Known Vulnerability

Not all defacement are created equal. I have a second grader who has just started to use her school's web site so this defacement of 20 primary school web sites with porn hit me deep inside. We do so much to screen our young ones from the sleazy world outside, and getting it in the school's web site is just unimaginable. Just thinking about the questions I would be asked if my daughter would get such pages.

The incident also highlights the total breakup of cyber security. The incident is blamed on an unpatched version of Moodle, an open source on-line education software. The naive way ot thinking would be that schools don't have the budgets to protect their applications or even to upgrade them. However, as this incident shows, proper security is fundamental and a substantial part of the budget should be allocated to it, even it means we spend less on the application features. We need to move slower but ensure security. After all, what is the value of an educational system that shows porn?

Another insight is that real time controls for protecting web applications are essential. You need a WAF. While the specific vulnerability exploited is unknown, Installing ModSecurity would have probably prevented the exploit.

Symantec reported an active exploit of CSRF against residential ADSL routers in Mexico (WHID 2008-05). An e-mail with a malicious IMG tag was sent to victims. By accessing the image in the mail, the user initiated a router command to changethe DNS entry of a leading Mexican bank, making any subsequent access by a user to the bank go through the attacker's server.

Additional information:

Hackers exploited an unknown cPanel vulnerability to break into HostGator servers and plant malware on hosted sites.

Additional information:

• HostGator: cPanel Security Hole Exploited in Mass Hack [NetCraft, Sep 23 2007]
• Hacked HostGator Sites Distribute IE Exploit [NetCraft, Sep 22 2008]

The Washington Post ran a story about a large scale infiltration to IPower, a major hosting provider. According to the story and the following comments, it seems that the problem is plunging IPower for a long time without being resolved. Put in perspective the PlusNet incident which was serious but swiftly handled and publicly acknowledged by the company.

A known vulnerability in the helpdesk software used by hosting provider Layered Technologies resulted in leakage of information, including names, addresses, phone numbers and email addresses of up to 6,000 of the company's clients.

Additional information:

• Web host breach may have exposed passwords for 6,000 clients [The Register, Sep 19 2007]

In an incident very similar to the Al Gore Hack, the personal blog of IT journalist Tim Anderson was also hacked. Unlike Mr. Gore, Tim discusses the breach and its origins.

Additional information:

• The day my web site was hacked [IT Week, Dec 17 2007]

Whether comment spam by itself is an application failure or a necessary evil for site allowing rich comments is an open question. However it is reported that in this case vulnerability in WordPress allowed the spammers to actually penetrate the site and modify pages and not just abuse comments.

Additional information:

This story probably represents hundreds of similar stories. Many of us have come to rely on open source software, which is useful, feature reach and free. It enables us access to tools available to a few only a couple of years ago. The downside is that this easy availability means that many use the tools without having the time, resources and expertise to protect them. Systems such as phpBB and WordPress are good
examples of very popular open source systems that require constant
attention in order to maintain secure.

I am sure that the guys at Light Blue Touchpaper have the expertise to protect their WordPress installation, but they don’t have the time. They made the compromise between ease of management of their web site and its security. Actually my personal blog might be just as vulnerable, since as I write this I am very much not paying attention to its security.

Apart from, or actually because of  the fact that the victims are security experts, this story is noteworthy due to two additional twists in the plot:

• Zero day exploit in the wild - the attacker penetrated twice, once using a known SQL injection vulnerability, but the second time using a yet unknown vulnerability in WordPress, which was reverse engineered and published for the first time by the people at Light Blue Touchpaper.
• The researchers found that they can use Google to retrieve the hashed password of the hacker. Google has become so big that it actually allows efficient encrypted passwords lookup.

Additional information:

• Upgrade and new theme [Light Blue Touchpaper Blog, Oct 27 2007]
• Google as a password cracker [Light Blue Touchpaper Blog, Nov 16 2007]
• Forgotten your password? Google can find it for you. Unfortunately [Technology Guardian, Nov 23 2007]
• Wordpress cookie authentication vulnerability [Light Blue Touchpaper Blog, Nov 20 2007]

Defacements seem to dominate the list recently, probably because they reach everywhere. Two important conclusions from this particular one are that patch management is a key problem and that it is a problem mainly at government sites across the world.

Additional information:

• County's Web site hacked; no data lost [Journal Gazetter, Aug 28 2007]

A command injection vulnerability at 1&1, a large German hosting provider, lead to denial of service and possible home page modification at 30 servers and up to 1700 web sites.

Additional information:

• Server hacked through holes in Confixx management software [Heise Security, Aug 1 2007]