WordPress Version: We are running WordPress 3.7.1 and, despite what many supposed "security experts" claim, letting you know what version we are running does not make us less secure.
Category Archives: Bad Security
In the recent past we have mentioned that the websites of the White House, Department of Homeland Security, and FEMA are failing to take the basic security step of keeping the software powering their websites up to date. It should then not come as too much of a surprise to see this:
CIO.gov is the website of the U.S. Chief Information Officer and the Federal CIO Council, and on the website it is described as “serving as a central resource for information on Federal IT” and “identifying best practices”.
Since the website is running WordPress 3.4.2, they have failed to update WordPress for seven months and, more importantly, they failed to update when a security release was put out back in January.
With the US government’s and the CIO Council’s claimed focus on cybersecurity, it is troubling that they are failing to do something so basic. It also raises questions about one of the CIO Council’s areas of cybersecurity focus, “Continuous Monitoring”:
Continuous monitoring is a risk management approach to cybersecurity that maintains an accurate picture of an agency’s security risk posture, provides visibility into assets, and leverages use of automated data feeds to quantify risk, ensure effectiveness of security controls, and implement prioritized remedies. A well-designed and well-managed continuous monitoring program can effectively transform an otherwise static security control assessment and risk determination process into a dynamic process that provides essential, near real-time security status.
In today’s environment of widespread cyber-intrusions, advanced persistent threats, and insider threats, it is essential for agencies to have real-time accurate knowledge of their enterprise IT overall security posture. Agencies need to constantly know and remain aware of their enterprise security status so that responses to external and internal threats can be made swiftly.
If continuous monitoring is being used for their own website, it isn’t working. If it isn’t being used, you have to wonder why it is one of their focuses when they haven’t even started using it themselves.
Keeping software running on a website up to date is an important part of keeping it secure, but, as we have been focusing on a lot lately, organizations that you would expect to be up to the task of handling their security are failing to do that. Whether it is web security companies, a web security organization, or major government websites (the DHS did finally get their website up to date, though), they are all failing to take this easy security step. We can now add web security journalism to this recent list.
Here is the WordPress version powering Wired’s Threat Level blog, which covers “Privacy, Crime and Security Online”:
Since they are running 3.4.2, they have failed to update WordPress for seven months and, more importantly, they failed to update when a security release was put out back in January. If an important source of security information isn’t aware that they need to keep their website up to date, it isn’t a good sign that others will be getting that information either.
NATO ministers met last week and discussed improving their cybersecurity. A bad sign for their current handling of cybersecurity is the website of NATO’s Allied Command Transformation, which is running an outdated and unsupported version of Joomla:
Security updates for Joomla 1.5 ended in September of 2012, so the website should have been migrated to a supported version of Joomla – currently versions 2.5 and 3.1 – some time ago.
Keeping the software powering a website up to date is a basic measure needed to keep it secure, and it is relatively easy in comparison to what NATO needs to do to fully secure all of their systems.
It might be reasonable to cut NATO some slack on their failure to keep up to date considering that Joomla is still running Joomla 1.5 on a number of their websites:
Impermium promotes itself as “Protecting the Web from Security Threats”, that they are “run by leading anti-spam and cybersecurity experts”, and that they have “a cutting-edge comment spam filter”; but a quick look shows that they can’t even handle web security and spam on their own website.
Keeping software running on a website up to date is one of the basic website security measures that should be taken, so a company run by “cybersecurity experts” is going to be doing that, right? Wrong:
Not only have they failed to update WordPress for over six months, but they failed to update when a security release was put out back in January. WordPress makes it very easy to update, so there isn’t any excuse for not doing it. They are not alone in this; a few weeks ago we mentioned that the web security company StopTheHacker was also running the same outdated version of WordPress. What does it say that web security companies either don’t know the basics of website security or don’t care about it?
As for spam, here is the Impermium Knowledge Base:
If you are an anti-spam company you shouldn’t miss spam entries like “Significant Bad Credit Loans for Debt Consolidation Loan” and “Know how different types of loans could benefit you” in your Knowledge Base.
There are many companies providing hack/malware cleanup services for websites that are based around providing detection that a website has been compromised. This isn’t really necessary, as a properly secured website is very unlikely to be compromised. Unfortunately, from what we have seen of these services, when they do a cleanup they don’t actually determine how the website was hacked in the first place, fix that issue, and make sure the website is otherwise secured (including updating any software running on the website). Doing those things is a fundamental component of a proper cleanup, and the website will remain vulnerable if they are not done.
Too often we have clients that come to us after having hired one of these services and had their website continue to be hacked. The client ends up paying to have the website cleaned up twice (or more) and suffering additional costs related to the continued issue with their website, instead of having it fixed the first time.
Our experience has also been that these services are not good at actually detecting hacks, so your website is not only left vulnerable to being hacked again, but you may not even get alerted that it has been hacked again. Detecting quickly that a website has been hacked, instead of preventing it from being hacked, is also of little use in some instances. For example, if your website is hacked and your customers’ information is compromised, no matter how fast afterwards it gets detected, the damage has already been done and the information is in the hands of the hacker.
This brings us to StopTheHacker, which, based on their name, you would assume would be focused on actually protecting websites from hackers. Unfortunately for their customers that isn’t the case. If you look at the features of their service, they are mainly focused on detecting that a website has already been hacked instead of making it secure in the first place. That would be bad on its own, but if you are using our Meta Generator Version Check extension, which is available for Chrome and Firefox, and you visit their website, you will find something even more surprising:
That’s right, a website security company is failing to take the basic security measure of keeping the software running their website up to date, which in the case of WordPress is very easy to do. Not only has StopTheHacker failed to update WordPress for over six months, but they failed to update when a security release was put out back in January.
If StopTheHacker actually did the “Vulnerability Assessments” they claim to do as part of their service, they would be aware that their own website is insecure. Or maybe they don’t use their own service? That would say a lot about what they think of it, wouldn’t it?
A company shouldn’t have anything to do with website security if they don’t care about the security of their own website, as StopTheHacker clearly does not, so we strongly recommend you avoid StopTheHacker and focus on doing the things that will actually protect your website instead of using services like theirs that will leave your website insecure.
Last week we mentioned that the Department of Homeland Security (DHS) is failing basic cybersecurity practices by not keeping the software running on their website up to date with security updates. It is probably not surprising that agencies under the DHS are also leaving their websites vulnerable to known security vulnerabilities because they are failing to keep the software running on them up to date. That includes the Federal Emergency Management Agency (FEMA), which, if you visit their website with our Drupal Version Check extension installed in your web browser (available for Chrome and Firefox), you will see is also running an outdated version of Drupal:
Further checking shows that the website is running Drupal 7.17 or 7.18, so FEMA has failed to update the software for over three months: the next version was released back in January, and they have missed the last two security updates.
The Open Web Application Security Project (OWASP) promotes itself as being “focused on improving the security of software”, but unfortunately they don’t even bother to keep the software running their website up to date. If you visit their website with our Meta Generator Version Check extension installed in your web browser (available for Chrome and Firefox) you will see that they are running an outdated version of MediaWiki:
OWASP has failed to update their MediaWiki installation for over a year; the next version, 1.18.1, was released in January of 2012. They failed to apply any of the five security updates that were released for version 1.18.x. Support for version 1.18.x of MediaWiki ended back in November, so they also should have moved to a supported version some time ago.
Keeping software up to date is one of the most basic and easiest steps to keep the software running a website secure. The fact that a project dedicated to security is failing to do that highlights how bad the state of security is and raises the question of whether the security community is in fact actually interested in security.
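The check that the Meta Generator Version Check extension performs, and the kind of self-monitoring the CIO Council's continuous monitoring description calls for, can be scripted against your own sites. The following is an added example written for this page, not the blog's extension and not any project's code: it reads the `<meta name="generator">` tag from a page, compares the announced version with a reference table of latest releases, and reports whether the site is current, behind, on a branch that no longer receives updates, or only announcing its branch (as Drupal does). The reference table and the sample pages are constructed for the example and are not authoritative.

```python
"""Added example: classify the software version a website announces in its
<meta name="generator"> tag against a reference table of latest releases.
This is illustration code for this page, not the blog's browser extension.
The reference data is a constructed assumption; in real use it would be
refreshed from the vendors' release announcements."""
import re
from html.parser import HTMLParser

# Constructed reference data for the example: product -> latest release of
# each branch that still receives security updates.  Not authoritative.
LATEST_RELEASES = {
    "WordPress": ["3.5.1"],
    "Drupal": ["6.28", "7.22"],
    "MediaWiki": ["1.20.3"],
    "Joomla!": ["2.5.11", "3.1.1"],
}

# Product name followed by a dotted version, e.g. "WordPress 3.4.2",
# "Drupal 7 (http://drupal.org)", "Joomla! 1.5 - Open Source Content Management".
_GENERATOR_RE = re.compile(r"([A-Za-z][A-Za-z!]*)\s*v?(\d+(?:\.\d+)*)")


class _GeneratorParser(HTMLParser):
    """Collect the content of the first <meta name="generator"> tag."""

    def __init__(self):
        super().__init__()
        self.generator = None

    def handle_starttag(self, tag, attrs):
        if tag != "meta" or self.generator is not None:
            return
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if attrs.get("name", "").lower() == "generator":
            self.generator = attrs.get("content", "")


def extract_generator(html):
    """Return the generator tag content, or None when the page has none."""
    parser = _GeneratorParser()
    parser.feed(html)
    return parser.generator


def _vtuple(version):
    return tuple(int(part) for part in version.split("."))


def assess(html, latest=LATEST_RELEASES):
    """Classify the announced version as current / outdated / branch_only /
    unsupported / unknown relative to the reference table."""
    generator = extract_generator(html)
    if generator is None:
        # A missing tag is not evidence of being current; it only means
        # this particular signal is unavailable.
        return {"status": "unknown", "reason": "no generator tag"}
    match = _GENERATOR_RE.search(generator)
    if match is None:
        return {"status": "unknown", "reason": "unrecognised generator: %r" % generator}
    product, version = match.group(1), match.group(2)
    result = {"product": product, "version": version}
    known = latest.get(product)
    if not known:
        result.update(status="unknown", reason="no reference data for %s" % product)
        return result
    have = _vtuple(version)
    # Branches are keyed by major version (Drupal 6.x and 7.x run in parallel).
    same_branch = [v for v in known if _vtuple(v)[0] == have[0]]
    if not same_branch:
        # The Joomla 1.5 situation: the branch receives no updates at all.
        result.update(status="unsupported", supported=list(known))
        return result
    newest = max(same_branch, key=_vtuple)
    result["latest"] = newest
    if len(have) < len(_vtuple(newest)):
        # Drupal only announces "Drupal 7"; the exact release needs further checking.
        result["status"] = "branch_only"
    elif have < _vtuple(newest):
        result["status"] = "outdated"
    else:
        result["status"] = "current"
    return result


# Constructed sample pages standing in for fetched HTML.
SAMPLE_PAGES = {
    "wordpress-old": '<html><head><meta name="generator" content="WordPress 3.4.2" /></head></html>',
    "drupal-branch": '<html><head><meta name="Generator" content="Drupal 7 (http://drupal.org)" /></head></html>',
    "joomla-eol": '<html><head><meta name="generator" content="Joomla! 1.5 - Open Source Content Management" /></head></html>',
    "no-tag": "<html><head><title>no generator</title></head></html>",
}

if __name__ == "__main__":
    for name, page in SAMPLE_PAGES.items():
        print(name, assess(page))
```

Run on a schedule against your own sites, this gives the near real-time status the quoted continuous monitoring passage describes. The `unknown` result for a missing tag deliberately does not count as good news, since a site that strips the tag may be just as far behind, and a `branch_only` result is exactly the situation the posts above resolve by further checking.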
While “President Obama has declared that the ‘cyber threat is one of the most serious economic and national security challenges we face as a nation’ and that ‘America’s economic prosperity in the 21st century will depend on cybersecurity.’”, the White House is failing to take a basic security measure with their website. If you visit the website with our Drupal Version Check extension installed in your web browser (available for Chrome and Firefox), you will see that they are running an outdated version of Drupal:
Further checking shows that the website is running Drupal 6.26 or 6.27, so the White House has failed to apply one or two security updates. Keeping software up to date is one of the most basic and easiest steps when it comes to cybersecurity, and the White House is failing at that.
Updating between versions of Drupal 7 is relatively easy, so there isn’t any excuse for an organization with its resources to not be able to keep it up to date.
Ahead of a vote on the CISPA legislation, the head of the Department of Homeland Security (DHS) will be briefing members of the House of Representatives today on cybersecurity. Maybe the briefing should be on how not to do cybersecurity, as the DHS is failing to take a basic security measure with their website. If you visit their website with our Drupal Version Check extension installed in your web browser (available for Chrome and Firefox), you will see that they are running an outdated version of Drupal:
Keeping software up to date is one of the most basic and easiest steps when it comes to cybersecurity, and the DHS is failing at that. The larger question this raises is what else they might be failing to do when it comes to cybersecurity, since they fail to do something so basic.
Further checking shows that the website is running Drupal 7.14, so the DHS has failed to update the software for over 8 months: the next version was released back in August of 2012, and they have missed the last 4 security updates.
When it comes to internet security, one of the most basic steps is keeping your software up to date. In a sign of how poor the state of internet security is, even security companies are not taking such a basic step. The US website of Kaspersky Lab, which the New York Times has described as “Europe’s largest antivirus company”, is running a very out of date version of Drupal:
Kaspersky Lab has failed to update the software for over two years: the next version, Drupal 6.20, was released back in December of 2010, and they have missed the last 4 security updates. Updating between versions of Drupal 6 is relatively easy, so there isn’t any excuse for a tech company not being able to keep it up to date.
Kaspersky Lab is not alone in this; last year we posted about Panda Security’s failure to update the software running their websites even after some of their websites had been hacked.