walkah: Harvard Joomla site hacked: things to learn?

19 Feb 2008

Harvard Joomla site hacked: things to learn?

There have been reports that Harvard recently had a Joomla! based website compromised, and the database contents have been made available via BitTorrent. Of interest: the compromise was apparently made possible by an insecure password. From the TorrentFreak article:

A file included with the release labeled password.txt carries a message:

Thomas gatton….stupid people, you don’t use a secure password

While it's not entirely clear whether it was an insecure system password or an insecure Joomla! password used - it does highlight an important aspect of security.

Ensuring that you write secure code is only (a small) part of the security problem. With our recent Drupal 6.0 release, we have tried to incorporate several changes to help our users be more secure:

  • Password strength checker: when selecting a password in Drupal, users are now warned when their password is "weak", encouraging passwords that are harder to guess or crack, particularly for admin and other privileged users.
  • OpenID support: Even a strong (hard to guess / crack) password can be compromised by a clever attacker if you consistently log in without SSL (e.g. when you're at that internet cafe). Also, remembering many (hundreds!) of complicated, strong passwords can be daunting and frequently leads to poor password choices. By including OpenID authentication support, Drupal users and administrators no longer have to remember passwords for every site they administer. They can use their OpenID, whose provider can in turn implement stronger authentication methods to limit potential vulnerabilities. Development Seed has a great article on how they use OpenID to avoid sharing passwords for admin accounts.
  • Update module: One of the biggest security challenges is keeping your site up to date. Drupal sites tend to be a combination of Drupal core and several (10 - 50) contributed modules, and keeping them all up to date is a complicated task. It's also a crucial security precaution.

The point being: writing secure code is one thing, but there is a much trickier, critical task in educating users and administrators. It's something we're working towards within the Drupal Security Team and within the community in general. We're not done yet, and welcome your feedback and suggestions!

Anonymous

The trouble with OpenID...

February 19, 2008 - 6:00pm

The trouble with OpenID is of course, that if that one account is compromised, many of your other accounts can be compromised too. Luckily you can choose your OpenID provider, but there's a risk that common users won't have the skills and knowledge to choose well.

Ian

walkah

More OpenID education required

February 19, 2008 - 8:14pm

It's true - user-centric identity does place some significant onus on users. I think we'll see some 'best practices' emerge around usage of identifiers (work vs. personal, etc etc).

The nice thing is we're seeing OpenID providers begin to emerge that implement much stronger, more secure authentication methods - ones that make it much more difficult to compromise (myopenid.com and vidoop come to mind).

IMO (and it may not be universal) it's easier to teach people how to take really good care of a single identifier than to instill best practices around hundreds and hundreds of accounts.

Anonymous

Good points

February 19, 2008 - 11:56pm

You make some interesting points with regard to securing sites being more than just secure code, but also users being secure in their own practices. At my workplace, I spend about two weeks every quarter certifying that "we are secure" via network scans and lots of paperwork. For half a decade I've been focused on security at work and it only dawned on me recently that my personal password and security practices were actually tougher behind the firewall than outside of the firewall.

I use complex passwords on our servers at work, but when it comes to my own personal accounts spread across the Internet...I've been a fool. Luckily, I've been changing my ways the past few months before someone decided to "educate" me on just how weak my passwords were.

Anonymous

Captcha

February 20, 2008 - 9:42am

Thanks for sharing this.

One can also add a captcha to the login form - this makes it harder to automatically test for random passwords.

And - for the record - the link to chx's post in reaction to this one: http://www.drupal4hu.com/node/127 - use SuperGenPass or similar tools for generating your passwords.

Alex

Anonymous

Harvard Joomla site hacked: things to learn?

February 20, 2008 - 1:00pm

OpenID is pretty much useless. The reasons for this are many: OpenID is highly vulnerable to phishing and other attacks, creates insurmountable privacy problems, is not a trust system, suffers from usability problems, and makes it unappealing to become an OpenID “consumer.”

Anonymous

Well, anytime you leave

February 29, 2008 - 1:38pm

Well, anytime you leave database backups for any website out in an accessible location, it's not a good thing.

This is a strange problem. In Joomla!, passwords are MD5 encrypted in the user table - have been for a long time. So, you can't get the password from the backup file.

In Joomla! v 1.0.13, and on, a salt was added to make it impossible to break those MD5 hashes using rainbow tables. Again, it should be impossible to retrieve those passwords, even if you did get a hold of that backup.

So, what happened then if they didn't get the usernames and passwords from the database backups?

Well, the unconfirmed story is that a text file entitled password.txt was added to the folder containing the backups. The contents of the file were consistent with the name of the file - it contained a list of IDs and passwords.

Would OpenID take care of this? I can't see how. It would be just as easy to document usernames and passwords for OpenID and store those values in the password.txt file.

And, if that were done, the broader vulnerabilities that OpenID introduces are apparent. Not only would the cracker expose access to a departmental website at a University, but it would also expose access to whatever other systems were linked to that OpenID profile.

Now, for the record, Joomla! v 1.0.x (with an extension) and v 1.5 (in native core), allow for OpenID access.

When these things happen, my heart sinks. I am glad there are so many others interested in hardening security. Free (liberty) software is held to strenuous standards and I think that is most appropriate! We are even held to account when usernames and passwords to systems created using our software were exposed -- in ways we could not possibly prevent.

Sadly, this attention is what they seek.
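The salted hash this comment describes, as an added illustration that is not part of the original post or of Joomla!'s own code. It assumes the Joomla! 1.0.13/1.5 storage layout `md5(password + salt):salt` with a 16-character salt, and uses a tiny constructed lookup table of unsalted MD5 digests to show why such a table matches a pre-1.0.13 record but not a salted one:

```python
import hashlib
import hmac
import secrets
import string

# Assumed Joomla! 1.0.13+/1.5 layout: "<md5(password + salt)>:<salt>" with a 16-char salt.
SALT_ALPHABET = string.ascii_letters + string.digits


def make_salt(length=16):
    """Random per-user salt; a different salt makes the same password hash differently."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def unsalted_hash(password):
    """Pre-1.0.13 style record: bare MD5, identical for every user who picks the same password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Salted record in the assumed 'digest:salt' layout."""
    if salt is None:
        salt = make_salt()
    digest = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return f"{digest}:{salt}"


def verify_password(password, stored):
    """Accept both layouts, as a site upgraded across 1.0.13 would have to."""
    digest, _, salt = stored.partition(":")
    candidate = hash_password(password, salt).split(":")[0] if salt else unsalted_hash(password)
    # Constant-time comparison so timing does not leak how many characters matched.
    return hmac.compare_digest(candidate, digest)


def build_lookup(wordlist):
    """Constructed stand-in for a rainbow table: precomputed unsalted digests of common passwords."""
    return {unsalted_hash(word): word for word in wordlist}


def lookup(stored, table):
    """What a copied backup yields against the precomputed table: the password, or None."""
    digest = stored.partition(":")[0]
    return table.get(digest)


if __name__ == "__main__":
    table = build_lookup(["123456", "password", "letmein"])  # constructed sample wordlist
    print(lookup(unsalted_hash("letmein"), table))            # letmein: unsalted record is recovered
    print(lookup(hash_password("letmein"), table))            # None: salted record is not in the table
    print(verify_password("letmein", hash_password("letmein")))  # True
```

Salting defeats precomputed tables, but MD5 is cheap enough that a copied backup still permits per-user guessing, which is why later systems moved to slow, iterated password hashes; a leaked backup should be treated as a credential exposure and passwords reset.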

Anonymous

Still, no response?

March 23, 2008 - 11:36am

Still, no response? :P

Anyway, I have to say, when the FSF Drupal site was attacked recently, I am so relieved there wasn't a ton of "Drupal hacked" blogs rolling - even though that was a Drupal vulnerability.

This was not even a Joomla! vulnerability. The cracker obtained the System Admin password and username and walked on in, copied a Joomla! database backup taken the month before, along with a number of other files, and floated it out to the Internet.

Do you know, Walkah, that you have the number one search results on Google for Harvard Joomla!?

Harvard Joomla site hacked: things to learn? | walkah
There have been reports that Harvard recently had a Joomla! based website compromised, and the database contents have been made available via BitTorrent. ...

And, the entire premise of your article is incorrect. The Joomla! website was never compromised. And, yet you have yet to correct this misconception. Please do that! It would be so very appreciated.

Thanks,
Amy :)

walkah

Actually, this article wasn't really about Joomla! per se...

March 23, 2008 - 12:09pm

The fact is, security compromises like these are an important chance for people to learn. Note from my original post:

While it's not entirely clear whether it was an insecure system password or an insecure Joomla! password used - it does highlight an important aspect of security.

Joomla! password, Drupal password or system password - we all need to be aware of all the various attack vectors possible. In fact, I never even suggested it was a Joomla vulnerability - and worse, Joomla was taking the heat. But, yeah, it happens to us Drupal folks too. Heck, it happened to me personally - see my post on it - and that was a Drupal vulnerability.

The thrust of my article, however, was and remains that insecure code is only part of the problem - insecure users are much more (potentially) dangerous and harder to "fix". It was something we, Drupal's security team (of which I am a member), spent some energy on for the 6.x release but something all users (especially admins) of all systems need to understand.

Anonymous

I'll be honest (but I think

March 24, 2008 - 10:29pm

I'll be honest (but I think you get it already), I am really disappointed and frankly surprised in your sensational treatment of this story.

The Harvard story wasn't a Joomla! crack. The story you are pointing me to for comparative purposes, was a Drupal vulnerability. So, already, I don't see the relationship.

But, even if it were, compare the headlines with this story - and the one you are pointing me to as "an equivalent" of you reporting on Drupal:

Which is more damaging to a free software project?

Now, not only did you post it on your personal blog, but you also evangelized the importance of security by using this sensational title and posted it to Jaiku and Twitter!

And, still, there is no clarification.

Walkah - the system administrator ID was inappropriately used to walk right into the server. (Note: not the Joomla! website - the Linux box the website and lots of other things sat on.) I hope they catch that bastard because he compromised personally identifiable data, too, and now literally thousands and thousands of Harvard applicants are being provided a free service to scrub their personal data, a job they will never be able to say is done since their social security numbers were very possibly obtained.

+++++

If the purpose of your blog is to emphasize the importance of using OpenID - then you need to follow through with an analysis that understands the facts in this case. Tell me, if this criminal had obtained the System Administrator's OpenID credentials, instead of simply the User name and password for this server, would things have been better or worse?

+++++

Free (liberty and cost) software is held to high standards - the very highest standards. We all break into a cold sweat when these things happen because we work hard to provide the very best software we can. We actually want to protect those who use our software.

I think next time, maybe it would be best to not be so quick to toss the name of another free software project into more suspicion. Offer to help. Dig into the story a bit more. If nothing else, thank your lucky stars it wasn't your project - or, heaven forbid, a website you built.

I see all of us working in free software as "in this together." That's why, for me, blowing Drupal's horn isn't taking a thing away from Joomla!. What's good for one is good for all!

We have lots to learn and many improvements to make in the area of security, along with many other areas. We learn from Drupal and I hope Drupal learns from us.

Anonymous

should i add something..or should i ask something..

September 27, 2009 - 4:29pm

Looking at the full post (I doubt if any of the posts have been missing)..I am still not sure if the password hack was just one-off just like it happens with any other business..or was it an open source issue.

my q. is: IS Amy from Joomla and IS Walkah from Drupal..well both open source I believe..& can any one of you answer me if I can go ahead and use Joomla for my project..

cheers
V

Anonymous

u crazy woman u r everywhere :)

October 7, 2009 - 1:07pm

thx for that i dont know what joomla would do without u :)

cheerz

James Walker
