Most watch collectors know what the term hacking means when it comes to setting the time on their watches*. However, this article will not be about that sort of hacking. Instead, it will be more of a rant about malicious and destructive computer hackers, and it will be an apology to readers of the Watch Hunter blog.
Some of you might have noticed that the WatchHunter.org site was acting quite strangely in the middle weeks of March 2019. Instead of seeing the articles and reference materials that they were used to, users were forwarded to a variety of bogus web sites with ill intent. For this, I am truly sorry for anyone who was not able to access my site for about a 10-day period. Believe me, it was not fun on my end either. I probably spent a 40-hour work week trying to resurrect the web site with varying degrees of success.
I cannot explain how lost, anxious and frustrated I was during the time the WatchHunterย site was down. I have been publishing articles on my watch hobby site since 2015 and this project means a lot to me. From some of the emails that I have received from my readers, it means a lot to them too. I have been told that reader love that they can see old Seiko catalogs, identify an old Victorinox Swiss Army Watch or read a review about a timepiece that most people have forgotten about. I put massive amounts of time and effort into the Watch Hunter blog and for a while, I thought that I had literally lost about 4 year’s worth of articles and research. It was enough to make me feel like a mule had kicked me in the gut.
I first became aware of my hacked web site when a buddy of mine contacted me and said that he could not reach my home page. He was looking for a review of a local Atlanta watch event that I had just attended. His early warning was great as I probably would not have found out about it for a few days when I would have attempted to sign in to publish an article. Thanks, Ernest! What happened in the next week was a long and painful trek fixing the site. It was not easy.
You might assume that I was lazy and did not make backups of the site. You might also think that I never updated my software that ran the site. You might think that I did not have a firewall to protect the site from constant brute force attacks and complex hacking attempts. You might think that I did not use complex passwords and users names, or that my hosting was not secure. The truth is that I had all of these security protections in place. Regardless, my site still got attacked, and the defenses were successfully breached. However, the weak link was not what you might suspect… it was something out of left field and frankly worse caused by poor human judgment from someone who should know better.
WordPress web sites run on open source software. That means that a community of programmers contribute code that is free to use for anybody willing to create a web site. There is a base WordPress installation, a template theme and also plug-in apps that web designers can install on their sites for increased functionality. That could be anything from a gallery, analytics, commenting tools, e-commerce, etc. If you can imagine a function for a web site, then there is likely a plug-in that already exists. Most of the plug-ins are free and represent many hours of work by programmers. It is difficult to fault a plug-in creator who makes a mistake in the code that might be exploited by would-be hackers. Nobody is perfect, and even large fully funded companies make mistakes. I asm not throwing the creators under the bus.
To summarize what happened to me and hundreds of thousands of other web site owners is pretty straight forward. A plug-in creator updated his application. Users installed this new plug-in. Hackers discovered a serious problem in the plug-in code that could be exploited to completely take over a WordPress web site. All of this happened in the span of just a few days. This brings us to the most frustrating part of this whole story, and this is where poor human judgment comes into the timeline.
If you did not know, there are security professionals who follow malware threats and work tirelessly to plug security holes that they discover in web site applications and plug-ins. These people think like hackers to see how things can be exploited, broken into or destroyed. They likely have the skills to be malicious black hat hackers, but they are working for the good guys… at least that is the way that it is supposed to be. In the case of the WP Easy SMTP plug-in malware attack, a security professional became aware of the potential problem in the latest software version of this popular plug-in. WP Easy SMTP has been downloaded over 300,000 times and it can be assumed it is on a large number of web sites around the world.
Instead of the security professional informing the plug-in maker about the exploit and giving them time to fix the code, an article was published with a proof of concept for the malware exploits. In plain English, the security professional not only spelled out how the plug-in could be exploited but provided code that could be copied and used to create malware. In fact, it was later discovered that hackers around the world were using the same exact code from the security warning article to make their own malware campaigns.ย In my opinion, this is an unacceptable practice that is just like giving terrorists a cookbook on how to make explosive devices. There has to be a better way to warn people advertising giving a how-to-hack starter kit. That is simply irresponsible, and the results are predictable. Read more about this story on WordFence’s blog.
People defending the actions of the security professional who wrote the article might say that the bad guys already knew the code so there was no harm in publishing it. However, copying malicious code is easier than writing it from scratch and it put a powerful hack in the hands of lazy hackers. Less effort was needed by more people to use the exploit. Next time, whistleblowers should probably modify key parts of the code so it cannot be used verbatim.
Anyway, this is a watch web site and not a tech site. I will stop here. If you want to know more about protecting your WordPress site from hackers, make sure to check out security companies such as WordFence who can harden your site against attacks and clean your site if you ever get hacked. We need the good guys like this to protect against the seedy criminal elements of the net who work tirelessly to rob youย of your data, security money, and privacy.
*Watch hacking is a function that allows users to stop the running seconds so that they can synchronize their watches to a known reference time. For many of us, we use our phone or computer clocks since they usuallyย reference ultra-accurate atomic clocks (somewhere).ย
