Bad Security | White Fir Design Blog

Norton Secured Seal Service Doesn’t Do Basic Security Check

Three years ago we posted about the fact that trust marks shown on websites that claim to certify that the websites are secure cannot be trusted to identify if a website is actually secure for a number of reasons, including that in many cases they scan the websites from the outside so there are many things that they would never detect. What we recently noticed is that the Norton Secure Seal service fails to do a really basic security check that can be done from the outside. When it comes to the security of websites one of the basic security measures is to keep the software running the website up to date. This prevents the website from being hacked to the exploitation of a known vulnerability in the software that has been fixed in a subsequent release. As we have found the Norton Secure Seal service doesn’t check to make sure the software running the website they are claiming is secure is up to date.

As an example of this we will take a look at the website of an IT security company that carries the Norton Secure Seal as you can see here:

Norton Secure Seal

Using our Joomla Version Check web browser extension you can see that the website is running an outdated version of Joomla:

That version of Joomla, 3.1.1, is seven months out of date and more importantly subsequent versions have fixed four security vulnerabilities, including a vulnerability rated as having critical severity and a vulnerability rated as having high severity. A website with that level of security issue should not be labeled as being secure.

The technology our web browser extension uses to detect that Joomla is powering a web page and what version is in use is rather simple and there is no excuse for a major company such as Symantec, the maker of the Norton Secured Seal service, not being able to do the same. Providing more awareness that an outdated version of Joomla is in use is definitely needed as outdated versions of Joomla are widely used, including among companies that provide security services for Joomla websites, and some older versions contain a vulnerability that is being exploited by hackers.

It isn’t just Joomla that Norton Secured Seal service doesn’t check to make sure is up to date; the same website has a blog running an outdated and insecure version of WordPress as well:

Joomla Hack Cleanup Providers Don’t Care About the Security of Their Own Websites

We are frequently hired to clean up websites that another company was previously hired to clean up but then has been hacked again (or wasn’t actually cleaned up in the first place). In some cases we wouldn’t lay the blame on the company, sometimes hacks are well hidden and getting them cleaned up can take more than one cleanup (which you shouldn’t be charge extra for) and in other cases there are security issues that the company doing the cleanup can’t handle. For example, if your web host has a security issues then they are going to only ones who can fix that. What we find in most instances though is that company doing the hack cleanup has not done the basic elements of the hack cleanup.

When someone contact us about cleaning up a website that was previously cleaned the first question we asked is if the first company determined how the website was hacked. Determining how the website was hacked is important part of the cleanup as if you don’t know how it was hacked you won’t know if the security issue that allowed the website has been fixed. Considering that the websites have been hacked again it isn’t surprising that the answer we hear over and over is that they didn’t. But isn’t just that they didn’t determine how the website got hacked, the companies didn’t even try to determine how the website was hacked. Either these companies are knowingly cutting corners or they don’t care enough about the service they providing to know what work they should be doing. In either case what they are doing is highly unethical.

We don’t ask our clients who they previously hired, but they do bring it up from time to time. During recent cleanup of a Joomla website the previous company was mentioned and when we went to their website we noticed that they were running an outdated version of Joomla. Keeping the software running on a website is a basic security measure, so any company that doesn’t bother to do that really shouldn’t have anything to do with the security of other people’s website. We took a look around at companies advertising to clean up Joomla websites and we found that all of the companies were running out of date software. As warning to the public and as a reminder of how bad the current state of companies providing security services is we have highlighted them below:

Dean Marshall Consultancy (http://www.deanmarshall.co.uk/)

Support for Joomla 1.5 ended in September 2012, so a websites shouldn’t be running it anymore (though many, including joomla.org, are still using it as we mentioned yesterday). As part of cleaning up a hacked website still running Joomla 1.5 you will eventually want to migrate it to a newer version, which doesn’t seem like a task for a company that still hasn’t done it for their own website.

Joomla Help Live (http://joomla.cmshelplive.com/)

Joomla 1.7 is over two years out of date and more importantly it has a serious security vulnerability that we have seen being exploited.

PennZac (http://www.pennzac.com/)

Joomla 3.0.3 is ten months out of date and there have been four subsequent versions with security updates.

US Joomla Force (http://www.usjoomlaforce.com/)

Joomla 2.5.11 is seven months out of date and there have been two subsequent versions with security updates.

itoctopus (http://www.itoctopus.com/)

WordPress 2.8.5 is over four years out of date and there have been 17 subsequent versions with security updates.

Checking For Outdated Plesk Installations or InfoRiskToday’s Bad Security

One of the biggest obstacles we see to improving website security is that many of the organizations that should be leading on security are not even taking basic website security measures themselves. One type of organization we see that with is news organizations that cover web security. Previously we discussed several that were running very out of date and insecure versions of Drupal. This time we will use InfoRiskToday, which describes itself as providing “credible, timely information that security leaders can put to use as they craft comprehensive information security strategies”, to highlight a security risk and several tools that we provide that can make detecting it relatively easy.

Plesk is control panel software that runs under a website and permits management of the software on the server and configuring the server. It also has had serious security vulnerabilities that have lead to many websites being hacked (one example being a major hack at Media Temple). The way to remain relatively secure against that sort of thing is to keep Plesk up to date, as should be done with all software. Unfortunately what we have seen is that there are still servers using Plesk 9, for which extended support ended back in June of last year. Since it isn’t supported anymore, if a new security vulnerability was found it wouldn’t be fixed, so Plesk should be updated to a supported version as soon possible to keep it secure.

We have created a pair of web browser extensions available for Chrome that can make checking for such an outdated Plesk installation relatively easy. The first one, Control Panel Login, looks for HTTP headers that indicate that Plesk is in use and when found displays the Plesk logo in the URL bar. Here is how looks when you visit InfoRiskToday’s website:

Plesk Icon Shown When Visiting InfoRiskToday's Website

Clicking on the icon takes you to the standard URL for logging on to Plesk from the website. Our second extension then comes in to play. Control Panel Version Check will display an icon in the URL bar if it detects that a page with Plesk version information is being visited. Clicking on the icon will then display the version information and indicate if it is outdated. In InfoRiskToday’s case you can see that they are still using Plesk 9:

InfoRiskToday is running Plesk 9.5.4

HostGator Using Unsupported Version of cPanel

When it comes to the security of your website, your web host plays an important part but too often they are failing do what they need to do to keep your website secure. One of things they should be doing is keeping software on the server up to date as that prevents your website from being exploited due to a known vulnerability in the software.

To make it easier to spot when web hosts are using outdated control panel software we released the Control Panel Version Check extension, available for Firefox and Chrome, back in December. Using it you can see that HostGator is using an outdated version of cPanel:

The version of cPanel they are running, 11.36, has only been unsupported for a week now so the situation isn’t nearly as bad as many of the hosts we highlight for running years out of date software. But what makes it worth highlighting is that on HostGator’s website they say that they provide the “Latest cPanel Control Panel”:

The latest version at this point is 11.42, which was released a couple of weeks ago. If you are going to tout that you are using the latest version of cPanel then it is really unacceptable to not even be using a supported version.

In addition to the outdated cPanel, HostGator is using a year out of date version of phpMyAdmin:

There have been a number of serious security vulnerabilities fixed in subsequent versions of phpMyAdmin.

Most Hackers Won’t Bother Checking What Version of Software Is in Use On a Website

When it comes to bad security advice, one of the most prominent items is that hiding what version of software you are running will provide you with protection. The reality is that in most cases hackers won’t even bother checking if you are running the software before attempting to exploit a hack. Will show you an example of that in a second, but the important take away is that if you are running software with known vulnerabilities the solution is to to update the software instead of trying to hide what version you are running because if you are running a vulnerable version you are going to get hacked no matter how hard you try to hide the version.

When people promote hiding the version in use they are actually making website less secure because it makes it harder for people to see that someone is running an outdated version that needs to updated and warn them. Google’s Webmaster Tools provides alerts when outdated software is in use, but that only works when the version information is available. We have created a web browser extension that warns when various outdated software is in use according to the meta generator on the page, but that only works if that version information hasn’t been removed from the page.

BOT for JCE

Outdated versions of the Joomla extension JCE contain a very serious security vulnerability that allows a hacker to upload files to a website. Exploitation of this vulnerability has been a common cause of the hackings among the hacked Joomla websites we have cleaned up. This would seem to due in part due to ease that someone can exploit it due to the fact that the disclosure included PHP code that handles exploiting the vulnerability. It easy to spot if that code has been used as the user agent left in the log files is “BOT/0.1 (BOT for JCE)”. Our website doesn’t even run on Joomla, but we have had numerous attempts to exploit outdated versions of the JCE extensions anyway. Some of the attempts just appear to completely untargeted (probably someone trying the exploit on every website), while a lot of others appear to be based simply on the word joomla being in a URL on the website. Our recent logs show a significant spikes in attempts after we had a post on a security vulnerability in Joomla. The log entries for one of those attempts is shown below and the important element to note is that the hacker starts out by trying to exploit the vulnerability. They make no attempt to check if a vulnerable version of JCE is in use, that JCE is in use, or that Joomla is even in use first. Any attempt to hide what version of JCE or Joomla would have no impact of the vulnerability being exploited.

174.34.252.13 – – [03/Feb/2014:01:01:08 -0500] “POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1” 500 885 “-” “BOT/0.1 (BOT for JCE)”
174.34.252.13 – – [03/Feb/2014:01:01:08 -0500] “POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1” 404 5923 “-” “BOT/0.1 (BOT for JCE)”
174.34.252.13 – – [03/Feb/2014:01:01:08 -0500] “POST /blog/2014/01/14/vulnerability-in-joomla-1-6-1-7-and-2-5-0-2-5-2-being-exploited-now/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1” 500 885 “-” “BOT/0.1 (BOT for JCE)”
174.34.252.13 – – [03/Feb/2014:01:01:08 -0500] “POST /blog/2014/01/14/vulnerability-in-joomla-1-6-1-7-and-2-5-0-2-5-2-being-exploited-now/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1” 404 6290 “-” “BOT/0.1 (BOT for JCE)”
174.34.252.13 – – [03/Feb/2014:01:01:10 -0500] “POST /blog/2014/01/14/vulnerability-in-joomla-1-6-1-7-and-2-5-0-2-5-2-being-exploited-now/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1” 500 885 “-” “BOT/0.1 (BOT for JCE)”
174.34.252.13 – – [03/Feb/2014:01:01:10 -0500] “POST /blog/2014/01/14/vulnerability-in-joomla-1-6-1-7-and-2-5-0-2-5-2-being-exploited-now/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1” 404 6290 “-” “BOT/0.1 (BOT for JCE)”
174.34.252.13 – – [03/Feb/2014:01:01:11 -0500] “GET /blog/2014/01/14/vulnerability-in-joomla-1-6-1-7-and-2-5-0-2-5-2-being-exploited-now/images/stories/food.php?rf HTTP/1.1” 404 6237 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6”
174.34.252.13 – – [03/Feb/2014:01:01:09 -0500] “POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c1246b5f=cf6dd3cf1923c950586d0dd595c8e20b HTTP/1.1” 500 885 “-” “BOT/0.1 (BOT for JCE)”
174.34.252.13 – – [03/Feb/2014:01:01:19 -0500] “POST /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&version=1576&cid=20 HTTP/1.1” 404 5923 “-” “BOT/0.1 (BOT for JCE)”
174.34.252.13 – – [03/Feb/2014:01:01:20 -0500] “GET /images/stories/food.php?rf HTTP/1.1” 404 5921 “-” “Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6”

More of Rackspace’s Bad Security

We previously touched on Rackspace’s bad security when it comes to their clients, but they also don’t feel the need to take a basic security measure with their own website. That basic security measure being that that you should keep software running on your website up date. By doing that you prevent your website from being able to exploited though a known vulnerability in older versions of the software.

Rackspace’s Knowledge Center website is still running Drupal 7.18:

That version is now a year out of date and Rackspace has failed to apply four security updates (7.19, 7.20, 7.24, and 7.26). With each of those security updates it has been urged that “Sites are urged to upgrade immediately after reading the security announcement.”. Updating between versions of Drupal 7 is relatively easy, so there isn’t any excuse for them not to have updated it. It also raises the question if Rackspace is handling the rest of their security, much of which is not as visible, as poorly as they are with this.

Go Daddy Still Using phpMyAdmin Version That Hasn’t Been Supported for Two and Half Years

In the past we have mentioned a number of web hosts who were not keeping the MySQL administration software phpMyAdmin running on their servers up to date. In addition to the risk that directly poses to the websites hosted with them, due to the fact that the web host is running software with known vulnerabilities, it is indication that the web host might not be handling other parts of the security properly either.

Go Daddy is yet another web host who hasn’t kept phpMyAdmin up to date on their system. They are currently running phpMyAdmin 2.11.11.3. Support, including security updates, for the 2.11.x series ended on July 12, 2011. While running software that hasn’t been supported for two and half years is pretty bad, it pales in comparison to other web hosts who we have seen running up to seven years out of date versions. What makes Go Daddy worth mentioning is they promoted that they were using 2.11.11.3 after support had ended.

On the day after support for 2.11.x ended they put out notification about the need to update newer versions of phpMyAdmin to fix several vulnerabilities. The notification reads in part (the emphasis is theirs):

The developers of the popular browser-based MySQL tool, phpMyAdmin, recently released updates to patch multiple critical security vulnerabilities in phpMyAdmin 3.4.3 and earlier. The vulnerabilities could let attackers overwrite session information to bypass authentication, inject malicious code, or perform other actions.

Good news, though. The 2.11.x versions aren’t affected. We use phpMyAdmin version 2.11.11.3, so you don’t need to worry if you’re using our shared hosting. (But, it’s a good time to make sure all your other hosting apps are up to date. For more information, see Upgrading to a New Version of a Hosting Quick-Install Application.)

If you use phpMyAdmin 3.4.3 or earlier on a virtual or dedicated server, you must download and install the patch or latest version.

That shows that Go Daddy was aware that phpMyAdmin could contain security vulnerabilities and that it needs to be kept up to date. Yet they were touting that they were running a version that was no longer supported with security updates.

It does appear that Go Daddy made attempt to upgrade their phpMyAdmin installation around a year ago, as the phpMy Admin documentation on the server is for phpMyAdmin 3.5.5, which was released on December 20, 2012. Other web hosts are able to handle upgrading phpMyAdmin in timely manner, so it would appear Go Daddy has some serious problems if they are not even able to complete an upgrade.

HostMonster Doesn’t Do Basic Site Security

When it comes to the security of your website, your web host plays an important part but too often they are failing do what they need to do to keep your website secure. One of the areas we have see web hosts fail at is keeping the control panel software running under website’s up to date. With the Plesk control panel that has lead to large amounts of website being hacked due to vulnerabilities that existed in older versions of the software. In attempt to make it easier to spot when web hosts are failing to keep control panel software up to date we have just released a web browser extension Control Panel Version Check, available for Firefox and Chrome, that provides version information for cPanel and Plesk based control panels and warns when an outdated version is in use.

To show how the extension comes can highlight unsafe hosting let’s take a look at one host. HostMonster claims that “By design our servers are secure.” and that “The security level of your site depends on the code that is uploaded to HostMonster’s Servers.”. You would think when they make such a definite statement about their security and faulting customers for any security breach they would at least being doing basic security, but that isn’t the case. The second item on their basic security check list is to “Update all scripts/applications to the newest versions available.” and there reason for this is that “Old security holes are updated and remedied in new versions of software, so updating to the newest versions available ensures that you are running the most secure option available.”. That sounds like reasonable advice; unfortunately they don’t follow it, despite claiming they are secure by design:

Support for version 11.32 of cPanel ended in August. Since then cPanel has put out several security announcements for vulnerabilities in cPanel. With support ended for cPanel 11.32 none of those vulnerabilities would be fixed in that version.

It doesn’t end there, with our phpMyAdmin Version Check extension you can see that they are also running an outdated version of phpMyAdmin:

That version is over a year out of date and there have been numerous security fixes released in subsequent versions.

Tech News Websites Not Taking Basic Security Measure With Their Websites

When it comes to improving the security websites one of the biggest problems we see is that there is so much bad information available on the Internet, especially the information coming from companies trying to sell security products and services. We would hope that news organizations would provide the public with a source for better information, but most of the security reporting we see in technology news websites is just as bad as anywhere else. Their lack of security knowledge also impacts their own websites as we see that they are not taking basic security measures with their websites and therefore leaving them vulnerable.

We found three prominent technology news websites that are running very out of date versions of the Drupal software. Keeping software up to date on a website prevents known vulnerability being exploited and we have found that when vulnerabilities in website software are exploited it almost always due to a vulnerability that has already been patched in a newer release of the software.

ITworld

ITworld is running a version of Drupal that is nearly three years out of date – the next version was release in December of 2010 – and they have missed three security releases.

InfoWorld

InfoWorld is running a version of Drupal that is nearly three and half years out of date – the next version was release in June of 2010 – and they have missed four security releases.

Network World

Network World is in much worse shape than the other two organizations as they are using Drupal 5, for which support ended back at the beginning of 2011. They haven’t even bothered to at least make sure they are running the most recent version of Drupal 5. In fact they haven’t updated it in over four and half years – the next version was released in January of 2009 – and they missed the last nine security releases for Drupal 5.

Rackspace’s Bad Security

We have found that web hosts often prominently advertise their focus on security while not actually caring about security enough to even taking basic security measures. Lets take a quick look at Rackspace to see that in action. Rackspace has a whole section of their website dedicated to security. If you look over that you would probably be impressed. Though if look closely you might see warning signs. For example, they have a PDF about their “holistic approach to security” that was written by their Director of Product Marketing. Why is a product marketing person writing a security guide?

You don’t have to look hard to see that Rackspace don’t actually have much concern for security. A really basic security measure is keeping software running up to date. That way the software isn’t vulnerable to known security vulnerabilities that have been fixed in the software. An important component of many hosting services is phpMyAdmin, which allows administration of MySQL databases. If someone can exploit phpMyAdmin they can gain access to the database underlying a website. With that they could collect customer information stored in the database, they could create a new administrator account for a website to gain further access, or do other harmful things. If you believed Rackspace’s claims about their focus on security you would certainly expect they would be keeping their installation of phpMyAdmin up to date. Unfortunately for their customers they don’t:

The version they are running is over a year and half out of date (as the next version of phpMyAdmin was released in February of 2012). It gets even worse, Rackspace only upgraded to that version after a customer alerted them that they were running an outdated and insecure version of phpMyAdmin and took them six months after being alerted to that to do that upgrade.

According to the information on phpMyAdmin’s security page the version Rackspace is running contains a number of security vulnerabilities. The version they are using is so out of date that phpMyAdmin no longer lists if vulnerabilities impact that version, so it isn’t clear exactly how many there are.