Poor Patch Management Makes CMSes Low-Hanging Fruit for Hackers

Content management systems like WordPress and Joombla have become popular targets for hackers in recent times because flaws in those systems can be leveraged for mischief across literally millions of websites.

WordPress is running on some 73 million websites and Joomla some 35 million, so if you’re a cybercriminal with a fresh vulnerability to one of those CMS systems in your satchel, you can do some serious damage.

“For the most part, hackers are not compromising WordPress websites simply to deface them, but rather as the first step of a larger attack,” Michael Sutton, vice president of security research at Zscaler, told TechnewsWorld.

“Compromised WordPress sites can serve as watering holes to serve up malware to unsuspecting users,” he explained. “Servers hosting WordPress can be leveraged by hackers, utilizing extra resources to host botnets for DDoS attacks and spam.”

Broadcasting Vulns

Poor patch management is a primary contributor to compromising websites running popular CMS software. “When a new WordPress vulnerability is identified, the question is not ‘are there any vulnerable sites?'” Sutton said. “The question is ‘which sites are vulnerable?'”

Automation tools make it much easier for hackers to launch these attacks on any site running a CMS. Finding a vulnerability can sometimes be as simple as using a search engine to find websites broadcasting their out-of-date weaknesses to the Web.

“The No. 1 most important WordPress security advice is to make sure to keep your patches up to date,” Sutton said.

“It is important not to use an obvious user name and password combination like ‘admin’ or ‘password,’ but that is a basic security principle for any website,” he added.

“The bigger issue,” continued Sutton, “is a lack of awareness — awareness that these vulnerabilities exist, awareness that patches exist, and awareness that users need to take the time and effort to patch these vulnerabilities themselves.”

BYOD’s Transient Headache

With employees increasingly accessing their boss’ networks with personal devices, security administrators can have difficulty keeping tabs on what’s generating traffic on their nets. That gap in knowledge can pose major security risks to a company’s data trove.

Even in environments with systems in place for monitoring mobile devices — so called mobile device management systems — transient mobile devices can pose a security threat.

One possible solution to that problem is to identify transient mobile devices by their activity on a network using a system such as the Passive Vulnerability Scanner offered by Tenable.

“If you ask any corporate IT administrator how many mobile devices they have on their network that are unmanaged, they’re not going to know,” Tenable CEO Ron Gula, a former NSA hand, told TechNewsWorld.

“What our PVS does,” he continued, “is it looks at network traffic and identifies those mobile devices.”

It does that through their user agent strings, their connections to online app stores, and certain network fingerprints they leave on the network.

“We can look at all the network traffic that goes in and out of an organization at the perimeter and identify them,” Gula added. “It’s the same thing as a network detection intrusion system, but instead of looking for intruders, you’re looking for fingerprints of mobile applications and devices.”

iPhone Fingerprint Scanner

Although it was discounted by several Internet sources last week, the rumor persists that the next iPhone will break ground in mobile authentication by embedding a fingerprint scanner in the handset.

While such a move could improve security on the mobile, it shouldn’t be considered the last word on authentication, maintained Brendon Wilson, director of product management at Nok Nok Labs.

“It’s an improvement because it combats a major source of security risk associated with passwords, namely password re-use,” Wilson told TechNewsWorld.

“Users routinely re-use passwords across multiple sites,” he explained, “which places them at increased risk when their password is compromised. Immediately, every account at other sites where they used that password is essentially compromised.”

What must be realized is that Black Hats are nimble adversaries. A new form of identity protection will just be another challenge for them.

“Attackers will attempt to figure out how to steal fingerprints off surfaces, off devices, or how to have malware attack the underlying hardware to steal credentials,” Wilson said.

“It would be a mistake to think fingerprint scanning is the final word in authentication,” he added.

The killer app for authentication is one that “just works” across devices — not only now, but as capabilities are added to those devices in the future.

“That’s the one advantage passwords have right now,” Wilson observed. “Everywhere you go, every device you use, there is some way to enter a password.”

Breach Diary

  • Aug. 5. Bank of Scotland fined Pounds 750,000 by UK Information Commissioner’s Office for faxing to members of the public mortgage claims and wills that should have been sent to the bank’s document scanning department. On some 22 occasions from 2009 to 2012, bank employees misdialed fax numbers and sent confidential documents to individuals in the UK.
  • Aug. 7. Experian Data Breach Resolution and the Ponemon Institute release study showing companies now rank cybersecurity risks as greater than natural disasters and other major business risks. Researchers also found that 31 percent of companies are insured against cyber-risks, but a growing number are exploring that avenue of protection.
  • Aug. 8. U.S. Veterans Administration reports that 98 percent of the agency’s data breaches involve paper. Misplaced, mishandled or improperly mailed paper records are at the root of its data breach problems, the agency said.
  • Aug. 8. U.S. Airways Group reports breach of Dividend Miles accounts. Some customers’ accrued mileage may have been deducted. The compromised accounts were deactivated, and the airline said it was working with law enforcement officials to investigate the incident. The company refused to say how many accounts were affected.
  • Aug. 8. LulzSec hacker Raynaldo Rivera sentenced to 366 days in prison, 13 months of house arrest, 1,000 hours of community service and ordered to pay US$605,663 in restitution for his role in a data breach of Sony Pictures Entertainment, which exposed the personal information of 138,000 people.

Upcoming Security Events

  • Aug. 12-14. AIAA Aviation 2013: Focus on Cyber Threats to Airline Industry. Hyatt Regency Century Plaza, Los Angeles. Sponsored by American Institute of Aeronautics and Astronautics. Registration: By July 26, $1,000 non-member; $840 members. July 27-Aug. 10, $1,100 non-member; $940, members.
  • Aug. 21. Vulnerability Management Challenges and Best Practices Revealed. 12 p.m. ET. Webinar by IBM Security Systems. Free with registration.
  • Sept. 10. AT&T Cyber Security Conference. New York Hilton Midtown Hotel, Avenue of the Americas, New York City. Free with registration.
  • Sept. 11-13. 4th Cybersecurity Framework Workshop. The University of Texas at Dallas, 800 West Campbell Road, Richardson, Texas. Free with registration.
  • Sept. 12. Inside the Mind of a Hacker, 9:30 a.m. ET. Webinar sponsored by WatchGuard. Free with registration.
  • Sept. 24-27. ASIS International 59th Annual Conference. McCormick Place, Chicago. Registration: Before Aug. 21, $895 member, $1,150 non-member. After Aug. 20, $995 member, $1,295 non-member.
  • Oct. 1-3. McAfee Focus 13 Security Conference. The Venetian /The Palazzo Resort-Hotel-Casino, 3325-3355 Las Vegas Blvd., South Las Vegas. Registration: Early Bird to July 31, $875/$775 government; Standard to Oct. 3, $995/$875 government.
  • Oct. 29-31. RSA Conference Europe. Amsterdam RAI. Registration: Early Bird to July 26, 895 euros+VAT delegate/495 euros+VAT one day pass; Discount from July 27 -Sept. 27, 995 euros+VAT delgate/595 euros+VAT one day pass; Standard from Sept. 27-Oct.27, 1,095 euros+VAT delegate/695 euros+VAT one day pass; Onsite from Oct. 28-31, 1,295 euros+VAT.
  • Nov. 18-20. Gartner Identity & Access Management Summit. JW Marriott at L.A. Live, 900 West Olympic Boulevard, Los Angeles, Calif. Registration: Early Bird to Sept. 27, $2,075; Standard, $2,375; Public Sector, $1,975.
  • Dec. 4-5. MENA Business Infrastructure Protection 2013 Summit (Risk Management and Security Intelligence for companies in the Middle East and North Africa). Dubai.
  • Dec. 9-13. Annual Computer Security Applications Conference (ACSAC). Hyatt French Quarter, New Orleans.

John Mello is a freelance technology writer and former special correspondent for Government Security News.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by John P. Mello Jr.
More in Hacking

Technewsworld Channels