Security for your CiviCRM, AI and today

Published
2026-05-20 06:24
Written by
AlanDixon - member of the CiviCRM community

In case you haven't noticed, the security landscape for the Internet has changed in the last few weeks.

The big news out there was about Claude Mythos, and if you've been paying attention to AI and Internet security in any way, this is now a "shit hitting the fan" kind of thing.

It doesn't take much imagination to realise that a tool like AI should be particularly excellent at finding code vulnerabilities. The open question has been: will this benefit the bad actors or the heroic defenders more? Bruce Schneier is one of my favourite security people, and at a talk of his that I attended last year, he was on the fence. Here's his latest take on Claude Mythos.

So what does that mean from an actionable perspective? Read on, make sure you get to the end, it's short.

CiviCRM Security

CiviCRM does have a knowledgeable and active security team that handles an increasing number of reports of vulnerabilities. You may have noticed an increase in the number of security releases over the last year, and you can expect that to continue. If you're not already set up to handle security releases easily, get ready now. That means:

  • Don't get too far behind in your version. It's a judgement call, but if you're too far behind, then the upgrade is more likely to disrupt your site (e.g. due to PHP version requirements, extension versions, etc.).
  • Be ready to upgrade your CiviCRM version every third Wednesday of the month (that's the standard security window). E.g. avoid planning big mailouts or other events that will require your site to be responsive on that day.
  • Have a plan for emergency CiviCRM upgrades in case of security releases outside of that window. They haven't happened very often, but there's a reasonable chance that will change.
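As an added illustration of the three points above (this is my own helper script, not code from the CiviCRM project): it works out the upcoming third-Wednesday windows so you can keep mailouts off those dates, and it reports how many monthly releases an install has fallen behind. The "third Wednesday" rule is taken from the post; the version strings and the three-release lag threshold are constructed assumptions for the example, and you would substitute your own installed and latest versions.

```python
"""Plan around the monthly CiviCRM security window (third Wednesday) and
flag installs that have fallen too far behind. Added example; the dates
and versions used below are constructed, not real release data."""
from datetime import date, timedelta

WEDNESDAY = 2  # date.weekday(): Monday == 0 ... Sunday == 6


def third_wednesday(year: int, month: int) -> date:
    """Return the third Wednesday of the given month."""
    first = date(year, month, 1)
    offset = (WEDNESDAY - first.weekday()) % 7  # days until the first Wednesday
    return first + timedelta(days=offset + 14)


def upcoming_security_windows(start: date, months: int = 3) -> list[date]:
    """Third Wednesdays on or after `start`, covering the next `months` windows."""
    windows: list[date] = []
    year, month = start.year, start.month
    while len(windows) < months:
        window = third_wednesday(year, month)
        if window >= start:
            windows.append(window)
        month += 1
        if month > 12:
            month, year = 1, year + 1
    return windows


def clashes_with_window(event: date, start: date, buffer_days: int = 1) -> bool:
    """True if an event (e.g. a big mailout) lands on a security window or
    within `buffer_days` of it, when the site should be free to upgrade."""
    for window in upcoming_security_windows(start, months=3):
        if abs((event - window).days) <= buffer_days:
            return True
    return False


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse a CiviCRM version like '5.75.2' (or '5.78') into a tuple.
    A pre-release suffix such as '-beta1' is ignored for comparison purposes."""
    core = version.strip().split("-", 1)[0]
    parts = core.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised CiviCRM version: {version!r}")
    numbers = [int(p) for p in parts] + [0] * (3 - len(parts))
    return numbers[0], numbers[1], numbers[2]


def minor_releases_behind(installed: str, latest: str) -> int:
    """How many monthly (minor) releases `installed` trails `latest` by.
    Major versions are expected to match; a major jump is a separate project."""
    inst, late = parse_version(installed), parse_version(latest)
    if inst[0] != late[0]:
        raise ValueError("major versions differ; plan a major upgrade instead")
    return max(0, late[1] - inst[1])


def too_far_behind(installed: str, latest: str, max_lag: int = 3) -> bool:
    """Assumed policy: more than `max_lag` monthly releases behind is too far."""
    return minor_releases_behind(installed, latest) > max_lag


if __name__ == "__main__":
    today = date(2026, 5, 20)  # constructed: the date of this post
    for window in upcoming_security_windows(today, months=3):
        print("security window:", window.isoformat())
    mailout = date(2026, 6, 17)  # constructed example mailout date
    print("mailout clashes with a window:", clashes_with_window(mailout, today))
    for installed in ("5.75.2", "5.70.0"):  # constructed version numbers
        print(installed, "behind by", minor_releases_behind(installed, "5.78.0"),
              "-> too far:", too_far_behind(installed, "5.78.0"))
```

The one-day buffer and the three-release lag are knobs to tune to your own risk appetite; the point is that both checks are cheap enough to run from a cron job or a pre-deployment script rather than from memory.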

Non-CiviCRM Security

CiviCRM is part of an ecosystem of code, all of which is also impacted by these changes. Keeping your CiviCRM code secure is essential, but not enough. There's no checklist here for you, but if you administer a CiviCRM install, you should especially be asking questions now about two recently published vulnerabilities:

  • CopyFail is a high severity Linux core vulnerability that was added to the Linux kernel 4.14 (introduced in 2017) and exposed publicly about a month ago.
  • On Sunday, the Drupal security committee took the unusual step of warning Drupal sites of a highly critical security release today May 20 that they said could be exploited within hours.

I avoid the panic button, but if you haven't heard from your provider about CopyFail or the Drupal security release, then it might be time to hit that button, gently. Unless you're not using Drupal, in which case, just ask about CopyFail. If you're using Drupal and neither of these vulnerabilities is patched, you've got a big target on your back and you've done a great disservice to all the contacts in your CiviCRM. Not getting an answer? Might be time to hire an expert.