Episode 121: Wordfence is Now a CVE Numbering Authority (CNA)

Wordfence is now a CVE Numbering Authority, or a CNA. As a CNA, Wordfence can now assign CVE IDs for new vulnerabilities in WordPress Core, WordPress Plugins and WordPress Themes. An outage at Fastly takes down major websites including Reddit, Twitch, Amazon, and many others. Microsoft patches numerous Windows 0-day vulnerabilities, and Google patches a RCE in Android phones. A FBI informant and a messaging app led to huge global crime sting, and Windows container malware targets Kubernetes clusters used by numerous data centers.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:15 Wordfence is now a CVE Numbering Authority (CNA)
5:50 Fastly internet outage explained, Fastly’s response, The Verge uses a writable Google Doc
8:55 Microsoft Patch Tuesday Fixes 6 In-The-Wild Exploits, 50 Flaws
10:44 Google Patches Critical Android RCE Bug
11:33 How an informant and a messaging app led to huge global crime sting
15:26 Windows Container Malware Targets Kubernetes Clusters
18:55 WordPress Incident Response: How to Recover from a Hack Before Anyone Else Knows
19:07 Upcoming Wordfence Office Hours

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 121 Transcript

Ram:
Welcome to Think Like a Hacker, the podcast about WordPress security and innovation. I am Ram Gall, Threat Analyst at Wordfence, and with me is Director of Marketing, Kathy Zant. Hi Kathy, I hear we have some exciting news today.

Kathy:
We do have some exciting news. Did you hear? Wordfence is now a CNA. Ooh, acronyms.

Ram:
I know. That means we’re a CVE Numbering Authority, and that means we can issue CVE IDs. Now what does CVE stand for? I’m glad you asked. CVE stands for Common Vulnerabilities and Exposures. And yes, it is acronyms all the way down, or wait is it turtles?

Kathy:
Keeping up, okay I know what a CVE is because I see this every time we publish a story on the blog that we found a vulnerability in a plugin or a theme, we get CVEs assigned. And those CVEs are very specific about that vulnerability and there’s also a scoring system that goes along. It tells basically how severe that vulnerability that was found and patched was. My question is… Well, first of all, what does this mean for Wordfence, and then what does this mean for WordPress users?

Ram:
This means we can directly issue identifiers. And the reason that’s important is that identifiers basically are our way of keeping track of what is vulnerable and how it’s vulnerable and where it’s vulnerable. So like, if you say, “That vulnerability in Slider Revolution.” “Which one?” “The one in versions blah through blah.” “Okay, there were like three different vulnerabilities, which one are you talking about?” This is a way of like identifying which one that was, and it’s really useful because if you have these, then in order to find out if something’s vulnerable, you can just look at what you have installed and what versions of it are installed and you can say, “Okay, this version of this has this CVE identifiers associated with it and that one’s super severe, that one’s not so severe,” and you can prioritize. And you can also, if you don’t have the option of updating directly, it also gives you an idea of what was vulnerable so that if you need to do a custom patch or something, then you can also do that.

Kathy:
Excellent. Okay. And this is something that is not just a WordPress security type of thing. This is like security across the board in any software, right?

Ram:
Correct. We are working with MITRE who is the organizing body for vulnerability identification and the entire community that does this. So, yeah.

Kathy:
Okay, cool.

Ram:
This is a big deal.

Kathy:
It is a big deal. And the reason why the security community does this and assigns identifiers to a particular vulnerability, you have to kind of put yourself into the shoes of someone who is in maybe a security operation center and dealing with thousands of installations of Microsoft Windows or just all of the different servers they have to manage, all of the different systems, the software that is on all of these systems. And when you have vulnerability reports coming in, you have to very quickly ascertain what needs to be addressed first, right? You have to say, “Okay, here are three 9.9 CVEs and here’s a 6.2 CVE,” and obviously you’re going to go handle the higher probability of getting hacked systems first with the higher vulnerability scores, right?

Ram:
Yeah. And I mean that even applies to WordPress systems. If at all possible, we always recommend keeping everything completely up to date. But there are going to be some installations where doing that immediately isn’t going to be possible where you’ve got like a hundred different plugins on an e-commerce installation and you might have one or two that are vulnerable to something or other. So once you have an idea of what the vulnerabilities are and how severe they are, how much testing can you afford to spend doing this? If something is going to lead to a site takeover that’s super easy to do, you may want to just test it, make sure that it doesn’t break everything, and then follow up after the fact.

Ram:
Whereas if it’s like a four severity where it’s like, “Oh yeah, they can find out what server you’re running on, or if you’re running a patch to your NGINX even though you hid that somewhere else,” then it’s like, “Yeah, we’ll run that through the full QA process before we update.” Or if there’s no updates available, then we don’t necessarily need to allocate dev time to fixing it. We’ll just wait.

Kathy:
Right, right. The ability to be able to prioritize and act quickly when necessary is a big part of security. It’s one of the reasons we have Wordfence Central, which is a completely free tool for anyone who’s managing a number of WordPress sites that are protected with Wordfence. You can authenticate them into Wordfence Central, and that also has a scoring system in there so that you can ascertain what needs to be dealt with immediately, what can wait, and helps you make good security decisions, and also create some policies and procedures so that your organization can make those kinds of decisions in a very measured and intended way I guess.

Ram:
Intentional?

Kathy:
Intentional. That’s the word I was looking for. Yes, exactly. And so being a CNA is just another step. I saw some of the other organizations that are on MITRE’s site and it’s kind of like we’re in the security big leagues here, huh?

Ram:
I know, right?

Kathy:
Yeah. Okay. Well, let’s talk about what happened on Tuesday morning with Fastly and their outage. What happened there?

Ram:
Oh boy. So, we actually covered this on Wordfence Live, which just happened to be about incident response. You should check it out.

Kathy:
Interesting. How serendipitous.

Ram:
It’s probably the best one that we’ve ever done, honestly. But some incidents are security incidents, but not all incidents are security incidents. This was not a security incident, though it did impact availability, which is one of the things that you do worry about with security incidents. Took down Twitch, Pinterest, Reddit, E-bay, and somehow, Amazon, even though they’ve got their own CDN. So I should probably back up a second because Fastly is basically a CDN provider. That’s a content distribution network.

Kathy:
Okay. And what is that exactly?

Ram:
Well, let’s say I want to grab a picture from a server in like Germany and if I ask that server in Germany, I mean like the speed of light is really fast, but it’s not instant, so it’ll still take I don’t know half a second to get here. Well, it turns out that people really don’t like waiting around for websites to load. Even half a second adds a lot to that. So if you can keep a copy of that image in like a data center in Nevada, that’ll show up on my side way faster. So Fastly makes things load fastly basically.

Kathy:
It does. It does. You wonder how your site’s performing and those milliseconds of latency that the globe can bring into things, like how is your site serving up to someone in Australia if your server is located in New York? If you wonder about those types of things, it might be interesting to look at FastorSlow.com. It’s our speed measurement tool that allows you to basically see how your site is performing all around the world, which is really important if you are a global based business. So definitely take a look at that.

Kathy:
But there were so many different organizations that were affected by this Fastly outage. I mean, even the New York Times, the Washington Post, so many different sites affected and even The Verge was affected. Did you see what they did with the home page?

Ram:
Yeah, they did some quick thinking. They replaced it with a Google Doc just to keep everyone updated, but they forgot to turn editing permissions off for everyone, so people were just writing little messages on the Google Doc of the Verge’s homepage.

Kathy:
You know, I thought, “Oh my gosh, you don’t want to ever do this,” because people were writing all kinds of things in there, but boy that got really shared around a lot, didn’t it?

Ram:
It was like surprisingly wholesome from what I could see, you know?

Kathy:
It was wholesome and interestingly, it got talked about a lot, which I’m starting to wonder if this was like a little PR stunt. You’ve got a bad situation happening, it’s completely beyond your control, you might as well have some fun with it and get maybe a little bit of Twitter traction, huh?

Ram:
Yep. As for bad situations that are not beyond control, if you use Windows, which I think most of us do some way or another, there are six zero days being actively exploited in Windows and also five critical bugs that have been patched in the most recent patch Tuesday. All of these have been patched in patch Tuesday. Some of them are been around since Windows 7. And two of the zero days are related to a recent Adobe patch in Acrobat and Acrobat Reader where attackers have been sending emails with specially crafted PDFs and if you open the PDF, then the attacker owns your computer.

Kathy:
Oh my gosh. That sounds very frightening.

Ram:
I know. There are no workarounds for these vulnerabilities, so most people were like, “Yeah, Windows update, bug me sometime next month.” No, patch everything, literally, update right now please. This is a patch all the things kind of day.

Kathy:
Oh boy. Yikes.

Ram:
And same if Adobe nags you about anything too.

Kathy:
Yeah, definitely. Oh my gosh. A lot of people don’t consider PDFs as any kind of intrusion vector for their computers because it’s just a PDF. It’s not even that you’re really… You’re not interacting with it much at all. It’s just something that typically you’re reading, so it seems like something that’s very innocuous, but in cases like this, it’s not.

Ram:
There have been tons of issues in the past with PDFs being malware vectors, so this is not the first time this has happened.

Kathy:
Ah, probably because it is so innocuous.

Ram:
Exactly. It’s like, “Ah PDF’s, totally safe.” And it looks like an actual PDF, so it’s not like it’s in a .pdf.exe or anything. No, it’s an actual PDF that’s just evil.

Kathy:
Ooh, scary. All right. Looks like we have a critical RCE in Android phones. What’s this all about?

Ram:
This one is kind of bad. It can be abused remotely and it looks like it’s in the network stack and it doesn’t require any social engineering. Looks like an attacker can just send a specially crafted transmission to a phone and execute arbitrary code within the context of a privileged process. Basically, that means they own your phone if they can send that transmission to it. So yeah, update that too. I just had an Android update on my phone and usually I have to wait like one or two months for it, so this was severe enough that like, check for updates on your phone. Not every phone provider is going to provide updates in a timely manner or ever, but it doesn’t hurt to check.

Kathy:
Excellent. Okay. Good deal.

Ram:
Speaking of phones, did you hear about that huge global crime sting?

Kathy:
The global crime sting. Now was this the one where you had all of these basically criminals using special phones that couldn’t get hacked that had just secure communication?

Ram:
Yeah. Yeah. So a couple of years ago, a company called Phantom Secure finally got shut down because they were selling specialized phones for sending encrypted messages to drug dealers. And that left a huge hole in the international drug trafficking need for encrypted devices market. So the FBI worked with someone who had done this sort of thing before. And in exchange for a reduced sentence, and he built a new company for phones that basically only did one thing and that was to send encrypted messages. And these phones cost a few grand a piece. Turns out that like literally everyone who bought one was an international drug trafficker or hit man or something. But the FBI had the encryption keys and forwarded all of the messages to separate servers. So, yeah.

Kathy:
Wow, this is crazy. So, just by attempting to be the most secure communications in the world, they basically sort of self-selected themselves into a place where they could then be compromised?

Ram:
Basically, yeah. Initially, the law enforcement divisions, they worked with Australian law enforcement and a couple other countries I want to say, but initially they were worried that they’d scoop up some privacy-minded individuals, like say you and I, in they’re dragnet. Nope. Literally everyone who bought these was a large-scale drug trafficker or hit man or something. It was nuts. It kind of pokes a hole in the whole argument that we’ve been hearing a lot that we need encryption back doors. Just use Signal or something because they don’t actually need to crack our Signal communications. They can just set out a giant honeypot network of the most secure thing and if you build it, they will come apparently.

Kathy:
And those who come are doing some fairly illegal things. This is a really fascinating story actually. I didn’t even know that some of these phones existed or that these networks existed. So it was kind of fascinating to see who was using them and how this whole story happened, how the whole sting came down. Very fascinating.

Ram:
Yeah. Yeah. No, I do recommend reading articles on it just because it’s actually a fairly long and in-depth story and we can’t really like get into it too much in the podcast.

Kathy:
Yeah.

Ram:
Yeah. I’m a big fan of end-to-end encryption honestly, but yeah.

Kathy:
Yeah. The big takeaway for me on this is the fact that by trying to hide something, by taking steps in order to be the most secure, the most encrypted, the most private-

Ram:
And willing to spend a lot of money on it is really I think the key identifier, because if you’re a dissident in an oppressive country, you’re not going to have two grand to drop on a specialized device for this. But if you’re trafficking 100,000 pounds of cocaine into the country, you might.

Kathy:
Right. And if you’re not rolling it yourself, to use a criminalish term, at least in some jurisdictions, if you’re not doing it yourself, if you’re not building the system yourself, if you’re not securing it yourself, you’re still putting yourself at risk if you’re contracting out and paying a lot of money for security. If you don’t understand how that network or those devices are being secured, you’re still putting yourself at risk. In fact, you’re putting yourself more at risk because you’re automatically self-selecting yourself into the market of this is obviously suspicious because they want it to be so secure.

Ram:
And they’re willing to spend a lot of money on it is really the other thing.

Kathy:
Right. Yeah, definitely. Interesting. Okay. What’s our next story?

Ram:
Speaking of not so secure, some researchers have found a variant of malware that targets Windows containers in Kubernetes clusters and can escape from those Windows containers and take over from there. It’s called silo escape and it’s apparently very bad because Microsoft’s advice is now to not use Windows containers as a security feature. Instead, Microsoft recommends using strictly Hyper-V containers for anything that relies on containerization as a security boundary.

Kathy:
And does Hyper-V work on Windows?

Ram:
Hyper-V does work on Windows. Kubernetes does not yet support Hyper-V, which is a problem because Kubernetes is super useful for things like data centers to orchestrate running a bunch of containers at once. So this might make life kind of difficult for hosting providers that specialize in Windows hosting. This is not to say that there is not configurations that can secure against something like this, but it’s not going to be the container that’s doing the securing.

Kathy:
Now Kubernetes on a Linux-based distro would probably be okay?

Ram:
Oh yes. I mean, you still have to configure it securely and that is not necessarily something that happens by default, depending on the version you’re running, but it’s not going to be impacted by this particular malware variant.

Kathy:
Okay. Interesting. All right. Well, it looks like some people in some data centers are going to be rather busy at least addressing this to ensure that there is no escaping of containers.

Ram:
Container escape vulnerabilities are just generally a bad time for everyone because if you can escape the container and then take over the system that the container is running on, then you can pivot to other places and take over more stuff elsewhere on the network and gain access to that stuff too. And it’s just a very bad time. It’s like if someone infecting your WordPress site let them say infect all the other WordPress sites on that server, even if they were separated by boundaries. But we do see that sort of thing happening and stay tuned for that.

Kathy:
Yes. Stay tuned for our horror stories around the campfire. Those will happen soon.

Ram:
Spooky.

Kathy:
Actually, yes very spooky. Great. Well, that’s all the stories that we have for you this week. Thanks for joining us here on Think Like a Hacker. If you have any stories you’d like us to take a look at, please send them to us feedback@wordfence.com. We can take those there. If you enjoy listening to Think Like a Hacker, we would love feedback about that as well. It feels like this one way conversation a lot of times in podcasting, because you’re sitting on a bus or a train or out for a walk, in your car, maybe. We don’t even know where you’re listening. And we’d like to hear from you and hear how does Think Like a Hacker help you do your job better, help you stay more secure with your WordPress sites. We would just love to hear from you. Hi, out there.

Ram:
Please give us feedback.

Kathy:
We love feedback. And we’ve got a couple of other things we wanted to highlight. First of all, obviously Wordfence Live. Every week we kind of take a security topic and dissect it. We really want you to take a look at the incident response one that we did earlier this week. We will put a link to that in the show notes, because this was an exceptional episode. I think it, you know we were talking earlier, it may have been our best Wordfence Live ever just because of all of the advice that’s in there that basically helps you prepare for an incident. It is up on YouTube, so we’ll have a link in the show notes.

Kathy:
The other thing we want to highlight is Wordfence Office Hours. Now, obviously you’re listening to this security podcast where we sometimes get rather technical, but you might know of someone who’s just getting started with WordPress, or maybe they’re just getting started with Wordfence and they might not be up on security as much as you are. Well, we’re doing a weekly office hours to help people understand WordPress security, help them get up to speed on Wordfence rather quickly. So we’re doing those every Thursday at noon eastern, 9:00 AM Pacific. If you want an invite for that, or if you know someone who could use some help getting Wordfence set up, this is a completely free office hours where we answer questions and kind of give a basic beginner overview of WordPress security just to get people up to speed. So this is just another way that we are giving back to the community and helping everybody to secure themselves. So look for those. We’ll put links in the show notes for upcoming Wordfence Live, as well as the office hours. That’s all we’ve got this week. Thanks for joining me, Ram.

Ram:
Always a pleasure. I’ll see you next week.

Kathy:
Sounds good. Take care. Bye.

Ram:
Bye.

You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.