cms security tips - feature graphic

Is Your Site Secure? CMS Security Tips from a Canadian Forum Hack

Sep 19, 2016 By Paul Curran

In June 2016, news of a massive hack on the Canada-based forum hosting company VerticalScope spread swiftly around various security blogs and tech news websites. In this attack, hackers were able to steal and leak 45 million records from over 1,000 forums and websites that were included in the VerticalScope network. Amongst their biggest websites, were Motorcycle.com, Boat.com, Mothering.com and more. Read on to find out how the attackers were able to gain access to their database and content management system (CMS) and discover how you can keep your CMS secure.

LeakedSource.com, the popular search engine for over 1.9 billion leaked records, first added details of this leak to their database in April, however, only analyzed the hack in mid-June. Included in the leaked information of the VerticalScope forum and website users were their usernames, user IDs, email addresses and encrypted passwords.

Anatomy of the Hack

In order to access this vast amount of user data, the attackers would have had to exploit multiple weakness in both the VerticalScope security measures as well as in their content management systems (CMS).

 

Security Week notes that the attackers had most likely gained access to this vast amount of sensitive user information through an easily crackable version of vBulletin software that dated back to 2007 in addition to an unpatched WordPress version and vulnerable WordPress plugins which would have given the malicious party a broad attack vector.

 

Amongst the vulnerabilities found in WordPress version 4.2.4 are reflected XSS, server-side request forgery (SSRF), authentication issues, open redirects and more.

 

Other factors that allowed the hackers to access such a large amount of information include the fact that it appears that the user data was stored on either one server, or a series of connected servers rather than separate servers. Finally, a vast majority of the passwords were encrypted using methods that were very easy to break using MD5 with salting and less than a couple million of the 45 million passwords were sufficiently encrypted.

 

When looking at the top ten most popular leaked passwords in the image below, it becomes apparent that somewhere along the line, between the hack and the leak, some form of data inconsistencies occurred, something which security expert Troy Hunt attributes to, “data inconsistencies in the source, issues with how the hacker exported them or tampering by someone else who’s handled it downstream of them.”

 

By comparison, most of the most common passwords leaked from large-scale hacks usually revolve around variations of “123456,” “qwerty,” “password” and other similar takes on these common themes.

leaked password comparison: twitter vs verticalscope

The Importance of Proper Encryption

VerticalScope attempted to hash their passwords using MD5 with salting which security minded developers agree is an “emphatically poor choice” when it comes to securing passwords. First designed in 1992, the MD5 algorithm is a hash function which produces a 128-bit hash value. As early as 1996, flaws were determined in the design of MD5 and in 2005 it became apparent that MD5 was not collision resistant, a key component for a secure encryption algorithm.

How to Ensure Proper Encryption

In addition to avoiding MD5 hashing as your method of choice, it’s important to also avoid SHA-0 since it has been conclusively broken, SHA-1 as well as DES as it can be broken by the average desktop computer’s GPU.

 

When choosing your encryption method, be sure to focus on using a symmetric algorithm key size that is at least 168 bit and if you’re dealing with financial transactions, use at least 256 bits. Ensuring that your application protects all cryptographic keys within the file system will also help ensure that your encrypted data is not exploited. 

Additionally, using a static code analysis solution to ensure that your application has sufficient encryption is also recommended as your developers will be able to mitigate any encryption issues at the earliest stages of the SDLC. Checkmarx’s CxSAST scans and for and identifies encryption security issues in multiple languages including Java, CPP, JavaScript, Objective C, C++ and Perl.

 

Common encryption security threats include:

 

  • Missing Encryption of Sensitive Data
  • Password Weak Encryption
  • XS Unencrypted Data Transfer
  • Insufficient Encryption Key Size
  • Missing Encryption of Sensitive Data
  • Inadequate Encryption Strength

 

Keeping your CMS and plugins patched and updated

In addition to weak encryption, the safety and security of VerticalScope’s user data was also threatened by the outdated and unpatched content management system being used by a number of the VerticalScope sites. Old and vulnerable WordPress versions and plugins have led to some of the most spectacular breaches and exploits of 2016 including the now infamous Panama Papers leak which involved the leaking of over 2.6 TB of data. In this case, experts suggest that it was a seemingly innocent WordPress image slider plugin that created the point of entry for the attackers.

 

In the VerticalScope case, it was an outdated and unpatched version of WordPress which possessed numerous security weaknesses that the hackers were able to exploit to access user data, while it was an outdated Drupal version that provided an attack vector to the hackers in the case of the Panama Papers leak.

 

Among the reasons why CMS platforms such as Drupal, Joomla, WordPress and other popular services are such a hot target for hackers is the fact that they are built on open source frameworks that leave no one accountable for when components are hacked. Often website administrators will mistake the popularity that comes along with these “brand name” platforms as a false sign of security when the opposite is often true. When Checkmarx examined the security state of the top 50 plugins on WordPress, over 20% were found to be vulnerable to common web attacks. This research also examined the top e-commerce, and 7 out of the 10 most popular contained vulnerabilities.

 

How to Protect Your CMS against Hackers

In order to ensure that your CMS is secure against hackers, the first step is ensuring that your platform is up to date. Work with your developers to schedule updates, or patching, at regular intervals to ensure that your site is using the most up-to-date and secure version. Additionally, regularly back up the CMS and its database and be sure to keep tabs on platform-specific security issues by staying up to date on their advisories and security threats.

 

Check for WordPress security updates here

Check for Drupal security updates here.

 

CMS plugin security should also be a major focus. Website administrators should be sure to only download plugins from reputable sources such as wordpress.org.

Additionally, plugins should also be regularly updated and patched if necessary. Both web admins and plugin developers should run their plugins through a source code analysis solution to scan for any vulnerabilities that could turn into irreparable damage to the business if exploited.

 

 

Free white paper: SANS 2016 State of Application Security

The following two tabs change content below.

Paul Curran

Content Specialist at Checkmarx
With a background in mobile applications, Paul brings a passion for creativity reporting on application security trends, news and security issues facing developers, organizations and end users to Checkmarx's content.

Latest posts by Paul Curran (see all)

Stay Connected

Sign up today & never miss an update from the Checkmarx blog

Get a Checkmarx Free Demo Now

Interested in trying CxSAST on your own code? You can now use Checkmarx's solution to scan uncompiled / unbuilt source code in 18 coding and scripting languages and identify the vulnerable lines of code. CxSAST will even find the best-fix locations for you and suggest the best remediation techniques. Sign up for your FREE trial now.

Checkmarx is now offering you the opportunity to see how CxSAST identifies application-layer vulnerabilities in real-time. Our in-house security experts will run the scan and demonstrate how the solution's queries can be tweaked as per your specific needs and requirements. Fill in your details and we'll schedule a FREE live demo with you.