If I Can't See It, It Isn't A Problem...
Here’s a (reconstructed from memory) transcript of a telephone call that I made earlier today to the owner of a hacked website. Please note: This is a business website. I’ve deliberately left out some portions of the conversation to protect… well, I really want to say “the innocent” here, but I’ll just go with “the naïve.” The overall gist of the conversation remains:
TL: Hi there… The receptionist put me through to you. There’s a problem with your company’s website… are you the person I should be speaking to about that?
Mr. X: I’m one of the partners in the firm. You can speak with me.
TL: Ok, good. Well, I’ve sent your company several emails trying to get someone to do something about your website. It’s been hacked.
Mr. X: Yes. I’ve seen your emails.
TL: You have? Oh, good… and…?
Mr. X: I’ve been unable to find any evidence that the site has been “hacked.”
Note: I could, literally, hear the quotes around “hacked” when he said it…
TL: Oh. Well… uh… did you do the Google search that I sent in the email? You’re not, actually, going to see anything just by looking at your site. The people who compromised it added new pages, but didn’t alter anything on your existing pages.
Mr. X: Well, if they didn’t change anything and I can’t see it on the site, it isn’t really a problem, is it?
TL: Ok. I’m not really sure how to answer that. You seem like you’re somewhat “put out” at me. Is there a problem?
Mr. X: I’m very busy, and you told me that my site is hacked. I spent time looking through the whole site, and I didn’t see anything wrong. Now you’re telling me that our site wasn’t hacked…
TL: Whoa… I didn’t say that…
Mr. X: You said that they didn’t change any of our content.
TL: Yes, but that doesn’t mean your site wasn’t hacked…
Mr. X: It hasn’t affected our site. I can’t see it. Please stop bothering us about this. Goodbye.
And there you have it. This is why we can’t have nice things.
The problem is, despite how much I want to be annoyed at “Mr. X,” I just can’t… The problem isn’t “Mr. X” - in fact he’s right. He really is too busy to be screwing around trying to fix some issue on his website that he can’t even see. “Mr. X” isn’t in the business of running his “business website” - he doesn’t know enough, and even more… he doesn’t have the time or the inclination to learn. He’s running his business and that’s his full-time job.
The real problem here is that someone, somewhere, convinced “Mr. X” that his business needed a website (I really question if it does…). They also convinced him that it would be EASY for him (or his kid, or his nephew, or his kid’s nephew) to set it up.
Out in my barn, I have a 16’ extension ladder, and the last time I counted, it had about 15 different warning labels stuck on pretty much every flat surface available. (Note: I said, “last time I counted,” because I wouldn’t put it past the manufacturer to sneak in and slap a couple more on every so often - given the overly-litigious society in which we live…) It’s a frickin’ ladder - a portable “tallness” device - not rocket science. Yet the manufacturer knows that every year, enough idiots take a header off of those things to keep him in court every day for the rest of his life unless he takes specific precautions to inform everyone “bad things happen if you fall off a ladder.” (Note: I walk with a rather pronounced limp. I am one of those idiots who failed at the “don’t fall off” stuff. My bad…)
So, given that a device so simple that it can be replaced by a sufficiently tall pile of “stuff” requires warning labels printed in three different languages - why do we allow CMS systems like WordPress, Joomla, and Drupal to continue to tell people that setting up and running a website is easy? IT ISN’T EASY. It is fraught with peril!
“Mr. X” doesn’t want to deal with his website being 0wned, and again, I can’t blame him. He was sold a bill of goods - he was promised easy. Even if I could convince him to look a little more deeply at his site, WordPress has, essentially, divorced their concept of “pages” so far from reality that I can’t even show him what’s been changed… all in the name of “making it easy.”
Seriously, if you don’t know nothin’ ‘bout makin’ websites, then don’t make one.
You have two options:
- Pay a professional to create and maintain a site for you.
- Learn how to do it yourself, without some hand-holding-CMS doing it for you.
If you can’t find a way to do either of those things, then you likely don’t really need a web site.
The big idea is this: the fine folks making WordPress, Joomla, and Drupal have lied to you. They’ve focused their message on the idea of “easy” instead of slapping warning labels on their code… It’s like they’ve turned back the clock to the 1950’s when ladders didn’t come coated in warning labels - because you were supposed to know, all on your own, that falling down and going “boom” hurts.
Back then, you didn’t blame someone else if you fell off of a ladder and today, legally, you can’t blame the makers of WordPress if your site gets 0wned and your name gets dragged through the digital mud. You should, the theory goes, have kept up with patching, monitored your site for signs of compromise, and done all sorts of other things that the CMS makers are too busy chanting the word easy to mention. The dirty little secret that the CMS makers don’t tell you is that they EXPECT that you already know what you’re doing… their products aren’t designed for web-ignoramuses, they’re actually designed to make doing the stuff you already know how to do… easy. They’re shortcuts for people who know what they’re doing (i.e. know how to keep the main install and plugins up-to-date… know to choose good passwords… know to monitor their site for signs of compromise…). They’re tools, designed for people who understand what they’re doing - not some sort of website knowledge surrogate for those who don’t.
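One concrete form of the “monitor your site for signs of compromise” advice, aimed at exactly the change in the call above (new pages dropped into the site with nothing visible altered): an added example, not code from this post or from any CMS project, that records a SHA-256 hash of every file under a web root while the site is known-good and later reports files that were added, changed or removed. The web root layout, the baseline file name and the sample pages are constructed for the demo.

```python
import hashlib
import json
from pathlib import Path


def build_manifest(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Classify paths as added, removed or modified relative to the baseline."""
    # 'added' is the bucket that matters for the case in the post: pages that
    # no existing page links to, so the owner never sees them in a browser.
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def save_manifest(manifest, path):
    """Persist the known-good baseline (keep it outside the web root)."""
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


if __name__ == "__main__":
    import tempfile
    # Constructed demo: a tiny web root, a baseline taken while it is clean,
    # then a page added in a directory the owner never browses.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"
        root.mkdir()
        (root / "index.html").write_text("<h1>Example Firm</h1>")
        (root / "about.html").write_text("<p>About us</p>")
        save_manifest(build_manifest(root), Path(tmp) / "baseline.json")
        (root / "uploads").mkdir()
        (root / "uploads" / "hidden-page.html").write_text("<p>not linked anywhere</p>")
        report = diff_manifests(load_manifest(Path(tmp) / "baseline.json"), build_manifest(root))
        print(json.dumps(report, indent=2))
```

Run it from cron against the real web root after each legitimate deploy has been re-baselined; anything in “added” or “modified” that you did not put there is the signal the site itself will never show you.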
If you don’t understand what the tools you’re using actually do, you’re no different than a monkey with a loaded gun.
And remember… pulling that trigger? So easy…
-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter (yes, I know… X): @tliston
May 12, 2016
Addendum: For those who have pointed it out, yes, I know I use a CMS on this site, but Hugo really isn’t so much a CMS as it is an offline site generation tool. Besides, I actually do know what I’m doing… most of the time.