
Hacker Gains Access To WordPress.com Servers - gsharma
http://techcrunch.com/2011/04/13/hacker-gains-access-to-wordpress-com-servers/
======
iuguy
Well this is great. I'm doing a talk tomorrow at OWASP London[1] on WordPress
Security. Interestingly, while sorting out Google dorks for the presentation I
found 27,000 references to PHP shell backdoors. If you're going, I look
forward to seeing you there. Please don't laugh at me every time I mention
WordPress and security in the same sentence.

[1] - <https://www.owasp.org/index.php/London#Next_Meeting.2FEvent>

~~~
wewyor
Is your talk going to be recorded?

If so I would very much like to see it.

~~~
iuguy
As far as I know (hope?) it isn't. I can put the slides up afterwards though
if that helps.

~~~
wewyor
I wouldn't mind the slides but the talk is usually so much more useful.

~~~
iuguy
Are you UK based? If not I could probably redo it next month as a webex if
there's enough people interested.

~~~
wewyor
Not UK based or anywhere close, but I don't think you need to go through all
the trouble to redo it.

I will take you up on your offer of slides though, I only asked about the
recording because I remembered seeing that Samy Kamkar talk online (though it
might not have been at OWASP).

------
jacques_chester
As an off-topic request, I prefer links to the original source, not to
intermediate sources. Yesterday TechCrunch got love for an announcement made
on Google Blog; today for an announcement made at Wordpress. In neither case
did they add any value.

~~~
abraham
The original article was already submitted before this one was. It didn't get
as many votes though.

<http://news.ycombinator.com/item?id=2443165>

~~~
jacques_chester
Upvoted; but perhaps "Security Incident" was a slightly too generic title.

------
cookiecaper
Really sparse on the details. Were the servers accessed due to a vulnerability
in WordPress, other PHP or world-accessible code, a server misconfiguration,
an "inside job", or what? I think it's important to have a bit more
information about the nature of the attack, so that we know if independent
WordPress installations are vulnerable and if/when we should reset keys and
passwords.

------
jtchang
These days it isn't just about making sure you have good passwords and a
decent firewall.

If you run a site that has valuable information you will end up being a
target. That's just a fact. How you respond to these types of security
incidents is what will set you apart from the pack. Sadly most breaches are
covered up. They are bad for PR and most people don't understand them.

Always make sure you have a plan in place. Even if it is just shutting down a
list of servers, incident response can go a long way.

------
dirtyaura
TechCrunch indicates that the hacker got access to the source code of
WordPress.com VIP sites and "only" Twitter and FB API keys were leaked.

Does anybody know how WordPress.com saves MySQL passwords? Does it differ from
WordPress installations? Vanilla WordPress installations have them among the
rest of the code and thus those might have leaked too.

~~~
skeltoac
Database access control is layers deep. Even if you had the MySQL passwords,
you wouldn't be able to connect to the database servers.

~~~
bradleyland
I'm not sure I follow. If you have root access on a machine that runs PHP web
apps that connect to a MySQL server, you have, at a minimum, access to the
databases those web apps relied upon. The web app MySQL credentials have to be
supplied somewhere in the code.

~~~
skeltoac
True. But the MySQL servers have layers of access control beyond passwords.
The unauthorized access has been closed. So even if the attacker saved the
passwords, they don't have the other factors for a MySQL connection.

~~~
jacques_chester
If they have root access on the PHP servers they can still access all the data
in MySQL by writing code like this:

    <?php
    $pwnd = mysql_select_or_whatever_it_is('select * from sensitive_tables');
    ?>

Like most LAMP applications, WordPress uses only one connection with total
access to all tables. It's the same unavoidable design issue that causes
plugins and themes to be a security issue.

------
odiroot
Considering a few recent cases of this kind, what's the best way to store
passwords/keys/other credentials? Can I avoid leaking sensitive information
even if an attacker gains root access to my app machine?

~~~
Joakal
For passwords, my method is an individually salted one-way hash, which will
eliminate most attempts, pretty much leaving brute forcing as the most
efficient way. However, it's known that people use common passwords like
'password1'. For more paranoid security, read documentation, discussions and
even black discussions regarding the technology you use if you really want to
lock down everything. Eventually it'll be a performance/usability vs security
compromise in some cases.

I suggest a failure plan to prepare for security failures, including several
PR messages depending on the severity of the failure, even if you do not know
if you're compromised.

It's highly unlikely that you will be able to avoid potential leaks.

~~~
odiroot
Hashed passwords are pretty obvious, but what if your app needs to talk with
something that needs the original password (a database, an external system of
some sort)?

I guess, as always, there is no silver bullet.

~~~
Joakal
If you are using something like app -> db calls to be done automatically on a
server, hashed passwords won't help since the script usually requires a stored
non-hashed key unless it accepts hashed keys. Even then, if the password or
hashed password is exposed, the hacker can still use it to access the database
via your app.

Maybe you want decentralised permissions of multiple database users? They
can't quite get or do most things.

Or centralised and/or put into a locked-down file that can only be accessed by
the OS user for parsing scripts, e.g. www-data.

More references:

<http://technet.microsoft.com/en-us/library/cc722487.aspx#EIAA>

<http://us.php.net/manual/en/security.php> (Or check your relevant manual)

<http://blogs.forbes.com/firewall/2010/12/13/the-lessons-of-gawkers-security-mess/>

<http://stackoverflow.com/questions/3173698/how-safe-is-code-hosted-elsewhere>
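Two of the suggestions above (several scoped database accounts instead of the single all-access connection jacques_chester describes, and a credentials file readable only by the application's OS user) as an added Python example, not code from this thread: it audits constructed MySQL SHOW GRANTS lines for the all-access pattern and checks a credentials file's mode bits before parsing it. The account names, hosts and grant lines are constructed samples.

```python
import os
import re
import stat

# One line of MySQL SHOW GRANTS output, e.g. GRANT ALL PRIVILEGES ON *.* TO 'wp'@'%'
GRANT_RE = re.compile(r"GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
                      r"'(?P<user>[^']*)'@'(?P<host>[^']*)'", re.IGNORECASE)
BROAD_PRIVS = {"ALL PRIVILEGES", "ALL", "FILE", "SUPER", "GRANT OPTION", "DROP", "CREATE USER"}

# Constructed sample: the usual single all-access account next to a front-end
# account granted only the table it needs, from one application host.
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'wp'@'%'",
    "GRANT USAGE ON *.* TO 'wpfront'@'10.0.0.5'",
    "GRANT SELECT, INSERT, UPDATE ON `wp`.`wp_posts` TO 'wpfront'@'10.0.0.5'",
]

def audit_grant(line):
    """Return findings for one grant line; an empty list means it looks scoped."""
    m = GRANT_RE.search(line)
    if not m:
        return ["unparsed grant line: " + line.strip()]
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    if privs == {"USAGE"}:  # USAGE on *.* is MySQL's "no privileges" marker
        return []
    who = "%s@%s" % (m.group("user"), m.group("host"))
    scope = m.group("scope").replace("`", "")
    findings = []
    if privs & BROAD_PRIVS:
        findings.append("%s holds broad privileges %s" % (who, sorted(privs & BROAD_PRIVS)))
    if scope.endswith("*"):  # *.* or db.*: not limited to named tables
        findings.append("%s is granted on %s rather than named tables" % (who, scope))
    if m.group("host") == "%":
        findings.append("%s may connect from any host" % who)
    return findings

def credentials_mode_ok(st_mode):
    """True when a credentials file's st_mode grants nothing to group or other,
    i.e. only the OS account running the application (say www-data) can read it."""
    return not (st_mode & (stat.S_IRWXG | stat.S_IRWXO))

def load_credentials(path):
    """Parse KEY=VALUE lines from a credentials file, refusing a loosely-permissioned one."""
    mode = os.stat(path).st_mode
    if not credentials_mode_ok(mode):
        raise PermissionError("%s is group/world accessible (mode %o)" % (path, stat.S_IMODE(mode)))
    with open(path) as fh:
        return dict(line.strip().split("=", 1) for line in fh if "=" in line)
```

Run `audit_grant` over each line of a real `SHOW GRANTS FOR 'user'@'host'` result; anything the single all-access account pattern produces shows up as three findings at once.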

------
dustingetz
<http://www.dustingetz.com/password-security-the-free--easy-way>

~~~
Joakal
This has the vulnerability of a single point of failure, as well as a home
attack (someone nicks the computer/paper).

~~~
dustingetz
Sure beats what I was doing before!

------
udoprog
Cracker, not hacker!

I can understand TechCrunch getting it wrong, but we on HN should at least set
the record straight.

------
nikcub
> Automattic had a low-level (root) break-in to several of our servers

How is root access 'low-level'?

~~~
nbpoole
Low-level as in <http://en.wikipedia.org/wiki/High-_and_low-level>, not as in
"very little access" (which I'm assuming is the impression you're getting:
correct me if I'm mistaken)

~~~
nikcub
I see that meaning, but the way it was written you would think the context was
access.

~~~
nbpoole
And low-level access (to me) means root access. The only lower level access I
can think of would be if someone broke into the datacenter and stole the
server ;)

~~~
trotsky
broke into the fab and altered the microcode ;)

~~~
zheng
Don't even need to do that, a simple BIOS update can update the microcode on
most semi-recent Intels.

EDIT: I'd assume other architectures as well, Intels are the only ones I know
about, however.

