Looks like a local high school’s website was taken offline today due to “hackers”. I got a call from Fox 9 news this afternoon inviting me in for an interview regarding Eden Prairie High School’s website which was defaced with a video and images of a flag with a gun.
Defaced Eden Prairie High School Website
I’ll be on tonight at 9pm Central time on Fox 9 news to discuss the hack, how it happened, what data could have been compromised and what organizations and schools can do to keep their websites safe.
Fox 9 News Interview
More updates after the show tonight on how to secure your organization’s site online but for now…
4/11/2010 10:06pm – Back from completing the segment. I got shut down before I had a chance to use my puppy analogy or mention PCI compliance and the SANS Institute. Technology problems shouldn’t be about sensationalizing them but helping people and companies solve their problems.
Neglected Focus: Puppies and Websites
Think about it. Everyone in the family wants a dog and they all promise to train it but once it’s home, no one remembers to walk it. It has an accident and then the fingers are pointed.
It’s the same with a website.
Everyone wants a website for their business, school or organization. Money is tight so they look for a low cost way to get it done. They find an open source solution like Joomla, struggle and get it installed.
After that, no one thinks twice about maintenance or security. Maybe they spend money on the design of the site but hey, the designer doesn’t bring up security so it must not be important…right? The first hack is always hard. It’s embarrassing, confusing and you’re not sure what has been compromised or how to fix it. Then everyone is running around, pointing fingers and trying to do damage control. Often, they put band aids on versus actually fixing the security issues.
Security Concerns For Students and Faculty
Passwords – Many people use the same passwords at multiple websites because passwords are hard to remember. Anyone who signed into the site should change their passwords at any other sites where they used the same one (email, bank, travel).
Email addresses – If the Joomla site was compromised via a SQL injection, the email addresses of all site members could have been compromised, which could now result in spam or phishing attacks.
Back door – If the site was set up to remotely authenticate with another system (Active Directory, Google Apps, Moodle), the people who compromised the site could have already created a backdoor account so they can get back in later.
And the list goes on. The Eden Prairie High School technology people responsible for the maintenance of the website should consult a website security professional for advice and guidance.
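One way to follow up on the back door concern above, as an added example that is not part of the original post: list every privileged account and flag any that staff do not recognize or that was created during the suspected compromise window. The table layout, role names, account names and dates are assumptions constructed for the example; adapt the query to your own site's user table.

```python
import sqlite3

# Privileged roles to review; the role names are assumptions for this example.
PRIVILEGED = ("Super Administrator", "Administrator", "Manager")

def build_sample_db():
    """Constructed sample data standing in for a CMS users table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT,"
        " usertype TEXT, registerDate TEXT, lastvisitDate TEXT)"
    )
    rows = [
        (62, "admin", "webmaster@school.example", "Super Administrator",
         "2008-09-02 08:15:00", "2010-04-09 16:40:00"),
        (63, "jsmith", "jsmith@school.example", "Registered",
         "2009-01-12 10:00:00", "2010-04-08 12:00:00"),
        (310, "support2", "x@mail.example", "Administrator",
         "2010-04-10 23:51:00", "2010-04-11 02:13:00"),
        (311, "newstudent", "ns@school.example", "Registered",
         "2010-04-10 09:30:00", "2010-04-10 09:31:00"),
    ]
    db.executemany("INSERT INTO users VALUES (?,?,?,?,?,?)", rows)
    return db

def suspicious_accounts(db, window_start, known_admins):
    """Return privileged accounts that are unknown to staff or were
    created on or after window_start (start of the suspected compromise)."""
    placeholders = ",".join("?" * len(PRIVILEGED))
    query = (
        "SELECT username, usertype, registerDate FROM users "
        f"WHERE usertype IN ({placeholders}) ORDER BY registerDate"
    )
    findings = []
    for username, usertype, registered in db.execute(query, PRIVILEGED):
        reasons = []
        if username not in known_admins:
            reasons.append("not on the approved admin list")
        if registered >= window_start:  # ISO timestamps compare as text
            reasons.append("created inside the compromise window")
        if reasons:
            findings.append((username, usertype, reasons))
    return findings

if __name__ == "__main__":
    for name, role, why in suspicious_accounts(
            build_sample_db(), "2010-04-01 00:00:00", {"admin"}):
        print(f"REVIEW {name} ({role}): {'; '.join(why)}")
```

Any account this flags should be disabled and investigated before the site goes back online, and the same review should be repeated on whatever system the site authenticates against.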
Are Content Management Systems Dangerous?
Since the Eden Prairie High School site was running on Joomla, the discussion of vulnerabilities comes into play. I’ve been using Joomla since 2005 and one of the biggest complaints has to do with security. With the low cost of website hosting and the ease with which someone can install a Content Management System like Joomla, there are always sites getting “hacked”. I put that in quotes because often, the sites getting hacked have not taken basic steps to protect their installs.
Early reports on the Eden Prairie High School hack said that over 100 websites were affected. I suspect a script was used to locate vulnerable Joomla installs and away the bots went, injecting code.
Website Security Problem For College Brings Happy Ending
Oklahoma State University is a great example of finding a security problem and fixing it. They had a data breach on the server that managed the parking passes and not only followed a good protocol but changed how and what they stored on the server to reduce future risks:
Personal information belonging to anybody who got a parking pass at Oklahoma State University (OSU) over the last five years has been compromised, university officials said Wednesday. Oklahoma State University has discovered that a server under the control of OSU Parking and Transit Services had been accessed from another country without authorization. The database contained confidential information, specifically the names, addresses and Social Security numbers of OSU faculty, staff and students who had purchased a parking permit between July 2002 and March 2008. The server is believed to have been compromised on November 23, 2007. OSU learned of the breach on March 20, 2008 and blocked access to the server.
Upon discovering this intrusion, the IT Information Security Office immediately removed the server from the network to evaluate server activity to ascertain if personal information had been accessed. The illegal access was limited to the parking and transit server and currently the confidential information has been removed from the database.
OSU contacted and worked with federal law enforcement authorities and as a result of its investigation, OSU believes the intruder’s purpose and only action was to use the OSU server for storage capacity and bandwidth to upload and distribute illegal or inappropriate content.
After evaluation of all available data related to this incident, OSU found no evidence which would indicate that the database was copied or viewed by the hacker. At this point, OSU cannot say with 100 percent certainty that the hacker did not access personally identifiable information.
The OSU Parking Department has altered their procedures for the collection of private information. Additionally, the server which was located at the OSU Parking Service’s office will be relocated to the IT Data Center for enhanced security. OSU is conducting a full review and will be taking additional steps to protect our network from unauthorized access.
That’s how a security breach should go. Detection, remove access, assessment, research, notification, planning, implementation, policies, monitoring. Unfortunately technology is an intimidating thing so securing technology is even more frightening. Oklahoma State University took the additional steps to consider what sort of data was being stored on the server and from that research, adjusted what information they collected and where the server was stored. Bravo!
Finding Website Security Help
One thing I sent over to Fox 9 is that when I Googled “Website Security Consultant”, there were 23 million results. Add your city onto the end of that search and you will start finding the help you need to evaluate and secure your organization’s website. Feel free to ask them if they are certified by SANS or have taken training with SANS. They will most likely start with an interview to better understand your website and then provide you with a proposal to do an audit or penetration test of your site. Every company uses different technology so it’s not a cut and dried process like getting a car wash.
Three links to help businesses keep their sites safe:
- 20 Critical Security Controls for Effective Cyber Defense – SANS
- Why You Should Scan Your Business Website For Vulnerabilities – Acunetix
- Joomla Security Checklist
Eden Prairie High School: Site Still Down
The site currently has a status page indicating the application is unavailable as of 4/11/2010 at 7:33pm Central.
How To Clean Up After A Joomla Website Attack
Preventing Future Hacks