Bad Security

Trustwave is Untrustworthy

When it comes to IT security companies, what we see over and over is that they have little to no concern for security (and also often have little to no understanding of proper security practices). So it isn’t surprising that despite billions being spent on IT security, IT security continues to be in such poor shape. This leads to situation like the massive breach of Target’s systems last year. While that was big news, what didn’t get much attention was the company who declared Target compliant with standards for handling credit card transactions shortly before the breach, Trustwave. Trustwave has a history of declaring companies compliant shortly before they suffer major breaches and for being lax in their assessments.

We recently spotted another example of their highly questionable practices of Trustwave. We were contacted about doing a migration of a Joomla-based website still running version 1.5, for which support ended in September 2012. While taking a look at the website, we noticed a seal for Trustwave Trusted Commerce:

Considering that the website is running software that is no longer supported and therefore cannot be considered secure, we were curious to see if Trustwave was claiming it was secure. It would be quite easy for them to find that the website is running Joomla 1.5 if they wanted to as the source code of every page on the website the following line is included:

<meta name=”generator” content=”Joomla! 1.5 – Open Source Content Management” />

If you click on the seal you get this page:

Trustwave Trusted Commerce Statement

At the top of the page Trustwave proclaims that “Your credit card and identity information are secure.”, which they shouldn’t be saying for a website that is running unsupported software.

As we looked closer we noticed the small text disclaimer at the bottom of the page were they say “Trustwave Holdings, Inc. makes no representation or warranty as to whether [redacted] systems are secure from either an internal or external attack or whether cardholder data is at risk of being compromised.”. So they are basically telling you that despite saying “your credit card and identity information are secure”, there not actually saying that at all.

It is highly inappropriate for them to mislead the public like they are doing with this seal, but unfortunately our experience is that this kind of thing is considered acceptable in the security industry.

Major African Bank Running Outdated and Very Insecure Version of Joomla

Recently we have had a lot of blog posts highlighting major organizations running outdated and insecure versions of Drupal, but we don’t want to give the impression that it is only with Drupal based websites that major organizations are failing to keep the software up to date on. So we wanted to find an example of a website running Joomla to highlight as well and we quickly found a very concerning example. The third website listed on Joomla’s showcase of websites running Joomla is the website of Guaranty Trust bank, which is Nigeria’s largest bank and has assets of over 12 billion USD. As you can see with our Joomla Version Check web browser extension, available for Firefox and Chrome, their websites is running a fairly out of date version of Joomla:

That version is over two years out of date and there have been twelve subsequent updates with security fixes. One of the security vulnerabilities fixed in a subsequent version is of particular concern. The vulnerability, which we discussed before, allows a new user account to be created with “Administrator” privileges through privilege escalation. If user registration is disabled this will not work, but in this case it does appear that user registration is enabled. It is important to note that account access portions of Guaranty Trust Banks’ website are separate from the main website, so they are not directly impacted by the lax security of the main website. But it does raise the question of how well they secure the other portions of their website if they are not doing something this basic. Also, if someone could exploit one of the vulnerabilities in the version of Joomla on the main website they could change the links directing people to the account access portion of the website to another location and use that to gather login credentials.

Due to how potentially serious the security issue with their website is we attempted to contact Guaranty Trust Bank as soon as we saw the version they are running, but we were unable to get far. For one of their listed email addresses we got back message that the mail box was full. For the other we were told to “liaise with our Corporate Affairs Unit at the head office”, but our reply asking how to do that was met with a message that the email address we were replying to did not exist.

Another Major University is Running Outdated and Insecure Version of Drupal

Last week we spotlighted the fact that only a third of websites running Drupal 7 are up to date. As keeping the software running a website up to date being an important security measure and with the most recent version of Drupal 7 being a security update that obviously is a problem (though certainly not a problem limited to Drupal). What makes this more troubling is that it isn’t just small websites that are not keeping their software up to date, but large institutions that are more than capable of doing the upgrades. In gets worse when you see institutions that have departments focused on the technology security that are failing to keep their software up to date. Last month we looked at the fact that the University of Cambridge was running an outdated version of Drupal, while the blog of their Security Group was running on a very out of date version of WordPress. They unfortunately are not alone.

Using our Drupal Version Check web browser extension, available for Firefox and Chrome, we can see that the Rutgers University website is still running Drupal 7.21:

That version is now a year out of date and two security updates have been missed (7.24 and 7.26). Making sure the website is kept up to date is something that you would hope that Rutger’s University Information Protection and Security Division would be on top of, but they are not even keeping their website up to date:

That website is less out of date than the main Rutgers website as the current version of Drupal 6, 6.30, was released in January, but it was a security update so they should have gotten it upgraded by now.

For those reading this and realizing they need to get their Drupal installation up to date, you can find the upgrade instructions here.

Another ING US Website Running Outdated and Insecure Version of Drupal

Yesterday, as part our series of posts highlighting the fact that even high profile websites are not taking the basic security measure of keeping the software running them up to date, we highlighted the fact that ING US was using outdated and insecure versions of Drupal on their website. Today we have a few quick follow-ups.

First it was brought to our attention that the fact that ING was using Drupal was a big enough deal for the creator of Drupal to highlight it, saying in part

You know when a piece of software is mature when it starts being adopted by financial services organizations.

The fact that such high profile user isn’t keeping Drupal up to date in light of the security need of doing so either means that that Drupal is too hard to keep up to date, which we strongly disagree with based on keeping our own installation up to date and handling plenty of upgrades for clients, or there is more general problem with security practices for websites.

In the aforementioned post another ING US website was highlight as running Drupal and that website unfortunately has also not been kept up to date:

That version is over two years and they have failed to apply five security updates (6.23, 6.27, 6.28, 6.29, and 6.30).

At the bottom on that website is a link to a Web Site Security page, which in part advises keeping the software on your computer update:

Take care of your computer

Update your computer by installing the latest software and patches to prevent hackers or viruses from exploiting any known weaknesses in your computer.

It would great if ING, as well as everyone else running a website, took that advice and applied it to their websites.

ING US and Voya Financial Websites Running Outdated and Insecure Versions of Drupal

When it comes to keeping websites secure one of the basic things that needs to be done is to keep the software running the website up to date. This prevents the website from being exploited through a known vulnerability in old versions of the software that has been fixed in a subsequent release. We know that many websites are not doing this, which is troubling, but what is more troubling is that the major institutions are not even doing this with their websites. Last week we looked at major security software provider not doing it and if you go back in this blog, you can find other examples. Today let’s look at example of a major financial institution in the same boat. ING US, which in the process of rebranding as Voya Financial, reports having $511 billion of assets under management and administration and serving approximately 13 million customers. They use Drupal for main portion of the ING US website. Using our Drupal Version Check web browser extension, available for Firefox and Chrome, you can check if it is up to date:

You can see that they are not. With a little further checking we were able to determine they are using Drupal 6.19. That means they haven’t updated the software in over three years and they have failed to apply ~~five~~ six security updates (6.21, 6.23, 6.27, 6.28, 6.29, and 6.30). It is important to note that account access portions of their website are separate from the main website, so they are not directly impacted by this lax security. Though it does raise the question of how well they secure the other portions of their website if they are not doing something this basic. Also, if someone could exploit one of the vulnerabilities in the version of Drupal on the main website they could change the links directing people to the account access portion of the website to another location and use that to gather login credentials.

It isn’t just the ING US website that has an out of date version of Drupal in use. The website for their new name, Voya Financial, also is using an outdated Drupal version:

With a little further checking we were able to determine they are using a version no newer than Drupal 7.21. That means that they haven’t updated the software in nearly a year and they have missed at least two security updates (7.24 and 7.26).

Cisco’s Bad Research Should Be Wake-Up Call for Web Security Reporters

The Internet has lots of bad information on website security floating around. In dealing with many websites that have been hacked, we see the harmful impact this has due to it leading to bad security practices and making it harder to get people to take the measures that will actually keep websites secure. Much of the bad information comes from companies providing security tools and services, whom you would expect would know what they are talking about. We looked at an example of bad security research by Cisco on Friday that lead to bad security reporting by Ars Technica and by today they have both pulled back from their claims.

Cisco has struck through most of their post and included this update:

This post’s focus relates to a malicious redirection campaign driven by unauthorized access to thousands of websites. The observation of affected hosts running Linux kernel 2.6 is anecdotal and in no way reflects a universal condition among all of the compromised websites. Accordingly, we have adjusted the title for clarity. We have not identified the initial exploit vector for the stage zero URIs. It was not our intention to conflate our anecdotal observations with the technical facts provided in the listed URIs or other demonstrable data, and the below strike through annotations reflect that. We also want to thank the community for the timely feedback.

Ars Technica has added an update to their post, included below, which doesn’t explain why they went beyond the claims in Cisco’s post or why they repeated Cisco’s claim without doing basic research that would have shown the research was highly flawed.

The Cisco blog post has been updated to change a key finding Ars reported in the following post. Contrary to Cisco’s earlier reporting, the update says not all the servers compromised in the attack were running Linux version 2.6. “We have not identified the initial exploit vector for the stage zero URIs,” the update stated. “It was not our intention to conflate our anecdotal observations with the technical facts provided in the listed URIs or other demonstrable data, and the below strike through annotations reflect that. We also want to thank the community for the timely feedback.”

Considering how colossally bad Cisco’s findings were we want to expand on how they got it so wrong, so that it might point security reporters in the direction of better vetting security research before repeating its claims in the future.

One of their key findings was that all of the websites were running an old version of the Linux kernel:

All of the affected web servers that we have examined use the Linux 2.6 kernel. Many of the affected servers are using Linux kernel versions first released in 2007 or earlier.

They then raised the possibility that this was what allowed the hack.

It is possible that attackers have identified a vulnerability on the platform and have been able to take advantage of the fact that these are older systems that may not be continuously patched by administrators.

The original title of the post, Mass Compromise of the Obsolete, also implied that the hack was related to obsolete software.

What we brought up on Friday was that not all of the websites on their list of affected websites were even running Linux, much less the Linux 2.6 kernel. Cisco’s explanation for this discrepancy is that their claim that all of the examined websites were using the Linux 2.6 kernel was anecdotal. We don’t how you can square the claim you examined the websites, but your finding was anecdotal. It seems either they didn’t look at their whole list of websites or they used a faulty tool that determined websites not running Linux were using the Linux 2.6 kernel, neither of which we would describe as being anecdotal. Asking Cisco how they determined the website were all running the Linux 2.6 kernel and what there sample set was would have been something that should have been done before journalists repeated their claims. Incorrectly identifying a set of hacked websites as having a common software version is something that we have seen repeatedly from security companies (a couple of examples), so reporters should look carefully at the evidence and probably get a second opinion on the evidence.

While their original post doesn’t spell out what versions they are referring to by the “many of the affected servers are using Linux kernel versions first released in 2007 or earlier”, a comment by one of the authors of the post says that “version 2.6.18 appeared to be particularly prevalent”. If the Cisco researchers had look into why this version was rather prevalent they should have realized they were going down the wrong path. Why would Linux 2.6.18 be rather prevalent? Well for one thing, it happens to be the Linux kernel version used by Red Hat Enterprise Linux (RHEL) 5 and it derivatives, the most prominent being CentOS 5. A little further checking would have shown them that RHEL 5 will continue to be supported for some time, so servers using the Linux 2.6 kernel would not necessarily be obsolete or insecure. This is something that Cisco should be aware of since the server powering the Cisco Blog is using RHEL 5:

Because we often see people saying otherwise, it is important to note that just because there is a newer version of software available it doesn’t mean that an older version is not safe and secure, as long as the older version continues to receive security updates.

What ultimately would have prevented this mess is if Cisco had taken the basic step of determining how the websites were hacked instead of jumping to conclusions based on data that was not reliable. Security reporters should understand that determining how a website has been hacked is an integral to dealing with them and if somebody isn’t explaining that, it should be a huge red flag that the information being given might not reliable.

Ars Technica and Cisco Provide Another Example of Bad Security Reporting

On Tuesday we looked at example of the poor state of security journalism. In that case a hack was tied to a specific version of TYPO3, despite fact that websites not running that version of TYPO3 or running TYPO3 had been hacked. There was also the larger issue that no evidence was provided as to how the websites were hacked, which would have been what would be needed to actually tie the hack to a specific version of TYPO3 and would allow people to make sure the protected their websites against it. Just a few days later we have spotted another very similar example worth highlighting. Ars Technica today put out an article “Ancient Linux servers: The blighted slum houses of the Internet” that states:

Now comes word of a new mass compromise that preys on even more neglected Web severs, some running versions of the Linux operating system kernel first released in 2007. According to a blog post published late Thursday by researchers from Cisco, the people behind the attack appear to have identified a vulnerability that has since been patched in later Linux releases that allows them to dish malicious content to unsuspecting people who visit the site.

If you read Cisco’s blog though they only state “it is possible” that a “vulnerability that has since been patched in later Linux release” was the source of the hack, while Ars Technica says that it “appears” to be the case. Here is the relevant section of Cisco’s post:

Attackers compromised legitimate websites, inserting JavaScript that redirects visitors to other compromised websites. All of the affected web servers that we have examined use the Linux 2.6 kernel. Many of the affected servers are using Linux kernel versions first released in 2007 or earlier. It is possible that attackers have identified a vulnerability on the platform and have been able to take advantage of the fact that these are older systems that may not be continuously patched by administrators.

That turns out to be less of an issue then the fact that the websites are not even all running Linux, much less the Linux 2.6 Kernel. Some websites provide information on the software running the in HTTP headers served with the page. Our Server Details web browser extension, available for Chrome and Opera, can parse those HTTP headers to provide the details in them and warn for outdated software. Using those headers we started going through the Cisco’s list of compromised websites and second compromised websites. For each we have listed below the first five websites we found not running Linux and what operating system they are running:

Compromised Websites

archive.mrpools.co.uk Windows Server 2003
blueprintbowling.com Windows Server 2008 R2
hwy65mx.com Windows Server 2003
jandjpoolspa.com Windows Server 2003
mussotra.com Windows Server 2003
Second Compromised Websites

3d2print.eu FreeBSD
7va.cc Windows Server 2008 R2
babycaust.info Windows Server 2008
banderil.com.ar Windows Server 2008 R2
c2consultores.com.ar Windows Server 2008 R2

Cisco provides no evidence of how the websites were hacked, which is the really important thing to prevent more websites from being hacked. If they had actually determined how it was hacked before jumping to speculation then they wouldn’t have tried to connect this to Linux, which it seems pretty likely it doesn’t have anything to do with. Cisco also has provided no evidence this has anything to do with outdated software, if we were to make an educated guess based on the evidence provide so far we would say it is more likely due to compromised FTP credentials, which could easily be checked for by reviewing the FTP logs for the websites.

We should also note that the use of the Linux 2.6 kernel is does not indicate that website using obsolete software, as distributions including Debian, Ubuntu, and Red Hat still have supported releases that use that version of the Linux kernel.

ESET Claims to Live Security, but Fails to Take Basic Security Measure with Their Websites

Based on cleaning up many hacked websites we know what are the things that are likely to lead to a website being hacked and therefore what needs to be done to protect them from hackers. One of those in keeping the software running on the website up to date, as this prevents known vulnerabilities in older versions from being exploited (like the privilege escalation vulnerability in older versions of Joomla that we have been seeing exploited recently). Unfortunately, what we see is that many websites are not being kept up to date. What is more troubling is that security companies, which you would expect to lead when it comes to handling security, are not bothering to keep the software running their websites up to date. Last week we posted for the second time about a Kaspersky Lab website that was running outdated software, this time the website of their security news website Threatpost. They haven’t been alone, a couple of years we looked at the poor state of security of Panda Labs’ websites after they had been hacked. This week we can add ESET to the list of security companies who are taking the basic security measure of keeping the software on their websites up to date.

Let’s start with their news website, We Live Security, which they promote as being about “research and information”. If you are going to be providing others with information on security it doesn’t seem unreasonable to expect that you are taking basic security measures yourself. This doesn’t seem to something ESET believes in as the website is running on an outdated version of WordPress:

They haven’t missed any security updates yet so that isn’t as bad as it could be, but the version is five months out of date. In the source code of the website’s pages it can be seen that they are using version 1.4.7 of the Yoast WordPress SEO plugin, which is nine months out of date. The more recent version 1.5.0 “contains tons and tons of bugfixes and security improvements“, so the plugin definitely should have been updated by now.

More of a problem is the website for ESET Virus Radar. If you are using our Drupal Version Check web browser extension you can see they are running an outdated version of Drupal on the website:

Digging a bit further we were able to determine that the website is running Drupal 7.22. That version is seven months out of date are there have been two subsequent updates – 7.24 and 7.26 – with fixes for security vulnerabilities.

Claims of TYPO3 Hack Highlight Poor Web Security Journalism

With the state of web security being in such bad shape there is a need for good reporting on security issues. Unfortunately what we have seen is that the news organizations that exist are not doing a good job.

One indication of the poor job they are doing is that they are failing to take basic security measures on their own websites. In a previous post we looked at three major tech news websites that were running really out of date versions of Drupal, including one that is now over five years out of date. As of today they are still running the same out of date versions as they were then. In another cases we look at a news website specifically focused on security that was and still is running on an outdated and unsupported version of Plesk.

Another area of concern is that these news organizations have a habit of running stories based on information that rather simple research would show is false and on conjecture. In many cases this is due to reporters just repeating claims of security companies, which are often highly faulty. In a post from a couple of years ago we looked a couple of cases of this involving false claims about hacks of a version of WordPress. Today we have another example of this involving TYPO3. Recent reporting by heise Security claimed that there was a hack that only affects TYPO3 4.5 based websites due to an unknown vulnerability (German). We first spotted mention of this from claim from post on the TYPO3 blog calling in to question the reporting. Here what they said about the claim:

From our point of view this news coverage is not only incomplete – and therefore confusing to users – but also factually incorrect: According to our own analysis by the TYPO3 Security Team, none of the websites named by heise Security use the the current TYPO3 Version 4.5.32, for which there are no known security holes. In addition, several of the named websites do not use TYPO3 at all.

Because we clean up hacked TYPO3 websites we need to know what potential threats are out there, so that we can identify the source of hack in instances when we lack all of the evidence of how the hack occurred, we decided to do our own check into this to see if what TYPO3 was saying is accurate. To do this we looked what software the websites in the Google search result that heise Security reported showed the hacked websites were running. The first website in the search results was running Infopark CMS Fiona, so right there the claim that the hack only effects website is TYPO3 4.5 appears to be false. We then checked the rest of the websites listed on the first three pages of search results and found more that were not running TYPO3 4.5.

Here is what we found the website to be running:

Infopark CMS Fiona                1
IP.Board                                     1
Joomla                                        1
phpBB                                         1
TYPO3 4.1                                   1
TYPO3 4.2                                  2
TYPO3 4.4                                  3
TYPO3 4.5                                  16
TYPO3 4.6                                  1
Unidentified TYPO3 Version 1
Unknown                                    2

TYPO3 4.5 does make up the majority, 53%, of the websites in our sample, but that is far different from the hack only affecting websites running that specific software. The fact that 80% of the websites running TYPO3 might indicate that the issue is related to TYPO3 in some way or it might just be a coincidence. The fact that TYPO3 4.5 made up 67% of the TYPO3 websites doesn’t seem to important as data from W3Techs.com indicates 90.6% of TYPO3 based websites are using some 4.x version and that 4.5 makes up 54.9% of the websites running 4.x.

Normally the pages of a TYPO3 based website will include a meta generator tag like this:

<meta name=”generator” content=”TYPO3 4.1 CMS” />

that lists the version of TYPO3, so heise Security should have been able to see that the websites were not all running TYPO 4.5 as they claimed.

By checking for the existence of a directory that was added in TYPO3 4.5.32 it does appear that some of the website TYPO3 4.5 based websites were are probably running 4.5.32, so the claim to the contrary in the TYPO3 blog post appears to be false.

Where heise Security reporting really fails, and too often other similar reporting does as well, is there is not even a mention of any attempt to determine how the websites were hacked. Determining how a website is hacked, to the extent possible, is a critical component of cleaning up a hacked website. What we see on a regular basis is that companies are hired to clean up a hacked website, they don’t determine how it was hacked so that the vulnerability is fixed, and then the website gets hacked again. While we are sure that creating stories about the fact that a bunch of websites were hacked draws readers, it doesn’t do anything to prevent websites from being hacked in the future. It also can be misleading as this article emphasizes a TYPO3 connection despite a lack of evidence that this hack was due to something in TYPO3.

If this hack was due to a vulnerability in TYPO3 it would show up in the logs of HTTP activity, so reviewing that would be one of the first steps in determining how a website with this hack was hacked. You can see an example of how that is done in a previous post where we looked at a website that had been hacked by exploiting a vulnerability in outdated versions of Joomla.

Kaspersky Lab and Cambridge University Websites Highlight The Poor State of Security

While keeping the software running a website up to date is a basic security measure, as it prevents the website from being exploited due to a known vulnerability in outdated versions of the software, we continue to see that the software isn’t being kept up to date. Our recent look at the stats of our tools for checking web software versions showed that a large percentage of websites checked were running outdated versions of Joomla, WordPress, and MediaWiki. Even websites that you would expect would be taking security seriously are failing to keep the software up to date. We recently looked at companies offering to clean up hacked Joomla websites and found that they were not keeping the software running their websites up to date. All of those companies are rather small, so what about higher profile organizations? The examples below show that even they are failing to do this basic task.

Threatpost

Threatpost is a security news website run by Kaspersky Lab, a major provider of security software. If you visit their website with our Server Details web browser extension you will be warned that the website is using outdated software. Clicking on the icon for the extension will let you know that they are using an outdated version of the nginx web server software:

The next version in 0.7 series of nginx was released in June of 2010 and the last release in the series was released in July of 2011. There have been two security vulnerabilities discovered – and resolved in newer versions of nginx – that impact the version being used, the older one being disclosed in November of 2011.

This isn’t an isolated issue at Kaspersky, in April of last year we posted about the fact that their US website was running an outdated version of Drupal. They are still are running the same outdated version, which is now over four years out of date.

University of Cambridge

The website for the University of Cambridge is running an outdated version of Drupal, with at least one security update missed:

The university’s computer science department has a Security Group, which you would expect would want to make sure that the university’s websites is being kept secure, but at this point they are not even doing for their own blog. Their Light Blue Touchpaper research blog is running a very out of date version of WordPress:

That version of WordPress is over three and half years out of date and nine subsequent releases have included security updates.