When it comes to security companies we often say that they many of them don’t know and or care about security, which we think explains a lot of why security is in such bad shape these days. One example that we often find of this is that these companies are failing do the basics when it comes to the security of their own websites. We recently looked at one cyber security company that claims to have “clients in the intelligence community, DoD and nearly every cabinet agency” and isn’t bothering to keep the software running the various parts of their website up to date while telling the public they need to take advanced measure to protect their websites. They are not the only cyber security that has failed to that.
CrowdStrike was recently in the news due to their investigating the security breach at the Democratic National Committee (DNC) and placing the blame for it on the Russia government. They offer a variety of products and services intended prevent security breaches and respond after them. They also happen to be running an outdated and insecure version of WordPress on the main portion of their website:
The blog section of their website is running an even older version:
Like the previous case what makes is particularly troubling is that they are not just running an outdated major version of WordPress, version 4.6 was released in August, but they are not running the latest version of 4.5, 4.5.4. That isn’t normal, as back in WordPress 3.7 a new update system was introduced so that minor updates normally happen automatically. So either CrowdStrike disabled those automatic updates (which isn’t a good idea) and then failed to apply the updates manually or their is some incompatibility between their hosting environment and the update system and they also failed to apply the updates manually. If it was the later, then they could actually help improve security by working with the WordPress developers fix whatever is causing those automatic updates to no happen.
Whichever is the case, the end result is that they have multiple known vulnerabilities on their website, as WordPress 4.5.2, 4.5.3, and 4.5.4 all included security updates.
The next question is whether this an aberration or if this is indicative of larger problems with handling and understanding of security at the company, which is something that companies looking to use their products and services or journalist looking to cite them should probably find out.