I was reading Trend Micro’s 2010 in Review: Most Dangerous List and I could not help but scratch my head.
The majority of the items listed are hugely popular, and anyone could argue that there is a correlation between the size of the user base (i.e. popularity) and how easy or convenient a target any of these items becomes.
Here’s the top list summary:
- Hardware: German identification card reader
- Website software: WordPress
- Internet Protocol: IRC
- OS: Apple Mac OS X
- Website: Google!
- Social Network: Facebook
- Top-level domain: .co.cc
- File format: PDF
- Runtime environment: Internet Explorer with scripting enabled
- Infection channel: browser
What caught my attention is the information written about WordPress:
Website software: The riskiest software used by websites in 2010 was the popular blogging platform WordPress. Tens of thousands of unpatched WordPress blogs were used by cybercriminals for various schemes, primarily as part of redirection chains that led to various malware attacks or other blackhat search engine optimization (SEO)-related schemes.
This is misleading on several levels.
First of all, this is like saying Toyota is the riskiest car manufacturer because it assembles the best-selling sedan on earth, its owners do not keep their cars in top condition and fit third-party parts, and car thieves use them for their crimes.
Anything outdated and left unmaintained will be susceptible to malware, and the risk of server intrusion is more alarming than an attack on one specific piece of software, which leads to the next point: a web host is a bigger target. The redirection chains Trend Micro pointed out were primarily due to improper web server configuration, not to WordPress itself.
The pain point here is that WordPress, along with its installed themes and plug-ins, will be at risk just like any other software in the world if you neglect one portion of your security perimeter.
Blogging vague information is not the proper way to inform readers of what is at stake here; a company that offers security products and services should know better than to suggest that software security is one-dimensional.
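The redirection chains mentioned above typically live in the web server configuration rather than in WordPress itself: a rewrite rule injected into the site's .htaccess that only fires for search-engine referrers or crawler user-agents and bounces those visitors to an external host, while the site owner browsing directly sees nothing wrong. The following audit script is an added example, not code from the original post or from Trend Micro or WordPress; the .htaccess content, the host names (`blog-example.invalid`, `attacker-example.invalid`) and the injected block are all constructed for illustration. It parses RewriteCond/RewriteRule pairs and flags rules that redirect off-site under referrer or user-agent conditions mentioning search engines.

```python
"""Audit Apache .htaccess text for conditional off-site redirects of the kind
found on compromised WordPress hosts used in blackhat-SEO schemes.
Added example (constructed input); not the post's, Trend Micro's or WordPress's code."""
import re
from urllib.parse import urlparse

# Tokens that, in a RewriteCond on the referrer or user-agent, suggest the rule
# singles out search traffic or crawlers rather than normal site behaviour.
SEARCH_TOKENS = ("google", "bing", "yahoo", "msn", "aol", "googlebot", "bingbot", "slurp")

COND_RE = re.compile(r"^\s*RewriteCond\s+%\{(HTTP_REFERER|HTTP_USER_AGENT)\}\s+(\S+)", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.I)


def external_redirect_target(target, site_host):
    """Return the target host if a RewriteRule substitution points off-site, else None.

    mod_rewrite treats an absolute URL whose host differs from the current host as
    an external redirect even without the [R] flag, so only the host is checked.
    """
    parsed = urlparse(target)
    if parsed.scheme in ("http", "https") and parsed.hostname and parsed.hostname != site_host:
        return parsed.hostname
    return None


def find_suspicious_redirects(htaccess_text, site_host):
    """Return findings for rules that send search-engine/crawler visitors off-site.

    Each finding: {"line": rule line number, "target": external host,
                   "conditions": line numbers of the triggering RewriteCond lines}.
    """
    findings = []
    pending = []  # (line number, variable, pattern) of RewriteCond lines awaiting a rule
    for lineno, line in enumerate(htaccess_text.splitlines(), 1):
        m = COND_RE.match(line)
        if m:
            pending.append((lineno, m.group(1).upper(), m.group(2)))
            continue
        m = RULE_RE.match(line)
        if m:
            host = external_redirect_target(m.group(2), site_host)
            if host:
                triggers = [c for c in pending if any(t in c[2].lower() for t in SEARCH_TOKENS)]
                if triggers:
                    findings.append({"line": lineno, "target": host,
                                     "conditions": [c[0] for c in triggers]})
            pending = []  # RewriteCond lines bind only to the next RewriteRule
    return findings


# Constructed sample: a normal WordPress permalink block, an injected cloaking
# redirect, and a legitimate canonical-host redirect that must not be flagged.
SAMPLE_HTACCESS = """\
# BEGIN WordPress (legitimate pretty-permalink block)
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
# Injected block (constructed): only search-engine visitors get bounced off-site
RewriteCond %{HTTP_REFERER} .*(google|bing|yahoo)\\..* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} googlebot [NC]
RewriteRule ^(.*)$ http://attacker-example.invalid/landing.php?r=$1 [R=302,L]
# Legitimate redirect to the site's own canonical host
RewriteCond %{HTTP_HOST} ^www\\.blog-example\\.invalid$ [NC]
RewriteRule ^(.*)$ https://blog-example.invalid/$1 [R=301,L]
"""

if __name__ == "__main__":
    for f in find_suspicious_redirects(SAMPLE_HTACCESS, "blog-example.invalid"):
        print(f"line {f['line']}: conditional redirect to {f['target']} "
              f"(conditions on lines {f['conditions']})")
```

Run it against a real site by reading the site's .htaccess into `find_suspicious_redirects` with the site's own host name; a finding is a prompt to diff the file against a known-good copy and to check the core, theme and plug-in versions on that host, since the injected rule is the symptom and the unpatched install is the cause. The check is deliberately narrow (referrer and user-agent conditions only) so that ordinary permalink and canonical-host rules do not produce noise.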
Despite the risks, Trend Micro is still using a WordPress blog. Ironic.