Why So Many Breaches in Trinidad and Tobago?

People continue to ask why there are so many data breaches happening in Trinidad and Tobago. I’m not someone who would call himself a security expert by any stretch, but it’s an intriguing enough question that I decided to look into it.

Commonalities in Website Technology?

First, I checked the websites of those that had been breached, which might reveal some commonalities. Bear in mind, it’s possible that the websites weren’t how the information was accessed.

TSTT, which had the most noteworthy breach, runs Wix – which was quite a surprise if only because of the vendor lock-in associated with it. I was expecting a more commonly used content management system but instead, Wix.

The Office of the Attorney General’s website, attacked earlier this year and probably the second most important breach overall since it paralyzed the Judiciary, is using WordPress. This is also not the first time; a teen was charged in 2007 for hacking into the Attorney General’s Office.

MassyStorestt.com also runs WordPress, but is substantially behind in upgrades. Pricesmart.com runs mostly BloomReach and a bit of Drupal. Their breach was reported yesterday.

It’s apparent that this isn’t an issue of common platforms being compromised. Yet there is a hint here: MassyStoresTT.com is substantially behind on WordPress updates.

Maintenance.

When I was heavily into developing CMS websites, I tried doing that locally in Trinidad and Tobago and found that people thought they could just buy a website and it would simply be done and they could go about their business without maintenance contracts. It simply doesn’t work that way.

Maybe even after years, that hasn’t changed. Maybe these websites aren’t being maintained and kept up to date with technology, which includes patching for exploits that allow their data to be breached or otherwise attacked. Maybe.

Personally, with my experience in dealing with local companies and government offices, I don’t see them seeing maintenance as a priority. In fact, I didn’t do business with companies in Trinidad and Tobago for that same reason because… I didn’t want my name associated with poorly maintained sites.

Is this the only conclusion? Definitely not.

Who Has Access Anyway?

Everyone talks about the breaches, but the public always assumes that the people with access to the information had a reason to access the information. In the TSTT data breach, scanned copies of people’s identification were found and I have to wonder what TSTT’s information policy is. Who needs access to that level of information, and why?

I’d be surprised if it were available through the website because that would be just asking for trouble.

Assuming they themselves can be trusted with your personal information, there’s social engineering, which the video below explains.

We forget at times that the people with access to information are themselves open to attack as a way to get to something bigger. Maybe the computer systems they use to access the data are compromised; maybe they themselves have been compromised.

Conclusions

Again, I’m no security expert. Some of the information available from these breaches and the way attacks happened on some websites was clearly associated with the websites themselves. TSTT’s data breach seems different in that regard because no sane company would have that information accessible through their website.

Altogether, it seems like a lack of maintenance for most of these breaches – and maybe there were deeper issues with all of them, but in particular the TSTT data breach.

What is most disturbing is that the breaches we’re worried about could be a fraction of the number of breaches that actually happened. We found out about the announced breaches only because either someone showed evidence or the breach created an issue that impacted products and services.

The insidious breaches, the ones where people simply mine the information and don’t get caught or brag, we don’t know about. That’s what concerns me most.

We should be worried.

Revisiting Interactivity on WordPress.com

While I was interacting in the RealityFragments Facebook page (join in!) about the use case issue of allowing users to log in to interact with content on RealityFragments and here, it occurred to me that WordPress probably does allow for people with Google accounts to log in.

WordPress does have a plugin for allowing Google accounts to log in. It exists. So I went over to my administrative page, mentally slapping myself on the forehead about it, when I found out that even though my account is premium (paid), I would need to upgrade to a WordPress.com business account for what is now $25/month. What?

This should be the default, even for free sites on WordPress.com, because people interacting with content is how people with weblogs grow, and when they grow, they might consider the tiered pay accounts.

Instead, effectively, they’re screwing themselves over – and their users – to try to force people to pay more when their monetization plans are at best… blech, particularly if you live outside of the geographic areas Stripe supports.

Just one plugin would cause more interactivity on sites. It should be a default. How annoying is that?

Now I have to go compare options before I renew my sites on WordPress.com, which has been otherwise trouble free but annoyingly myopic regarding monetization and usability for the users of their users. The readers.

Or maybe they will read this, have a Eureka moment, and change the way that they do things.

For now, please use the RealityFragments Facebook page to interact with content here, to stop in and say hi, and to meet others who are doing the same.