Now Joe is on his own. He just has some freelance writers. Joe went fully digital a few years ago and uses WordPress and WooCommerce with subscriptions to run his site, and his site is well trafficked. It's also the primary source of income for him and his family. You're going to feel very sorry for Joe by the end of this. I should just warn you now. So get your heartstrings ready for Joe.

Joe doesn't believe he has a budget for anything. He doesn't have a budget for security. He doesn't have a budget for development. So he relies on plugins from the repo. He relies on occasionally buying a plugin. At the heart of his site is this popular page builder, which we're not going to mention. It gives him the flexibility to do whatever he wants. Joe is a really great guy. He's a pretty normal person too, and one day he was on Twitter, as it was called back then.
Just browsing around, he saw a funny gif, but there was a link to a website where he could sign up to get more info, and so he was like, oh, I want more funny gifs. That sounds amazing. Honestly, I don't know why he signed up that day, but people do really strange things, and you'll sign up to any old rubbish. Over the next few weeks, Joe got several emails from the site. One caught his eye: a build-your-own meme generator. That sounds great. It's this really cool website. It allows you to go along and remix memes. One of the features was a browser extension to allow you to quickly insert your memes onto your own website.

Joe installed the extension, and then logged on to his website to try it. He was disappointed. It didn't work. Of course, something had happened. You see, as his browser logged in, when he went to the WP login page, the extension made its own request. Back to a server far, far away, probably in a different galaxy. And it just sent the following: a URL, a username, and a password. The browser extension was clearly malware. Malware designed specifically and aimed at site owners of WordPress, Joomla, and Drupal sites. All the extension would ever do is harvest credentials. It never did the thing it claimed it was going to do.

Weeks passed. Joe had forgotten he even had the extension installed. Even though it was not working, he just left it there, like so many people do. It didn't work. He'd forgotten about it. He moved on. And so it carried on, harvesting the credentials. He logged into several WordPress websites, and each time: I'll have that. Off it goes. The original meme site was long gone. The extension was no longer available to install. Yet, one day on a forum, in the deepest, darkest parts of the web, a new post appeared, offering a dump of 50,000 legitimate WordPress admin credentials. The cost? $1 per account. Now that might seem really expensive.
But that's actually $1 for exclusive 24-hour access to the account. After that 24-hour period's over, that whole batch of 50,000 emails will be sold off in one lump sum. So, as part of the public-facing part of that, the dump contained the domain names, but obviously not the credentials.

Hacking is a business. And like a business, it has supply chains. The group that created the extension and harvested the credentials sold the list on to a middleman. That middleman posted it onto the forum. He or she then worked with the buyers and arranged all of this. The person at the other end, who bought the list, goes on to exploit the site. But then, they're more than likely going to come back around in this circle and post it back on the same forum. Basically, once you're on one of these lists, you're screwed.

For Joe, life carried on. He went to his login page one day, though, and a strange thing happened. When he went to log in, his password didn't work. He didn't really know what had happened, so he just reset it. New password arrived. Carried on with life. It wasn't until another two weeks later that things started to go truly wrong. Joe was updating WordPress Core, and it just wouldn't update: some sort of permission error. File permissions just wouldn't work.

Joe would tell you he is an un-technical person. An un-technical person who knows FTP, knows about file permissions, has a deep knowledge of how he uses WordPress, and occasionally even remembers to download the backup from the backup plugin to his local machine. When someone tells you they're technical or un-technical, it's based on what they assume is their baseline, which is in no way the same as what you assume is your baseline. Someone who says they're technical might be the most un-technical person in the world to you, but equally, there are many people, including people in this room, who will tell you that they're un-technical when in reality they know an awful lot. Joe does know an awful lot.
You should still feel really sorry for him. He wasn't getting anywhere that day, though, so he contacted his web host. An email a little while later said, fixed it. Brilliant. He logged in. It was fine. They'd fixed it.

Let's leave Joe now, and briefly visit that web host. The technician who got Joe's ticket was incredibly busy that day. Things had been going wrong. The local coffee shop was closed. Someone was off sick. When he got into the office, several of his colleagues were off sick. The technician had logged on to the server and to Joe's files, and he used WP-CLI to update it. So, like Joe, he got the file permission error. Same error. So, what did he do? He does whatever a good person does. He uses sudo. sudo, do the update. He gets a horrible error message. Well, that's annoying. We'll just skip that and put --allow-root at the end of it. Problem solved. The site is updated. Brilliant. The technician moves on to the next ticket in his list. Something to do with emails.

The weekend passed. Joe went to the seaside with his partner, and so it wasn't until Monday morning, when he got his cup of tea, that he went to log in. His emails had been quiet. Indeed, if Joe had been paying closer attention, his emails had been quiet since 2am on Saturday morning. When he went to his website, he wasn't presented with the login screen. Instead, he was presented with nothing. His site wouldn't load. Panicking, he went to log in to his host control panel. It wasn't working. It was gone. He tried using his phone, different IPs, asking friends; no one could get on to either of them. He went through the call log on his phone and found the host's phone number, and it just rang and rang. Nothing.

Let's go back a couple of days to Friday night. The late shift at the hosting company were having a quiet evening. Really, the only ticket item for them was that one of the shared hosts had triggered some sort of alert about the backups failing, which is odd.
They weren't meant to run for a couple of hours. The admin logged into the server and found the SSH connection between the host and the backup server wasn't working for some reason. They tested with their own credentials. Absolutely fine. Some fiddling, and they realised a background service wasn't enabled, so they just restarted it.

We'll go forward just ever so slightly to 1am on Saturday morning, when things start to go very wrong. The backup server was running. The backup server is actually a cluster of servers, and it backs up all sorts of things. It has connections to absolutely everything: to every one of their hosts, to every one of their servers, to their email servers, even the office PCs. Suddenly things were going offline. It started with the server connections being lost, then the office desktop machines, and soon the entire host was offline. They had become a victim of ransomware. Email gone, website gone, their own control systems gone, their PBX telephone system gone, their DNS gone. In their place, a ransom note for a very, very large amount of Bitcoin. They worked through the weekend to try and restore things. They had no way to reach out to customers. Even their Twitter account had been compromised. Do they pay? Would you?

A week passed. The host had made the technical press, not a good thing. Web hosting company victim of ransomware, all client data potentially lost. It was nearly 10 days later when Joe was reached out to on Twitter by an account offering to restore his site for a fee. The ransom group had failed to reach an agreement with the host, so they went to the individual sites that were affected and were offering to give them the site data. For Joe, the offer was tempting. But with his host being the domain registrar and where he had his DNS, the data was almost less important. It wouldn't get his site back. It wouldn't get his email back. Three weeks later, the host has partially restored DNS facilities. Joe has got his email back and his DNS.
He used an old backup from his machine from a few weeks before. He finally tried to log into his site. His password wouldn't work. Oh, that's right. He needed to use the old password, as this was an old backup. But once in, everything looked fine.

So let's, with the power of hindsight, go through and see what went wrong. Joe installed a browser extension, perhaps without really understanding how much power these things have. A browser extension with the right privileges can steal any data that passes through your browser, much like a WordPress plugin can do anything on your site. Knowing and trusting your sources, whether a browser extension, a plugin or a friend: it is imperative that you understand them and trust them.

Passwords don't just stop working. It's a huge red flag. In this case, our bad actor had deliberately changed it. But they deliberately changed it not to stop Joe. They changed it to stop other bad actors, because they knew that in less than 24 hours that list was going to be resold again, and so they needed to stop other people getting into his site. They helped him, sort of. This, as I said, should be a huge red flag. By the time that happened, the site had already been compromised. They'd already changed the file permissions to lock it to that specific version of WordPress. They'd already placed malware, and that malware was specifically designed to give them a secondary backdoor, so that if the password was changed they could still log in and still do anything they wanted, but also to check whether it was ever run with elevated privileges, i.e. as the root user. Because once you have root on a server, you can do anything with it. You are the most important thing on the machine.

How could this have been prevented? Joe could have installed a two-factor authentication plugin. Done. That's all he needed to do. Even if his password had been compromised, if he had two-factor enabled, he'd have a second factor.
If you want a recommendation, Two Factor is the plugin I would recommend to do this. With a plugin like this installed, there would have been no chain. This would have prevented the whole thing. There are other solutions: you could use single sign-on, you could use magic links. But for most people, the simple solution is 2FA.

We'll never know the malware's exact payload, but it was designed to provide a backdoor and a trigger if it was ever run with privileges, which leads to that poor technician. I don't think I need to tell people never to run things as root. You probably get the hint that it's a bad idea. But no, we'll put a big warning in. Never run as root. Also, don't iron things while wearing them. Similar levels of...

Once the bad actor got those root privileges, they were able to start probing and investigating. From there, they could quickly work out, hey, I can get to this backup server, because I can send stuff across to it; it's bidirectional, not just one way. Once they'd got to the backup server, they realised they could go anywhere they liked. So they were able to pivot to full control. Almost certainly this was never the original intention. In fact, the person who went in initially might not even have been the person who put the ransomware on. As we said at the beginning, hacking is about business. They simply went, oh, I have the potential for this, so they sold it on to a ransomware crew.

For Joe, he was screwed because all of his eggs were in one basket. Had he had his domain registered somewhere else, he would have been able to move it to a different host. Had he had his DNS managed somewhere else, he could just have pointed the DNS somewhere else. Had he had his email, at least, with somebody like Gmail, Gmail for business or whatever we're calling it, he might have had a chance of having his email restored at some point. So he would have been significantly less screwed.
By consciously spreading the risk across multiple service providers, you potentially increase costs and complication. But if one part is affected by ransomware or technical error, you can work around it.

Two simple mistakes by two separate people resulted in a catastrophic chain. We can always put technical solutions in for each of the problems. We can install two-factor, and we can prevent WP-CLI from running as root. But security isn't about technical solutions. It isn't about that side of things at all. It's about mindsets and humans. Everyone is responsible for security. In your heads you were already putting blame on people as part of that process. But neither of those people were to blame. The whole process was to blame. So everyone is responsible for security, and we all need to develop those tingly danger senses. We need to be given the space to do that, and also not be put into positions where we have to cut corners. But please, seriously, set two-factor authentication up for you and your clients. And yes, that includes the MD who has an administrator account. Why?

For those of you who don't know me, I'm Tim Nash. I'm a WordPress security consultant and professional doom speaker. I help organisations get better at their security, both the technical side and the human side. You'd be pleased to know that this tale was mostly fictitious, but was grounded in real events. There was a meme generator website and a browser extension that grabbed WordPress credentials. More than once someone has accidentally run WP-CLI as root at a hosting company. Warning signs normally have a history, after all, and there has been more than one host who has become a victim of ransomware. I think we should let Joe get on with his day. It's not been a great few weeks for him. I guess we can just hope that he changes his password before one of the many buyers of that bulk-buy list tries to log in again. Thank you very much.

Wow, there we go. You don't have to ask questions. Yes?
Yes. How I've seen it done at least once is that you can set up a wp-cli.yml file, in which you can include a pre-execute file, where you say any time you run this, put it through that file. You could also put it in an auto_prepend_file via php.ini. You could also just hide it in wp-load.php, but you'd probably get spotted by someone doing some checksumming. You could put it in the wp-config.php file. There are a load of ways you could do it. Probably the safest one that you wouldn't necessarily notice, though, is the wp-cli.yml file, because you'd not really think to ever look in there.

Any other questions? No? You can always come and ask me your highly sensitive and scary questions afterwards.
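The answer above lists the places a backdoor can hook into WP-CLI or PHP so that it runs on every command or request: a `require:` entry in wp-cli.yml, an `auto_prepend_file` directive in php.ini, or an edit to a core file such as wp-load.php that checksumming would catch. The following audit script is an added example written for this page; it is not Tim Nash's code and not part of WP-CLI. It checks those three hook points for a site root and builds a constructed sample install (not real data) to show what the findings look like. The YAML handling is a deliberately simplified assumption: it understands only a single-value `require:` or a `- item` list beneath it, which is how wp-cli.yml normally expresses it, and does not use a YAML library.

```python
import hashlib
import os
import re
import tempfile

# Hook points named in the talk's Q&A. Paths are relative to the site root.
WPCLI_CONFIGS = ("wp-cli.yml", "wp-cli.local.yml")
PHP_INIS = ("php.ini", ".user.ini")
REQUIRE_RE = re.compile(r"^require:\s*(.*?)\s*$")
PREPEND_RE = re.compile(r"^\s*auto_prepend_file\s*=\s*(.+?)\s*$")


def wpcli_requires(text):
    """PHP files a wp-cli.yml asks WP-CLI to load before every command.
    Simplified YAML handling (assumption): `require: file` or a `- item` list under it."""
    files, in_list = [], False
    for raw in text.splitlines():
        line = raw.rstrip()
        m = REQUIRE_RE.match(line)
        if m:
            in_list = not m.group(1)          # bare `require:` starts a list
            if m.group(1):
                files.append(m.group(1).strip("'\""))
            continue
        if in_list:
            item = line.strip()
            if item.startswith("- "):
                files.append(item[2:].strip().strip("'\""))
            elif item and not line.startswith((" ", "\t")):
                in_list = False               # next top-level key ends the list
    return files


def ini_prepends(text):
    """auto_prepend_file directives that are live (not commented out with ';' or '#')."""
    out = []
    for line in text.splitlines():
        if line.lstrip().startswith((";", "#")):
            continue
        m = PREPEND_RE.match(line)
        if m:
            out.append(m.group(1).strip("'\""))
    return out


def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def audit_site(root, expected_hashes=None):
    """Return (file, description) findings for a WordPress install at `root`.
    expected_hashes: {relative path: sha256} taken from a known-good copy of core."""
    findings = []
    for name in WPCLI_CONFIGS:
        path = os.path.join(root, name)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                for f in wpcli_requires(fh.read()):
                    findings.append((name, f"WP-CLI will require {f} before every command"))
    for name in PHP_INIS:
        path = os.path.join(root, name)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                for f in ini_prepends(fh.read()):
                    findings.append((name, f"PHP will prepend {f} to every request"))
    for rel, digest in (expected_hashes or {}).items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            findings.append((rel, "core file missing"))
        elif sha256_of(path) != digest:
            findings.append((rel, "checksum differs from known-good copy"))
    return findings


def build_sample_site():
    """Constructed sample install (not real data): a planted wp-cli.yml require,
    a live auto_prepend_file, and a wp-load.php with an appended line."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    files = {
        "wp-cli.yml": "path: .\nrequire:\n  - .cache/helper.php\n",
        "php.ini": "; auto_prepend_file = old.php\nauto_prepend_file = /tmp/.x.php\n",
        "wp-load.php": "<?php\n// core file with an appended line\neval(base64_decode('...'));\n",
        "wp-config.php": "<?php\ndefine('DB_NAME', 'wp');\n",
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    # Hashes as a clean copy would have them; wp-load.php deliberately differs.
    clean_wp_load = "<?php\n// core file\n"
    expected = {
        "wp-load.php": hashlib.sha256(clean_wp_load.encode()).hexdigest(),
        "wp-config.php": hashlib.sha256(files["wp-config.php"].encode()).hexdigest(),
    }
    return root, expected


def run_demo():
    root, expected = build_sample_site()
    return audit_site(root, expected)


if __name__ == "__main__":
    for where, what in run_demo():
        print(f"{where}: {what}")
```

On a real install, point `audit_site` at the document root and supply hashes from a clean WordPress download of the same version; for the core files themselves WP-CLI's own `wp core verify-checksums` does the comparison against WordPress.org, but it does not look at wp-cli.yml or php.ini, which is exactly why the answer above calls the wp-cli.yml hook the one you would not think to check.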