I have posted a new podcast today in which we address some key news topics, articles, and some of the associated risks around WordPress and information security for businesses.
Like all weeks there has been a lot going on in the WordPress Security arena and some key statistics have come out around WordPress that may surprise you!
In this podcast, we are going to be covering the following:
- [VULNERABILITY] Patch Magento if you are using it; thousands are being pwned and their credit cards are going away!
- [NEWS] Ransomware taking out schools, this is just crazy! I know the school my kids go to and they struggle to keep up!
- [ARTICLE] Short post from @briankrebs on immutable truths about data breaches. Bottom line: PREPARE!
- [ARTICLE] Best Practices for Secure Web Forms – WordPress by @wpwhitesecurity – Good post, and a key one is the double opt-in.
- [ARTICLE] Ransomware is schwacking the department of education in the UK! Bugger!!
- [ARTICLE] A really good post from Johannes Ullrich at SANS on how important it is to ensure data is clean before sending it to VirusTotal! Didn’t see that one!
- [VULN] MongoDB vulnerability and peeps getting taken globally! Is there no honor with Thieves anymore!
- [ARTICLE] Using the Invisible reCAPTCHA
- [ARTICLE] Developers Guide – reCAPTCHA
Other associated links and resources mentioned in today’s show:
- [ARTICLE] Good technical blow-by-blow on the methodology of injection of unwanted Google AdSense ads
- [ARTICLE] Wordfence talks about a Gmail phishing technique that is currently in the wild
- [NEWS] If you are a Netflix user, watch out for a phishing scheme to steal your credit card poo and other personal fluff
I hope you enjoyed the podcast and it provides you value securing your business and WordPress site!
Listen on iTunes, and don’t forget to subscribe to the show!
Lastly, check out our sponsor: Sucuri.net
I know you will enjoy this episode.
Thank you for listening!
“WordPress Security Daily”
BONUS – Don’t forget you can use the content in the podcast/training for Continuing Professional Education (CPE) credit!
Can’t listen right now – Read the transcript below.
SHON: It’s time now for WordPress Security Daily and there’s a lot to talk about including the patch for Magento. If you’re using it, thousands are being pwned and their credit cards are gone away. You better get it up, rent somewhere, taking out to schools. I can’t believe it. This is crazy. My kids go to school all time, not good. And there’s a short post from Brian Krebs in the Immutable Truths About Data Breaches. Best practices for securing web forms. It’s a really good post, and we’ll talk about that a little bit, and also, using the invisible reCAPTCHA. There’s a whole lot more coming up at WordPress Security Daily is next.
Welcome to the WordPress Security Daily Podcast. We give you the tools to keep the evil hacker horde at bay from your WordPress website. Hi, my name is Shon Gerber, and I’m your host for this action pack informative podcast. Join me each week as I teach you the skills you need to protect you, your business, and your WordPress website from the evil hacker horde, attempting to make your life extremely painful. All right, let’s get started.
This is WordPress Security Daily with Shon Gerber, episode 33, recorded Tuesday, January 17th, 2017. WordPress Security Daily is brought to you by Sucuri, Sucuri.net. All right, it’s time for WordPress Security Daily. How have you all been doing this wonderful week? Well, I hope you all had a great week. We’re in Kansas here. We had the ice apocalypse, and it actually didn’t come up to be quite that bad but it was supposed to be the end of [inaudible], but we’re fortunate for us here in the Midwest, in this part of the Midwest, it turned out okay. People in Western Kansas, not so lucky. They got about an inch of ice, so I’m not sure if you’re from here, if you’ve ever been around ice storms, but ice storms are bad. They just take everything out. I’ve lived through tornadoes, through hurricanes, and they rank up there with hurricanes, because hurricanes destroy whole states. Ice storms do part of that, half a state maybe. Ice storms are bad, bad juju. Everything other than that, is wonderful and good in Kansas. I couldn’t — I may ask for anything better than that, that’s for sure, but this week has been a wonderful week as far as for a row, WordPress security and for security in general. It’s pretty amazing, all the stuff that’s been hit in the streets lately, it just doesn’t ever stop, which I guess is good if you are a security person, but bad if you’re trying to secure everything, just as crazy. We’re going to get into some of those things today on different articles that had come out. The Magento patch, we’re going to get into that, as far as how many people are being pwned from it, their credit cards are being taken away, and how that’s actually occurring. There’s actually been a couple instances of Ransomware in public schools systems, and this is just crazy. My wife works in a public school system, we see it first hand, but bottom line is that, they don’t have a way to protect some of the stuff, and what’s happening is that it’s forcing some of these schools to actually pay the ransom, so we’re going to get into that a little bit.
Brian Krebs is always, he just — he knocks it all the part. He’s got some really good mutable truths about data breaches and we’re going to go over those, along with some best practices for securing your web forms for WordPress. WP White Security, they’ve got some really stuff out there and it’s a lot of this stuff, if you’ve been around WordPress for period of time. It’s nothing super new but it’s really to the point and that’s the part I liked about it, was it basically it breaks it down to some really key aspects that we’re going to get into here just a minute. We are also going to be talking about using the invisible reCAPTCHA. It’s really interesting, they got that coming out all through some coding that you can get for your site that we’ll go into the CAPTCHA. We’ve talked about CAPTCHA. We’ll talk about that a little bit here and some of the other articles that pulled up, but they have the invisible use of reCAPTCHA, which I think is really cool. If you’re a developer and building your site out, you’re really going to be interested to see what they have to say about that. It’s pretty cool. Before we get roll into that, we’re just going to take a really quick time out about from some words from our sponsors. The sponsor today is Sucuri, it’s Sucuri.net.
If you’ve ever had your site hacked, or you felt this sinking feeling and you didn’t how to deal with security, and especially you’re dealing with WordPress? You’re trying to settle this stuff up? Are you totally confuse about security, in what to do to best protect your site? Get a hold to Sucuri.net, they’ll help you out. They offer a wide range of products and services that can clean, hack, and deface websites, providing you actual protection capabilities. The other thing is, that they provide malware clean up, web application firewalls, denial of service protection, and so much more. Check them out, Sucuri.net, that’s Sucuri.net.
All right, let’s get back to our podcast. One comment about having sponsors on the site and people that we support, one thing that’s interesting about all this, is that in recent news, I don’t know if you’ve all seen this, is that D-Link just got hit with a lawsuit from the FTC. With that lawsuit is, is that they are coming up in offering this wonderful practices from security standpoint on how to best protect your site. I don’t know if you’re heard of it or you’ve read it, it infuriates me on how the fact that this company took them out and say, You are protected by — What do they call it? Military grade encryption, 256 EES. They use these big fancy terms to try to confuse people to the point that they don’t even know what to do, and they think they’re getting something that potentially they may not be. Real quick on Sucuri, I really enjoy them. I like working with these guys. They do offer up great services. The point is, that from a person that’s listening to this podcast, she might be just totally overwhelmed with going, what the heck do I believe? There’s so much fluff. How do you know you’re picking the right thing? That’s what we hope to help you on here at WordPress Security Daily. We’re just going to go through some of those things for you, but bottom line is, you got to read through it and start realizing, what is actually just add copy, and what is something that will really would protect your site?
We’re going to roll into this. First one is talking about Magento. They say basically we need to patch it. If you’ve heard or using it, they’re saying thousands of people have been pwned and their credit cards have been gone away. This isn’t just in one country. It’s actually expanding from United States. It’s also in the UK as well. But real quick, what is Magento, other than the color? Magento is an open source e-commerce platform written in PHP. If you’re a developer on EON [?], okay I knew that. No big deal. Some of us didn’t really understand what even Magento was at first, and realize though that it’s been developed by Varien, V-A-R-I-E-N, Varien. Why do they have to call this crazy names? Just Varien. It’s a private company, its headquarters is in Culver City, California. If I’m not mistaken, it got purchased up by eBay a while back, or actually it was part of eBay and there was a breakup with it.
The thing is, it came out of this though. There’s a lot of big companies that use it, it’s basically employers of MySQL or a MariaDB Database. It’s used to take payment processing. It’s what’s its designed for. The Magento community, they basically have at this point, they have Burger King, Nestle, BevMo, and Coca-Cola. There’s other — there’s lots of organizations that are using the Magento platform per se. There’s a lot of online businesses using Magento as well. And what it’s saying is around — there’s around six thousand online stores that are running eBays, Magento platform. To me, that’s amazing, that there’s that many, but this recent hack. The expense of almost two years. This is in the German Federal Office of Information Security released something, but that was released back in, I want to say November of fifteen, they brought up this once before, about some Magento hacks that were occurring on — they were unpatched Magento shops. This comes back to the fact that you got to update your pooh [?]. You just have to do it. The German Office of Information Security says, there’s over a thousand stores in Germany that are affected by this, and that the sad part is that a lot of this could be fixed if people would just update their systems. The other thing that’s interesting with all of this, is that some of it was tied potentially to the MongoDB, ransom breaches that we’ll see, and we’ll talk about those here in just a little bit later and further on the podcast, but one thing I didn’t realized about this whole breaching with the Magento, was that U.S. National Republican Senatorial Committee, said that ten times, NRSC was basically a high profile site that was hacked using this same — the same thing that happened to the German part. That was done back in the early, in the 2015 area, the summer of 2015 or 2016 I should say.
The interesting part, Krebs wrote about that in his blog post. There’s about twenty one thousand credit cards that were stolen at that time. It’s online, you can go to the National Republican Senatorial Committee, NRSC, you can go there and you can buy all kinds of gee dunk[?]. Basically, you can buy you Go Trump shirt, your big foamy fingers that says number one, whatever you want to call it, but you can buy all that stuff there. Well, it’s online capability but their Magento platform was hacked because it didn’t update the stuff, and that many credit cards are stolen. The sad part is, that affects everybody. That affects the people that buy it, that affects the people that are operating on the store. The sad part is, so much of this can be done with just easy fixes, and people just don’t do it. They go throughout website, bada bung, bada bing [?], they’re good to go. In this case, you’re going to have to deal with, if you end up where your site is hacked because of fraudulent things that you did, IE not patching, it can make you liable. You’re in the situation where you might be dealing with, having to lawyer up to fight this, and or put your business, it put you out of business, make you go bankrupt, whatever it might be.
On that post out there, and we’ll have the links on the show notes, there’s an operator basically that has got a scanning, a free vulnerability scanning service that you can go to, and check it out. And then, you can find out real quick if your system is affected by this situation with Magento, but you know. It really comes down to, the number one problem is, just update your stuff. If you just update it, you’re going to be in much better position. If you have Magento, patch it. If you don’t have Magento, I guess in this situation is good, but guess what? Whatever platform you have, the news will come back around to you too at some point in time, just a matter of time. Done that, we’ll move on.
The next one is a Ransomware that’s been taken out schools, and this just blows my mind. When talking to a friend of mind that is one of the administrators of our local school system, they struggle with having the technical expertise to do many of these things. We’ve talked about, how do you protect the schools, and what can you do to help them? Well, this recent post, and this one here is about United States with the Los Angeles Community College District, and this isn’t a public school, it’s a community college but it doesn’t matter, if it’s any sort of collegiate kind of area of even just any educational space. They believe in having free access. When they do that, it causes some level of issues. While in this situation with Los Angeles Community College District, so it’s LACCD or acronym city here, agreed to pay a hefty ransom demand by the criminals who successfully injected a network of Los Angeles Valley community college, went in Ransomware on December 30th, 2016.
This is a post from [email protected] The part of this whole thing is that these guys got tracked by Ransomware. The interesting part about all of this is, is that if you are in the public education system, you’re dealing with all these data and they like to have it free and open, but you still got to have backup for your stuff. This doesn’t keep you from being a target by these people at all. If anything that makes it easier, because if you think you got this little skulls of mush that are walking around in this college that are basically– they don’t really know what they’re doing in most cases, they’re just trying to learn and they click on everything under the sun. They click on something that they shouldn’t click on and what happens? Then all of the sudden, you inject all those Ransomware into your environment. Because of that, they actually ended up paying $28,000 to basically receive the unlock and decryption key. The interesting part is the — here’s a quote from them. The district has a cyber-security insurance policy to address these specific types of cyber intrusions, and it was activated during this incident. While much time will pass before the matters is resolved, we have already availed ourselves of resources provided by the policy, including assistance of cyber security experts. Bottom line is, they cashed in their insurance policy because they got tracked. We’ve talked about this in the podcast to a back [?] is that insurance companies have been hit pretty hard recently. Well, here is another example of that.
The part of that is that, these insurance companies, at some point are going to start getting tighter on these things, but the part of their policies that they got people to come in and try to kick these guys out and try to bring them all. The cyber-security experts recommend, Hey, pay the bill because you didn’t get your pooh[?] back. The challenge with all of this is, the moment you start paying these people, what happens? It just continues, it gets worse and worse and worse. It’ll be interesting to see how this plays out, but I see more of this against nonprofits, against educational systems, churches, whatever it might be, depending upon the one they use. A lot of times, they use these tools when they target these Ransomware, to use them as a way of a testing ground, to learn, how do I go and attack these different areas. But if people are still willing to pay their ransom, they’re just going to keep doing. It’s easy money, right? We’ve talked about this in podcast, that being a hacker and being a bad guy, men, it’s much more lucrative than being a good guy, but the downsides, not so much. I don’t really want to go to prison and break big rocks and the little rocks, or live in a country I really don’t want to live in for the rest of my life, because if I live, I go to prison, so yeah, that’s not so good.
The bottom line with the whole Ransomware is having a really good backup system in place, still doesn’t 100% protect you but gosh, it’s going to help you way more than if you don’t have it. Recommendation, get yourself a backup system for a minimum of your critical systems that you got to have. If it gets nuked and you don’t have a backup for it, and it’ll put you out of business, back it up, make sure you think about it, back it up, because Ransomware is right on the corner.
Brian Krebs had a really short post. It’s not huge but we’ll elaborate on some of the things he talked about there on the Immutable Truths About Data Breaches. Here is my point, bottom line, prepare. If you haven’t listen to — we’ve got on my site, we’ve get the internet [?] response. There’s a prepare part of that of your ultimate hacker recovery guide and it’s going to check us on what you should do to– How far is being prepared for these kind of things. The thing that comes about with this, it says that here’s an exert request from this history that he had, if you connect it to the internet, someone will try to hack it, bada bing bada boom. This comes on to anything. This comes on to your computer, comes on to your lights bulbs, comes on to anything. If it’s out there, and they can touch it, they can see it, they will try to hack it. If you put something on the internet with values, someone will invest time and effort into stealing it, yes. Someone like me, if I put the pictures of my kids out there, they’re going to steal them, how great, you have pictures of my kids, right? So what? But, if you turn around and you go and your pictures are worth a gazillion dollars, that’s different, they wouldn’t target me because I don’t have a gazillion dollars. However, people that may have that kind of money, stars, whoever they might be, their reputation is everything to them, they will make sure that that kind of stuff doesn’t happen.
They put the pictures of them, posting with the naked man of David, in Las Vegas. Don’t want that to get up in public, so what do they do? They decide to pay whatever or they want to make sure that people aren’t trying to blackmail them on that. Again, if it’s worth any value, people will try to steal it, even if it was stolen and does not have immediate value to the thief, he can easily find buyers for it, yes, yes, they can. If they’re looking for something that, is say your social security numbers, your addresses and stuff, somebody is willing to pay for it, then you can probably find someone, it might not be pennies on the dollar but someone can find it. The price that you secure is most certainly will be a tiny slice of the truth worth of to the victim, and that’s no doubt. If you’re the victim and the guy gets twenty bucks for selling your social security number, is way more the worth to you than it is to him or her, they could care less. They just want the money, that’s all they want. Organizations and individuals unwilling to spend a small fraction of what those assets are worth, to secure them against cyber crooks can expect to eventually be relieve of said assets. Basically, comes down to, if you don’t protect your pooh, someone is going to steal your pooh. That’s a lot of pooh stealing, pooh, yeah.
Moving on, bottom line is if it’s worth anything, cyber crooks are going to go after it. That’s just what’s going to happen. Make sure you are prepared for them. That was interesting. they had a — he talks about particularly a model for cyber-criminal code of ethics, or the cyber crooks social contract which doesn’t always work, because we’ll talk about in some cases where they go, hey, pay me my description key, I’ll give you the money and they send the decryption key. And oh, didn’t work. We talked about last week. He basically imagined the cyber-criminal code of ethics that might looks something like this, and he goes, he goes again, use the voice of season criminal or crook. If you hook it to the internet, we’re going to hack into it. That sounds pretty familiar. If you put — what you put on internet is worth anything, and one of us is going to try to steal it, okay? That’s what’s pretty much going to happen. If we can’t use what we stole, no big deal, there’s no hard to sell it, and also we know people, so true. We can’t promise to get top dollar for what we took from you but hey, it’s a buyer’s market. Be glad we didn’t just publish it online. That would be even worse, right? To open it up to all their friends and everybody else. If you can’t or won’t invest a fraction of what your stuff is worth to protect it from the likes of us, don’t worry, you are our favorite type of customer, yeah. Bottom line, protect your pooh. If you don’t know what you’re doing, get a professional to help you. At least listen to a podcast and get some information because that will at least go, that will go a lot further than not doing anything at all.
Second one is, your web form should be available over HTTPS or TLS, Transport Layer Security, formerly known as prints [?], no, SSL, because he’s passed away, so it’s no longer prints. It’s worm food. Moving on. The web form should be made available over encrypted channel. We talk about TLS, SL, SSL. If you’re using — and now, if you haven’t seen it with Google, they are now putting out there where you — there’s nice little thing on the side of any webpage that you go says, not secure. If you see not secure, if you are a person who doesn’t really pay attention, you go, Well, that’s not good, I don’t want to go there. You definitely want to just put HTTPS. Does that protect you from the bad guys? No, but it does make sure that the person you’re talking to is someone you intended to talk to, and still doesn’t protect you from the bad guys. It’s really more or less about — its encryption is part of just the transport part of it, but it’s more about authentication and integrity of the traffic.
Next one is a double opt-in for your mailing list. Yes, this is very good. This keeps, actually keeps the spam box of data blacklisting and you don’t want to do that, because the double opt-in is you go, yes, I want to join WordPress Security Daily’s newsletter. Click. Are you sure you really want to join newsletter? Yes, I do. Click. Okay, now, you’re in. It’s just to keep people from– the bots, doing their thing. If you really don’t want to, then you don’t have to do it, works that well that way. Bottom line is there’s some really good — it’s a really good post by WP White Security but it talks about input validation, challenge response systems of the wonderful captcha, and make sure it’s SSL, then, use double opt-in for your mailing list. We’re going to roll right into a sponsor break real quick.
In this episode of WordPress Security Daily is sponsored by Sucuri, Sucuri.net. It’s S-U-C-U-R-I.net. As you know, all of WordPress is about security, and that’s what we do. We talk about security. With over ten thousand WordPress sites being hacked each days, and these are old number. That’s 2013, so it’s probably higher than that at this point because we keep growing. It’s important to get the security help you need. It’s only a podcast once a week and it’ll do so much for you. Sucuri is a company that will help you with you security needs, whether you’re a small company, whether you’re a startup, whether you’re a multinational company, they can help you, and they can help you stay secure. Bottom line, if you’re a developer, a person responsible for the installation of your stuff, do you? Are you’re concerned or overwhelmed with managing security or maybe, have you been hacked or have no idea who to turn to to clean your site? I’ve seen that happen more than once Do you have multiple platforms? WordPress, Joomla, Drupal, any of those, or even just one of them. Sucuri is a multi platform company that can help you all the time, 24/7, 365, pretty much globally, anywhere globally. These are the few of the main products they offer, Malware removal, security sands, [?] scans, for malware and hacking attempts, anything like that, blacklist monitoring, removal, web application firewalls, DDoS protection, and the wonderful PCI compliance if you’re in the states. If you’re not in the states, you have something too, or on the horizon, just talk to China, they got stuff coming.
One thing I think about is super important also is the end of analysis that in a fault leadership they do, they’ve had a lot of good post up there about what they provide. Bottom line is if you really want to get some really good insight, if you’re a developer, and you want to know how they’re doing some of the stuff. The blogs are super helpful, very, very helpful. They actually even got a hack recovery guide as well out there on how to un-hack your site. Last thing, I’ve spoken with Tony and Dray, the owners, they’re down to earth dudes. They really want to help the entire community while providing a super service creating value to entrepreneurs and businesses. Check them out, Sucuri.net. That’s Sucuri at Sucuri.net.
Let’s get back to our podcast. We talked about also Ransomware. I’m not going to get into this post the whole lot, other than to say there, it’s at the actionfraud.police.uk. There’s a Ransomware basically shwacking the dickens out of the department of education of the UK, its a bugger and that’s not good. I would love to say that it would be easy, but if we got large corporation, multinational corporations that deal with Ransomware, you’re going to have it in educations systems and we have protection systems. We can mitigate things really, really quick. You got a school education departments, they can’t mitigate things quick. That’s bad. That’s just sucky. Ransomware, I still think it’s a scourge of the internet, bad stuff.
It’s a really good post by [?] at SANS on how important it is for — to ensure data is clean before sending it to VirusTotal. I don’t know if you know VirusTotal is, but basically, if you get a virus bug, and you then ship that signature to VirusTotal and they put it in their database, which then and turn, gets to pushed out to everybody, McAfee, all the trend, all those different ones. What he’s found is that there’s automated solutions out there that submits everything they see to VirusTotal, using the information to make a security decision, not good. Not good at all. The reason is, is that you could have sensitive data that’s getting shoved up to these guys that you don’t want shoved up there. they’ve got — they’ve seen this. This is why I’m saying that, they’ve seen sensitive documents that are being pushed up to VirusTotal because this autobot is sending it up — Well, Autobot, transformers — Okay, sorry, sorry about that. They’re exposing and sending sensitive information to these third parties which is bad. Be careful when you have something setup that’s if you’re a research developer and you’re looking for — Hey, if there’s virus comes in, just automatically ship it to VirusTotal. Good on you for automating it, but you better make sure the data you’re shipping up there is not something that’s sensitive because you could be getting yourself in a lot of different trouble in a lot of different ways, from one, if you have a compliance division, are you sending up things you shouldn’t? Are there different types of requirements about your data that you’re shipping up there and you shouldn’t do that? Who do you have to know to notify? All that. Be really, really careful about doing those things.
The MongoDB vulnerability. The peeps are getting taken globally, yes. There is no honor amongst the thieves at all. They need to have that new code of ethics that Krebs talked about earlier. Krebs is talking about this. This actually came out of the Graham Cluley as well, because Graham found it or found some stuff on it then ship it out to — and then, Krebs brought it up and talked about it. If you go to Shodan and you and type in MongoDB, it will tell you all the MongoDB databases that it can find on the web. They found tens of thousands of these things. There’s a lot of organizations that use it to store data but what they’re doing is they’re not configuring them right and they’re leaving the database exposed online, bad juju, really bad. So hey, if you’re business, go in there and type your name up too because you know what? That’s an interesting thing. If you type your name you may find some of these servers that are open to the internet that aren’t supposed to be. So, something to check out on that [?]. Don’t just check with MongoDB, look at everything else that’s out there, but he just had a really good post about this in kind of what, how you saw it, but it comes into where is it located? IP addresses, all those wonderful, beautiful things that if you’re a bad guy, you want to see. Basically, there are several stories of the years that are accidentally been published in the user data and correctly because of MongoDB databases. it puts in year March 2016, for example, they broke the news about the Verizon enterprise solutions, manage to leak the contact information with some 1.5 million customers because of a publicly accessible MongoDB installation. What it’s saying though, is you can go to Shodan, type in MongoDB and go, all right, now, I have targets of opportunity, what can I go after those? That’s basically what ends up happening. It just blows my mind that this is happening.
However, I also realized that there are so many people that are putting things out on the web that really don’t look at it from the security standpoint of how to best do it.
He talks about in here, his query from Shodan, there’s more than 52,000 publicly accessible Mongo databases from the internet at the date that’s thing went out. I just sit there and go, all people’s information on this database. Some pretty cutting edge stuff could even be on these databases, if not, there’s personal data that’s on these things. What’s happened is, is that they found out all of these databases that are out there, and then, you start seeing — you start querying these database fields and they started getting like read me, read me now, encrypted, read please, well, come to find out that somebody found out that all these DB, these databases were out there and encrypted these rascals. In the process of encrypting them said, hey, yeah, if you want those data, you’re going to read me, after you read me, you go, hey, if you want this data, so you better pay up. If you don’t pay out that extra amount of money, well, what’s happen is, people have done that. They say, Okay, fine, I’ll pay you. The in turn of paying them, what happens is, when they get an encryption key and the encryption key isn’t the right one. You just got to be kidding me. What they’re saying is don’t pay these guys. Basically, if you’ve got a MongoDB database and you don’t have a backup, you are out of luck. You’re just done. It’s important for you to make sure you back up these database. What is important for you, don’t expose it to the internet. Databases honestly should not be exposable database period dot. Because especially what they’re tied to.
Second is, you better make sure that you’ve got backups of these things. If you do have it on the internet and it gets hacked, you better lawyer up, because you run a really good risk of the fact that you’re going to have to pay out for all kinds of personal data lost, you name it. I highly recommend that if you have a MongoDB database, go to Shodan, see if you can find it. Bottom line also is, pull up your stuff and see if anything you can find is tied to your company name. Then start working from there, but you don’t want to get extorted by these guys. If you’ve got anything on a database, odds are high it’s worth some level of value. You’ve got to ask yourself, are you willing to deal with an encrypted drive or an encrypted database? Basically, it comes down to what Krebs had said, that the fact is that if you put it on the web, someone is going to try to hack it. If you put it out there and it’s of any value, someone is going to try to take their time to steal it. It’s just going to happen. Watch out for your stuff. Just don’t put it out there.
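The two misconfigurations behind the exposed-database extortion described above are a listener bound to every interface and no access control. The following is an added example (not from the podcast, Krebs, or MongoDB) that audits a mongod.conf for exactly those two settings; both sample configs are constructed, and the parser only understands the simple two-level shape those keys use.

```python
"""Audit a mongod.conf (YAML) for the two settings that turn a database into an
internet-facing, unauthenticated target: net.bindIp and security.authorization.
Added example; WEAK_CONF and HARDENED_CONF are constructed samples."""
from typing import Dict, List, Optional

# Constructed sample: listens on every interface, no access control configured.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: loopback only, access control switched on.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

# Bind addresses that mean "every interface on the host".
PUBLIC_BINDS = {"0.0.0.0", "::", "*"}


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for the 'section:' / '  key: value' shape of mongod.conf.
    Not a full YAML parser; it handles only the two-level keys audited here."""
    conf: Dict[str, Dict[str, str]] = {}
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        if not line.startswith(" "):          # top-level section header
            section = line.rstrip(":").strip()
            conf.setdefault(section, {})
        elif section is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            conf[section][key.strip()] = value.strip()
    return conf


def audit(text: str) -> List[str]:
    """Return a list of findings; an empty list means both checks pass."""
    conf = parse_conf(text)
    findings: List[str] = []

    bind_ip = conf.get("net", {}).get("bindIp")
    if bind_ip is None:
        # Which address mongod listens on when bindIp is absent depends on the
        # version's default, so the safe finding is "set it explicitly".
        findings.append("net.bindIp is not set; set it explicitly so the "
                        "listener is not left to the version default")
    else:
        addrs = {a.strip() for a in bind_ip.split(",")}
        if addrs & PUBLIC_BINDS:
            findings.append(f"net.bindIp={bind_ip}: listening on every interface; "
                            "reachable from the internet unless a firewall blocks the port")

    # security.authorization defaults to disabled when the key is absent.
    auth = conf.get("security", {}).get("authorization", "disabled")
    if auth.lower() != "enabled":
        findings.append(f"security.authorization={auth}: anyone who can reach the "
                        "port can read, drop and replace every collection")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit(text) or ['no findings']}")
```

Run it against `/etc/mongod.conf` by reading the file into `audit()`. The check covers the exposure half of the advice; the other half, a tested backup you can restore without paying anyone, is not something a config audit can verify for you.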
What’s the invisible reCAPTCHA? What exactly is that? Google.com has put out reCAPTCHA and it’s basically going to be the — I put out code right now, that’s the task side of the house, but it’s an invisible reCAPTCHA and it uses your information. You log in under Gmail, you have your account, you log in, it keeps the cookie, and it’s using that login because it’s basically going, okay, well, you are Shon Gerber, you live in Kansas, you live here, you go to these sites an extra amount of time. It uses all this information. It’s seeing how my computer’s working and goes, okay, well, based on the profile that we have of Shon, this is what he does. This is who he is, then he’s allowed in. You can have it where you have an easy button. You just smash the button and say, hey, verify me. Then it goes and compares what’s on your computer to what they have of you, what they’ve soaked in about you. Or you can actually have it so that it’s invisibly doing it. So as soon as you hit the site, it’s checking all those things and then it verifies you or not. It depends on how you want to do it, but the cool part about this is, you don’t have to go through the fact of going, CSL, I don’t know what the crap that is, 1T5, sure. Why not? What is that a picture of? I have absolutely no idea. What is that a picture of? Don’t really know. Looks like a whale upside down. No, that’s not a whale upside down. You know what I’m saying? The point of this is that it really looks good. They’ve got the development code out right now that you can test with it, but it’s the invisible reCAPTCHA and it’s easy. You can build the code in for an easy button. If you don’t have — you don’t use Google, for people who don’t use Google, then, or you can actually have it set up, so I’ll not use Google, that doesn’t make any sense, but don’t use their — that’s not tied to them. Under a Gmail account, all that stuff is tied to them.
Then you can have an easy button for that, or you can have it so it’s set up invisibly, so it just works that way.
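Whether the widget is an easy button or runs invisibly, what it hands the site is a token in the `g-recaptcha-response` form field; the site has to send that token to Google’s siteverify endpoint and act on the reply, or the CAPTCHA protects nothing. The following is an added example of that server side, not code from the podcast or from Google. `SECRET_KEY` is a placeholder for the site’s own secret, and the siteverify replies used for the offline checks are constructed in the documented shape.

```python
"""Server-side verification of an invisible reCAPTCHA (v2) token.
Added example. SECRET_KEY is a placeholder; REPLY_* are constructed replies."""
import json
import urllib.parse
import urllib.request
from typing import Any, Callable, Dict, Optional

SITEVERIFY_URL = "https://www.google.com/recaptcha/api/siteverify"
SECRET_KEY = "PLACEHOLDER_SECRET_KEY"   # placeholder: the secret from the reCAPTCHA admin console

Verification = Dict[str, Any]


def fetch_verification(token: str, remote_ip: Optional[str] = None) -> Verification:
    """POST the widget's token to siteverify and return the decoded JSON reply.
    This is the only network call; everything else works on the reply."""
    fields = {"secret": SECRET_KEY, "response": token}
    if remote_ip:
        fields["remoteip"] = remote_ip
    body = urllib.parse.urlencode(fields).encode()
    with urllib.request.urlopen(SITEVERIFY_URL, data=body, timeout=10) as resp:
        return json.load(resp)


def token_is_valid(verification: Verification, expected_hostname: str) -> bool:
    """Accept only a successful reply whose hostname is this site's own.
    Checking 'success' alone would accept a token solved on any other domain
    registered to the same site key; comparing 'hostname' closes that gap."""
    if verification.get("success") is not True:
        return False
    return verification.get("hostname") == expected_hostname


def handle_submission(form: Dict[str, str], expected_hostname: str,
                      verifier: Callable[[str], Verification] = fetch_verification) -> bool:
    """Glue for a form handler: read the widget's field, verify it, decide.
    An empty or missing field means the widget never ran (for example a direct
    POST that skipped the page), so the submission is rejected outright."""
    token = form.get("g-recaptcha-response", "")
    if not token:
        return False
    return token_is_valid(verifier(token), expected_hostname)


# Constructed siteverify replies in the documented shape (not real responses).
REPLY_OK = {"success": True, "challenge_ts": "2017-01-13T10:00:00Z",
            "hostname": "example.com"}
REPLY_BAD = {"success": False, "error-codes": ["invalid-input-response"]}
REPLY_OTHER_HOST = {"success": True, "challenge_ts": "2017-01-13T10:00:00Z",
                    "hostname": "other-site.example"}

if __name__ == "__main__":
    # Offline walk-through using the constructed replies instead of the network.
    print(handle_submission({"g-recaptcha-response": "tok"}, "example.com",
                            verifier=lambda t: REPLY_OK))          # True
    print(handle_submission({"g-recaptcha-response": "tok"}, "example.com",
                            verifier=lambda t: REPLY_OTHER_HOST))  # False
    print(handle_submission({"name": "bot"}, "example.com",
                            verifier=lambda t: REPLY_OK))          # False
```

On the page side the difference between the two modes the show describes is only the widget’s `data-size="invisible"` attribute on the button; the server side above is the same for both, and it is the part that actually decides whether the form is accepted.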
That basically does it for this week. Lots of good stuff; I’m looking forward to next week. Going to have a lot of good things in that one as well, but as we close out this week’s show of the WordPress Security Daily podcast, I wanted to express my appreciation once again to Sucuri at Sucuri.net. They’re the real deal, they really are. If you need any security service, they can help you out. No question about it. Wouldn’t recommend them if I didn’t feel that they could meet or exceed your expectations. No doubt. All right, check them out at Sucuri.net. Stop by WordPress Security; it’s free content. Write us on iTunes, share the love. We love it. We love when you guys are going out there on iTunes. Have a blessed day and a wonderful rest of the week, see you.