DOTMAGAZINE: David, although well-known content management systems, such as WordPress and Joomla!, regularly release security updates, these critical updates are often installed too late by the end user. Why is that?
DAVID JARDIN: That's a good question. I’ve asked myself this question numerous times. I think that one of the main reasons is that, especially in the area of small and medium-sized businesses, people don't have enough awareness of the fact that those content management systems (CMSs) are applications which require updates too. They see the website as a static asset, which doesn't require any maintenance. So that is one of the reasons why they simply forget about the need to do something. The second main reason, in my opinion, is just fear. People are afraid to update their system because they assume that something is going to break, or that their website won't work anymore. So they really like the never-change-your-running-system approach. Of course, this is causing some huge issues on our side.
DOT: What can be the consequences, if such vulnerabilities have not been patched in time?
JARDIN: I think what is important to point out is what 'in time' means in this context. Our internal process, when we as a security team get notified about a security issue, is that we look at the exact details. We try to find out what the potential impact of the issue can be. Now, all of this happens in private because we receive those reports as confidential reports – nobody besides the initial reporter and us is aware of the details. Once the issue has been triaged and we have published a patch, some sort of race starts. As soon as the patch starts being published, it's also possible for the bad guys to reverse engineer what the initial issue has been and they try to develop cyber attacks for that exact vulnerability. What is interesting is the timeframe as I mentioned before – between us releasing the patch and the first automatic attacks, there is round about six to eight hours max. If you don't update your CMS within six to eight hours after the patch has been released, you can consider yourself hacked.
So it's a very narrow timeframe and that's a fact which is causing problems for most of our customers; if they don't update their CMSs and get hacked, they most likely see nothing happen in the first place, because it is a very common pattern in the attack industry to infect the website with a backdoor, and then wait for a couple of weeks or even months. If you wait, the client doesn't have any back-ups anymore which belong to the timeframe when the website hadn't been hacked. Back-up is the one topic. Now, it's also hard for people to draw the necessary conclusion that the missed update was the issue, so they don't have an idea how the infection happened in the first place.
Once a backdoored website becomes actively exploited, you'll see all sorts of stuff happening, for example, spam being sent, your website is going to attack other websites with DDoS attacks. Often you can also see data breaches; for example, if you have an online shop, credit card data can be fetched and transferred. Yes, there are all sorts of bad things that can happen when your website has been compromised.
DOT: How can the SIWECOS project support hosts to protect their customers, especially small and medium-size businesses?
JARDIN: As I mentioned before, most of those security reports happen in a responsible disclosure. We, as the security team, are in a unique position because of that. We can create a patch and we can also conclude if that specific issue can be filtered in a meaningful way on the server side, and that is actually what the SIWECOS web hoster service is all about. We cooperate with multiple open-source CMS security teams, especially with the major three CMSs which are Drupal, WordPress, and Joomla!, but also with a number of smaller ones or those which are more specific to the German market, like TYPO3 or Contao. So when those security teams get a report, they check if it makes sense to filter that specific issue on the server, and if it is possible, we work out examples for filtering rules for these issues.
Now, for web hosts, we are offering a mailing-list service, where they can subscribe, or more precisely, where they get an invite from a colleague in the web hosting industry. They'll receive an email from the security teams at the exact same moment as the patch is released. With regard to the filtering rules, they can apply those rules right away, and once in place, these filters protect the customer on the server side, regardless of whether the actual customer updates his system or not. So it's very straightforward and very easy for the security teams and web hosts to do. This particular approach has a huge effect because we kind of eliminate the weakest part in the chain, which is the customer who fails to update his or her system.
DOT: In short, what are the benefits for hosts, when using the SIWECOS service?
JARDIN: The key advantage is that you're able to reduce the amount of support that's required after a major vulnerability has been detected. So when people don't update their system, they're likely to get hacked and that's causing various issues on both sides. At the end of the day, they'll need to block a customer's web hosting account. As soon as the account is blocked, the customer will reach out to the web host support and ask for help. This can only be a five-minute talk, but even a five-minute talk creates tremendous costs for the web host. The web hosting business itself has some rather low prices, so reducing support is one of the key things to achieve and that's what SIWECOS’ main advantage for web hosts is. We protect their clients from being hacked and the required support is being reduced quite dramatically.
DOT: How can web hosts get in touch with SIWECOS?
JARDIN: That's actually quite easy. We have a dedicated email address for web hosts that are interested in the service, which is 'firstname.lastname@example.org'. Just reach out to me and I'll get you in the mentioned mailing list. You'll get the information that you need from that point on and that also applies to any other questions that you might have about CMS security. Just reach out to me and I'm happy to help.
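The server-side filtering Jardin describes is often called virtual patching: the host applies a rule that rejects requests matching a vulnerability signature, so an unpatched CMS behind it is shielded until the customer updates. The following Python WSGI middleware is an added illustration of that mechanism and is not SIWECOS code or a rule from any CMS security team; the rule format, the rule id `EXAMPLE-0001`, the `/index.php` path and the `option` parameter check are all constructed assumptions, and the sample traffic in `run_demo()` is likewise made up.

```python
"""Added example: a minimal 'virtual patch' request filter in front of a CMS.
Not SIWECOS or project code; rule format and rule contents are hypothetical."""
import io
import re
from urllib.parse import parse_qs

# Hypothetical rule set. In the scheme described in the interview a rule like
# this would be distributed by the CMS security team together with the patch;
# the field names and the single placeholder rule below are assumptions.
RULES = [
    {
        "id": "EXAMPLE-0001",            # placeholder identifier, not a real rule
        "methods": {"GET", "POST"},
        "path": "/index.php",
        "param": "option",               # assumed to carry a plain component name
        "pattern": re.compile(r"^[A-Za-z0-9_]+$"),  # expected shape of the value
    },
]


def parse_query(raw):
    """Turn a query string or URL-encoded body into {name: [values]}."""
    return parse_qs(raw, keep_blank_values=True)


def rule_matches(method, path, params, rule):
    """True when the request hits the rule's endpoint with a malformed value."""
    if method not in rule["methods"] or path != rule["path"]:
        return False
    for value in params.get(rule["param"], []):
        if not rule["pattern"].fullmatch(value):
            return True
    return False


def evaluate_request(method, path, params, rules=RULES):
    """Return (allowed, rule_id); rule_id names the first blocking rule."""
    for rule in rules:
        if rule_matches(method, path, params, rule):
            return False, rule["id"]
    return True, None


class VirtualPatchMiddleware:
    """Applies the rules before the wrapped CMS application sees the request."""

    def __init__(self, app, rules=RULES):
        self.app = app
        self.rules = rules
        self.blocked = []  # (rule_id, path) decisions, useful for host-side logs

    def __call__(self, environ, start_response):
        method = environ.get("REQUEST_METHOD", "GET")
        path = environ.get("PATH_INFO", "/")
        params = parse_query(environ.get("QUERY_STRING", ""))
        # Merge form-encoded POST bodies so the same rule covers both channels.
        if method == "POST" and environ.get("CONTENT_TYPE", "").startswith(
            "application/x-www-form-urlencoded"
        ):
            length = int(environ.get("CONTENT_LENGTH") or 0)
            body = environ["wsgi.input"].read(length).decode("utf-8", "replace")
            for name, values in parse_query(body).items():
                params.setdefault(name, []).extend(values)
        allowed, rule_id = evaluate_request(method, path, params, self.rules)
        if not allowed:
            self.blocked.append((rule_id, path))
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Request blocked by server-side filter\n"]
        return self.app(environ, start_response)


def run_demo():
    """Push three constructed requests through the filter; return the statuses."""

    def cms_app(environ, start_response):  # stands in for the unpatched CMS
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"CMS handled the request\n"]

    app = VirtualPatchMiddleware(cms_app)
    sample_traffic = [  # constructed sample requests, not captured traffic
        ("GET", "/index.php", "option=com_content&id=1", b""),
        ("GET", "/index.php", "option=bad-value", b""),
        ("POST", "/index.php", "", b"option=bad+value"),
    ]
    statuses = []
    for method, path, query, body in sample_traffic:
        environ = {
            "REQUEST_METHOD": method,
            "PATH_INFO": path,
            "QUERY_STRING": query,
            "CONTENT_TYPE": "application/x-www-form-urlencoded",
            "CONTENT_LENGTH": str(len(body)),
            "wsgi.input": io.BytesIO(body),
        }
        app(environ, lambda status, headers: statuses.append(status))
    return statuses


if __name__ == "__main__":
    print(run_demo())  # → ['200 OK', '403 Forbidden', '403 Forbidden']
```

The point of routing decisions through `evaluate_request()` is that the host can ship a rule without touching the customer's installation, and can retire it once the customer has applied the real patch; the `blocked` list gives the support team a record of what the filter rejected.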
Born and living in Cologne, Germany, David first got in touch with web development in 2002 whilst still in school. He quickly became an active member of the German Joomla community, joining the board of the German Joomla association "J&Beyond e.V." in 2009. In 2012, he started contributing to the CMS code. Currently, he's the team leader of the Joomla Security Strike Team.
Please note: The opinions expressed in Industry Insights published by dotmagazine are the author’s own and do not reflect the view of the publisher, eco – Association of the Internet Industry.