Bad Security

NATO’s Allied Command Transformation Website Running Outdated and Unsupported Version of Joomla

NATO ministers meet last week and discussed improving their cybersecurity. A bad sign for their current handling of cybersecurity is the website of NATO’s Allied Command Transformation, which is running an outdated and unsupported version of Joomla:

Security updates for Joomla 1.5 ended in September of 2012, so the website should have been migrated to a supported version of Joomla – currently versions 2.5 and 3.1 – some time ago .

Keeping the software powering a website up to date is a basic measure needed to be taken to keep it secure and it is relativity easy in comparison to what NATO needs to do to fully secure all of their systems.

It might be reasonable to cut NATO some slack on their failure to keep up to date considering that Joomla is still running Joomla 1.5 on a number of their websites:

Joomla Extensions Directory is Running Joomla 1.5 Joomla Community Portal is Running Joomla 1.5 Joomla Resource Directory is Running Joomla 1.5

Impermium Has Web Security and Spam Issues of Their Own

Impermium promotes itself as “Protecting the Web from Security Threats“, that they are “run by leading anti-spam and cybersecurity experts“, and that they have “a cutting-edge comment spam filter“; but a quick look shows that they can’t even handle web security and spam on their own website.

Keeping software running on a website up to date is one of the basic website security measures that should be taken, so a company run by “cybersecurity experts” is going to be doing that right? Wrong:

Not only have they failed to update WordPress for over six months, but they failed to update when a security release was put out back in January. WordPress makes it very easy to update, so there isn’t any excuse for not doing it. They are not alone in this; a few weeks ago we mentioned that that the web security company StopTheHacker also was running the same outdated version of WordPress. What does it say that web security companies either don’t know the basics of website security or don’t care about it?

As for spam, here is the Impermium Knowledge Base:

If you are an anti-spam company you shouldn’t miss spam entries like “Significant Bad Credit Loans for Debt Consolidation Loan” and “Know how different types of loans could benefit you” in your Knowledge Base.

StopTheHacker: A Website Security Company That Doesn’t Care About Security

They are many companies providing hack/malware cleanup services for websites that are based around providing detection that a website has been compromised. This isn’t really necessary as a properly secured website is very unlikely to be compromised. Unfortunately, from what we have seen of these services, when they do a cleanup they don’t actually determine how the website was hacked in the first place, fix that issue, and make sure the website is otherwise secured (including updating any software running on the website). Doing those things are fundamental components of a proper cleanup and they website will remain vulnerable if they are not done.

Too often we have clients that come to us after having hired one of these services and had their website continue to be hacked. The client ends up paying to have the website cleaned up twice (or more) and suffering additional costs related to the continued issue with their website instead having it fixed the first time.

Our experience has also been that these services are not good at actually detecting hacks, so your website is not only left vulnerable to being hacked again, but you may not even get alerted that it has been hacked again. Detecting that website has been hacked quickly instead of preventing it from being hacked is also of little use in some instances. For example, if your website is hacked and your customer’s information is compromised no matter how fast afterwards that it gets detected, the damage has already been done and the information is in the hands of the hacker.

This brings us to StopTheHacker, which based on their name you would assume would be focused on actually protecting websites from hackers. Unfortunately for their customers that isn’t the case. If you look at the features of their service they are mainly focused on detecting that a website has already been hacked instead of making it secure in the first place. That would be bad on its own, but if you are using our Meta Generator Version Check extension, which is available for Chrome and Firefox, and you visit their website you will find something even more surprising:

That’s right a website security company is failing to take the basic security measure of keeping software running their website up to date, which in the case of WordPress is very easy to do. Not only has StopTheHacker failed to update WordPress for over six months, but they failed to update when a security release was put out back in January.

If StopTheHacker actually did the “Vulnerability Assessments” they claim to do as part of their service, they would be aware that their own website is insecure. Or maybe they don’t use their own service? That would say a lot about what they think of it, wouldn’t it?

A company shouldn’t have anything to do with website security if they don’t care about the security of their own website like the StopTheHacker clearly does not, so we strongly recommend you avoid StopTheHacker and focus on doing the things that will actually protect your website instead of using services like theirs that will leave your website insecure.

FEMA Website Running Outdated and Insecure Version of Drupal

Last week we mentioned that Department of Homeland of Security (DHS) is failing basic cybersecurity practices by not keeping the software running on their website up to date with security updates. It is probably not surprising that agencies under the DHS are also leaving their websites vulnerable to known security vulnerabilities because they are failing to keep the software running on them up to date. That includes the Federal Emergency Management Agency (FEMA), which if you visit their website with our Drupal Version Check extension installed in your web browser (available for Chrome and Firefox) you will see is also running an outdated version of Drupal:

Further checking shows that the website is running Drupal 7.17 or 7.18, so FEMA has failed to update the software for over three months, the next version was released back in January, and they have missed the last two security updates.

OWASP Website Running Outdated and Insecure Version of MediaWiki

The Open Web Application Security Project (OWASP) promotes itself as being “focused on improving the security of software”, but unfortunately they don’t even bother to keep the software running their website up to date. If you visit their website with our Meta Generator Version Check extension installed in your web browser (available for Chrome and Firefox) you will see that they are running an outdated version of MediaWiki:

OWASP has failed to update their MediaWiki installation for over a year, the next version, 1.18.1, was released in January of 2012. They failed to apply any of the five security updates that were released for version 1.18.x. Support for version 1.18.x of MediaWiki ended back in November, so they also should have moved to a supported version some time ago.

Keeping software up to date is one the basic steps and easier steps to keep software running a website secure. The fact that a project dedicated to security is failing to do that highlights how bad the state of security is and raises the questions if the security community is in fact actually interested in security.

White House Website Running Outdated and Insecure Version of Drupal

While “President Obama has declared that the “cyber threat is one of the most serious economic and national security challenges we face as a nation” and that “America’s economic prosperity in the 21st century will depend on cybersecurity.”“, the White House is failing to take a basic security measure with their website. If you visit the website with our Drupal Version Check extension installed in your web browser (available for Chrome and Firefox) you will see that they are running an outdated version of Drupal:

Further checking shows that the website is running Drupal 6.26 or 6.27, so the White House failed to apply one or two security updates. Keeping software up to date is one the basic steps and easier steps when it comes to cybersecurity and the White House is failing at that.

Updating between versions of Drupal 7 is relatively easy, so there isn’t any excuse for an organization with its resources to not be able to keep it up to date.

DHS Website Running Outdated and Insecure Version of Drupal

Ahead of a vote on the CISPA legislation the head of the Department of Homeland Security (DHS) will be briefing members of the House of Representatives today on cybersecurity. Maybe the briefing should be on how not to do cybersecurity as the DHS is failing to take a basic security measure with their website. If you visit their website with our Drupal Version Check extension installed in your web browser (available for Chrome and Firefox) you will see that they are running an outdated version of Drupal:

Keeping software up to date is one the basic steps and easier steps when it comes to cybersecurity and the DHS is failing at that. The larger question that this raises is what else they might be failing to do when it comes to cybersecurity, since they fail to do something so basic.

Further checking shows that the website is running Drupal 7.14, so the DHS has failed to update the software for over 8 months, the next version was released back in August of 2012, and they have missed the last 4 security updates.

Kaspersky Lab’s US Website Running Outdated and Insecure Version of Drupal

When it comes to internet security one of the most basic steps is keeping your software up to date. In sign of how poor the state of internet security is, even security companies are not taking such a basic step. The US website of Kaspersky Lab, which the New York Times has described as “Europe’s largest antivirus company“, is running a very out of date version of Drupal:

Kaspersky Lab has failed to update the software for over two years, the next version Drupal 6.20 was released back in December of 2010, and they have missed the last 4 security updates. Updating between versions of Drupal 6 is relatively easy, so there isn’t any excuse for a tech company not being able to keep it up to date.

Kaspersky Lab is not alone in this, last year we posted about Panda Security’s failure to update software running their websites even after some of their websites had been hacked.

You can check if Drupal websites you visit are keeping the software up to date with our Drupal Version check extension for Chrome and Firefox.

SC Magazine Australia Blames WordPress Plugins for Unrelated Hack

SC Magazine Australia’s recent article “50,000 sites compromised in sustained attack” incorrectly claims that WordPress was associated with a past malware campaign and tries to link general security issues to WordPress. As we continue to see the harmful impact of the bad security information, particularly when it involves WordPress, we want to clear up some of the claims in the article and fill in the critical missing information on actually protecting against security vulnerabilities in WordPress plugins.

The most blatant error in the article comes near the end of the article where it is stated that “Vulnerabilities in WordPress plugins have been long understood. Last year, large malware campaigns including the LizaMoon attacks exploited those holes” The LizaMoon attack was part of a frequently hyped multiyear campaign that targets ASP and ColdFusion based websites that have fairly basic SQL injection vulnerabilities. It had nothing to do with WordPress or any WordPress plugins. The link they provide about the LizaMoon attack makes no mention of WordPress and we are not aware of any source that ever claimed that it had a connection with WordPress. The rest of the article isn’t much better. Earlier it says:

Attackers targeted holes in a string of plug-ins for blogging software — such as WordPress— including timthumb, uploadify and phpmyadmin.

None of those things are themselves plugins for WordPress or other blogging software, nor is blogging software the only thing targeted by hackers. We probably deal with as many websites that are hacked due to outdated Joomla extensions as WordPress plugins, so there doesn’t appear to be a good reason to spotlight WordPress for special attention as the article did.

phpMyAdmin is web based administration tool for MySQL database. Several years ago there was WordPress plugin that added phpMyAdmin to WordPress which contained an exploitable vulnerability, but at this point it isn’t a major target of hackers as the plugin was removed back then. phpMyAdmin itself is frequently probed for on our website, so that is likely why phpMyAdmin would be listed as being targeted. That doesn’t explain why it be listed as a being a plugin for WordPress or other blogging software, though.

The TimThumb and Uploadify libraries are included in some WordPress plugins and those have been targeted (though since we last discussed recent serious security vulnerabilities in WordPress plugins we have seen attackers expand from targeting just the recent Uploadify based vulnerabilities to the other upload vulnerabilities recently identified).

Later in the article it claims then claims that Plesk is being targeted (web hosts are not always good about keeping that up to date), so it appears somebody involved in the article just threw together an incomplete list of software that gets targeted without any specific relation to the malware mentioned, while singling out WordPress.

Another worrisome aspect of the article is that it cites a “malware researcher” from Sucuri, the company that has a malware scanner that doesn’t actually bother to scan a website for malware before falsely flagging it.

Protecting Against WordPress Plugin Vulnerabilities

What the article lacks, as stories about hacks often do, is any information on protecting websites from the vulnerabilities they are warning about. For WordPress plugin vulnerabilities, you would hope the answer is to update your plugins, as by the time a vulnerability is being exploited it should have already been patched. Unfortunately, in an analysis of WordPress plugin vulnerabilities in the second quarter of 2012, that we just did, we found that a fourth of the plugins had not been fixed (we will have a post with the full details of the analysis in the next few days). What makes this even worse is that most of the vulnerabilities in those plugins were serious vulnerabilities that are the most likely to lead to website being hacked. So what happens when plugins are not fixed?

When the maintainers of the WordPress.org Plugin Directory are made of aware of a security vulnerability in a plugin they will remove the plugin from the directory until it is fixed. Unfortunately, when we started looking into this earlier this year we found that many plugins had never been reported and had remained in the directory including one in which hackers were attempting to exploit at the time. Since then we have been making sure that any plugins with reports of unresolved security vulnerabilities are reported and appropriate action is taken (we have also been warning them about security issues that impact plugins, including notifying them about the recent Zend Framework vulnerability that impacted several plugins). While removing the plugins until they are fixed prevents any additional websites from being exposed to the vulnerabilities, websites already using the plugins don’t receive any warning and remain vulnerable as we have discussed before. The process of adding alert in WordPress when plugins that have been removed from the Plugin Directory are installed has begun and you can help to make sure it is given a high priority by voting for implementing that change. Until an alert is added in WordPress itself, you can get a more limited version of this functionality using our No Longer in Directory plugin (we released update for the plugin, with new vulnerabilities, at the beginning of the week).

Panda Security Still Fails to Take Basic Security Measure Months After Being Hacked

Nearly four months ago a Panda Security web server was hacked into and about two dozen of their websites were defaced, including the PandaLabs Blog. It is probably reasonable to be concerned that a major computer security company isn’t able to keep their websites from being hacked, but once they have been hacked the more important issue is how they respond going forward. Do they promptly take actions to insure they are now following best security practices or do they do the least possible to resolve the issue?

When it comes to website security, the number one thing you are probably are going to hear is that you need to keep your software up to date. By doing this you prevent a known vulnerability in the software from being exploited (assuming the software’s developers promptly fix security issues). When it comes to keeping web software up to date WordPress is one of the best, if not the best, at making the update process easy, so we would expect that any WordPress installs Panda Security is running would be up to date now if they had taken the hacking seriously. Let’s take a look if they have done that:

The PandaLabs Blog:

The blog for their support forum:

The Panda Research Blog (which admittedly hasn’t been active for nearly a year):

All three WordPress installs we found were using a year and half old version of WordPress. There have been eight releases with security improvements since WordPress 3.0.4 was released.