I wanted to mark the start of season 2 of the hit TV show Mr. Robot with this blog post. The show is a gripping drama following a young programmer named Elliot who works as a cyber-security engineer by day and a vigilante hacker by night. Aside from the many awards the show has won lately including Best Television Series at the Golden Globes, what has really impressed me is the level of realism of the hacking techniques used in the show. This is a fresh change from the usual inaccuracies you see in hacking and computer scenes in Hollywood, often painful to watch for a technical professional.
The show’s creator, Sam Esmail, relies on security experts like Michael Bazzell, who has spent 10 years working in the FBI’s cybercrime task force, to ensure each technique used is plausible. So much so that the storyline gets altered if it’s not approved by a technical advisor, and hours are spent setting up windows of code that might only get a couple of seconds of screen time.
The problem with the portrayal of hacking in Hollywood is how it’s often overcomplicated with superhuman typing skills and visuals sometimes resembling an acid trip. In the real world, and as portrayed on Mr. Robot, hacking can be much simpler. Sometimes it’s as simple as tricking someone into handing over confidential information which can then be used to breach a system, or simply exploiting common, weak passwords due to plain user incompetence.
With a high-profile hack in the news almost every week in recent years, the show serves as a good wake-up call for us to finally click that update now button on software we use, or for us L&D professionals to get around to tightening our LMS security. As many of us use Moodle or a Moodle-based LMS, I’ve gathered some simple tips on how you can make your Moodle site more secure right now!
Don’t delay, upgrade now!
As new vulnerabilities are discovered, it becomes trivial for an attacker to use one of the known vulnerabilities against the version of Moodle you’re running. This is why it’s essential to keep your Moodle site up to date with the latest security patches. Make sure your admins receive email notifications of new updates by configuring this in Site administration > Server > Update Notifications.
New Moodle versions are typically released every 6 months, in both May and November, and security updates are then provided for 18 months. You can use the Moodle releases page as a guide for when to schedule upgrades of your site: https://docs.moodle.org/dev/Releases. It’s good practice to test upgrades in a test environment first, to make sure they behave with any plug-ins or other customisations you might have.
Use the security overview report as a guide!
Make sure to check out the security overview report in Site administration > Reports > Security overview. Use this to ensure your site passes the basic security checks. You can click on each issue to get more details on how to fix it.
Don’t forget your server environment!
Now that your Moodle site is secured, let’s look at the server environment where it’s hosted. You must keep your server environment up to date with the latest security patches. Failing to do so could leave your server susceptible to critical vulnerabilities such as Heartbleed and Shellshock. In particular, ensure the PHP version is up to date so the latest Moodle security features like bcrypt password hashing are being used internally. A firewall is a must in order to block access to all but the essential services; this minimises entry points for attackers.
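The bcrypt point above can be checked from the data side. The following is an added example, not code from the original post or from Moodle: it classifies stored password values exported as username/password pairs from the user table and flags any that are still bare MD5 digests or low-cost bcrypt. The export shape, the `min_cost` floor and the sample rows are assumptions, and the rows are constructed.

```python
import re
from collections import Counter

# bcrypt as written by PHP's password_hash(): $2y$<cost>$ + 53 chars (salt + digest)
BCRYPT = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
# legacy format: a bare 32-hex-digit MD5 digest
MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


def classify(stored):
    """Return (kind, cost) for one stored password value."""
    m = BCRYPT.match(stored)
    if m:
        return "bcrypt", int(m.group(1))
    if MD5_HEX.match(stored.lower()):
        return "legacy_md5", None
    return "other", None  # e.g. a placeholder for an externally authenticated account


def audit(rows, min_cost=10):
    """rows: iterable of (username, stored_value); min_cost is an assumed policy floor."""
    counts = Counter()
    flagged = []
    for username, stored in rows:
        kind, cost = classify(stored)
        counts[kind] += 1
        if kind == "legacy_md5":
            flagged.append((username, "legacy MD5 hash"))
        elif kind == "bcrypt" and cost < min_cost:
            flagged.append((username, f"bcrypt cost {cost} below {min_cost}"))
    return counts, flagged


# Constructed sample rows (not real hashes), shaped like a username,password export.
SAMPLE = [
    ("alice", "$2y$10$" + "a" * 53),
    ("bob", "0123456789abcdef0123456789abcdef"),
    ("carol", "$2y$04$" + "b" * 53),
    ("dave", "not cached"),
]

if __name__ == "__main__":
    counts, flagged = audit(SAMPLE)
    print(dict(counts))
    for user, reason in flagged:
        print(f"{user}: {reason}")
```

Run it against a read-only export rather than the live database, and treat the export itself as sensitive.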
Encrypt confidential information and gain the trust of your users!
To help prevent an attacker getting a user’s login details, we can encrypt them using SSL. This involves the purchase of an SSL certificate from a trusted SSL provider and configuring this on the server. You can enable SSL for login pages of your site in Site administration > Security > HTTP security. But ensure you know what you are doing here, as you can lock yourself out of your site if you set it up incorrectly! Using a trusted SSL provider gives us that shiny green lock symbol in the address bar when logging in, which builds up trust with our users.
Always playing catch up?
With cyber security being a cat and mouse game of software vendors constantly trying to patch newly discovered vulnerabilities and hackers finding more innovative methods of attack, we can never be completely safe. Following these guidelines can, however, minimise the chances of a potential breach of our training materials and employee data!