DreamHost Also Distributing Outdated Web Software Through One-Click Installer

When it comes to improving the poor state of website security, web hosts certainly could be doing things over and above what is their responsibility to help with that. But at this point we are finding that they are still failing to do some things that really are their responsibility. One of those is not offering to install software on websites that is outdated and insecure. In May we discussed an instance where a web host told the owner of a hacked website that the outdated version of Joomla they were using, 2.5.28, was a security weakness while still offering to install that version through the MOJO Marketplace service. Support for that version of Joomla had ended almost two and a half years before, so it should have long been removed from such a service. Earlier this week we noted that another similar service used by web hosts, Softaculous, was also still offering to install that version of Joomla.

While working on a website hosted with DreamHost we checked to see how they were doing in this regard. The good news is that they are not offering to install that version of Joomla. The bad news is that the version of Joomla they are installing, 3.6.4, is outdated and insecure:

That version was superseded by 3.6.5 in the middle of December, and 3.6.5 was a security update. There have been three further security updates released since then: 3.7, 3.7.1, and 3.7.3.

Of the other software they offer that we deal with on a regular basis, most of it is also outdated and insecure.

They offer MediaWiki 1.26.3:

Version 1.26.4, which includes a security update, was released last August, and the 1.26.x series reached end of life in November.

They offer phpBB 3.0.13:

Version 3.0.14, which includes a security update, was released in May 2015, and the 3.0.x series reached end of life in November of that year.

They offer Zen Cart 1.5.4:

That was superseded by version 1.5.5 in March of last year. Unless DreamHost has applied the security patches that were released for version 1.5.4, version 1.5.5 would be a security update over what they are offering as well.

Softaculous is Also Still Offering to Install Joomla 2.5 Despite It Being EOL’d Two and a Half Years Ago

Back in May we noted that the service MOJO Marketplace, which is used by web hosts to provide their customers with quick installations of various web software, was still offering to install Joomla 2.5 despite support for that version having ended on December 31, 2014. We came across that while dealing with a hacked website where the web host that uses MOJO Marketplace’s service (and is owned by the same company) and the web host’s security partner (whose owners also run the two other companies) both told the website’s owner that use of that version was a security weakness.

While working on a non-hack issue on another website we noticed that another service that does software installations, Softaculous, is still offering to install Joomla 2.5 as well. Not only are they offering to install it, but at this web host it is fairly prominently offered, as it is what you see in the last section when you log in to the web host’s cPanel control panel:

To confirm that this wasn’t a case where they still listed it as Joomla 2.5 while really installing the current version, the top of the page you are taken to when you click the link shows that they are in fact still offering that version:

Seeing as they also keep track of the release date, you would think they might periodically review whether they are offering software that hasn’t been updated in years and decide whether they should still be offering it, but they don’t seem to be doing that, considering Joomla 2.5 is still available.

Trend Micro Thinks Their Continued Failure to Take a Basic Security Measure Shouldn’t Define Them

Back in May of last year we noted that the cyber security company Trend Micro was failing to keep the WordPress installation on their blog up to date. What stuck out about this was that it shouldn’t have happened, as WordPress has an automatic background update feature that would normally have applied the updates without requiring any interaction by someone at Trend Micro. So either there was some incompatibility between their hosting environment and that feature, or they unwisely disabled the feature without making sure to promptly do the updates manually instead. If it was the former, then they could probably have helped not only themselves but others by working with WordPress to fix the cause of those updates not occurring.

Fast forward to last week, when it was reported that another one of their blogs was attacked through a vulnerability in WordPress that would not have been possible to exploit on the website if they had either gotten automatic background updates working or started promptly updating manually.

The response from the company’s “Global head of security research” makes it sound like the company has no idea what they are doing:

“We got reports from many researchers, regarding attacks using this vector and we deployed a custom policy to block the attacks,” he explained.

“Unfortunately there are many different URLs attackers can use to carry out the same attack, so a couple of fake ‘articles’ ended up posted on CounterMeasures. We have responded and shut down the vulnerability completely to resolve the issue.

“Just serves to demonstrate something that I have often repeated in presentations, we are all a potential victim of digital attacks and we can’t afford to take our eyes off the ball at any time. The best way to respond to any attack of this nature is with honesty and alacrity, and that’s what we have endeavoured to do.

“Of course technology and best practice can mitigate the vast majority of intrusion attempts, but when one is successful, even one as low-level as this, you are more defined by how you respond than you are by the fact that it happened.”

The really simple solution to prevent this vulnerability from being exploited is to make sure you have updated from WordPress 4.7.0 or 4.7.1 to 4.7.2, but there is no mention of that. Instead there is mention of a “custom policy to block the attacks”, which is not necessary if you just update to 4.7.2.

Amazingly, as of this morning the blog is still running WordPress 4.7.1, as can easily be seen by viewing the source code of any page on it:

The main Trend Micro blog doesn’t contain a meta generator tag, which would otherwise make it easy to spot what version is in use, but if you look at the CSS and JavaScript files being loaded on it you can see repeated use of “4.7.1” in the URLs (WordPress appends its own version as the ver query string on the stylesheets and scripts it loads), which tells you it is also on WordPress 4.7.1:

Defining Trend Micro by their response to getting attacked rather than by their failure to follow best practices doesn’t make things better here, since they still have failed to properly respond to the situation by updating WordPress. Since they can’t handle the basics, you really would have to wonder about their handling of more serious things. Or you would, if there wasn’t already evidence that they can’t.


Rudy Giuliani Not the Only Trump Advisor With a Website Using Insecure and Very Out of Date Software

Last week we discussed that the website of Rudy Giuliani’s security company was running an outdated and insecure version of Joomla. Since then the website has been taken down. What we also mentioned in that post was that it wasn’t clear what his company actually did in terms of cybersecurity. Motherboard seems to have answered that question:

Since 2003, his consulting firm Giuliani Partners and its subsidiary Giuliani Security and Safety has at least nominally advised clients on cybersecurity, but people who have worked with his firm say the advice is focused more on liability mitigation for companies rather than implementing best security practices.

“If you hired them on a cyber engagement, they are going to tell you what your legal obligations are and how to manage the legal risk related to cyber,” a cybersecurity executive in New York who has experience with Giuliani Security and Safety and requested to remain anonymous told Motherboard. “Basically, not to prevent a Target [breach], but how to prevent a Target CEO being fired.”

Considering that, from everything we have seen, most security companies don’t seem to know and/or care much about security, this isn’t as troubling to us as it should be for others not aware of what is going on in the industry.

In an interview Mr. Giuliani did with MarketWatch from a year ago, you get more of a sense of what the industry is all about:

MW: So Giuliani Partners began penetration-testing companies — attacking from the outside to find vulnerabilities hackers may exploit — back in 2003?

RG: 2004, 2005 by the time we got started.

MW: How many clients did you have back then?

RG: Maybe 30.

MW: Did you find that anyone cared about cybersecurity back then?

RG: These were all friends of mine, friends of his. They’d give me a nice meeting and they’d look at me, and they’d look at the bill. And the bill was high, but it wasn’t high for them — $10 million, $20 million, something like that. It wasn’t like the kind of money they’re spending now. (laughs)

From what we have seen of penetration testing, we have a hard time believing the underlying cost of the work was more than a fraction of what was spent. A lot of it involves running automated tools over systems, which largely warn you about vulnerabilities that exist in outdated software (money that would be better spent keeping the software up to date).

The next line in the article indicates that big dollars spent don’t necessarily produce results:

(Note: J.P. Morgan Chase had a $250 million cybersecurity budget when it was breached in 2014; CEO Jamie Dimon said after the breach that the bank would double cybersecurity spending.)

Newt Gingrich’s Outdated Website

Considering the prominence that cybersecurity has taken in US politics, you might think that would lead prominent players to take action to make sure they are secured (by hiring someone, not doing it themselves, obviously). That isn’t the case with the website of former House Speaker and Donald Trump advisor Newt Gingrich, gingrichproductions.com. The website is still running WordPress 3.7:

The Gingrich Productions Website is Running WordPress Version 3.7

The next version of WordPress, 3.7.1, was released in October of 2013.

Keeping the software running a website up to date is a basic security measure.

What makes this a bit odd is that WordPress introduced a new update system in WordPress 3.7, which automatically applies minor WordPress updates. Alongside that, WordPress started releasing security updates for older versions of WordPress, so normally the website would have been getting security updates without requiring any manual intervention since then (the latest version of WordPress is still the only one officially supported, so websites should still be keeping WordPress up to date with the latest major release). Seeing as the updates didn’t happen, either that feature was disabled or it had some conflict with the website’s hosting environment.

Whatever the cause, 14 security updates for WordPress 3.7 have been missed: 3.7.2, 3.7.4, 3.7.5, 3.7.6, 3.7.8, 3.7.9, 3.7.10, 3.7.11, 3.7.12, 3.7.13, 3.7.14, 3.7.15, 3.7.16, 3.7.17

Unlike the website of Rudy Giuliani’s security company, which looks like it might not have been actively managed since 2014, this website is still very much active, seeing as the News section of Gingrich Productions has entries from just days ago.

The Website of Rudy Giuliani’s Security Company is Powered by an Outdated and Insecure Version of Joomla

When it comes to cyber security you don’t have to look far to see why things are currently in such bad shape, as we have often found that even security companies themselves are not doing the basic security step of keeping the software on their own website up to date. So looking to the private sector to improve the situation is a questionable call.

Incoming US President Donald Trump is going to be advised on the issue by former New York City Mayor Rudy Giuliani, who has a company that provides cyber security consulting of an unclear nature. ZDNet’s Zero Day blog reports they have been unable to find what the company actually does:

For the past few months while Giuliani’s name was floated for positions for the Republican’s presidential campaign, we’ve tried to find out exactly what his company does, or can do better than any other security firm — to no avail.

So is the website of Rudy Giuliani’s security company at least in better shape than other cyber security companies? No:

The Giuliani Security & Safety Website is Running Joomla Version 3.1.1

The next release of Joomla, 3.1.4 (3.1.2 and 3.1.3 were not officially released), came out in July of 2013. The version after that, released in August of that year, included a security fix. There have been numerous updates since then, many of which included security fixes.

The copyright date on the website is 2014, so even if it hasn’t been actively managed since then, they had stopped keeping the software up to date before that happened.

Other evidence out there doesn’t exactly point to Rudy Giuliani having a great grasp of technology matters. For example, back in September he claimed the software used to wipe Hillary Clinton’s emails was “expensive” and “very expensive”:

The servers containing the emails were not only erased by merely deleting the email, but expensive BleachBit software was used to do it. This software is very expensive and is used by criminals seeking to hide evidence from law enforcement.

That is despite the fact that the software is free, something you can easily find out if you do a search and pull up the software’s home page or the Wikipedia page about it.

Another Cyber Security Company In The News Failing To Do Security Basics With Their Own Website

When it comes to security companies, whether in web security or the wider field of cyber security, one thing that we have found over the years is that most of them seem to know and/or care little about security. We think that explains a lot about why security is in such bad shape these days. One easy-to-spot example of these companies either not knowing or not caring about security is when their websites are running outdated software with security vulnerabilities, as keeping software up to date is really a security 101 item, whether for websites or other systems.

The cyber security company PacketSled has been in the news recently after the founder and CEO of the company “resigned after election night posts on social media about assassinating President-elect Donald Trump”. Their website is currently running WordPress 4.4.2:

The PacketSled Website is Running WordPress Version 4.4.2

Like the last couple of instances we looked at of cyber security companies running outdated WordPress installations, it isn’t just that they are not running the latest major version, 4.6, but that they have not kept up to date with new minor releases for the version they are on (the current version of the 4.4.x series is 4.4.5). What makes that stand out is that back in WordPress 3.7 a new update system was introduced that would normally apply those minor updates automatically. So either these companies are disabling that and failing to update manually, or there is some conflict between their systems and the automatic update system and they are not updating manually. If there was some conflict, then helping WordPress to fix it would help others in the same situation as well as them (since they can’t manage to do the manual updates either).

Whatever the cause, they missed three security updates, the earliest having been released six months ago.

Trend Micro Running Outdated and Insecure Version of WordPress on Their Blog

When it comes to the problems with cyber security one of the issues we see is that the wrong people are often getting the blame for its poor state.

WordPress frequently gets unfairly criticized in a security context, while in a lot of ways they are really at the forefront of improving the security of web software. Take for example the automatic background updates feature that was released back in WordPress 3.7, which allows security fixes to be applied to millions of websites quickly without requiring any user interaction.

On the other side are security companies that in a lot of cases seem to care little for security and in some cases seem to be peddling falsehoods to increase their profits. One recent example where a security company didn’t seem to care about security was Trend Micro, whose antivirus software included a password manager that had incredibly severe security issues.

We bring these two examples up because they come together in something we noticed recently: Trend Micro’s blog is currently running an outdated and insecure version of WordPress:

The Trend Micro blog is running WordPress 4.5

WordPress 4.5.1 was released on April 26 and 4.5.2, which fixed two security issues, was released on May 6.

Seeing as those versions would normally have been applied automatically within hours of their release due to the automatic background updates feature, either Trend Micro unwisely disabled that feature or some bug is stopping that from happening in their case. If it is the latter, then Trend Micro could actually help to improve the security of WordPress websites by working with the WordPress developers to resolve that, so that others impacted by the issue could also start getting updates.

Looking at the source code of the blog’s homepage you can see that at least one of their plugins is also not up to date:

<!-- This site is optimized with the Yoast SEO plugin v3.2.3 - https://yoast.com/wordpress/plugins/seo/ -->

The latest version of the Yoast SEO plugin is 3.2.5, and that version fixed a very low severity security issue (the current version of that plugin has at least one other security issue that is fairly obvious if you look into the vulnerability that was fixed).

Hacking Team Failed To Take Basic Security Measure With Their Website

Over the last day there has been a lot of news coverage of the hacking of a company called Hacking Team, which sells surveillance software to various governments. Beyond the issues raised by the documents released, there are also the implications of a cybersecurity firm being hacked. CNET put it this way:

The hack shows just how vulnerable we all are to data breaches. If anyone should have been able to prevent an intruder from compromising their files, you’d think it would be the people who sell spy software that steals other people’s files. Apparently they weren’t prepared, though. Of course, the company’s fraught status in the hacking world might have made them more of a target to attackers than a regular person would be.

Since we deal in the security of websites, we were interested to see if they were even taking basic security measures with their website (we have often found that security companies are not). While their website is currently down, taking a look at the Google cache of their homepage showed a glaring security issue. As can be seen by looking at the meta generator tag in the source code of the page, they are still running Joomla 1.5:

Hacking Team homepage source code

That version of Joomla reached end of life nearly three years ago, in September of 2012, so they should have long since moved to a newer, supported version of the software.

It is possible that they were taking better care of the security of the rest of their systems, but the lax security of their website certainly could be an indication of larger issues.
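The version checks done by hand in the two Trend Micro posts above (the meta generator tag, the repeated ?ver=4.7.1 on stylesheet and script URLs, the Yoast SEO comment in the page head) and in this post (the Joomla 1.5 generator tag) can be automated. The following Python is an added example written for this page; it is not code from any of those posts, from the Chrome extension mentioned elsewhere on this page, or from any of the companies discussed. The three sample pages are constructed for illustration, are not captured from the sites named, and use the placeholder host example.test.

```python
import re
from collections import Counter

META_TAG_RE = re.compile(r"<meta\b[^>]*>", re.I)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*["']([^"']*)["']""")
# WordPress appends its own version number to the URLs of the stylesheets and
# scripts it loads, e.g. /wp-includes/css/dashicons.min.css?ver=4.7.1. Bundled
# libraries (jQuery) and plugins put their own numbers there, so one match is
# not evidence; the value that repeats across wp-includes/wp-content URLs is.
ASSET_VER_RE = re.compile(
    r"""(?:wp-includes|wp-content)/[^"'\s>]*?\?ver=(\d+\.\d+(?:\.\d+)?)""", re.I)
# The Yoast SEO plugin leaves this comment in <head>.
YOAST_RE = re.compile(r"Yoast SEO plugin v(\d+(?:\.\d+)+)")
DOTTED_VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def generator_tag(html):
    """Content of <meta name="generator">, or None. Attribute order differs
    between themes, so the attributes are parsed rather than matching the
    whole tag as one string."""
    for tag in META_TAG_RE.findall(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        if attrs.get("name", "").lower() == "generator":
            return attrs.get("content")
    return None


def wordpress_version_from_assets(html):
    """Majority vote over the ?ver= values on wp-includes/wp-content asset
    URLs; a value seen only once is discarded as probably a plugin's own."""
    counts = Counter(ASSET_VER_RE.findall(html))
    if not counts:
        return None
    version, hits = counts.most_common(1)[0]
    return version if hits >= 2 else None


def fingerprint(html):
    """Identify the CMS and version a page discloses, which disclosure was
    used, and any plugin versions found in HTML comments."""
    result = {"cms": None, "version": None, "evidence": None, "plugins": {}}
    generator = generator_tag(html) or ""
    found = DOTTED_VERSION_RE.search(generator)
    version = found.group(0) if found else None
    if generator.lower().startswith("wordpress"):
        result.update(cms="WordPress", version=version, evidence="meta generator")
    elif generator.lower().startswith("joomla"):
        result.update(cms="Joomla", version=version, evidence="meta generator")
    # No generator tag (many sites strip it, as with the main Trend Micro blog)
    # or a WordPress tag with the number removed: fall back to asset URLs.
    if result["cms"] in (None, "WordPress") and result["version"] is None:
        from_assets = wordpress_version_from_assets(html)
        if from_assets:
            result.update(cms="WordPress", version=from_assets,
                          evidence="asset ?ver= query strings")
    yoast = YOAST_RE.search(html)
    if yoast:
        result["plugins"]["yoast-seo"] = yoast.group(1)
    return result


# Constructed sample pages for the three situations in the posts; they are
# not captured from the sites named, and example.test is a placeholder host.
NO_GENERATOR_WP = """<html><head>
<link rel="stylesheet" href="https://example.test/wp-includes/css/dashicons.min.css?ver=4.7.1">
<link rel="stylesheet" href="https://example.test/wp-content/themes/t/style.css?ver=4.7.1">
<script src="https://example.test/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
<script src="https://example.test/wp-content/plugins/p/p.js?ver=2.0.3"></script>
<script src="https://example.test/wp-includes/js/wp-embed.min.js?ver=4.7.1"></script>
</head><body></body></html>"""

GENERATOR_WP = """<html><head>
<!-- This site is optimized with the Yoast SEO plugin v3.2.3 - https://yoast.com/wordpress/plugins/seo/ -->
<meta content="WordPress 4.5" name="generator">
</head><body></body></html>"""

JOOMLA_15 = """<html><head>
<meta name="generator" content="Joomla! 1.5 - Open Source Content Management" />
</head><body></body></html>"""

if __name__ == "__main__":
    for name, page in (("no generator tag", NO_GENERATOR_WP),
                       ("generator tag", GENERATOR_WP), ("Joomla 1.5", JOOMLA_15)):
        print(name, "->", fingerprint(page))
```

The asset-URL fallback takes a majority vote rather than the first match because jQuery and plugin assets carry their own version numbers (1.12.4 and 2.0.3 in the sample) and would otherwise give a false reading; a value that appears only once is discarded for the same reason. Both disclosures can be stripped or altered by a theme or plugin, so a missing generator tag proves nothing, and a fingerprint is a starting point rather than a substitute for checking the installation itself.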

Security Company with WordPress Security Plugin Doesn’t Keep Their Own WordPress Installation Up to Date

When it comes to trying to improve the security of websites, one of the problems we see is that while many people are still not taking basic security measures with their websites, there are plenty of companies pushing additional security products and services. In some cases we have seen that the inflated claims of some of those products and services lead people not to take basic measures, since the products and services claim they will prevent the website from being hacked, and because the basic security measures haven’t been taken the website ends up getting hacked. While we don’t have much evidence for it, we are concerned that other people don’t take basic security steps because keeping a website secure seems so daunting when they are told they need to be using all of these different products and services to do it.

A question that underlies this is whether these companies actually are all that concerned about security or are just trying to make a quick buck peddling products and services whose security implications they have little understanding of. One quick check to get an idea of their concern for security is to see if they are keeping the software running their own websites up to date. The results we have seen in the past haven’t been good, like the time we found that all of the companies we looked at that were advertising to clean up hacked Joomla websites were running outdated software (mostly Joomla). This time around we happened to run across the website of a company named Centrora Security, and you can see from the results of a Chrome extension we make that they are not keeping the WordPress installation running their website up to date:

The Centrora Security website is Running WordPress Version 4.0.1

Not only have they not updated it for over a year and not updated to the two most recent major versions, 4.1 and 4.2, but they have missed three security updates in the 4.0.x series: 4.0.2, 4.0.4, and 4.0.5. Since WordPress 3.7, minor version updates like those security updates would normally be applied automatically, so either Centrora Security unwisely disabled that feature or some bug is stopping that from happening in their case. If it is the latter, then Centrora Security could actually help to improve the security of WordPress websites by working with the WordPress developers to resolve that, so that others impacted by the issue could also start getting updates.

While they don’t take the basic step of keeping WordPress up to date, they produce a WordPress security plugin that they claim is the “MOST POWERFUL WORDPRESS SECURITY PLUGIN”. Probably not all that surprisingly, they are not running the latest version of their own plugin on the website either (the readme.txt for the plugin on the website is from version 4.8.4), even though keeping WordPress plugins up to date is also an important security measure.
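The counting done in the Newt Gingrich post above (fourteen missed 3.7.x security releases) and in this post (three missed 4.0.x releases, and a plugin readme.txt behind the current release) is easy to get wrong by hand, and just as easy to get wrong in code if versions are compared as strings, since “3.7.10” sorts before “3.7.9” that way. The following Python is an added example written for this page, not code from the posts, from Centrora Security, or from the Chrome extension mentioned above. The release lists are the ones given in those two posts. The readme.txt text and the plugin name in it are constructed; the “Stable tag” header is the field a WordPress.org plugin readme uses to state its released version, and that the post read the version from that field is an assumption. The current plugin version is passed in rather than fetched.

```python
import re

# Security releases in the 3.7.x and 4.0.x series, as listed in the two posts
# above. Nothing here talks to the network, so extend this list yourself.
SECURITY_RELEASES = [
    "3.7.2", "3.7.4", "3.7.5", "3.7.6", "3.7.8", "3.7.9", "3.7.10", "3.7.11",
    "3.7.12", "3.7.13", "3.7.14", "3.7.15", "3.7.16", "3.7.17",
    "4.0.2", "4.0.4", "4.0.5",
]

DOTTED_VERSION_RE = re.compile(r"\d+(?:\.\d+)*")
# The "Stable tag:" header of a WordPress.org plugin readme.txt (assumed to be
# how the readme discloses the installed plugin version).
STABLE_TAG_RE = re.compile(r"^\s*Stable tag:\s*(\S+)", re.I | re.M)


def version_key(version):
    """Numeric sort key: (3, 7, 10) > (3, 7, 9), where the strings compare
    the other way round."""
    if not DOTTED_VERSION_RE.fullmatch(version):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(part) for part in version.split("."))


def missed_security_updates(running, security_releases=SECURITY_RELEASES):
    """Security releases in the running major.minor branch that are newer
    than the running version, in release order. 'running' may be a bare
    '3.7', as on the Gingrich site."""
    run = version_key(running)
    branch = run[:2]
    return sorted((v for v in security_releases
                   if version_key(v)[:2] == branch and version_key(v) > run),
                  key=version_key)


def readme_stable_tag(readme_text):
    """The 'Stable tag:' value from a plugin's readme.txt, or None."""
    m = STABLE_TAG_RE.search(readme_text)
    return m.group(1) if m else None


def plugin_outdated(readme_text, current_version):
    """True/False when the readme discloses a numeric stable tag that is
    older/not older than current_version; None when it discloses nothing
    usable (no header, or 'Stable tag: trunk')."""
    tag = readme_stable_tag(readme_text)
    if tag is None or not DOTTED_VERSION_RE.fullmatch(tag):
        return None
    return version_key(tag) < version_key(current_version)


# Constructed readme.txt in the shape a plugin's readme takes; the plugin
# name and the version numbers are illustrative only.
SAMPLE_README = """=== Example Security Plugin ===
Contributors: example
Requires at least: 3.7
Tested up to: 4.2
Stable tag: 4.8.4
License: GPLv2 or later

== Description ==
Illustrative readme used by the example on this page.
"""

if __name__ == "__main__":
    for running in ("3.7", "4.0.1", "4.0.5"):
        missed = missed_security_updates(running)
        print(f"WordPress {running}: {len(missed)} missed security update(s): "
              f"{', '.join(missed) or 'none'}")
    print("plugin behind 4.9.0:", plugin_outdated(SAMPLE_README, "4.9.0"))
```

The branch filter matters because, as the Gingrich post notes, WordPress backports security fixes to old branches: a site on 3.7 has missed the 3.7.x security releases even though it is also many major versions behind, and both facts are worth reporting. A readme that says “Stable tag: trunk” discloses nothing about the installed version, so the check returns None rather than guessing.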

Lack of Prompt Revive Adserver Upgrades Reminder That Basic Web Security Precautions Still Not Being Taken

When it comes to keeping websites secure, what we see is that companies are trying to sell people services of limited to no security value while important security practices go undone in many cases. One of the basic measures that needs to be taken is keeping the software running on websites up to date, as that prevents known security vulnerabilities from being exploited; unfortunately that often doesn’t happen. In the past we looked at data showing this was true for the likes of Drupal, Joomla, and others. Yesterday, Revive Adserver put out a post showing what versions of their software are in use, and they tell a similar story.

About 56 percent of the active installations of Revive Adserver are running either version 3.0.2 or 3.0.5:

Source: http://www.revive-adserver.com/blog/quick-adoption-of-revive-adserver-v3-2-0/

Version 3.0.5 contains two moderate severity security issues that were fixed in versions 3.0.6 and 3.1.0, which were released in December. Version 3.0.2 contains an additional moderate severity security issue that was fixed in version 3.0.5, which was released a year ago. We haven’t seen any major issues when upgrading from these versions, so there isn’t any excuse for not having done this by now.

If you haven’t been keeping Revive Adserver up to date, you should do that now (if you need someone to do that for you, we can take care of it). For anyone who still hasn’t upgraded from OpenX, you really need to do that now, since it has more severe known security vulnerabilities at this point and the upgrade to Revive Adserver is relatively easy.