Joomla Hack Cleanup Providers Don’t Care About the Security of Their Own Websites

We are frequently hired to clean up websites that another company was previously hired to clean up but that have since been hacked again (or weren’t actually cleaned up in the first place). In some cases we wouldn’t lay the blame on the company: sometimes hacks are well hidden and getting them cleaned up can take more than one cleanup (which you shouldn’t be charged extra for), and in other cases there are security issues that the company doing the cleanup can’t handle. For example, if your web host has a security issue then they are the only ones who can fix that. What we find in most instances, though, is that the company doing the hack cleanup has not done the basic elements of the hack cleanup.

When someone contacts us about cleaning up a website that was previously cleaned, the first question we ask is whether the first company determined how the website was hacked. Determining how the website was hacked is an important part of the cleanup, as if you don’t know how it was hacked you won’t know whether the security issue that allowed the website to be hacked has been fixed. Considering that the websites have been hacked again it isn’t surprising that the answer we hear over and over is that they didn’t. But it isn’t just that they didn’t determine how the website got hacked; the companies didn’t even try to determine how the website was hacked. Either these companies are knowingly cutting corners or they don’t care enough about the service they are providing to know what work they should be doing. In either case what they are doing is highly unethical.

We don’t ask our clients who they previously hired, but they do bring it up from time to time. During a recent cleanup of a Joomla website the previous company was mentioned, and when we went to their website we noticed that they were running an outdated version of Joomla. Keeping the software running on a website up to date is a basic security measure, so any company that doesn’t bother to do that really shouldn’t have anything to do with the security of other people’s websites. We took a look around at companies advertising to clean up Joomla websites and we found that all of the companies were running out of date software. As a warning to the public, and as a reminder of how bad the current state of companies providing security services is, we have highlighted them below:

Dean Marshall Consultancy (http://www.deanmarshall.co.uk/)

Dean Marshall Consultancy is Running Joomla 1.5

Support for Joomla 1.5 ended in September 2012, so websites shouldn’t be running it anymore (though many, including joomla.org, are still using it, as we mentioned yesterday). As part of cleaning up a hacked website still running Joomla 1.5 you will eventually want to migrate it to a newer version, which doesn’t seem like a task for a company that still hasn’t done it for their own website.

Joomla Help Live (http://joomla.cmshelplive.com/)

Joomla Help Live is Running Joomla 1.7

Joomla 1.7 is over two years out of date and, more importantly, it has a serious security vulnerability that we have seen being exploited.

PennZac (http://www.pennzac.com/)

PennZac is Running Joomla 3.0.3

Joomla 3.0.3 is ten months out of date and there have been four subsequent versions with security updates.

US Joomla Force (http://www.usjoomlaforce.com/)

US Joomla Force is Running Joomla 2.5.11

Joomla 2.5.11 is seven months out of date and there have been two subsequent versions with security updates.

itoctopus (http://www.itoctopus.com/)

itoctopus is Running WordPress 2.8.5

WordPress 2.8.5 is over four years out of date and there have been 17 subsequent versions with security updates.

Joomla 1.5 Still Widely Used Despite Support Ending in September of 2012

When it comes to making sure websites are secure, one of the basic things that needs to be done is to keep the software up to date. For Joomla that currently means running either the latest version of Joomla 2.5 or 3.2. We continue to clean up many hacked websites that are still running Joomla 1.5, for which support ended in September of 2012. While most of the hackings are due to security issues unrelated to the outdated version of Joomla, it is a concern that so many are still running Joomla 1.5. To get a better understanding of how widespread the use of Joomla 1.5 is, we have compiled the data on what versions were found on the websites checked with the online version of our Joomla Version Check tool (which is also available as a web browser extension for Firefox and Chrome) during January.

As can be seen in the pie chart below, 31 percent of the websites checked during the month were running Joomla 1.5 and 2 percent were still running Joomla 1.0, for which support ended in July of 2009.

Joomla versions found during January: 1.0: 2.15%, 1.5: 30.96%, 1.6: 0.99%, 1.7: 3.48%, 2.5: 50%, 3.0: 1.16%, 3.1: 5.30%, 3.2: 4.30%, 3.x: 1.66%

Some, if not most, of the blame for this should go to the Joomla developers, who didn’t provide an easy path to move to a newer version. Instead of being able to upgrade to a newer version of Joomla, a more complicated migration needs to be done, and curiously the developers did not provide a tool to do that, relying on third party tools to handle it. We have found that some of those tools provide rather poor results. The difficulty in moving to a newer version is probably best highlighted by the fact that portions of the Joomla website are still running Joomla 1.5, including the Extensions Directory:

Joomla Extensions Directory is Running Joomla 1.5

The other very concerning stat that shows up in the data is that 6 percent of the websites were running a Joomla version between 1.6 and 2.5.2. Last month we discussed that a serious vulnerability in those versions of Joomla is being exploited and that people still running those versions need to upgrade as soon as possible. Unlike migrating from Joomla 1.5, upgrading those installations to the latest version of Joomla 2.5 is fairly easy, so the fact that they remain unpatched shows that the handling of security on Joomla websites is in need of improvement.
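As an added example (not the post’s own Joomla Version Check tool), the following Python classifies a site’s Joomla version string using the support-end dates and the 1.6 to 2.5.2 vulnerable range stated above, and tallies a sample of versions by branch the way the chart does. The sample version list and the latest-per-branch mapping are constructed assumptions; the post names no exact current patch levels.

```python
"""Classify Joomla version strings and tally them by branch.

Added example, not the post's Joomla Version Check tool. The support-end
dates and the 1.6-2.5.2 vulnerable range are taken from the post; the
sample version list and the latest-per-branch mapping are constructed.
"""
import re
from collections import Counter

# Support-end dates stated in the post.
EOL_BRANCHES = {"1.0": "July 2009", "1.5": "September 2012"}

# Inclusive range the post says carries an actively exploited vulnerability.
VULNERABLE_LOW, VULNERABLE_HIGH = (1, 6, 0), (2, 5, 2)


def parse_version(text):
    """Turn '2.5.11' into (2, 5, 11); a missing patch number becomes 0."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised Joomla version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def branch(version):
    """Branch label used for tallying, e.g. (2, 5, 11) -> '2.5'."""
    return f"{version[0]}.{version[1]}"


def assess(text, latest=None):
    """Return a status string for one site's version.

    `latest` maps a branch to its newest release (constructed by the caller,
    since the post names no exact current patch levels).
    """
    v = parse_version(text)
    b = branch(v)
    if b in EOL_BRANCHES:
        return f"unsupported: {b} support ended {EOL_BRANCHES[b]}"
    if VULNERABLE_LOW <= v <= VULNERABLE_HIGH:
        return "vulnerable: in 1.6-2.5.2 range, update to latest 2.5 now"
    if latest and b in latest and v < parse_version(latest[b]):
        return f"outdated: {text} behind latest {b} release {latest[b]}"
    return "current"


def survey(version_strings):
    """Percentage of sites per branch, the shape of the post's pie chart."""
    counts = Counter(branch(parse_version(s)) for s in version_strings)
    total = sum(counts.values())
    return {b: round(100.0 * n / total, 2) for b, n in sorted(counts.items())}


if __name__ == "__main__":
    # Constructed sample of versions seen across several sites.
    sample = ["1.0.15", "1.5.26", "1.5.26", "1.7.3", "2.5.1", "2.5.11", "3.2.1"]
    # Constructed "latest" mapping; substitute real release data in practice.
    latest = {"2.5": "2.5.11", "3.2": "3.2.1"}
    for s in sample:
        print(f"{s:8} {assess(s, latest)}")
    print(survey(sample))
```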

For those looking for someone to handle keeping Joomla up to date we provide Joomla upgrade services on a one-time and yearly subscription basis.

AT&T Enterprise’s Security Blog Running on Outdated and Insecure Version of WordPress

What we see over and over when it comes to web security is that security providers don’t take basic security measures with their own websites, which doesn’t give much confidence that they will make sure their customers’ security is handled properly, and goes a long way to showing why web security is so bad. We can now add AT&T’s Enterprise division to that group. They provide a variety of security services, including security consulting, which they could probably use for their own website, as their Security Blog is running an outdated version of WordPress:

AT&T Enterprise Security Blog is Running WordPress 3.5.2

Keeping the software running a website up to date is a basic security measure, as it ensures that a known vulnerability in the software can’t be exploited. In AT&T’s case they have failed to update the software in nearly six months and, more importantly, they failed to update after WordPress 3.6.1 was released in September. WordPress 3.6.1 fixed three security issues, including one that could “lead to remote code execution”, and users were strongly encouraged to “update your sites immediately”. Considering how easy it is to update WordPress, AT&T doesn’t have an excuse for not doing it.

More of Rackspace’s Bad Security

We previously touched on Rackspace’s bad security when it comes to their clients, but they also don’t feel the need to take a basic security measure with their own website. That basic security measure being that you should keep the software running on your website up to date. By doing that you prevent your website from being exploited through a known vulnerability in older versions of the software.

Rackspace’s Knowledge Center website is still running Drupal 7.18:

Rackspace's Knowledge Center is Running Drupal 7.18

That version is now a year out of date and Rackspace has failed to apply four security updates (7.19, 7.20, 7.24, and 7.26). Each of those security updates carried the notice that “Sites are urged to upgrade immediately after reading the security announcement.” Updating between versions of Drupal 7 is relatively easy, so there isn’t any excuse for them not to have updated it. It also raises the question of whether Rackspace is handling the rest of their security, much of which is not as visible, as poorly as they are handling this.

Tech News Websites Not Taking Basic Security Measure With Their Websites

When it comes to improving the security of websites, one of the biggest problems we see is that there is so much bad information available on the Internet, especially the information coming from companies trying to sell security products and services. We would hope that news organizations would provide the public with a source for better information, but most of the security reporting we see on technology news websites is just as bad as anywhere else. Their lack of security knowledge also impacts their own websites, as we see that they are not taking basic security measures with their websites and are therefore leaving them vulnerable.

We found three prominent technology news websites that are running very out of date versions of the Drupal software. Keeping software up to date on a website prevents known vulnerabilities from being exploited, and we have found that when vulnerabilities in website software are exploited it is almost always due to a vulnerability that has already been patched in a newer release of the software.

ITworld

ITworld is Running Drupal 6.19

ITworld is running a version of Drupal that is nearly three years out of date – the next version was released in December of 2010 – and they have missed three security releases.

InfoWorld

InfoWorld is Running Drupal 6.16

InfoWorld is running a version of Drupal that is nearly three and a half years out of date – the next version was released in June of 2010 – and they have missed four security releases.

Network World

Network World is Running Drupal 5.14

Network World is in much worse shape than the other two organizations, as they are using Drupal 5, for which support ended back at the beginning of 2011. They haven’t even bothered to at least make sure they are running the most recent version of Drupal 5. In fact they haven’t updated it in over four and a half years – the next version was released in January of 2009 – and they missed the last nine security releases for Drupal 5.

Secure This: A Website Security Company That Doesn’t Care About Security

One of the biggest problems we see with improving the security of websites is that while basic security measures are often not being taken, security companies are trying to sell security services that are not actually needed for most websites. We often see the negative impact of this as people contact us about cleaning up websites and think they need those types of services because those other companies are pushing them, while they don’t want to make sure that the basic security measures that will actually protect their website are done. A possible explanation of why the companies push those services is that many security companies don’t understand or don’t actually care about security.

Yet another example of this that we came across is Secure This, which is a company that wants to sell you automated vulnerability scanning for various software, including Joomla. Your average Joomla based website doesn’t need this because the software in use would have already been tested against these automated scanners, and any security vulnerabilities that remain would not be spotted by them. What you instead want to do is make sure that you keep the software up to date, so that when security vulnerabilities are found you are protected by the latest version of the software. The importance of keeping Joomla and its extensions up to date isn’t just our advice; Joomla says that keeping them updated is one of the “most important guidelines” for keeping your website secure. Secure This doesn’t feel they need to do that with their website though:

Secure This is Running Joomla 3.1.1

The latest version of Joomla 3.x, 3.1.5, included a fix for a Critical Priority security vulnerability, so if Secure This cared about the security of their own website they would have made sure to upgrade promptly in August, when 3.1.5 was released.

If you don’t want to handle keeping Joomla updated you can hire us to do it for you.

Outbrain Website Running Outdated and Insecure Version of WordPress

Yesterday a number of major news websites were attacked due to a breach at Outbrain, a provider of widgets that display content recommendations. While the breach of Outbrain utilized social engineering, it is clear that Outbrain isn’t properly handling the security of their systems, as they don’t even take basic security measures with their own website. One of the basic security measures is keeping the software running a website up to date, which Outbrain hasn’t been doing:

Outbrain is Running WordPress 3.3.2

Not only is that version over a year out of date, but they have failed to apply four updates that included security fixes (3.4.1, 3.4.2, 3.5.1, and 3.5.2). The release announcement for 3.5.2 included the warning:

This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

Considering how easy it is to update WordPress, their customers should be worrying about what other things they are also failing to do.

Acunetix Website Running Outdated and Insecure Version of WordPress

In our dealings with the security of websites, one of the biggest obstacles to improving security is that basic security measures are often not taken, while there are lots of companies trying to push additional security measures that are not needed in most situations and in many cases are not going to provide additional protection against threats. A major cause of this seems to be that many companies involved in providing security services are not actually concerned about security, whether for their own website or yours. Acunetix provides a good example of this. Acunetix is the maker of a vulnerability scanner for websites and promotes itself as the “worldwide leader in web application security”. Their scanner has a number of features specifically for looking at vulnerabilities in WordPress, including checking for outdated plugins. Based on all of that you would expect that they would be making sure to take the basic step of keeping the installation of WordPress running their website up to date, but surprisingly you would be wrong:

Acunetix is Running WordPress 3.5.1

It has now been nearly two months since WordPress 3.5.2, which included several security fixes, was released. In the release announcement for that version users were warned:

This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

When a company providing the tools to keep websites secure is failing to take care of basic security measures on their own website it doesn’t bode well for website security improving in the near term.

WPTemplate.com Spreads Bad Information on Securing WordPress

When it comes to the security of WordPress there are unfortunately a lot of people out there spreading bad information. We were on the receiving end of one of these in the past few days. We received an email from xpedientdigitalmedia.com trying to get us to promote an infographic on WordPress security from their website WPTemplate.com. You can tell how much they care about security when you see this:

WPTemplate.com is Running WordPress 3.5.1

Keeping WordPress up to date is one of the basic security measures that you need to be taking to make sure your website is secure. If you are a website about WordPress you have no excuse for not keeping it up to date, especially when the release notice for the new version, which was released last month, warns:

This is a security release for all previous versions and we strongly encourage you to update your sites immediately.

Amazingly their security advice includes making sure to keep WordPress up to date, but they don’t follow their own advice and you shouldn’t either.

It really isn’t worth going through all of the bad information they managed to pack in to their infographic, but here are a couple of really bad pieces of advice:

One of their security recommendations is “Do not install WordPress themes that are available for free.” Something being free doesn’t make it insecure and something costing money doesn’t make it secure. WordPress is free; would that make it insecure? Do they think that the free themes on the WordPress website are insecure?

The second one is a doozy. They claim that one of the “most common ways that result in the site being hacked” is “approving comments that are non relevant”. This isn’t even a way to be hacked, much less a common one. If adding a comment could lead to your website being hacked that would be a huge security vulnerability, and the solution wouldn’t be to not approve irrelevant comments. What would stop someone from exploiting the vulnerability with a relevant comment instead?

Unfortunately their bad advice isn’t just on their website. A lot of websites have taken up their offer to spread the infographic, including noupe, WP Daily Themes, and WP Daily. Incidentally, WP Daily titled their post on WordPress 3.5.2 “UH OH. WP 3.5.2 SECURITY UPDATE. DO THIS NOW.” and yet they didn’t:

WP Daily Website is Running WordPress 3.5.1

A Step To Actually Improve WordPress Security

Currently if a plugin in the WordPress.org Plugin Directory is found to have a security vulnerability and it is not fixed the plugin is removed from the Plugin Directory. Unfortunately anyone who is already using the plugin is not provided any alert that the plugin is known to be insecure. We have been pushing for this situation to be handled properly for some time. Until an alert is added in WordPress itself, you can get a more limited version of this functionality using our No Longer in Directory plugin.

Checkmarx Website Running Outdated and Insecure Version of WordPress

In yet another sad sign of how bad internet security is these days, a security company named Checkmarx released findings on security vulnerabilities in WordPress plugins (PDF) while running their own website on an outdated and insecure version of WordPress:

Checkmarx Website is Running WordPress 3.4.1

Checkmarx has failed to apply the last two security update releases of WordPress: WordPress 3.4.1, which was released in September of 2012, and WordPress 3.5.1, which was released in January.

In their report one of their recommendations is keeping plugins up to date:

3. Ensure all your plugins are up to date
Do not ignore all those notification emails of an upgraded plugin version. You can even use a
purposeful WordPress plugin that notifies admins on updates to other installed plugins.
There are also third party services which provide a plugin update notification and
management offering.

How is it that security companies that seem to understand basic security practices fail to take them with their own websites?

Also, on Checkmarx’s website they tout they are a member of the Open Web Application Security Project (OWASP), which we recently noted also runs their website on outdated and insecure software.

Another Security Recommendation for WordPress Plugins

Checkmarx’s report is missing one important step that should be taken related to security of WordPress plugins. Currently if a plugin in the WordPress.org Plugin Directory is found to have a security vulnerability and it is not fixed the plugin is removed from the Plugin Directory. Unfortunately anyone who is already using the plugin is not provided any alert that the plugin is known to be insecure. We have been pushing for this situation to be handled properly for some time. Until an alert is added in WordPress itself, you can get a more limited version of this functionality using our No Longer in Directory plugin.