Security Journalist Blames WordPress for Poor Security Handling Unrelated to WordPress
A week ago, we highlighted a key detail of a recent hacking of the news outlet Fast Company, which other news outlets covering it were failing to discuss. That being that the hacker of Fast Company’s WordPress website claimed they gained access because the website’s Administrator account had the password “pizza123”. That is an important detail, as it provides a reminder that a basic security practice, using strong passwords in that case, clearly isn’t always being done. That isn’t a lone example, as what we often see in our work with hacked websites, as well as in coverage of other hacking incidents, is that many of these hacks involve failures to do the basics.
The security industry, though, continues to push more complicated security solutions before focusing on making sure that the basics are being done. As we will touch on in a few moments, that can actually create serious security risks that wouldn’t otherwise exist.
The quality of security coverage isn’t just poor in the coverage of Fast Company’s hack. WordPress regularly gets unfairly maligned in security stories. While there are real security issues with WordPress, oftentimes news outlets run with misleading, at best, stories involving it. One news outlet with a track record of running misleading stories and not running stories that could actually help to address real problems is Ars Technica.
For whatever reason, Ars Technica doesn’t seem to be concerned even with basic journalistic standards for its security coverage. The employment situation of Sean Gallagher would seem like an easy-to-understand example of that. He left Ars Technica to be a “senior threat researcher” at the security company Sophos in February 2020. Yet he has continued to write about security for the news outlet:
The conflict of interest there shouldn’t be difficult to understand.
What also seems odd there is what relevance a journalist’s background has to being a threat researcher.
So what might Sophos need a threat researcher for? Well, it might be for their own security software. In September, they disclosed that a zero-day remote code execution (RCE) vulnerability in Sophos Firewall was being exploited. That was the second time that happened this year.
It isn’t uncommon for there to be serious security vulnerabilities in security software (including WordPress plugins) and hardware, so Sophos is hardly alone. That is a good reason to limit usage to those security products that are actually needed and provide effective protection. So understanding what the real threats out there are and how to address them is important. That brings us back to Fast Company and Sean Gallagher. Last week he wrote this in a tweet:
Wowzers, what really horrible WordPress security looks like and what it can expose in one easy lesson from @FastCompany #imnotblamingthevictimhere
Someone using a really weak password is not an issue with WordPress. WordPress both warns that it is a “Very weak” password and requires you to check a box to “Confirm use of weak password”.
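Because that checkbox lets a user override the warning, a site that wants to rule out passwords like the one described above has to reject them server-side. The following must-use plugin is an added example, not code from this post or from WordPress core; it hooks WordPress’s own `user_profile_update_errors` and `validate_password_reset` actions, and the minimum length and small deny-list are constructed values to tune for your site.

```php
<?php
/**
 * Plugin Name: Enforce Strong Passwords (added example, not WordPress core code)
 * Description: Rejects weak passwords server-side instead of relying on the
 *              "Confirm use of weak password" checkbox in the profile screen.
 */

// Constructed policy values: adjust to your own requirements.
const WPSEC_MIN_PASSWORD_LENGTH = 14;
const WPSEC_DENYLIST = array( 'password', 'pizza123', 'admin123', 'letmein', 'qwerty' );

/**
 * Return a human-readable problem with the password, or '' if it is acceptable.
 */
function wpsec_password_problem( string $password, string $login = '' ): string {
	if ( strlen( $password ) < WPSEC_MIN_PASSWORD_LENGTH ) {
		return sprintf( 'Passwords must be at least %d characters long.', WPSEC_MIN_PASSWORD_LENGTH );
	}
	$lower = strtolower( $password );
	foreach ( WPSEC_DENYLIST as $bad ) {
		if ( false !== strpos( $lower, $bad ) ) {
			return 'That password contains a commonly guessed word or pattern.';
		}
	}
	if ( '' !== $login && false !== strpos( $lower, strtolower( $login ) ) ) {
		return 'Passwords must not contain the username.';
	}
	return '';
}

// Profile edits and users created from wp-admin: $user->user_pass holds the new password.
add_action( 'user_profile_update_errors', function ( WP_Error $errors, $update, $user ) {
	if ( empty( $user->user_pass ) ) {
		return; // No password change was submitted.
	}
	$login   = isset( $user->user_login ) ? (string) $user->user_login : '';
	$problem = wpsec_password_problem( (string) $user->user_pass, $login );
	if ( '' !== $problem ) {
		$errors->add( 'weak_password', '<strong>Error:</strong> ' . esc_html( $problem ) );
	}
}, 10, 3 );

// Lost-password resets: the new password arrives in $_POST['pass1'].
add_action( 'validate_password_reset', function ( WP_Error $errors, $user ) {
	if ( empty( $_POST['pass1'] ) ) {
		return;
	}
	$login   = ( $user instanceof WP_User ) ? $user->user_login : '';
	$problem = wpsec_password_problem( (string) wp_unslash( $_POST['pass1'] ), $login );
	if ( '' !== $problem ) {
		$errors->add( 'weak_password', '<strong>Error:</strong> ' . esc_html( $problem ) );
	}
}, 10, 2 );
```

Drop the file into `wp-content/mu-plugins/` so it cannot be deactivated from the dashboard; a rejected password surfaces as a normal error on the profile or reset screen.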
He followed that up with a tweet that seems to show, despite being a security journalist and threat researcher, he doesn’t have a great grasp of security:
Maybe don’t leave your AWS keys, Apple News API keys and all that accessible behind a simple uname/password.
What he is referring to there is the additional access details the hacker had once they had administrative access to the website. That is equivalent to the access someone would have with the root account of a computer. The problem here isn’t that someone with administrative access has sensitive information or that it can be accessed with a username/password, but that a really weak password was used.
When journalists either can’t grasp what is going wrong in security at a basic level or are ignoring it for some reason, it isn’t surprising that the problems don’t get addressed and security remains in a poor state. It remaining in a poor state is good for lots of security companies, which might explain their employing a security journalist, as happened here, or their undisclosed ownership of whole news outlets.