the code that’s sent to your phone as well and they’ll sign in as you, and then they keep going through your various services and so on.
Mark: That’s how it works. As we mentioned on the previous episode, we recently launched a standalone plugin called Wordfence Login Security, which does not use SMS-based 2FA; it uses time-based one-time passwords, and of course Wordfence does the same thing now. We’ve moved away from SMS. We’re considering it legacy. We’re continually encouraging people to move away from it because of exactly this attack.
Mark: One of the things that really caught my eye in the article, and I think this is probably, in my humble opinion, the most useful piece of data that I saw here is how do you know if someone has just ported your SIM, if someone has just SIM swapped you? There’s a few signs here. And again, as Kathy mentioned, it’s a long article, it’s worth a read. Once you read the whole thing, you’ll be an expert and might need to sleep for a couple of days because it’s quite long. Some of the signs are you may receive a call or text from your phone carrier support agent if the attacker disconnects in order to try again.
Mark: The reason this might happen is because what an attacker will do is they’ll try to get a gullible, let’s say, AT&T or T-Mobile agent on the line, and if the agent doesn’t seem gullible enough, they’re like, “Hey well, I’m not sure that you are who you say you are,” they’ll just hang up and they’ll try the next one, and they’ll keep doing that until they get to the 15th agent where the agent’s like, “Oh cool, yeah, we can do that. I know you’re having a bad day. I’m sorry that your parent just died. Let me see what I can do here.” Because all of these agents will be hanging up on the individual who’s doing this, the attacker, you might get a call from an agent saying, “Hey, we got disconnected.” That’s one of the telltale signs.
Mark: The other is that you will suddenly and unexpectedly have no cellphone reception because, of course, your SIM has been ported to a different phone. Your phone is, as far as the cellphone network is concerned, your phone is dead. If you reboot your phone, it won’t help. Remember, you might have wifi enabled, you might be at home, so if your cellphone signal dies, it might still appear that your phone is online. So check that little signal indicator in the top right to see how many bars you’ve got, and whether the AT&T logo, or whoever your provider is, appears there, because if that disappears, that’s a sign that your SIM might have been ported.
Mark: You might also have notifications that came through before your phone lost service or if you’re still on wifi, you can see suspicious emails that came through from your phone carrier or password reset emails from various services. These are signs that folks are pinging your accounts trying to get in. That could happen. That might be a precursor to right before they actually successfully port your SIM.
Mark: You might also have a system notification stating that you can no longer access a phone level account and need to reenter your password. On Android, you might see something that says, “This account was added to a new device.” Of course, your SIM has been ported to a new phone. Security products including, I think, ourselves, have the ability to detect if a new device is signing in, and they’ll up the sensitivity and send alerts to users and that kind of thing. If you see an alert like that, that’s a potential sign.
Mark: On iOS or your Mac computer, you may have an “Are you attempting to log in from Los Angeles, California,” or Ukraine, or something like that appear. That could also be a sign that someone is about to port your SIM or has already ported your SIM. If you use any non-SMS 2FA that has push notifications set up, then you might get a thing that says, “Here’s your code that you requested,” even though you’re not trying to sign in anywhere.
Mark: The trick is to just have really good situational awareness when it comes to being online, being on your device. If you see things that are weird in your email inbox, on your device, push notifications that you didn’t expect, things popping up on your desktop saying, “Are you trying to sign in?” or, “You have just signed in from somewhere,” drop what you’re doing and react immediately because the modus operandi, the MO of these attackers is that they will get as much out of compromising your inbox as they possibly can.
Mark: For example, these folks that are stealing cryptocurrency, they don’t just go in and withdraw any cryptocurrency that you have in your, say, Coinbase account or something crypto service account; they’ll do that, and then if your bank account is linked to that service, they will withdraw as much money as they possibly can from your bank account, turn it into cryptocurrency, and then take that as well, then go back to your inbox and see what other services you’re using and keep going. It can be incredibly damaging if you are compromised in this way.
Mark: Unfortunately, the cellphone providers don’t seem to have beefed up their security so that they’re impervious to these social engineering attacks, so they’re a weak point. The trick is to up your own awareness of signs that you’re being targeted or being attacked, and react very quickly when it happens, and you might be able to limit the damage.
Mark: Kathy, how’s that sound? Anything you want to add?
Kathy: Yeah, that sounds really good. The thing that I really liked from this article is panic correctly. “Be like the duck: calm on the surface but paddling like hell underneath.” Obviously, if you start seeing signs Mark has just described, you’re going to freak out, right? That’s what happens in a difficult situation. Any kind of blindsided situation, whether it’s a car accident, or someone has fallen and can’t get up, or whatever stressful situation happens, it’s good to have a plan. I really liked this article because it gives you the plan. It tells you what to do first.
Kathy: I’m going to bookmark this because this is a good plan. Maybe I’ll even print it out or something because you have to be aware that you can’t call your phone provider if your phone’s not working, right? If your SIM card has been ported, if you’re under a SIM attack, your phone’s not going to work, right?
Kathy: So you have to have a plan in place, assume that this is happening, and what are the steps? What does your SIM port attack incident response plan look like? This walked me through, as I was reading it, making sure that your phone is turned off. First of all, making sure that you have an alternative phone available; ask that your phone number is turned off so that no SIM card is working for your phone number whatsoever; and then just do your investigation, figure out exactly what happened, make sure that your accounts are locked down.
Kathy: It walks through so many different things that you can do and the mindset that you adopt when you’re in an incident response. I thought that was really fascinating.
Mark: Yeah. No, I think the key here really is to think like a hacker. We, internally, and I’ve mentioned this before, we do tabletop exercises where we war game certain scenarios of folks attacking Wordfence in various ways. We have red team exercises where one of our team will try to attack us in various ways. That’s always fun.
Mark: I was watching … You ever see World War Z, Kathy?
Kathy: World War Z? No, I haven’t seen that one.
Mark: It’s that zombie flick where there’s-
Kathy: Oh, really?
Mark: Yeah. With Brad Pitt. But there’s this great scene in it where the whole world has been overrun, and Israel is the one country that built a wall before anyone else could to block the zombies. Brad Pitt is this investigator, used to work for the United Nations, and he goes in there and he’s trying to figure out how did they know?
Mark: He’s talking to this guy who’s an intelligence official and he says, “Well, based on previous experience, we came up with this concept called the Tenth Man. If we have this thing that we think is so absurd that it can’t possibly be true, it’s the tenth man’s duty on this committee to say, ‘Well, I’m going to assume it is true.'” And they did that with zombies because they heard something out of India or somewhere where the zombie thing started that the explanation was zombies, and everyone on the committee was like, “No, no. Of course it’s something else,” and the tenth man was like, “It’s zombies!”
Mark: So pretend that the zombies are coming for you, and beef up your security posture!
Mark: Anyway, it’s a great film. You should watch it.
Kathy: I should. I definitely should. I think it’s important. People, I think, I’ve talked to a few people in the WordPress community, I’ve been to a few meetups, and we’ve talked about this. They’re like, “Oh, well, I don’t invest in cryptocurrency or I don’t have that much,” and it’s the same type of thing as, “My website is too small to get hacked.” Right? People think, “Well, why would they come after just little old me? They’re after the big crypto investors.”
Kathy: Basically, the big crypto investors, as far as SIM porting attacks, they’re just the canary in the coal mine. We’re all using some kind of device for SMS, SMS is just inherently insecure, and watch those canaries because they’re going to tell you what’s coming for you next, right?
Mark: For sure, yeah. Definitely react very, very quickly if you see any of the signs that we mentioned.
Mark: Great article there. We’ll include that in the show notes as well. That is it for this week’s news. If you’re watching on YouTube, like and subscribe. If you’re listening on Apple Podcasts, give us a review, and we very much appreciate that.
Mark: Thanks very much for watching. Have a wonderful week. Bye everyone!