New School Blog Attacked with 0day
We were hacked again.
The vuln used was 0day, and has now been patched, thanks to David Mortman and Matt Johansen, and the theme has also been updated, thanks to Rodrigo Galindez. Since we believe in practicing the transparency we preach, I wanted to discuss what happened and some options we considered.
Let me dispense with the markety-speak.
Alun Jones found an XSS attack, and let us know about it discreetly. It’s tempting to throw around words like 0day because it makes us seem less lame. Actually, it’s tempting because it makes me seem less lame.
As I’ve said before, we run this blog on the cheap as a way to share ideas. We don’t have any income here, and that means that we use free resources like WordPress and Modernist. We could take money out of our beer budget or time away from our families to run security scans, but haven’t.
This is much like many organizations. They have limited infosec budget. There’s always more you could be doing, and in hindsight, probably should have been doing, but identifying it in advance is tough because we don’t know how compromises tend to happen.
I gave serious consideration to announcing the vuln before we fixed it, to enable people to make risk management decisions. I decided against that on two grounds. The first and more important was that we’d be exposing the other folks who use the theme to risk that they might not be set up to respond to. The second was that in our case, the impact seems relatively constrained. We work hard to ensure you don’t need to run code to read our blog, and I’d be shocked to discover that anyone making security choices with things like NoScript or Trusted Zones has this blog in such a whitelist.
If you’ve made the decision to let this blog run code, I recommend you fix that, because we are not investing in securing our site in line with that expectation. If you’re a security pro using Windows, I urge you to use EMET, and in any event to limit where your browser will run code to a carefully selected whitelist.
Anyway, back to the vuln. We’re a little disappointed to not be targeted by this Java 0day. We’d feel much better if this was “serious” 0day. But you know what? This blog could be pwned and used to distribute that Java stuff. And XSS is serious, even if it is common.
One option we gave serious consideration was “offensive security.” We have chosen to not hack back, but if we did, we do not believe we owe a duty of confidentiality to other “victims” of this hacking spree. (We don’t know how many victims Alun has, but we bet it’s a lot more than fit on a postcard.) We would believe that there’s a reasonable public interest served by naming those victims, so that their shareholders can assess if the breaches are material and should have been disclosed.