Category: Drupal

Yesterday, as part our series of posts highlighting the fact that even high profile websites are not taking the basic security measure of keeping the software running them up to date, we highlighted the fact that ING US was using outdated and insecure versions of Drupal on their website. Today we have a few quick follow-ups.

First it was brought to our attention that the fact that ING was using Drupal was a big enough deal for the creator of Drupal to highlight it, saying in part

You know when a piece of software is mature when it starts being adopted by financial services organizations.

The fact that such high profile user isn’t keeping Drupal up to date in light of the security need of doing so either means that that Drupal is too hard to keep up to date, which we strongly disagree with based on keeping our own installation up to date and handling plenty of upgrades for clients, or there is more general problem with security practices for websites.

In the aforementioned post another ING US website was highlight as running Drupal and that website unfortunately has also not been kept up to date:

That version is over two years and they have failed to apply five security updates (6.23, 6.27, 6.28, 6.29, and 6.30).

At the bottom on that website is a link to a Web Site Security page, which in part advises keeping the software on your computer update:

Take care of your computer

• Update your computer by installing the latest software and patches to prevent hackers or viruses from exploiting any known weaknesses in your computer.

It would great if ING, as well as everyone else running a website, took that advice and applied it to their websites.

 

When it comes to keeping websites secure one of the basic things that needs to be done is to keep the software running the website up to date. This prevents the website from being exploited through a known vulnerability in old versions of the software that has been fixed in a subsequent release. We know that many websites are not doing this, which is troubling, but what is more troubling is that the major institutions are not even doing this with their websites. Last week we looked at major security software provider not doing it and if you go back in this blog, you can find other examples. Today let’s look at example of a major financial institution in the same boat. ING US, which in the process of rebranding as Voya Financial, reports having $511 billion of assets under management and administration and serving approximately 13 million customers. They use Drupal for main portion of the ING US website. Using our Drupal Version Check web browser extension, available for Firefox and Chrome, you can check if it is up to date:

You can see that they are not. With a little further checking we were able to determine they are using Drupal 6.19. That means they haven’t updated the software in over three years and they have failed to apply five six security updates (6.21, 6.23, 6.27, 6.28, 6.29, and 6.30). It is important to note that account access portions of their website are separate from the main website, so they are not directly impacted by this lax security. Though it does raise the question of how well they secure the other portions of their website if they are not doing something this basic. Also, if someone could exploit one of the vulnerabilities in the version of Drupal on the main website they could change the links directing people to the account access portion of the website to another location and use that to gather login credentials.

It isn’t just the ING US website that has an out of date version of Drupal in use. The website for their new name, Voya Financial, also is using an outdated Drupal version:

With a little further checking we were able to determine they are using a version no newer than Drupal 7.21. That means that they haven’t updated the software in nearly a year and they have missed at least two security updates (7.24 and 7.26).

When it comes to improving the security websites one of the biggest problems we see is that there is so much bad information available on the Internet, especially the information coming from companies trying to sell security products and services. We would hope that news organizations would provide the public with a source for better information, but most of the security reporting we see in technology news websites is just as bad as anywhere else. Their lack of security knowledge also impacts their own websites as we see that they are not taking basic security measures with their websites and therefore leaving them vulnerable.

We found three prominent technology news websites that are running very out of date versions of the Drupal software. Keeping software up to date on a website prevents known vulnerability being exploited and we have found that when vulnerabilities in website software are exploited it almost always due to a vulnerability that has already been patched in a newer release of the software.

ITworld

ITworld is running a version of Drupal that is nearly three years out of date – the next version was release in December of 2010 – and they have missed three security releases.

InfoWorld

InfoWorld is running a version of Drupal that is nearly three and half years out of date – the next version was release in June of 2010 – and they have missed four security releases.

Network World

Network World is in much worse shape than the other two organizations as they are using Drupal 5, for which support ended back at the beginning of 2011. They haven’t even bothered to at least make sure they are running the most recent version of Drupal 5. In fact they haven’t updated it in over four and half years – the next version was released in January of 2009 – and they missed the last nine security releases for Drupal 5.

Last week we mentioned that Department of Homeland of Security (DHS) is failing basic cybersecurity practices by not keeping the software running on their website up to date with security updates. It is probably not surprising that agencies under the DHS are also leaving their websites vulnerable to known security vulnerabilities because they are failing to keep the software running on them up to date. That includes the Federal Emergency Management Agency (FEMA), which if you visit their website with our Drupal Version Check extension installed in your web browser (available for Chrome and Firefox) you will see is also running an outdated version of Drupal:

Further checking shows that the website is running Drupal 7.17 or 7.18, so FEMA has failed to update the software for over three months, the next version was released back in January, and they have missed the last two security updates.

While “President Obama has declared that the “cyber threat is one of the most serious economic and national security challenges we face as a nation” and that “America’s economic prosperity in the 21st century will depend on cybersecurity.”“, the White House is failing to take a basic security measure with their website. If you visit the website with our Drupal Version Check extension installed in your web browser (available for Chrome and Firefox) you will see that they are running an outdated version of Drupal:

Further checking shows that the website is running Drupal 6.26 or 6.27, so the White House failed to apply one or two security updates. Keeping software up to date is one the basic steps and easier steps when it comes to cybersecurity and the White House is failing at that.

Updating between versions of Drupal 7 is relatively easy, so there isn’t any excuse for an organization with its resources to not be able to keep it up to date.

 

Ahead of a vote on the CISPA legislation the head of the Department of Homeland Security (DHS) will be briefing members of the House of Representatives today on cybersecurity. Maybe the briefing should be on how not to do cybersecurity as the DHS is failing to take a basic security measure with their website. If you visit their website with our Drupal Version Check extension installed in your web browser (available for Chrome and Firefox) you will see that they are running an outdated version of Drupal:

Keeping software up to date is one the basic steps and easier steps when it comes to cybersecurity and the DHS is failing at that. The larger question that this raises is what else they might be failing to do when it comes to cybersecurity, since they fail to do something so basic.

Further checking shows that the website is running Drupal 7.14, so the DHS has failed to update the software for over 8 months, the next version was released back in August of 2012, and they have missed the last 4 security updates.

When it comes to internet security one of the most basic steps is keeping your software up to date. In sign of how poor the state of internet security is, even security companies are not taking such a basic step. The US website of Kaspersky Lab, which the New York Times has described as “Europe’s largest antivirus company“, is running a very out of date version of Drupal:

Kaspersky Lab has failed to update the software for over two years, the next version Drupal 6.20 was released back in December of 2010, and they have missed the last 4 security updates. Updating between versions of Drupal 6 is relatively easy, so there isn’t any excuse for a tech company not being able to keep it up to date.

Kaspersky Lab is not alone in this, last year we posted about Panda Security’s failure to update software running their websites even after some of their websites had been hacked.

You can check if Drupal websites you visit are keeping the software up to date with our Drupal Version check extension for Chrome and Firefox.