Netfirms Running Over Seven Years Out of Date Version of phpMyAdmin

One of the most basic measures for keeping a website secure is keeping the software running it up to date, something web hosts know and tell their customers. Unfortunately, many web hosts don’t seem to feel that they need to heed their own advice and run out of date software on their servers. This puts their clients at risk of being hacked through exploitation of a known vulnerability in that software. A web host’s use of outdated software is also a warning sign that it may not be handling the rest of its security properly either.

When we do work on a client’s website we check what version of some common software (PHP, MySQL, phpMyAdmin, etc.) is running on the server. This is partly so that we can see how well web hosts are doing at keeping that software up to date and also so that we can alert clients when severely out of date software is in use. We were recently doing work on a website hosted with Netfirms and found that the server was running a version of phpMyAdmin, 2.8.0.1, that is over seven years out of date:

Netfirms is Running phpMyAdmin 2.8.0.1

That version was released on March 8, 2006, and the next version, 2.8.0.2, was released eight days later. phpMyAdmin maintains a page listing all security announcements for the software (something other software developers should also provide). Based on just the announcements for 2006 and 2007, the version of phpMyAdmin Netfirms is using probably contains 16 security issues rated serious severity and 1 rated “quite dangerous”.

If you want to check if web hosts you or your clients use are running an outdated version of phpMyAdmin you can check with our phpMyAdmin Version Check extension, which is available for Firefox and Chrome.

It is not just phpMyAdmin that Netfirms doesn’t keep up to date. They are also using PHP 5.3.13, which is over a year out of date and has known security vulnerabilities (including ones that were fixed in the very next release).

Amazingly, the fact that they have some pretty obvious security problems hasn’t stopped the security company SiteLock from declaring that Netfirms is secure, as can be seen in the footer of Netfirms’ website:

SiteLock SECURE Badge Shown on Netfirms Website

Secure This: A Website Security Company That Doesn’t Care About Security

One of the biggest problems we see with improving the security of websites is that while basic security measures are often not being taken, security companies are trying to sell security services that most websites don’t actually need. We often see the negative impact of this when people contact us about cleaning up a website: they think they need those types of services because other companies are pushing them, while they don’t want to make sure the basic security measures that will actually protect their website are in place. A possible explanation for why companies push those services is that many security companies don’t understand, or don’t actually care about, security.

Yet another example of this that we came across is Secure This, a company that wants to sell you automated vulnerability scanning for various software, including Joomla. Your average Joomla based website doesn’t need this, because the software in use would already have been tested against these automated scanners and any security vulnerabilities still to be found would not be spotted by them. What you instead want to do is keep the software up to date, so that when security vulnerabilities are found you are protected by the latest version of the software. The importance of keeping Joomla and its extensions up to date isn’t just our advice; Joomla says that keeping them updated is one of the “most important guidelines” for keeping your website secure. Secure This doesn’t feel they need to do that with their own website though:

Secure This is Running Joomla 3.1.1

The latest version of Joomla 3.x, 3.1.5, included a fix for a critical priority security vulnerability, so if Secure This cared about the security of their own website they would have made sure to upgrade promptly in August, when 3.1.5 was released.

If you don’t want to handle keeping Joomla updated you can hire us to do it for you.

MIT Website Running on Very Outdated Version of Apache HTTP Server

When it comes to website security, even institutions that you would think would be among the best able to protect themselves get hacked. In January the Massachusetts Institute of Technology’s (MIT) website was hacked on multiple occasions. While that is surprising in itself, what is more surprising is that more than six months later MIT is still not taking care of the security of their website.

With our Server Details web browser extension you can see that MIT is using an outdated version of the Apache HTTP Server to run their website:
MIT's Website is Running on Apache 1.3.41

The version they are using is not just a little out of date. Support for Apache HTTP Server 1.3 ended back in February of 2010, so MIT should have upgraded to a newer version three and a half years ago.
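The checks behind the browser extensions mentioned in these posts come down to reading the version strings servers volunteer and comparing them against the current release. The script below is an added example, not the extensions’ own code: it pulls the Apache and PHP versions from the Server and X-Powered-By headers and the WordPress version from the generator meta tag WordPress emits on its pages, then flags anything older than the thresholds the posts cite (Apache 1.3 end of life, PHP 5.3.14 as the release after 5.3.13, WordPress 3.5.2 as the current security release). The sample response is constructed; the thresholds and the header/tag locations are assumptions encoded from the text, not fetched from anywhere.

```python
"""Fingerprint a web stack from one HTTP response and flag out-of-date versions.

Added example for illustration; the sample response below is constructed.
"""
import re
from typing import Dict, List, Tuple

# Thresholds taken from the posts (assumption: hard-coded, not fetched live).
MINIMUM_VERSIONS = {
    "Apache": "2.0.0",      # Apache 1.3 support ended February 2010
    "PHP": "5.3.14",        # the release after 5.3.13 that fixed known issues
    "WordPress": "3.5.2",   # security release the posts quote
}

# Where each product leaks its version in response headers.
HEADER_PATTERNS = {
    "Apache": ("server", re.compile(r"Apache/(\d+(?:\.\d+)+)")),
    "PHP": ("x-powered-by", re.compile(r"PHP/(\d+(?:\.\d+)+)")),
}

# WordPress announces itself in a generator meta tag on front-end pages.
WP_GENERATOR = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+(\d+(?:\.\d+)+)["\']',
    re.IGNORECASE,
)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.3.41' into (1, 3, 41) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.split(".") if part.isdigit())


def fingerprint(headers: Dict[str, str], body: str) -> Dict[str, str]:
    """Return {product: version} for every version string found in the response."""
    lowered = {name.lower(): value for name, value in headers.items()}
    found: Dict[str, str] = {}
    for product, (header, pattern) in HEADER_PATTERNS.items():
        match = pattern.search(lowered.get(header, ""))
        if match:
            found[product] = match.group(1)
    match = WP_GENERATOR.search(body)
    if match:
        found["WordPress"] = match.group(1)
    return found


def outdated(found: Dict[str, str]) -> List[str]:
    """One alert line per product that is older than its minimum version."""
    alerts = []
    for product, version in found.items():
        minimum = MINIMUM_VERSIONS.get(product)
        if minimum and parse_version(version) < parse_version(minimum):
            alerts.append(f"{product} {version} is older than {minimum}")
    return alerts


# Constructed sample: the header values and page body are made up for this example.
SAMPLE_HEADERS = {
    "Server": "Apache/1.3.41 (Unix)",
    "X-Powered-By": "PHP/5.3.13",
}
SAMPLE_BODY = (
    '<html><head><meta name="generator" content="WordPress 3.4.2" />'
    "</head><body></body></html>"
)

if __name__ == "__main__":
    for line in outdated(fingerprint(SAMPLE_HEADERS, SAMPLE_BODY)) or ["nothing flagged"]:
        print(line)
```

A server that strips the version from its Server header, or a site that removes the generator tag, simply produces no finding here; that hides the version from this kind of check but does nothing about the vulnerabilities themselves, so an empty result should not be read as “up to date”.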

What does it say that even after getting hacked multiple times a major institution is not taking the security of their website seriously?

Outbrain Website Running Outdated and Insecure Version of WordPress

Yesterday a number of major news websites were attacked due to a breach at Outbrain, a provider of widgets that display content recommendations. While the breach of Outbrain utilized social engineering, it is clear that Outbrain isn’t properly handling the security of their systems, as they don’t even take basic security measures with their own website. One of those basic measures is keeping the software running a website up to date, which Outbrain hasn’t been doing:

Outbrain is Running WordPress 3.3.2

Not only is that version over a year out of date, but they have failed to apply four updates that included security fixes (3.4.1, 3.4.2, 3.5.1, and 3.5.2). The release announcement for 3.5.2 included the warning:

This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

Considering how easy it is to update WordPress, their customers should be worried about what else they are failing to do.

Acunetix Website Running Outdated and Insecure Version of WordPress

In our dealings with the security of websites, one of the biggest obstacles to improving security is that basic security measures are often not taken, while lots of companies are trying to push additional security measures that are not needed in most situations and in many cases are not going to provide additional protection against threats. A major cause of this seems to be that many companies providing security services are not actually concerned about security, whether for their own website or yours. Acunetix provides a good example of this. Acunetix is the maker of a vulnerability scanner for websites and promotes itself as the “worldwide leader in web application security”. Their scanner has a number of features specifically for looking for vulnerabilities in WordPress, including checking for outdated plugins. Based on all of that you would expect that they would be making sure to take the basic step of keeping the installation of WordPress running their website up to date, but surprisingly you would be wrong:

Acunetix is Running WordPress 3.5.1

It has now been nearly two months since WordPress 3.5.2, which included several security fixes, was released. In the release announcement for that version users were warned:

This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

When a company providing the tools to keep websites secure is failing to take care of basic security measures on their own website it doesn’t bode well for website security improving in the near term.

OpenX Doesn’t Take Security Seriously

Earlier this week it was discovered that the downloads of OpenX 2.8.10 had at some point been modified to include malicious code that allowed remote code execution. OpenX’s blog post about the incident starts with the claim that “OpenX takes security seriously.” This isn’t the first time they have made that claim in a blog post (that previous blog post has the dubious distinction of being the third post named Security Matters on their blog). The claim is hard to square with what happened in this instance, especially in light of previous events. Unlike the issues mentioned in those previous blog posts, which involved unintentional security vulnerabilities, in this case someone was able to gain access to OpenX’s website and modify files on it to include malicious code without being detected. It only came to light that the files had been modified after the vulnerability added to the download was being actively exploited.

That isn’t something that should happen, and it would be a big red flag that security isn’t taken seriously even if it had only happened once. But this doesn’t seem to be the first time that OpenX’s website has been breached. It appears that their website was previously breached and used to exploit OpenX ad servers in April of last year. OpenX 2.8.10 wasn’t released until September of last year, so this most recent issue would have come either from a subsequent breach or from them not shutting off the attacker’s access after the first breach was detected.

Their post emphasizes that their other products were not impacted by the vulnerability in the downloads, but considering they were breached and didn’t detect it, it is reasonable to be concerned that the breach may have reached other parts of their systems. Their post gives no indication that they made any check to ensure that isn’t the case.

The claim that they take security seriously is even harder to believe in light of the fact that they fail to take basic security measures with their website even after having it breached at least twice. This can be seen in their use of an outdated version of WordPress on the very blog where they are claiming to take security seriously:

OpenX Blog is Running WordPress 3.4.1

WordPress 3.4.1 is eleven months out of date and there have been three updates with security fixes released since (3.4.2, 3.5.1, and 3.5.2). The announcement for 3.5.2, released on June 21, included this message, which OpenX has ignored:

This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

WordPress is very easy to update, so if they can’t manage that it seems likely that they are also failing to take the more complicated security measures that are needed when a website is being targeted, as theirs has been.

OpenX Ignores Security Issue

Back in July of last year we sent an email to OpenX’s security email address to inform them that there was a vulnerability in the Zend Framework that ships with OpenX. We never heard anything back from them and the vulnerable file has still not been updated in OpenX.

WPTemplate.com Spreads Bad Information on Securing WordPress

When it comes to the security of WordPress there are unfortunately a lot of people out there spreading bad information. We were on the receiving end of one of these in the past few days. We received an email from xpedientdigitalmedia.com trying to get us to promote an infographic on WordPress security from their website WPTemplate.com. You can tell how much they care about security when you see this:

WPTemplate.com is Running WordPress 3.5.1

Keeping WordPress up to date is one of the basic security measures that you need to be taking to make sure your website is secure. If you run a website about WordPress you have no excuse for not keeping it up to date, especially when the release notice for the new version, released last month, warns:

This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

Amazingly, their security advice includes making sure to keep WordPress up to date, but they don’t follow it themselves, and you shouldn’t take the rest of their advice either.

It really isn’t worth going through all of the bad information they managed to pack into their infographic, but here are a couple of really bad pieces of advice:

One of their security recommendations is “Do not install WordPress themes that are available for free.” Something being free doesn’t make it insecure and something costing money doesn’t make it secure. WordPress itself is free; would that make it insecure? Do they think the free themes on the WordPress website are insecure?

The second one is a doozy. They claim that one of the “most common ways that result in the site being hacked” is “approving comments that are non relevant”. This isn’t a way to be hacked at all, much less a common one. If approving a comment could lead to your website being hacked, that would be a huge security vulnerability and the solution wouldn’t be to stop approving irrelevant comments. What would stop someone from exploiting the vulnerability with a relevant comment instead?

Unfortunately their bad advice isn’t just on their website. A lot of websites have taken up their offer to republish the infographic, including noupe, WP Daily Themes, and WP Daily. Incidentally, WP Daily titled their post on WordPress 3.5.2 UH OH. WP 3.5.2 SECURITY UPDATE. DO THIS NOW. and yet they didn’t:

WP Daily Website is Running WordPress 3.5.1

A Step To Actually Improve WordPress Security

Currently if a plugin in the WordPress.org Plugin Directory is found to have a security vulnerability and it is not fixed the plugin is removed from the Plugin Directory. Unfortunately anyone who is already using the plugin is not provided any alert that the plugin is known to be insecure. We have been pushing for this situation to be handled properly for some time. Until an alert is added in WordPress itself, you can get a more limited version of this functionality using our No Longer in Directory plugin.

Checkmarx Website Running Outdated and Insecure Version of WordPress

In yet another sad sign of how bad internet security is these days, a security company named Checkmarx released findings on security vulnerabilities in WordPress plugins (PDF) while running their own website on an outdated and insecure version of WordPress:

Checkmarx Website is Running WordPress 3.4.1

Checkmarx has failed to apply the last two security releases of WordPress: WordPress 3.4.2, which was released in September of 2012, and WordPress 3.5.1, which was released in January.

In their report one of their recommendations is keeping plugins up to date:

3. Ensure all your plugins are up to date
Do not ignore all those notification emails of an upgraded plugin version. You can even use a
purposeful WordPress plugin that notifies admins on updates to other installed plugins.
There are also third party services which provide a plugin update notification and
management offering.

How is it that security companies that seem to understand basic security practices fail to take them with their own websites?

Also, on Checkmarx’s website they tout they are a member of the Open Web Application Security Project (OWASP), which we recently noted also runs their website on outdated and insecure software.

Another Security Recommendation for WordPress Plugins

Checkmarx’s report is missing one important step that should be taken related to security of WordPress plugins. Currently if a plugin in the WordPress.org Plugin Directory is found to have a security vulnerability and it is not fixed the plugin is removed from the Plugin Directory. Unfortunately anyone who is already using the plugin is not provided any alert that the plugin is known to be insecure. We have been pushing for this situation to be handled properly for some time. Until an alert is added in WordPress itself, you can get a more limited version of this functionality using our No Longer in Directory plugin.
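The gap described in the two passages above on plugins removed from the Plugin Directory can be checked from outside WordPress as well. The script below is an added example, not the No Longer in Directory plugin’s own code: for each installed plugin slug (assumed to be the wp-content/plugins directory name) it asks the WordPress.org plugin information API whether the slug is still listed and what the current version is, and reports plugins that are gone from the directory or behind the listed version. The endpoint URL and the assumption that an unknown slug comes back as a JSON object with an “error” key are mine; the directory responses used for the offline run are constructed.

```python
"""Audit installed WordPress plugins against the WordPress.org Plugin Directory.

Added example for illustration.  Assumption: the info API below returns the
plugin's metadata (including "version") for a listed slug and a JSON object
with an "error" key for a slug that is not (or no longer) in the directory.
"""
import json
import urllib.request
from typing import Callable, Dict, Tuple

PLUGIN_INFO_URL = "https://api.wordpress.org/plugins/info/1.0/{slug}.json"


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.2' -> (1, 2) so versions compare numerically."""
    return tuple(int(part) for part in text.split(".") if part.isdigit())


def fetch_plugin_info(slug: str) -> dict:
    """Live directory lookup; only used when no lookup function is injected."""
    with urllib.request.urlopen(PLUGIN_INFO_URL.format(slug=slug), timeout=10) as resp:
        return json.load(resp)


def audit_plugins(
    installed: Dict[str, str],
    lookup: Callable[[str], dict] = fetch_plugin_info,
) -> Dict[str, str]:
    """Map each installed slug to 'current', 'outdated (...)' or 'removed from directory'.

    installed maps the plugin's directory name to the version declared in its
    main plugin file (assumption: that is how the caller collected it).
    """
    report: Dict[str, str] = {}
    for slug, local_version in installed.items():
        info = lookup(slug)
        if "error" in info or "version" not in info:
            # Gone from the directory: the case the text above describes, where
            # WordPress itself gives the site owner no warning at all.
            report[slug] = "removed from directory"
        elif parse_version(local_version) < parse_version(info["version"]):
            report[slug] = f"outdated ({local_version} < {info['version']})"
        else:
            report[slug] = "current"
    return report


# Constructed stand-in for the directory so the example runs offline;
# the slugs and versions are made up for this example.
CONSTRUCTED_DIRECTORY = {
    "example-contact-form": {"version": "2.1"},
    "example-slider": {"version": "1.4"},
}


def offline_lookup(slug: str) -> dict:
    return CONSTRUCTED_DIRECTORY.get(slug, {"error": "Plugin not found."})


# Constructed list of installed plugins and their declared versions.
SAMPLE_INSTALLED = {
    "example-contact-form": "2.1",
    "example-slider": "1.2",
    "abandoned-widget": "0.9",
}

if __name__ == "__main__":
    for slug, status in audit_plugins(SAMPLE_INSTALLED, lookup=offline_lookup).items():
        print(f"{slug}: {status}")
```

A plugin can drop out of the directory for reasons other than an unfixed vulnerability (the author asking for removal, a guideline violation), so “removed from directory” is a prompt to find out why, not a confirmed vulnerability; that is also why the post describes its plugin as a more limited version of the alert WordPress itself should provide.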

CIO.gov Running Outdated and Insecure Version of WordPress

In the recent past we have mentioned that the websites of the White House, the Department of Homeland Security, and FEMA are failing to take the basic security step of keeping the software powering their websites up to date. It should not then come as too much of a surprise to see this:

CIO.gov is Running WordPress 3.4.2

CIO.gov is the website of the U.S. Chief Information Officer and the Federal CIO Council, and on the website it is described as “serving as a central resource for information on Federal IT” and “identifying best practices”.

Since the website is running WordPress 3.4.2, they have failed to update WordPress for seven months and, more importantly, failed to update when a security release was put out back in January.

With the US government’s and the CIO Council’s claimed focus on cybersecurity it is troubling that they are failing to do something so basic. It also raises questions about one of the CIO Council’s areas of cybersecurity focus, “Continuous Monitoring”:

Continuous monitoring is a risk management approach to cybersecurity that maintains an accurate picture of an agency’s security risk posture, provides visibility into assets, and leverages use of automated data feeds to quantify risk, ensure effectiveness of security controls, and implement prioritized remedies. A well-designed and well-managed continuous monitoring program can effectively transform an otherwise static security control assessment and risk determination process into a dynamic process that provides essential, near real-time security status.

In today’s environment of widespread cyber-intrusions, advanced persistent threats, and insider threats, it is essential for agencies to have real-time accurate knowledge of their enterprise IT overall security posture. Agencies need to constantly know and remain aware of their enterprise security status so that responses to external and internal threats can be made swiftly.

If continuous monitoring is being used for their own website it isn’t working. If it isn’t being used, you have to wonder why it is one of their focuses when they haven’t even started using it themselves.

Wired’s Threat Level Blog Running Outdated and Insecure Version of WordPress

Keeping the software running a website up to date is an important part of keeping it secure, but, as we have been focusing on a lot lately, organizations that you would expect to be up to the task of handling their security are failing to do that. Whether it is web security companies, a web security organization, or major government websites (the DHS did finally get their website up to date, though), they are all failing to take this easy security step. We can now add web security journalism to this list.

Here is the WordPress version powering Wired’s Threat Level blog, which covers “Privacy, Crime and Security Online”:

Wired's Threat Level blog is Running WordPress 3.4.2

Since they are running 3.4.2, they have failed to update WordPress for seven months and, more importantly, failed to update when a security release was put out back in January. If an important source of security information isn’t aware that they need to keep their website up to date, it isn’t a good sign that others are getting that information either.