In June 2016, news of a massive hack on the Canada-based forum hosting company VerticalScope spread swiftly around various security blogs and tech news websites. In this attack, hackers were able to steal and leak 45 million records from over 1,000 forums and websites that were included in the VerticalScope network. Amongst their biggest websites, were Motorcycle.com, Boat.com, Mothering.com and more. Read on to find out how the attackers were able to gain access to their database and content management system (CMS) and discover how you can keep your CMS secure.
LeakedSource.com, the popular search engine for over 1.9 billion leaked records, first added details of this leak to their database in April, however, only analyzed the hack in mid-June. Included in the leaked information of the VerticalScope forum and website users were their usernames, user IDs, email addresses and encrypted passwords.
Anatomy of the Hack
In order to access this vast amount of user data, the attackers would have had to exploit multiple weakness in both the VerticalScope security measures as well as in their content management systems (CMS).
Security Week notes that the attackers had most likely gained access to this vast amount of sensitive user information through an easily crackable version of vBulletin software that dated back to 2007 in addition to an unpatched WordPress version and vulnerable WordPress plugins which would have given the malicious party a broad attack vector.
Amongst the vulnerabilities found in WordPress version 4.2.4 are reflected XSS, server-side request forgery (SSRF), authentication issues, open redirects and more.
Other factors that allowed the hackers to access such a large amount of information include the fact that it appears that the user data was stored on either one server, or a series of connected servers rather than separate servers. Finally, a vast majority of the passwords were encrypted using methods that were very easy to break using MD5 with salting and less than a couple million of the 45 million passwords were sufficiently encrypted.
When looking at the top ten most popular leaked passwords in the image below, it becomes apparent that somewhere along the line, between the hack and the leak, some form of data inconsistencies occurred, something which security expert Troy Hunt attributes to, “data inconsistencies in the source, issues with how the hacker exported them or tampering by someone else who’s handled it downstream of them.”
By comparison, most of the most common passwords leaked from large-scale hacks usually revolve around variations of “123456,” “qwerty,” “password” and other similar takes on these common themes.
The Importance of Proper Encryption
VerticalScope attempted to hash their passwords using MD5 with salting which security minded developers agree is an “emphatically poor choice” when it comes to securing passwords. First designed in 1992, the MD5 algorithm is a hash function which produces a 128-bit hash value. As early as 1996, flaws were determined in the design of MD5 and in 2005 it became apparent that MD5 was not collision resistant, a key component for a secure encryption algorithm.
How to Ensure Proper Encryption
In addition to avoiding MD5 hashing as your method of choice, it’s important to also avoid SHA-0 since it has been conclusively broken, SHA-1 as well as DES as it can be broken by the average desktop computer’s GPU.
When choosing your encryption method, be sure to focus on using a symmetric algorithm key size that is at least 168 bit and if you’re dealing with financial transactions, use at least 256 bits. Ensuring that your application protects all cryptographic keys within the file system will also help ensure that your encrypted data is not exploited.
Common encryption security threats include:
- Missing Encryption of Sensitive Data
- Password Weak Encryption
- XS Unencrypted Data Transfer
- Insufficient Encryption Key Size
- Missing Encryption of Sensitive Data
- Inadequate Encryption Strength
Keeping your CMS and plugins patched and updated
In addition to weak encryption, the safety and security of VerticalScope’s user data was also threatened by the outdated and unpatched content management system being used by a number of the VerticalScope sites. Old and vulnerable WordPress versions and plugins have led to some of the most spectacular breaches and exploits of 2016 including the now infamous Panama Papers leak which involved the leaking of over 2.6 TB of data. In this case, experts suggest that it was a seemingly innocent WordPress image slider plugin that created the point of entry for the attackers.
In the VerticalScope case, it was an outdated and unpatched version of WordPress which possessed numerous security weaknesses that the hackers were able to exploit to access user data, while it was an outdated Drupal version that provided an attack vector to the hackers in the case of the Panama Papers leak.
Among the reasons why CMS platforms such as Drupal, Joomla, WordPress and other popular services are such a hot target for hackers is the fact that they are built on open source frameworks that leave no one accountable for when components are hacked. Often website administrators will mistake the popularity that comes along with these “brand name” platforms as a false sign of security when the opposite is often true. When Checkmarx examined the security state of the top 50 plugins on WordPress, over 20% were found to be vulnerable to common web attacks. This research also examined the top e-commerce, and 7 out of the 10 most popular contained vulnerabilities.
How to Protect Your CMS against Hackers
In order to ensure that your CMS is secure against hackers, the first step is ensuring that your platform is up to date. Work with your developers to schedule updates, or patching, at regular intervals to ensure that your site is using the most up-to-date and secure version. Additionally, regularly back up the CMS and its database and be sure to keep tabs on platform-specific security issues by staying up to date on their advisories and security threats.
Check for WordPress security updates here
Check for Drupal security updates here.
CMS plugin security should also be a major focus. Website administrators should be sure to only download plugins from reputable sources such as wordpress.org.
Additionally, plugins should also be regularly updated and patched if necessary. Both web admins and plugin developers should run their plugins through a source code analysis solution to scan for any vulnerabilities that could turn into irreparable damage to the business if exploited.