Started. That'll take me just a moment and then we will begin.
Welcome, everybody. Hey, Doug from Toronto. Welcome, Ken.
You should be able to click the links there in the chat to open up all the things. All right, captions should be working for everyone. All right. So just about 30 seconds to go.
Yeah, I will. Some folks are having some issues with copying from the chat. I will get those added as a question; you should be able to see those. Actually, I'm unable to ask a question, so I can't do that. Sorry about that, folks. If you're having trouble copying the links, just click on the link and copy that URL out of your browser.
All right, it's three minutes after. Let me start the recording and we'll dive right in. Welcome, everyone. Good evening, good morning, good afternoon, wherever you happen to be around the world. Welcome to another Solid Academy live stream. My name is Nathan Ingram. I'm the host here at Solid Academy. I'm joined today by David Johnson, who is the product owner of SolidWP, and also Timothy Jacobs, the lead developer here at SolidWP. We're talking all about this very important issue of trusted devices and how this feature of Solid Security helps to thwart the rising threat of stolen session cookie attacks. So welcome, guys. Glad you're here.
Glad to be here. Yeah. Thanks for having us back, Nathan.
Thanks for having me. Yeah.
Absolutely. So if you're just now joining us in Zoom, a couple of housekeeping notes. Once again, you'll find the link bundled there in the chat. You can download the slide deck. Also the replay: this is being recorded. We'll have the replay up about an hour after we finish. Also, a lot of this discussion comes from an issue that we began to discuss and unpack about a month ago with our friend Thomas Raef from We Watch Your Website. Thomas did some research that shows the growing threat of the stolen session cookie attack, and there's a great live stream that unpacks that. So David, once you get started, tell us a little bit about what we're going to be covering in the next hour.
Yeah, I appreciate that. So, looking forward to diving in. This is going to be fun, because we're talking about some features of Solid Security Pro that tend to get overlooked. And in fact, there are some features that have been built into Solid Security Pro for about five years now that actually protect you, if you have them configured and enabled, against the kinds of threats that we're talking about today. And so we're going to do a dive. I just want to really take a moment and zero in on this idea that your sites can be vulnerable to hackers even if, and this runs against some of the, you know, sort of conventional wisdom and some of the things that we like to talk about in the WordPress security community, even if you're doing all the right things. So did you realize that even if you have strong passwords that you enforce with all your admin users, let's say that you also enforce two-factor authentication, you use passkeys, you keep your site updated, and you even have virtual patching enabled, which we can talk about later, I guess, if we want to. But let's say you have all these things. You could still be vulnerable to hackers, because of this issue that Nathan just mentioned. Research shows now that this attack vector was responsible for 60% of successful WordPress site compromises in 2023. And so even if you're doing all the sort of right things about security, you could still be vulnerable to this. And the solution that we want to talk about is trusted devices. And so today we're going to dive in. We're going to do a quick origin story, so we'll talk about how this feature set came about. And then we're going to do a couple of demos. And this is going to be really fun. We're going to show the demo from your point of view after you've just enabled trusted devices, let's say, and then you just begin to use your site normally.
And then Nathan's going to help me with that. Nathan's agreed to use my credentials to sign into one of my sites here. And so he's going to sign in pretending to be me. And then secondarily, we're going to do a second demo, where we have an evil hacker by the name of Timothy Jacobs, who is going to compromise my website in real time. And so this is live on stage, folks, right here. You're going to witness it, so there may be some bumps along the way, just in case. You know, just to prepare you for that. Because, hey, it's a live demo of someone hacking my website. What can we say? You don't get that every day, right? Absolutely.
We have a lot of fun things to do over here in the next hour. Let me invite everyone: if you have questions, please use the Zoom Q&A feature. It's helpful just to keep that open. Actually, you can pop that window out to the side if you'd like and ask a question there. As we're going, we'll stack those up for a good time of Q&A at the end. And also, if you see a question appear that you also have, you can click the thumbs-up icon there under the question, and we'll take those questions in the order of upvotes as we wrap up. So David, I'm going to disappear and let you get going here.
All right, awesome. So we've sort of teed up one of the big reasons why you want to use trusted devices. There are actually a number of reasons. But before we get too much further, I want to bring Timothy in and we'll talk a little bit about the origin story for trusted devices. And this goes back a few years ago, and correct me if I'm wrong, but I think it was around the time you were starting to implement 2FA. This was long before I joined the team, by the way. So Timothy has been around the longest here at
Those of you who have been, I think, Security customers for a long time might remember a webinar that we did, at this point, almost five years ago, when we first launched trusted devices. And at the time this feature came out of a feature request where, hey, you enter your two-factor code, and you don't want to enter your two-factor code every single time that you log in; that feels a bit superfluous. So we added this feature called, hey, allow remembering my device, and say that, okay, if I'm on the same device as I was the last time I logged in with two-factor and it hasn't been, we chose 30 days as the time to make that refresh, don't ask me for two-factor again. And when we were thinking about that feature, we were like, well, I mentioned two things a couple of times there: the same device that I'm on. What does that mean? And so as we were kind of exploring what "the same device" is, we started to think, okay, we need something a little bit more than just, you know, a checkbox. We need to think about what it means for a device to be the same or for a device to change. And so we started sketching out the trusted devices module in Solid Security. And so this is a feature that gives you behavior where, when you log into a site from a new device, it will say, hey, you're on an unrecognized login. But it also powers this really handy feature for 2FA where you can say, okay, don't prompt me for the 2FA code, I'm still on this device, it's been 30 days. But when we were building out that feature, we thought, what else could we do besides just, hey, this is an unrecognized login, here's a notification, and what's a way for us to keep you logged in without needing to do your 2FA again? And we said, well, there are some attacks out there called session hijacking attacks, where your session actually gets stolen by a hacker. And so we added in this feature five years ago, and it has been a longtime feature in Solid Security.
It's been listed as beta for a long time. And when Thomas came to us, publishing this new research that showed, wow, these session stealing attacks are responsible for 60% of hacked sites, we were like, okay, we have this awesome feature in Solid Security that's been protecting folks for a very long time. But if I'm honest, I didn't love the user experience of that feature. You know, it was something that we built five years ago. We've learned a lot since then on how to build features that are more compelling for users and easy to understand. So we took the past month or two, I guess two months at this point, to kind of re-approach the user experience in Solid Security to make trusted devices a feature that we can take out of beta and say, hey, we recommend that everyone should be using this and adding it to their tool belt.
Fantastic. So it's been around for a long time. And I love the fact that back five years ago, when you were thinking about what it means to allow people to remember a device, you spotted an opportunity for this feature to protect WordPress websites and site owners against an entirely different attack. Like, you just, you know, were aware that this became this opportunity to build this thing out. And of course, it has been marked as beta. I will mention, you know, some great things have been in beta for a long time. Gmail was in beta for five years. So I feel like this feature is in good company. And it did, in the latest releases here of Solid Security Pro, lose its beta label. And so we'll talk about how this protects as we do our demos, as we talked about. So Timothy, we'll have you come back in a few minutes and be the hacker. I would invite you to please jump in, though, as we talk about the basics of the trusted devices feature at any point along the way. I'll begin
donning my hooded sweatshirt and, you know, my hacker sunglasses, and, you know, the dark lights. That's not really going to happen, but you
can. I was really hoping for a Guy Fawkes mask myself, actually. But so let's talk about trusted devices and how it works. So the first thing to know is that you do need to enable trusted devices, and there's a little bit of complexity around that. We're not going to get into the hairy, fine-grained details of all the things that you need to know. But for starters, you'll find this in Solid Security Pro. This is, by the way, not a feature that's available in Solid Security Basic. Solid Security Basic has a tremendous feature set, but this is a more advanced feature, and so this is something that you'll need a Pro license for. And when you enable trusted devices, you'll find it in the Login Security section of Solid Security Pro. There are two checkboxes you'll see underneath. One of them says Restrict Capabilities, and the other one says Session Hijacking Protection. And so Restrict Capabilities is this very basic idea that if a device doesn't match the traits that we know to be true about the previous logins that might otherwise match, in other words, username, password, maybe even passkeys to sign in or whatever, what should happen? Should we allow that user to just do anything until we have an opportunity to approve them or deny them or block their access to the site? And so if you turn this feature on, it allows you to say, you know what, I'm not going to allow that user to do things until we have a chance to vet whether that's actually a valid login or not. And then the second checkbox, of course, protects against session hijacking. And we'll talk about that in great detail here in a few minutes. So the big thing to know is that you want to enable those items. And then again, the complexity gets into which users this applies to, which user groups, and so forth.
So there are some things here that I'm going to skip over for the purposes of time today, but we can certainly address them if there's time in Q&A later, if you have specific questions about how to get this set up. But once you get trusted devices enabled, let's talk about what happens next. All right, so situation number one today we're going to call the happy path. So what this means is you've enabled the features, and what happens next in your day-to-day experience of using WordPress? And so for the purposes of showing you this, I'm going to jump over to a website where I have Solid Security Pro running, and I'll just jump in real quickly and show that we have these features enabled. So in Solid Security Pro, under Settings, I'll jump over to show you the Features, Login Security. And you'll see trusted devices is enabled here, as well as those two checkboxes. And so I've asked Nathan to be me, and so I want you to picture, and then we're going to put my Rod Serling hat on now, so picture, if you will: I have now been signed in on this website from my normal browser. Let's say I'm at my desktop now. But then I have a road trip coming up and I'm going to fly to Huntsville, Alabama. Is that right? Is that where I am? Birmingham, Alabama. Oh, sorry, I have the city wrong, and it was in the northern part of the state somewhere. Okay. So I now have opened my laptop. And Nathan, you're going to be me. And so what I'd like to do is I'm going to stop sharing my screen for a sec, and let's have you share yours, if you don't mind. And I previously gave Nathan my username and password, and the 2FA code, by the way. And so what we're looking at, can you tell us what you're seeing there, Nathan, on your
screen? Yeah. So this is just loading the WordPress admin dashboard just after I logged in. So we decided, just for the purposes of this demo, not to have to go through the 2FA code and all of that, but this is the very next thing. I've just successfully logged in, and immediately I'm presented with this lightbox that says, hey, you're logged in on a new device, and it's showing location and all this information. And I have the option either to send a confirmation email, which I'm assuming will validate this device, right? Or I can continue with a limited session. So what would you like me to do, David?
Let's have you tap Continue with Limited Access for the moment. And I want everybody to get a quick look at this. So this is an administrator account, this exact same administrator account that I'm signed into. So I just showed you this screen from a moment ago. GTD admin is up there. And you'll see it's got a yellow bar: Unrecognized Login Mode. So this flags you if you ever sign into a WordPress site with this feature enabled and, let's say, you just weren't paying attention to the modal and you just closed it, like, what's that? Hey, it's got a map. You know, this will at least warn you that you're in unrecognized login mode. And you'll notice on the left, you don't have the normal admin capabilities. And so Nathan, you are completely restricted, and a number of things get restricted here. So you can edit your own posts, but let's say that somebody else has created content on the website or pages on the website. You know that editing someone else's content on a WordPress site is actually an elevated privilege. So right now, Nathan, you're essentially reduced to an Author mode, and I don't think you can even publish any content on the site. But the big thing, of course, is you don't have admin capabilities. You don't have the Settings menu, and even if you jump over to Security, you're going to be very limited in what you can see there. All right, so this site, by the way, is on a very low-horsepower server, and it is a fresh WordPress site. As you can see, I've never even used the block editor capability before. But so what happens if this were a hacker? Of course, you wouldn't be able to get up to much. But Nathan, you also had the opportunity to send an email. Now, I will say you didn't actually have to send the email. And this is where I think we can jump back to me sharing my screen, if that's all right. And so I'll show what happens on my end.
So this, again, is the same screen we were just looking at a moment ago when I was sharing my screen. But now you'll see up at the top right I have a Login Alerts area up here, and it's got a little red indicator there, and I've got this "unrecognized login to your account, do you recognize this login?" Now, this one you'll see down here below was when we were testing earlier. This is the one that matches what we just saw. I don't know if you noticed the city was named Helena. And now if I click View Device Details, I see basically the same information that Nathan just saw. Now I have a choice. Like, if this was really me having this experience, then I would be Nathan on Nathan's end, right? And I also will show real quickly that an email did already get sent. So Nathan, you didn't click Send Confirmation Email; you didn't actually need to. I will jump over to a tool that we have that, by the way, I just want to mention is a tool that is separate from Solid Security Pro. This is not part of Solid Security Pro. This is a plugin written by a very infamous WordPress developer named Timothy Jacobs, and it's called WP Mail Debugger. You can find it in the wordpress.org plugins directory. And so it's grabbing emails just so that we don't have any need for me to jump over to an email client today. But you can see this email went to my administrator account for this website. And it says at this time and date someone logged in, and it does actually even show that two-factor was used. And I can choose now. Now, if this were me, and I say, hey, wow, this really was me, and so I am the recipient of the email and I was also Nathan, you know, in a new location, then I can click Yes, It Was Me. And what's going to happen here is it's going to prompt me just to make sure: hey, are you sure this is you? Do you recognize this device? I say yes, it was me. Okay. So, again, this is the happy path.
We want you to just have a sense of what happens when you are actually the user experiencing this situation in real time. All right, so I'm not sure that it got my click there. I think I'm having a little issue with clicks in my browser at the moment. So in any case, that will have approved that device. And another thing that I can real quickly show is if I jump over, let's see, I want to go to my own trusted devices information. And so let's see, I think I do that at my profile, if I remember correctly. Let me double check. Where do I see, yeah, here we go, Trusted Devices. And then you can see the current status of any of these logins. So let me just switch this over to Approved. That's what should have happened when I was clicking a second ago. But again, I'm having some weirdness in my browser at the moment. And I'm not even sure that, there again, it saved that change. Okay, cool. So now, actually, let's stop real quick, if you don't mind. Nathan, are you prepared to share your screen one more time, and we can see what happened to your session over there?
Absolutely. Cool. So
I've stopped sharing mine. And so again, just to clarify, Nathan will have been me. He signed in from a new location, got the email, approved himself because he said, yes, it was me. Now, if you would refresh your browser, we'll show you what happens next. So now the yellow Unrecognized Login Mode flag went away. And you'll see you have the Settings menu over there. You also have the Login Alerts area. So this is very much exactly like the experience that I'm having, in the sense that you're essentially just me on a different device, right? And so this can happen, as Timothy mentioned earlier, whether or not you're actually on a different physical device. And this is one of the things we actually recently considered: whether we should even rename the feature. Should we call it something other than trusted devices, because the word "device" can be a little bit misleading? In reality, what's happening is we're looking at the browser and the browser version number, so, you know, Chrome versus Firefox versus Safari, or whatever it might be, and the version number. We're also looking at the operating system on the device and its version. We're looking at the IP address of the signed-in user, and we're looking at geolocation information, where that's been enabled. And in this case, I did enable, I turned on a couple of extra things behind the scenes that allow us to have that little map and also to approximate the physical location of that IP address. So with all of those things, we have these various factors. If any of those changes, so let's say that I actually traveled across the country but I was still on the same laptop and hadn't even signed out, if I open the laptop and now I'm in a new location, my IP address and my physical location will change. That can be enough for trusted devices to go, you know what, let's make sure this is you.
And so, when you see an email show up like the one that I showed a few moments ago, and I could jump back here to sharing my screen if that's all right, Nathan, when you see an email like that appear, that is this feature doing what it's supposed to do, and that is to inform you that something has happened. Someone has logged in using your account, but in a way that looks different from the login that we were expecting to see. And so this is what we call the happy path. You know, this is the feature doing its job, and you are going to get occasional notifications from the tool when you are using trusted devices, even in your day-to-day usage. Your IP address can change, other things can happen. And so just be aware that once you enable the feature and turn on the email notifications, and we do recommend that you turn on the unrecognized login notification, then you'll start to see emails like this come in if something happens on your site related to a login that turns out to not be recognized. So this is a quick look at trusted devices doing what it does without a hacker in the picture. So let's talk about what happens if, in fact, there is something nefarious going on. And
if I could just jump in real quickly here, just to remind folks: what we're looking at at this moment is this WP Mail Debugger tool. And we're just using this for the sake of convenience to show you what the content of the email would look like without actually having to open up an email app to show you that. This, within WordPress, shows you that email content.
Yep, it snags any outbound emails from your website and allows you to look at them right there in your browser, so you don't have to. We use this a lot of times, as you might imagine from the name of the plugin, for debugging, but also in a situation like this, where this is a site that isn't actually, I mean, although it is visible to the world, it's not being used. It's hidden from the search engines and so forth. So it's not a production site, and so I actually don't even know if email is properly configured on it. So I wanted us to be able to show those emails, so thank you for mentioning that. That is not a feature of Solid Security Pro, but it is built by the one and only Timothy Jacobs, and it's available for free in the WordPress directory. So let's talk about session, or situation, number two: what happens if a session gets hijacked? In other words, what happens if you or one of your site users is successfully attacked? Now, for this part of our demo, I'm going to switch back here and show you the same site. And in this case, what I'm going to do is jump back into Solid Security, and I am going to disable the trusted devices module completely. All right, so I'm just using the switch here, and we've turned that off, and so trusted devices is now disabled. And Timothy, I would love for you to talk about what happens next.
Yeah, so one of the things to keep in mind about why session hijacking can be a tricky little attack is that it kind of lets us bypass all of the security protections that we often put into place, things like strong passwords, two-factor, stuff like that. When you log into a site, WordPress generates a cookie, and that cookie gets saved in your browser. And it's basically what identifies you to WordPress and says, hey, this is a real user. They've got permissions to be on this site. They can do anything that they need to be able to do. And so you might be asking, how might I get compromised by a session stealing attack? This is something that we went over in a couple of the different webinars where we've talked about this, both with Thomas in January, and I also did a webinar in late January that kind of went over this attack vector. And one of the things that can happen is if you have malware on your device, let's say, or let's say you go to an internet cafe and you use a shared device or a public device. And so late last night, I was away hacking at my computer, and I built what we're calling an evil cookie stealing extension. And so this is a malicious Firefox or Chrome extension that we created. And what it does is it steals all of the session cookies from David's computer and sends them over to a server that I control. And so what David is going to do is he's going to open up this extension menu. And so if this was a real nefarious attacker, they wouldn't require any input. But what David is going to have to do is to click this button in his toolbar and say, hey, attack me.
All right, so I want everybody to just acknowledge that I'm a brave human being. I did let an actual security expert send me a browser extension that is intentionally malicious. But I am using a browser I don't use a lot, so I am trying to protect myself a little bit here. But now, this is the evil extension here, and I'm going to just tap it, and when it pops up, he was nice enough to label it very clearly that if I want to get attacked, this is the button that I need to press. So I am going to click the Get Attacked button right now. And again, this simulates what an info stealer might do, or another nefarious tool, when they can get onto your devices. And let's not forget, it's not just your devices. It's anybody with sufficient privileges on your WordPress site who could get up to no good if they were to have their user account information compromised. So I'm clicking it. We talked
about, you know, hey, I hope all of us, we're all friends here, we're all super careful about the stuff that we put on our computers. We know, hey, you shouldn't go logging into your site at an internet cafe and just browsing the web like that. But the real question is, are your clients always that safe? Are they always up to date? Do they have an antivirus installed? There's no local malware on their computer? Any administrator on your account who might not be following the same best practices that you are in protecting their device, they are an attack vector. Yep. Exactly.
It takes literally seconds for a good info stealer to come in and grab all this data. And we could take time, I don't think we have time for this now, but we could show you it just lives in clear text in your browser. Your browser just stores cookie information in plain text. It's not on the file system the way that it used to be; you used to be able to go look at the cookies on your disk. But okay, so I've clicked the Get Attacked button. And what that means is, if I'm not mistaken, Timothy, you are sharing my window. Okay, let me stop sharing mine.
So I am at ADHD things.com here, and I also have this same malicious extension installed, but I'm going to use the attack menu and I'm going to click Attack. And now, fingers crossed, this is the most demo UI part of our live demo, folks. So when I click this Attack button, I should theoretically be refreshed and be logged in as David. There we go. So I am now logged in as David. I have stolen his session cookies; they've been transported up to my attack server by him clicking that Get Attacked button. And again, in the real world, you wouldn't have any interaction there. But I decided to be kind and let David opt into getting attacked. And so it sent his session cookies all up into the cloud, and I've stolen them here on my computer. Now, most attackers, when they're doing this kind of attack, they're not going in there in person to say, hey, I'm going to use this. What they do is they send the cookies up into their command and control servers, as we refer to them, and they'll have some scripts that start to automatically do malicious things, and you can learn about those in the webinar that Thomas did earlier this year, to say, hey, this is what attackers will do once they steal your credentials. But you can see here, I'm logged in as David. I can do any of the things that David would need to do, and I didn't have to type in his password. I didn't have to type in the 2FA codes. If he has passkeys, none of that mattered. I'm now winning. And so what you may have been hearing over the past couple of weeks is, so one of the things that you should do is, when you stop using your site, log out. So if David now logs out from his WordPress instance.
All right, and I'm not going to take time to switch screens and show that, but just for everybody's benefit, I have now hit the logout button and I am now back to a login screen on my end.
And so you can see my session has been killed. So that's the kind of protection we're talking about: hey, if you stop using your site, you know, you go to an internet cafe, please don't, but if you are going to log into your WordPress site, it's super important to log out after. And what this means is that if any attacker was using that session cookie, it would be invalidated, right? So here's one of the things Thomas was seeing: attackers compromise and use those session cookies very quickly. They don't wait around, and once they have your session cookies available to them, they can start installing their backdoors and installing their scripts. So what David is going to do now is re-enable the trusted devices feature inside of Solid Security.
Yes, and I am just in the process of signing back in on my end. And so, shall I, do you want to stay on your screen? I think we understand. Super. So I'm actually inputting my 2FA code right now, because I went ahead and decided to get logged in. And so let me see, I have an app that's generating the time-based one-time password token, and one thing
David, while you're doing that, just to note, you're going to have to go through this process of adding your 2FA code. Timothy didn't have to do that, because he was logged in with a session cookie.
That's exactly right. I got to bypass some of the best security protections which we have, which are, you know, hey, when you're typing in your password, give me the second factor. But because I just got the cookies, and those cookies actually prove my identity to WordPress, I was able to skip all of that. Yep.
And this can be done, by the way, regardless of what kind of security solution you're using, whether Solid Security or any of the other security solutions on the market. It doesn't matter how good their 2FA is or how strong your password is. If someone gets that cookie, they're in.
Alright, so I have reenabled trusted devices. And now Timothy, am I re enabling both restrict capabilities and session hijacking protection right now? Yeah, we want to keep those enabled. So the fingerprinting module or the trusted devices module, those are optional settings. If you don't enable those, you'll just get the notifications when there was an unrecognized login. And you'll be able to say either block that device or login to approve that device. This is behavior mites. You see sometimes if you log into Gmail on a new device or you log into your bank on your new device, they'll let you log in, it'll send you an email notification. So if you want you can use trusted devices in that mode. But this particular feature we're demoing is specific to session hijacking protection. All right, very good. So I've reenabled that along with both of the sub choices. They're awesome. And so now David is going to opt into being attacked again. So when David clicks that, hey, attack me button, what it's doing is it is taking his session cookies currently and sending them out to my server. So because you logged in a new time, we have a new session, and I'm now going to attempt to use his session cookies a second time.
Okay, so I have just hit the "get attacked" button, and I feel like a very brave human.
Awesome. So now I'm going to select David again, trying to attack David. But now I'm getting blocked on a new device with limited access. Oh, so, David, this is why I wanted us to truncate the trusted devices table. Because we were actually doing this demo earlier, this is no longer a new device to David's server, because I've actually been here before when we were practicing. So what we're going to do is, if you can, David, truncate that table, and we'll do the same thing again. But you can see now here, the same way that Nathan ran into it, that I'm now in that unrecognized login mode. I've stolen his cookies, but I'm limited in the amount of things that I can do. But once we make this no longer a new device for me, we'll show you the kicking-out process. All right, you have Session Hijacking Protection.
No, I just need you to repeat the name of the table that I'm truncating.
It's itsec_fingerprints, with whatever database prefix you have in front of it.
All right. So I'm just truncating that table real quick. So I'm doing some command line wizardry at the moment.
And so while David is doing that, just a quick note, Timothy: this is not just a WordPress security issue with the stolen session cookies, right? It's not an exclusively WordPress vulnerability. It's really any site that uses cookies for session authentication, is that right?
That's most sites. Yeah. So almost all of the time these days, I would say it's basically 100%: when you go to a site and say, hey, you want to log in, they're going to generate a cookie for you. Otherwise, you'd basically have to log in on every single page. You'd have to say, okay, I'm going to type in my username and password, and I'm going to type it in again, and again. The web is what we refer to as stateless. And so what that means is, how we then sync the state back up together is we give you this cookie once, and then that cookie follows you around. And so you can see why people are concerned about the privacy protections; this is why cookies can be used for tracking, because they follow you everywhere. The beneficial part of cookies is that they keep you logged in everywhere. So whenever you are trying to log into a site, you don't need to enter your username and password on every single page reload. What actually happens is the site says, okay, this is yet another login, this is the same person, we have their cookie that's identifying them, and they don't have to enter their password each time, because this cookie is basically being exchanged for permission, or representing my personhood, to that site. And so yeah, this is an attack that can be used anywhere. Thomas was seeing this used a lot in his research against WordPress sites because he is one of the experts on WordPress security; that's what he's monitoring. But you could also see attackers use this for other things, against financial accounts, to steal those cookies. And so different sites have different features enabled to help protect against this. And what Trusted Devices is doing under the hood is it's protecting me by tying my particular device to my session. And so it knows that, hey, this person is associated with this IP address; okay, we know that's them. If that changes, though, then we're going to throw additional security protections in place.
And you'll see this also sometimes with banks. It's very annoying, where it says, hey, you haven't done anything for two minutes, we're going to kill your session. But this is another thing that they're trying to protect: they're trying to protect your session cookie, if it does get stolen, from being useful for very long. And it's why, even if the site is using HTTPS or something like that, if you're going to an internet cafe and it's not your device that you're using, I wouldn't log into my bank on it. I wouldn't log into any sites that I care about, because someone could have installed a malicious extension like this one, or more invasive malware that doesn't even live in the browser but just infects and steals cookies, things like that. Now, this is different from things like a keyboard logger. So if I went into an internet cafe and they only had a keyboard logger attached, 2FA could help protect me, right? Because I type in my username, I type in my password, and when I go to log in, they'll be prompted for a two-factor code, and that two-factor code can only be used once, and for 30 seconds. So a keyboard logger is kind of able to do some of this stuff, and two-factor protects against it. But again, the cookie stealing is what bypasses all of this, because cookies are the only important part; they're proof of everything. We're looking, David.
We're close. It's the fingerprints table, correct?
Yep.
Okay, almost there. I had to do some shenanigans here. So I can essentially just delete all the records, correct?
Yeah, just truncate that table.
All right. All right. They are gone.
All right. So David, if you want to hit that "attack me" button again for me.
I don't know if I do. Let's see. Here we go. Oh, you know what, I have to sign back in. Yes, yes, I do. So that did work. My session is destroyed too, so that's good. So the little database shenanigans that I just did resulted in my own session being destroyed. So one more time with the 2FA code. This is WordPress security and Solid Security Pro doing its job. So this is good news. All right, I am now in and hitting the "get attacked" button.
Okay, so one more time with feeling, hopefully.
With feeling this time.
And so yeah, you can see I did the same thing basically that I did before. But Solid Security has detected that, hey, this session has suddenly changed from down where David is up to where I am in New York. And so it's now prompting me to log in again. And if I was really David and I knew David's username and password, I'd be able to continue using the site as normal. But since I'm an attacker, and the only thing that I had was David's session cookie, that session cookie is no longer valid. David will be forced to log in and I'll be forced to log in, but I won't be able to. So that's kind of an overview of how Solid Security helps protect against the session hijacking attack.
Right, so I just got logged out on my own. So I got that modal that we're all familiar with, that you've probably seen before. In fact, I can probably just share my screen real quick if that's all right, so we can show exactly what that looks like. I got prompted with this: your session has expired, even though I had just signed in seconds ago. I got hit with the same situation. So in other words, it didn't trust either session anymore. This site is set now, because I have Session Hijacking Protection enabled, to have me be as secure as I can be. So I got booted out in the process. I'm back to this mail debugger plugin, which is the one that we talked about before and is not part of Solid Security Pro. Now in this case, I didn't get a login notification, because my login credentials were not used, right? My session cookie was stolen and my session was destroyed, and I had to log in again. But this is not a case where someone used my password, or where my password and so forth was compromised. My session got compromised, and both the attacker and I got booted out. All right, so did we have one other scenario we were going to describe here at this point?
I think we're ready to start taking folks' questions.
Yeah, so I'm sure there are lots of questions. We were able to hit the two demos; those worked out pretty well. I didn't see any blue screens of death like the classic Windows 95 scenario when they demoed that product for the world. So I think that turned out pretty well.
Yeah, for sure. And let me just circle around to a question that Stacy just asked in the Q&A. This whole process of truncating the table was just because earlier, during a run-through, Timothy's device was already recognized by Solid Security. So, Timothy, would there be any reason that anybody would have to truncate that table?
No. So the reason why David did truncate the table is because we also don't expose a UI to delete devices in Solid Security, because you don't want to. But yes, this was an artifact of us replicating our entire test just minutes before the webinar.
And also a test of my ability to remember my SQL commands from the command line, which I don't use every day. Well, that was pretty impressive. I'm amazed, honestly. Yeah.
All right, folks, so if you haven't done it yet, please pop over to the Q&A window and just scroll down through all the questions that have been asked. If you like a question, or you'd like to hear an answer, just click the thumbs up button, and we are going to go through questions in the order of upvotes, starting with Sherry: How does Trusted Devices work if you're using a VPN when you log in? Is that going to require a new trust, Timothy?
Yeah, so for Trusted Devices, one of the biggest and most important sources is that IP address. So depending on what kind of VPN you use, some will give you a pretty stable IP address, and in that case, the first time you use that new location from your VPN, you'll need to basically say, hey, get back to me, and it will continue to remember you. But if you're using a VPN where you are constantly switching through IP addresses, then yes, you would see that pop up more often. Now, that is an optional feature. So again, there are a couple of different features we have with Trusted Devices. There is Session Hijacking Protection, which is what we just demoed, and Restrict Capabilities, which is what we demoed at the beginning. And so enabling all of them gives you the most protection. But if you're someone who is on a new device all the time, you're constantly moving, you can disable the Restrict Capabilities feature. And what Trusted Devices will now do is just email you whenever there's a login from a new device, and if there is a login on a device at that time and it wasn't you, you can block it, it'll prompt you to change your passwords, etc. And yeah, exactly, Stacy: a lot of VPNs will give you the capability of being able to say, hey, this IP address is more stable; it's something that you can rely on permanently being from here.
Yeah, absolutely. So similar to that, Deborah's question: Does Trusted Devices remember your IP address or your actual computer? So if I'm traveling with my computer and the IP address changes, am I going to have to re-recognize a new device?
Exactly. You're going to have to re-recognize it; it's going to be a new device. So this is a really important distinction, and it was kind of one of the reasons why we were thinking, do we want to rename Trusted Devices? Because it is taking in signals, but there is no way that we have, and this is a good thing, when you connect to a website, of knowing for sure that one device is the same as another device. There's no identifier that we get as a website that says, oh, this is exactly that person. It'd be a tracking nightmare, because you would now be able to correlate across every single site you visit: hey, we've got a permanent stable ID that was given to us from the operating system. That would suck. So instead, one of the reasons why cookies are used when we do get tracked is because that's how people who want to track you across the web do this: they'll set cookies. Now, if you remember, the whole basis of this attack, the one Session Hijacking Protection deals with, is cookies getting stolen. So if we were to try and set a cookie on your device to say, hey, this is that device, an attacker would now have to steal something in addition to the WordPress session cookie; they'd have to steal the Solid Security cookie as well. But that's not too much trouble for them. They can take all the cookies very easily. That's what our malicious browser extension does. So that's why it is using your IP address, because that is something that actually comes in every single time when you're connecting to a website. And you can change your IP address by using a VPN, but you can't just remove your IP address or fake your IP address. Traffic is always coming from one computer to another computer, and part of how the web works is we know from what computer it's coming from. So it is exactly that: it is not a thing where, when you are using your actual physical MacBook Pro or your Windows desktop computer or your iPhone, it notices that it is exactly that iPhone.
It is combining these different signals into a profile that we think is you.
Yeah, very good. And Sherry, I think that answers your question; that's next up in the list there. Let's move on to Jeffrey's question: When we activate Trusted Devices on client sites, will they all have to go through this process the next time they sign in? Or what does it look like the first time somebody sets this up? Yeah.
So the first time you set up Trusted Devices, we basically trust the first device that you use. So if you have no devices associated with your account when you log in for the first time, you're all good. If you then log in from a second device, that's when you'll start getting those emails. And so it's something that can happen periodically if you are with an ISP that changes your IP address all the time. And it's something that you're going to want to tell your clients about: hey, there's this new feature that's happening. But the very first time you log in, you don't need to do anything to configure it. You'll just start getting those notifications when Solid Security notices a change.
Good. A couple of really good questions from Marcus here. Does Trusted Devices impact site speed in any way?
Um, not noticeably. So this is one of the things that we always say about security measures: any code that you run on your site takes CPU to run, it takes memory to run. But Trusted Devices is pretty light. It only checks when it needs to check. Things like geolocation are cached. So we always keep in mind, when we're building new features, how do we make sure that they don't negatively harm the performance of your site? It is more processing, but we are very careful to make it as fast as it can be to deliver that kind of feature.
Yeah, good. And another question from Marcus: Can we turn off location tracking, and will this data be shared with SolidWP or any third parties?
A great question. So geolocation is an optional module in Solid Security. If you don't enable geolocation, the way the feature will work is it's just going to pair very strictly on the IP address. With geolocation, this is helpful: I'm over here in New York City; if I go from my Upper West Side apartment over to the Starbucks, it's going to be the same location, and it's not going to force me to log in when I'm on my phone and just traveling about the city. But if you either don't want to use the geolocation feature because you have privacy concerns, or you just want an even stricter form of Trusted Devices, you don't have to enable it in the first place. The way that geolocation actually works is we offer a couple of different modules. So you can connect to the MaxMind API, and that is a paid service where you give MaxMind money, like $25, and they give you thousands and thousands of lookups. Or you can use MaxMind's free service. And when you use MaxMind's free service, basically a database is downloaded to your site and is refreshed every two weeks, and user IP addresses are not sent to MaxMind; all of the geolocation happens on your site. Regardless of what geolocation feature you use in Solid Security, Solid Security never gets that information. We don't transmit the IP addresses of your site visitors. We don't transmit the geolocation properties. We don't transmit the actual devices, nothing like that. If you enable telemetry in Solid Security, it will send the count of devices and the average count of devices, and we use that to see how well this product is being used. But we never send any information like that to our servers. And the details are always available. This was a feature, you know, when the GDPR thing came about, back I guess in 2017, that we don't think about very often these days: there's a really handy privacy menu in WP admin under Settings, and Solid Security tries pretty hard to keep up to date with it.
So any places where we're sending data, tracking data, logging data on your site, or sending data to Solid Security servers, all of that is described in the privacy policy generator in WordPress.
Very cool. Okay, good question from Ben here: Is there a way to force a logout after being idle for so many minutes?
Yeah, so with Solid Security, we don't offer that feature. It was something that we discussed: do we want to add a feature where it says, hey, after 60 minutes, after 30 minutes, expire this session? Right now, this is something that you can pretty easily do with a filter. One of the things that Thomas has talked about is that a lot of attacks happen very, very quickly. So making the time period in which you need to have activity short enough to prevent attacks, but not so short that it is as frustrating as using your banking website, is very difficult. One of the things that people do most often with WordPress is you log in and you write a post, and we don't want you to have to log back into WordPress 15 times while you're writing a post. So I think it is a less beneficial feature, because unlike your bank, where you can kind of tolerate having to do something every two minutes, I think in a WordPress environment that's rarely the case. If that is a feature that you would really like to see, let us know. You can always hit up support and say, hey, I would love to see this, and we'll consider adding it to our roadmap. But that was the reason why we didn't offer a built-in UI for it in Solid Security: coming up with the right trade-off of protection and aggravation is difficult with a feature like that.
It really is. It really is a balance. And there are other WordPress plugins that do this, but like you're saying, Timothy, there are code snippets out there that will let you change the default logged-in time to a certain length. Exactly. Yeah. Oh, really good question from Marcus. So earlier, when we did the demo and I was showing my screen and I was logged in, in the limited mode, there were certain things I could do and certain things I could not do. And Marcus is curious: Why are the content publishing options not turned off? Yeah.
So there's a long list of capabilities; it's like 15 or so. And when you open up the Trusted Devices modal, that yellow icon, it'll give you an explanation of what features we choose to restrict and choose not to. That is a configurable, filterable list, so you can add more to it if you want to. But again, this is us trying to figure out what that balance is. One of the things that we did is unfiltered HTML is turned off. So normally, as a site administrator, I can go into a page or a post and publish whatever JavaScript I want. And WordPress restricts that for less privileged users, so an author on your site doesn't add in, you know, some keylogger JavaScript to your checkout page, and suddenly everyone's credit card information is getting harvested. So what we do is we remove that ability to use unfiltered HTML when you're in this mode. But I don't think publish posts is necessarily a capability that's removed, though it's all basically configurable. And it's the same thing: what is the trade-off point of, hey, I want to log into my site, I want to still be able to do things, I travel a lot, and that would be helpful, versus, you know, locking everything down? So it's all a series of trade-offs, basically, like all things in security, and that's kind of where we landed. But you can absolutely adjust it. There's a really simple filter to just add more capabilities. And again, if that's something that you'd like to see in the UI, let us know. That's basically our first take on what we think is a reasonable set of capabilities, but it's something that is, in some ways, a personal decision.
I just want to clarify one item there, and that is that it is a really simple filter, but that is a developer talking. And so that means you have to be able to use WordPress filters and have to know where those go. So it's a code snippet that you write. It's not something that is already available in the UI, not just yet. So I just want to double clarify that that's something that you can adjust if you have the ability to write the code.
Yeah, very good. Good clarification. Okay, the next question up regards this stolen session cookie attack. I have always had trouble saying "stolen session cookie attack" in general. Which is: is there anything we can do about this on our computers to block the malware that creates stolen session cookies?
So we've talked for years about, you know, how to protect your WordPress login, and how to protect yourself: use passkeys, use password authentication, use two-factor. But at the end of the day, keep your devices safe, right? So this is an attack vector that in some ways is almost entirely under your control. You can take Thomas's research, I think, as good news, which is that 60% of sites got compromised because basically they were using devices that were compromised, or some device in the chain was compromised. And so we're doing a good job, folks, of, you know, using strong passwords, using two-factor, keeping vulnerable software down to a minimum. So it's about keeping your device safe, and that's things like using a trusted firewall tool. The ones that are built into Windows are great, the ones that are built into macOS are great, but there are tons of other options. Keeping your software up to date, all of those kinds of best practices that we haven't talked about in a number of years because they're kind of boring, but your personal security hygiene is the most important thing. And so once an attacker has malware on your device, there's not much that you can do. So these are features that we're adding to Solid Security to help as much as we can. But the best protection is to not be in the position in which your device has malware on it, or you were using some public computer that you came across in an internet cafe that says, hey, use me for free, just check your bank account information first. Apply good security practices and good security hygiene.
Very good. And just a note on that. One of the big misconceptions is that Mac computers don't need anti-malware software of some sort, and that is a big mistake. So even Mac users need, for sure, to have some sort of software. Well, folks, we've got about four minutes left and there are 15 questions still open. So let's try to go for some quick answers. Before we do, actually, David, you want to talk about an event that we have coming up very soon here on Solid Academy?
Yeah, you know, I grabbed this slide from your slide deck that you used previously, so it doesn't cover the entire event. But I just want to mention Disaster Week is coming up, and it is March 19 and 20. It's a very short week; it's only two days this year. But it's been a while since we did Disaster Week, and so I think we're going to do a shorter one this year and grow it a little bit. But we have some fantastic people. I talked to Kathy just Friday of last week. She's really excited. She's going to join us to talk a lot about some of the big picture items that we need to be aware of in 2024 when we look at security. And then we also have Thomas Raef joining us, who is the researcher that we've talked about today, and he's got a lot of useful information to share that goes far beyond just this research that he published. Also, Timothy will be back, and Nathan, you're going to host. So we've got a lot of great security topics that we're going to be discussing, and I just want to make sure you get that on your calendar. If you're an Academy member, of course, you'll have access to all of that, but I just want to make sure you're aware of it. Don't miss it; go ahead and block those times in your calendar. We've got the times there: 1 to 3 p.m. Central every day, 2 to 4 p.m. Eastern, on March 19 and 20.
Absolutely. That's two hours each day for two days, and this is a free event open to the public. And that link to register I just dropped in the chat. So yeah, go and get registered for that. We'll be talking about the WordPress security world in the big picture. We'll have a great security experts panel. Timothy is going to be talking about details of Solid Security, and in that last hour, I'll be talking about talking to clients about security. So it's going to be a really good four-hour set of security training next month, or actually coming up in a couple of weeks. Two weeks, two weeks. Seriously. All right. Let's see, next up here. I'm going to scroll down through some of these questions that are very similar. Yeah, so question from Manu: Can we just get rid of cookies altogether and just not worry about this?
Yeah. So that's the thing, right? The web is stateless, and the way that we remember you from one page to the next is a cookie. So you could disable cookies, but you'd have to type in your username and password on every single page.
Yeah, every page, not just per site, but as you go from one page to the next page. Yeah.
And even AJAX calls, right, could be within a page. Yeah, it would be a very frustrating web. Indeed.
Another question that's come up several times in the list of questions has to do with those of us that use a dashboard to manage client sites, like, for example, Solid Central. How does Trusted Devices work if you're using Solid Central or one of the other dashboards that lets you log in to multiple sites? How does this come into play?
Yeah, so it highly depends on how the individual plugins are implemented. Some plugins just completely bypass user identification whatsoever, and in that case, Trusted Devices won't come into play at all. Others, like Solid Central, actually impersonate a particular admin user, and in that case, you'll end up approving, for instance, Solid Central as a device, and then you'll be good to go. But it is highly variable depending on how the actual service decided to implement its API calls. So I can't give you a universal answer, unfortunately.
So if you're using a service like that, maybe the best option, correct me if I'm wrong, Timothy, is to just log in, expect to have some sort of challenge, and then approve whatever method that dashboard is using to log into your site.
Yeah, you might have to end up doing something like that. It'll depend. So sometimes you'll just get the email that says, hey, there's an unrecognized login, and you can go in there and approve it. Sometimes you'll see a new device up here that you can approve. It'll depend exactly how the service works.
Yeah, great. One more question, and we'll call it a day, from Thomas. Thomas says: I always uncheck "save this device" on anything that I log into, so I always have to log in. Do I also need to clear cookies?
So you don't need to clear cookies to solve this, but you should quit your browser. So the big thing that changes when you say, hey, don't save this device, is the cookies that get generated are what we call session cookies, and so they last as long as your session lasts. And what typically flushes these: you can just go up into your browser and say, hey, clear all these cookies, but quitting your browser is usually the indication that says, okay, these cookies can expire. So you don't need to, you know, open developer tools and clear them, or go into some advanced menu to clear out all those cookies. You just need to quit your browser.
Very good. Well, guys, this has been an excellent tutorial demo of how Trusted Devices works and the real benefit it can have for thwarting this growing threat of stolen session cookies. Let's wrap things up. David, any final words? And Timothy, then we'll go to you.
I just want to say I appreciate everybody being here, and definitely, if you have thoughts about how this product could be improved, or any of the Solid products, I'm here, and I definitely want to hear from you. I've been in some office hours and whatnot, so don't hesitate to reach out. My email address is david@solidwp.com. So I want to hear from you if you have thoughts or questions. And of course, if you're using the feature and run into any trouble, our support team is fantastic. So I'm not encouraging you to send me support questions; they will get to you much faster, I promise you. But I certainly want to hear your feedback about the products and how we can make them more useful to you.
Yeah, very good. And a compliment in the chat for your beard there, David.
Oh, thank you, I appreciate it.
No, no, I mean, I compliment the hairstyle myself.
I like your hair, right? Yeah, yeah, for sure. Definitely.
Timothy, give us something to wrap up here.
Um, yeah. We've had Trusted Devices for a number of years at this point, and we haven't done a lot of content on it since, I guess, 2018 or something like that. But I would really love for everyone to give it a try. Let us know how you find the user experience, what parts are confusing to you. We think this is a big feature, but it's really cool and adds a lot of nice optional bits of protection for your site. So I'd encourage you to give it a try. And if you do find things confusing, let us know. We want to figure out a way to make it even easier to understand.
All right, very good. That's a great place to end. Thanks, everybody, for being with us for the last hour. Hopefully this has been educational, and entertaining in some parts, as you seek to protect your sites and your client sites from this new stolen session cookies attack. That's going to wrap it up for us today. We'll have the replay up in about an hour at the link that I've shared throughout today's session. And folks, if you're a member of Solid Academy, I'll see you back tomorrow for office hours at 1 p.m. as usual. Thanks again for joining us today on Solid Academy, where we go further together.