What Does WordPress, iThemes, Goodwill, Home Depot, and Target Have in Common? Your Identity and Security.

We received a new credit card in the mail today to replace our old one AGAIN. An “unsuccessful attempt” to access our secure security data happened and this is a precaution the bank is taking to protect us. I have no other information so I’m left wondering.

Yesterday I received an email supposedly from Home Depot about the cyber attack compromise of their consumer records. The Home Depot security compromise is larger than Target’s security theft last year, yet only a blip on the news among redundant, critical news stories on the personal lives of US football players.

Long before we know about events like these, our credit card information is sold via sophisticated, easy-to-use carder sites and could result in $3 billion in illegal purchases in what is now being reported as part of an inside job. While I shop at Home Depot frequently (what homeowner doesn’t?), I don’t have a credit card, shopper’s card, or any other personal information registered with Home Depot to my knowledge, but somehow they found my personal email address to warn me, or someone did. I didn’t click the link. I’m that paranoid.

According to various news reports, Home Depot credit card purchases gives the company access to your information, thus access to my personal email. Still…I’m always nervous about unsolicited emails from branded services and companies. You never know if this is legit or a phishing scam, so I type in their direct site address and look for information on whether or not this is real and applicable to me.

The local Goodwill stores around the Portland, Oregon, area are some of the best in the country I’ve found. Clean, boutique-style with lovely items well displayed and sorted. Moving from an RV of 280 square feet into a huge house, most of our furniture and household items come from there as we are now among the house poor. A malware security breach this spring made me paranoid, but so far Goodwill stores in my state are not affected.

Two minutes after that, a spoof and phishing email came in from “Google Gmail” alerting me to an out-of-date Gmail service. It looked real, but a closer look revealed the spammy email and the embedded link was to a scam/spam/spoof/malware site not Google or Gmail.

This one was obvious. Gmail would not send out such an email. Still, I have to be on my guard and paranoid every time I access my email accounts.

Once again this is more time out of my busy day I have to spend checking to see if my privacy, security, online identity, and credit card information is at risk.

They estimate 7-8 pieces of information are necessary to establish an identity of an individual online, information we tend to be rather liberal sharing online. Even Wikipedia lists the identity theft techniques used for obtaining and exploiting personal data. The cost of identify theft has grown over 50% from 2005 to 2010 and increased that much again from then to today. While the number varies, it is estimated that there over one million malicious programs designed to steal your identity and data on the web at any time. In 2011, a Bloomberg news article reported hackers make USD $1 Billion a year in cybercrime, and that’s just in the United States.

PBS and Nova released a story on identify theft a couple years ago explaining the process of stealing one’s identity from online sources. Several details struck fear in my insecure heart.

• It’s too easy for hackers to get our information because we’ve become a sharing society.
• Hackers are lazy. They often exploit the unexpected, weakest link.
• Hacking is a big, serious, international business industry run by professionals.
• Sophisticated tools and techniques are available to protect consumers, but few companies are using them.
• Companies and individuals should not be complacent. It’s a full-time job for hackers, a part-time job for companies, and a rare thought for individuals.

The popular WordPress Plugin and Theme site, iThemes reported a security breach this week involving 60,000 customers.

The Privacy Rights Clearinghouse reports that from 2005 – 2014, there have been 930,642,074 records breached from 4,403 data breaches reported to them for unintended disclosure of sensitive information, hacking or malware, computer and data theft, and payment card fraud. Recent reports include hotels, universities, restaurants, online retailers, Healthcare.gov, Apple, JP Morgan Chase, fast food chains, research labs, the US Investigations Services that performs background checks for US employees, UPS Stores, health and medical systems and labs, grocery stores, dating clubs, insurance brokers, security companies…the list is extensive, and these US reports are just in the past two months.

Are you aware of how much of your private and personal information is available from the government? Do you know how to report identity theft? The Identity Theft Resource Center states that 330 hours are spent in average by victims of identity theft to resolve the issue, though few succeed at high personal and financial cost.

We often focus on the security risks associated with the online world, but did you know the information stored on your personal and office computers and mobile devices may be exposed and at risk. Find out how to deal with a security breach at home and office and how to protect your computer data.

There are over 4,000 sites offering instruction on how to hack a website to gain information that could risk your identity and give them access to personal and financial information. Hacking tutorials are available to anyone, and anyone or serious professionals doing a blanket attack of all vulnerable sites could come knocking at any minute on your door or your site.

Which raises the important question: What is sitting on your site and server that could put your identity, credit card, and self at risk?

WordPress Security

WordPress and its related third-party tools, services, scripts, and servers are under constant attack, along with Drupal, Joomla, and other web publishing platforms.

Remember, it is easy to blame WordPress. Most of these attacks target vulnerabilities in PHP, MySQL, Apache, JavaScript, and other web programming languages and programs WordPress and most online services are dependent upon. They are typically fixed and a security released pushed out by WordPress immediately, often before the security issue is announced publicly. Keep WordPress updated and on auto update for mandatory security releases and you don’t have to worry much.

Adobe Flash Player and Java suffer from extensive security vulnerabilities requiring frequent updates, as noticed by the alerts on most of our computers on a regular basis. The US Department of Homeland Security even recommends disabling Java in your web browser for your own protection.

Still, these things happen. Web designers and developers have to monitor the news to help their clients, past and present, update, a responsibility few take on, and site owners often ignore or don’t worry about it. When was the last time you asked your web host or web designer/developer if your site is updated and free of hacks and attacks? Only after the damage is done, rarely before. Do it now. Ask them to inspect your site.

In July, security threats against WordPress Plugins escalated, targeting popular or older WordPress Plugins such as MailPoet WordPress Plugin. Eweek said:

Security researcher Daniel Cid of security firm Sucuri is reporting that a vulnerable MailPoet Plugin is the entry point for malware that is infecting even sites that don’t have MailPoet installed.

The MailPoet vulnerability could enable an attacker to inject arbitrary code on a WordPress server. The security issue reported by Sucuri was fixed in MailPoet version 2.6.7, which was released on July 1.

“To be clear, the MailPoet vulnerability is the entry point, it doesn’t mean your website has to have it enabled or that you have it on the website; if it resides on the server, in a neighboring website, it can still affect your website,” Cid wrote in a blog post. “All the hacked sites were either using MailPoet or had it installed on another site within the same shared account (cross-contamination still matters).”

In fall of 2013, an investigation into why WordPress is a popular target for security and malicious hackers found the reasons are simple. The study was done during only a few days after the release of WordPress version 3.6.1 and confined to the top 42,000 WordPress sites from Alexa top 1 million websites, a mere taste test. WordPress is now at version 4.

• 74 different versions of WordPress were identified.
• 11 of these versions are invalid. For example version 6.6.6.
• 18 websites had an invalid non existing versions of WordPress.
• 769 websites (1.82%) are still running a subversion of WordPress 2.0.
• Only 7,814 websites (18.55%) upgraded to WordPress 3.6.1.
• 1,785 websites upgraded to version 3.6.1 between the 12th and the 15th of September.
• 13,034 websites (30.95%) are still running a vulnerable version of WordPress 3.6.

Lesson? Those who don’t update or upgrade are most vulnerable.

An ongoing WordPress brute force attack is evolving as the criminals learn and adapt. The attack currently leverages the SML-RCP pingback functionality in WordPress to launch DDoS attacks (Denial-of-Service).

Notice the key statement is that the criminals are learning and adapting to conditions, often faster than responders can react. It’s a constant battle, a virtual war between those with evil intent and those determined to stop them.

Kevin Casey of Dark Reading described this situation beautifully:

It’s not WordPress’s fault; it’s ours. We love our easy-to-use, readily available — and often low or no-cost — digital tools. They make it easier to launch a blog, start or run a business, stay in touch, or manage a virtual office. They apparently make it easier to be lazy about information security, too.

… This isn’t just a WordPress problem; it’s just a problem. The widespread use of Windows, Adobe and Java make them fat targets, too, and laggard users that don’t stay current put themselves at regular risk. The rise of social and mobile platforms have quickly thrust Facebook, Twitter, Android and others into the cross hairs as well.

The battle-tested IT pro might say: “Hey, I know all this. It’s not my fault. It’s the end users.” There’s some truth in that, especially in the bring-your-own age. It’s also a copout. Your users aren’t listening? Make them listen. Start with the whales: If your company publishes a WordPress site, is it running the current version?

But you’re right, it’s not necessarily IT’s fault. Lax security is our fault. We’ve grown complacent. “Online security” sounds like something that should be someone else’s job. It’s not. Security is everyone’s responsibility, yet we continue to use birthdates for passwords (and then reuse them across everything from email to banking to the corporate network).

He’s right. It is our problem, one we can fix if we pay attention, understand the risks, and take the simple steps to play safe on the web.

These things aren’t new. One of my best friends reminded me recently of the “floppy drive safe sex” rap she used when she worked at Boeing in the IT department back when hard drives were rare, there was no cloud, and all of our data was stored on 5.25 and 3.5 plastic disks.

I had to teach Boeing employees floppy safe sex. Our greatest risk was someone taking home their floppy and inserting it into their home computer after their teenagers and spouses had inserted their disks into the same slot. Infection was likely to spread back to the office like a sexually transmitted disease. You had to be careful where you stuck your floppy.

Laugh now, but remember, that was in the 1980s and early 90s. Like they say, everything old is new again. It’s a sad old song and we’ve become complacent.

How to Protect Your WordPress Site, Security, and Identity

The first step in this new culture of security vulnerabilities and risks is to educate yourself.

Sure, you don’t want to learn this stuff. I don’t want to learn this stuff. Like driving a car and reading our phone bills, we have to learn this stuff.

Naked Security offered tips on how to avoid your site becoming a statistic among the most vulnerable WordPress sites. It takes just a few simple steps to reinforce the efforts the WordPress security and development team is taking every day on your behalf.

• Use a Web Application Firewall on your server (discuss this with your web developer and web host)
• Always run the latest version of WordPress – and don’t delay updating. Just do it.
• Strong password. Strong password. Strong password. Strong password. Changed frequently. Do I have to say it again?
• Update WordPress Themes and Plugins immediately. Use a Child Theme to protect your design customization and not live in fear of updates.
• If you are not using a WordPress Theme or Plugin, deactivate and delete it.
• All site members must have their own login, and remove them when they are gone.
• Consider a dedicated and managed WordPress host like WPEngine. It may cost more, but consider the lost time, money, and energy if your site is hacked. Let them take care of the updating and security issues.

Don’t forget that I’ve been talking about these security issues and tips for years, and the WordPress Codex article, “Hardening WordPress,” continues to be the go-to article for securing your WordPress sites.

My advice to students and clients to protect themselves and their WordPress site is: don’t be stupid.

Here are some stupid things I’ve encountered that put your identity, site, financial state, and security at risk:

• Enter your legitimate birth date on online forms and memberships. Fake one you will remember. The web world thinks my birthday is January 1. Google+ and Facebook pop up with “Say Happy Birthday to Lorelle” on that date. Ignore it, and ask Google+, Facebook, and others to stop asking and sharing. None of their business. Those who need to know know.
• Use of your birth date, birth year, or graduation year in your email address.
• Use of your mother’s maiden name in any published information. Watch using it on family, family history and genealogy, and social media sites.
• Using the same password for every site and service.
• Using a simple password for every site and service such as “password” or “12345678.”
• Using the same password you used in 1999.
• Using the same password you used in 2013.
• Telling the world in a post or social media the name of your favorite pet, favorite teacher, elementary school, or where you were born. These are all security questions for banks, utility companies, and medical and insurance companies.
• Naming and sharing photographs with tagged faces of your children and other family members.
• Using face tagging services. The criminals know how to use those to link you to your data.
• Sharing your password and username information. We all do it. Stop it. A student published the information on our class Google+ Community thinking she was having a private discussion with a fellow classmate. If it touches the web, it’s accessible information.
• Using one username and password for everyone on a site.
• Use your middle name on registration and membership forms.
• Use your middle name in email addresses. Unless it is a critical part of your name, Sally Jesse, don’t use your middle name on the web.
• Using the web browser that came with your computer’s operating system.
• Installing a WordPress Plugin from outside of the WordPress Plugin Directory.
• Installing a WordPress Theme from any outside of the WordPress Theme Directory. While there are legitimate sources for Themes and Plugins outside of the official directories, be wary. Vet them thoroughly first.
• Not thinking before you hit publish or submit. If it is personal and private information, stop. Don’t do it. If it is information you would not mind seeing published on the front page of the New York Times or BBC, hit publish.
• Thinking that this happens to other people, not you.

You think this isn’t a fair list? These are the stupid things we do that put our security and safety at risk. Algorithms are collecting and analyzing data at a faster rate than ever, uncovering our lives through our social media identity, profiles, and interactions, medical records and doctor’s notes, where you live, dating, shopping, watching online movies and television shows, online retail price profiling and targeting, political parties and voting, web trackers and cookies, web browsing and searching, mobile devices (GPS and usage trackers), digital-savvy watches, devices (pedometers and health trackers), and clothing, mobile apps, and tools to help us remember. We voluntarily give up our privacy in support of these algorithms and big data collection.

Do you like the brain game, Lumosity? Did you know the data collected from players is used by researchers to study human cognitive performance and mental health, even though many believe it doesn’t work? Where you live, how you play games, how you access information, how you search, even your medical records, all are trackable data for researches and businesses trying to find a way to reach into your heads and wallets while governments try to figure out how to protect you from yourself.

If big business is using big data to use what they know about you for you, don’t you think evil big business is doing the same?

Neil Rubenking of PC Magazine’s Security Watch explains the downside of the Home Depot security breach and being stupid on the web, and the consequences of these security breaches happening everywhere.

As consumers, we are stuck after the breach because there is nothing we could have done to protect ourselves, yet we bear the brunt of the breach. It is our credit score that potentially gets dinged, and it’s our time we spend challenging fraudulent charges. When we get new cards, we have to notify other merchants using that number. And of course, the problem gets even worse when healthcare data, or Social Security numbers, are stolen, because then we are in full-blown identity theft territory. I can cancel my credit card number and the problem is somewhat dealt with. But Social Security card numbers are difficult to change, and you can’t really change your health records.

It’s our fault if our identity is stolen and our site violated by hackers, and we pay the price.

The first principle is that you must not fool yourself — and you are the easiest person to fool.
Cargo Cult Science from Caltech commencement address by Richard Feynman

We have to live in a world where trust comes first, backed up by intelligence, security, and safety by everyone.

This must change, and change fast.

---

Subscribe Copyright Lorelle VanFossen.