Episode 103: Wordfence Innovates with Machine Learning and Security for Schools

Wordfence opens the K-12 site audit and site cleaning service for publicly funded state schools worldwide. Machine learning is now a big part of our malware identification process, which will speed new malware signatures to deployment for WordPress sites protected by Wordfence. A bug in Sudo can let attackers with access to a local system elevate their access to a root-level account, which has implications for WordPress sites, Mac users, and many Internet of Things devices. WordPress 5.7, the next major release, will make it much easier for users to migrate their sites from HTTP to HTTPS.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:57 Wordfence offers public/state-funded school site audits and site cleanings worldwide
2:49 Machine learning gives Wordfence an advantage
6:38 Recent root-giving Sudo bug also impacts macOS
10:24 WordPress 5.7 will make it easier to migrate from HTTP to HTTPS

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 103 Transcript

Ram Gall:
Hello, and welcome to the 103rd episode of Think Like a Hacker, the podcast about WordPress security and innovation, and we actually have something that kind of nails all three today. But first, I am Ram Gall, Threat Analyst and QA Engineer at Wordfence, and with me is Director of Marketing, Kathy Zant. Hey Kathy, how are things?

Kathy Zant:
Things are great. I’m excited to talk to you about some of the innovative things you’re doing with WordPress security today.

Ram:
I hear you’re doing some innovative things with WordPress security, yourself, though more in a sort of a social aspect.

Kathy:
Yes, we are doing some innovative things, helping the community, and specifically we want to help students and the younger generation become more security aware. And in order to do so, well we have to leverage what we have in terms of expertise. And that’s a team of security analysts who are pretty seasoned, and they are now helping schools around the world, audit their site security. If they’re using WordPress on their school sites, or if they have a hack or an intrusion or any kind of security issue, we are basically giving them free site cleaning and site audits.

This is just one of the ways that we’re giving back to the community. We launched this a couple of weeks ago and we started just with the United States, and it was so successful. We started receiving a lot of inquiries from people around the world, Canada, Norway, Italy, asking if they could participate. And we weren’t quite ready to do that, but we’ve been able to scale up and get to the place where we can. So we are offering this to any publicly funded or state-funded school, anywhere in the world now. Not just the United States, not just English speaking countries, anywhere in the world. If your school is publicly funded by the government or the state and it is educating students who are not in college, but younger kids, what we would call in America Kindergarten through 12th grade, we are offering that service.

We have a link in the show notes. If you know of a school that’s using WordPress that could benefit from this, please send them the information. Send them that blog post. All they have to do. They don’t have to provide a credit card or anything whatsoever. All they have to do is say, “Hey, we’re a school, and give us authorization,” and we’ll go through some vetting process to make sure that they fit those parameters and help them out. It’s kind of like educating the educators and making sure that schools will stay safe in this new world that we’re in where students are remote learning and pressure has been placed on a number of educational institutions in order to sort of ramp up and meet these needs of online learning. I’m pretty excited about that. That’s not the only innovative thing we’re doing here at Wordfence. What do we have going on with machine learning, Ram?

Ram:
I was going to say, it’d be kind of hard to upstage that, but on the Wordfence blog yesterday, we released a post about what we’re doing and what we’re doing involves machine learning, which is sometimes called artificial intelligence though it’s a very narrow type of artificial intelligence. But it’s something that can help. It’s basically a force multiplier for skilled analysts. In this case, we’re specifically using something called supervised learning, where we have a massive set of curated malware that our analysts have classified and tagged as malicious, as well as a very large set of known harmless or benign software that might be found on WordPress site or hosted on the same server as a WordPress site.

The algorithm we use, it breaks down the code we feed it and picks out interesting features in that code during training. And it learns to associate these different features or combinations of features with a classification label. In this case, because we’ve already got this huge curated set of files, we’ve got a classification for a malicious and a classification for benign, and the algorithm learns to associate sets of features with whether a sample is malicious or benign. Once it’s sufficiently trained on a set of samples, we can then use it to classify samples our analysts haven’t yet labeled. And what it can do is it can assign a score for each sample regarding how likely it is to be malicious. The thing that makes this important is that it can do this for a lot of samples very quickly. Some days we get tens of thousands of new samples coming in.

If you look at what the algorithm classifies as likely to be malicious or likely to be benign, it tends to pick out very similar features to what a human analyst might use to make a snap judgment. A certain arrangement of function, certain functions, but it might also pick out features that aren’t really obvious to a human at all, just weird patterns that it picks up that a person might not even spot. And while some of these features might be things you could safely write a detection for an individual feature, others they might only be indicators that a file is malicious when it’s found in combination with several other features. That’s where it really comes in handy when, instead of our analysts having to comb through tens of thousands of new samples, we can start looking at the ones that it picks out as likely to be malicious. And it has a really good hit rate on those. Then we can start from there and start writing signatures for those, it doesn’t tend to miss a lot. And realistically the biggest problem is occasional false positives, but again, those are about the same rate as a human analyst, making snap judgements or potentially better in some cases.

Kathy:
Wow, fascinating, so this is not going to replace the analysts that we have that are actively looking at all of the samples that are coming in and determining whether or not they’re malicious, but this is going to make that determination faster?

Ram:
Correct. It’s a way for an analyst to do a lot more in the same amount of time.

Kathy:
Great. Yeah, and I saw some of the statistics that were in that blog post about the number of malware files that we saw last year, well over a million, and all of the different malware signatures that our analysts were writing, and I imagine that we’ll probably keep pace with that, or even greater this year with all of the new machine learning that we’re implementing, huh?

Ram:
I’m sure hoping so. We do detect over 98% of the malware we have in our sample set already. But there’s always room for improvement and again, there’s always new malware that we don’t yet know we know about, but this’ll help us know.

Kathy:
Excellent, great. Well, we will look for more updates as the year commences to see what else happens with machine learning. Pretty exciting. What’s this story we have about a root-giving Sudo bug impacting macOS?

Ram:
Okay, so I think it was last week, there was a bug found in Sudo, which is a program on Linux and Mac machines that lets certain users perform administrative tasks as root without actually logging in as root. It’s a useful safety feature because every time you try to run Sudo, it asks you for your password. And that’s only if you’re a user that’s allowed to run Sudo. Only allowed users can run as root, and they have to put in their passwords. But this ended up being a thing where any user on a system, it doesn’t matter whether they had any permissions at all, could gain access to do things as root, without entering a password, without being on the list of allowed people. And it was a buffer overflow, as these things frequently are.

There’ve been a few issues in Sudo in the past, but in the past, they’ve mostly been issues that required very particular configurations. This was on a huge number of configurations, including, as it turns out, macOS. I actually installed the security patch on my Mac this morning.

Kathy:
Did you?

Ram:
Yeah. It was basically two different bugs leading to a buffer overflow, where they found out that if you run sudoedit, which is basically in order to edit something as root, if you ended a command with an escaped backslash character, that meant that you could feed additional data beyond the buffer allocated. Basically overwrite stuff that it wasn’t planning on letting you write, and filling up extra regions of memory and corrupting that memory. Basically it was two different bugs, so there was a backslash bug, and there was another one where sudoedit wasn’t escaping backslash characters when it was fed certain flags like it was supposed to, so you could end up ending that command with a backslash and then it would feed it more stuff. Anyways, this is kind of huge. I expect to see this in every Capture the Flag for the next year.

Kathy:
It does sound pretty scary, because you definitely want to have, on any system whatsoever, if there are root-level permissions, you want to make sure that those are locked down.

Ram:
If an attacker achieved code execution on a website, then they could potentially take over the whole server the site was hosted on. And that would include any other sites on that server. The good thing is most hosting companies are really good about applying critical security patches automatically, but still, just in the brief period this was unaddressed, there may have been stragglers, and embedded devices are really hard to update. There hasn’t been a ton of research into embedded devices, but Internet of Things stuff, some of them do run Sudo. And I don’t expect those will get fixed. We’ll be feeling the impact of this for a while.

Kathy:
Definitely something to watch. Internet of Things applies to everything from refrigerators to doorbells to everything, huh?

Ram:
Everything. Well, not everything. I try to have a lot of things that aren’t internet enabled. That’s just me. I don’t have an Alexa or anything because I’m paranoid.

Kathy:
Same. But I know many people who do and like the convenience of it. But I like that old joke of oh no-

Ram:
Wiretap. Can cats eat pancakes?

Kathy:
Exactly, or “Hey, Wiretap, can I have a recipe for pancakes?”

Ram:
Yes.

Kathy:
Yeah, exactly. I do not trust Alexa or Google Home. Any of those things. It’s bad enough my cell phone’s right next to me while I’m sleeping and knows how much I snore.

Ram:
We’re in security; it’s our job to be paranoid. The rest of you don’t have to be if you don’t want to be. I hear there’s good news though, finally, in WordPress 5.7. Well, there’s more good news that was unexpected in WordPress 5.7.

Kathy:
Have you ever launched a site, Ram, in WordPress and then later gone, “Oh yeah, I guess I should probably get that certificate on there since I’m ready to launch now,” and then you have to go from HTTP to HTTPS. Have you ever done it?

Ram:
Yes. Yes, I have, and hunting down those mixed content warnings everywhere and just going, why is it still not giving me the lock?

Kathy:
Yeah, exactly. The fun thing, I was helping a friend of mine troubleshoot, and they were using Elementor and you couldn’t actually just get HTTPS going on that site with Elementor. You had to rebuild the page because there was some SVG somewhere that had to be rebuilt. Oh, that took hours to find.

Ram:
Realistically, my solution is always to just do a search and replace in the database and all the theme files, but that could also go wrong sometimes, because some XML things, they require being HTTP.

Kathy:
I think we both need therapy on it to go through these experiences of migrating a test site.

Ram:
People in the future won’t need to, because WordPress 5.7 is going to make it super easy. At least that’s what we hear.

Kathy:
Yes. This is all about the mental health of WordPress users who start a site and then realize, “Oh dear, I need that certificate on there.” So, WordPress 5.7 will make it easier to migrate from a site that is just HTTP to using an SSL certificate and going to HTTPS. So 5.7 is coming out very soon, I believe, and it looks like it is going to be able to detect the user’s hosting environment to see if there is support for HTTPS, and it’ll provide a one-click update process and handle those mixed content rewrites. Oh, my gosh. I wish I could-

Ram:
So awesome, and connect that with Let’s Encrypt. Even regular shared hosting companies are allowing you to use Let’s Encrypt these days. And I think it’s fantastic. It’s a really good way of making sure that the traffic between your site and anyone who visits it can’t be intercepted. No man-in-the-middle attacks. No one can get their login password and sniff it out if they’re on a wifi cafe or something, not that anyone does that these days.

Kathy:
I can see in the future, maybe even the very near future, we will start to see people who look at a website and look at the location bar, and anything without the lock is going to stand out, and people are going to immediately respond, “something’s not right here,” and technology is supporting that migration to HTTPS everywhere, so that’s pretty exciting.

Ram:
Encryption makes a whole lot of things safer on the internet, and we’re actually going to talk about that on the next Wordfence Live, aren’t we?

Kathy:
Wordfence Live, next week, yes. We’re going to be talking about encryption and encryption everywhere and why I believe… Well, I’m not going to be on, I think it’s just you and Mark and Scott who are going to talk about this very fun and important topic, but I think it’s an important topic because security is becoming more important for everyone to be aware of. In the past, we’ve been able to just be lucky reusing passwords, or be lucky not encrypting things, and be lucky not having 2FA, and I think our luck is running out and everyone needs to start really taking security much more seriously. I’m looking forward to this episode and looking forward to learning from you, and Mark and Scott, about this.

Ram:
Well, I know that you believe that everyone deserves pretty good privacy.

Kathy:
I do. PGP. I can’t wait to see what you guys have next week. This is going to be exciting. Well, thanks for joining me again, Ram. It was good to talk to you.

Ram:
Always is, and I will see you next week.

Kathy:
See you next week.

Ram:
Actually, I’ll see you Tuesday.

Kathy:
We talk all the time. Everybody who’s listening, you don’t know how much fun we actually do have at Wordfence. It is a great team. We are here for security and for jokes. That’s what I always say.

Ram:
That’s true.

Kathy:
It is true. Thanks for listening. If you have a topic you’d like us to cover either on live or on the podcast, you can always write in feedback@wordfence.com. Follow us on Twitter, of course, at the Wordfence account, as well as @RamuelGall and @KathyZant and make sure you’re subscribing to the podcast on your favorite podcasting or podcast catching app.

Ram:
Podcatcher app.

Kathy:
Pod catcher, that’s what they call them. These kids…

Ram:
I don’t know if they actually call it that or not, it just sounds right.

Kathy:
I’ve heard people call it that, so yeah, whatever you’re doing for podcasts, make sure we’re there and we will talk to you again next week.

Ram:
Bye.

Kathy:
Bye.

You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.
