Death By Joomla: Eden Prairie High School Site Gets Hacked

Looks like a local high school’s website was taken offline today due to “hackers”. I got a call from Fox 9 news this afternoon inviting me in for an interview regarding Eden Prairie High School’s website which was defaced with a video and images of a flag with a gun.

Defaced Eden Prairie High School Website

Death By Joomla: Eden Prairie High School Site

I’ll be on tonight at 9pm Central time on Fox 9 news to discuss the hack, how it happened, what data could have been compromised and what organizations and schools can do to keep their websites safe.

Fox 9 News Interview

More updates after the show tonight on how to secure your organization’s site online but for now…

4/11/2010 10:06pm – Back from completing the segment.  I got shut down before I had a chance to use my puppy analogy or mention PCI compliance and the SANS Institute.  Technology problems shouldn’t be about sensationalizing them but helping people and companies solve their problems.

Neglected Focus: Puppies and Websites

Photo: "Ears" by jimgrant (Creative Commons License)

Think about it.  Everyone in the family wants a dog and they all promise to train it but once it’s home, no one remembers to walk it.  It has an accident and then the fingers are pointed.

It’s the same with a website.

Everyone wants a website for their business, school or organization.  Money is tight so they look for a low cost way to get it done.  They find an open source solution like Joomla, struggle and get it installed.

After that, no one thinks twice about maintenance or security.  Maybe they spend money on the design of the site but hey, the designer doesn’t bring up security so it must not be important…right?  The first hack is always hard.  It’s embarrassing, confusing and you’re not sure what has been compromised or how to fix it.  Then everyone is running around, pointing fingers and trying to do damage control.  Often they put band-aids on rather than actually fixing the underlying security issues.

Security Concerns For Students and Faculty

Passwords – Many people reuse the same password at multiple websites because passwords are hard to remember.  Anyone who signed into the site should change their password at any other site where they used the same one (email, bank, travel).

Email addresses – If the Joomla site was compromised via SQL injection, the email addresses of every registered member could have been extracted, which could now result in spam or phishing attacks aimed at students and staff.

Back door – If the site was set up to remotely authenticate with another system (Active Directory, Google Apps, Moodle), the people who compromised the site could have already created a backdoor account so they can get back in later.  Any account created or modified around the time of the defacement should be reviewed, not just the website logins.

and the list goes on.  The Eden Prairie High School technology people responsible for the maintenance of the website should consult a website security professional for advice and guidance.

Are Content Management Systems Dangerous?

Since the Eden Prairie High School site was running on Joomla, the discussion of vulnerabilities comes into play.  I’ve been using Joomla since 2005 and one of the biggest complaints has to do with security. With the low cost of website hosting and the ease with which someone can install a Content Management System like Joomla, there are always sites getting “hacked”. I put that in quotes because often, the sites getting hacked have not taken basic steps to protect their installs: keeping the core and extensions patched, removing unused extensions and templates, and not running the site with default or shared passwords.

Early reports on the Eden Prairie High School hack said that over 100 websites were affected.  I suspect a script was used to locate vulnerable Joomla installs and away the bots went, injecting code.

Website Security Problem For College Brings Happy Ending

Oklahoma State University is a great example of finding a security problem and fixing it.  They had a data breach on the server that managed the parking passes and not only followed a good protocol but changed how and what they stored on the server to reduce future risks:

Personal information belonging to anybody who got a parking pass at Oklahoma State University (OSU) over the last five years has been compromised, university officials said Wednesday. Oklahoma State University has discovered that a server under the control of OSU Parking and Transit Services had been accessed from another country without authorization. The database contained confidential information, specifically the names, addresses and Social Security numbers of OSU faculty, staff and students who had purchased a parking permit between July 2002 and March 2008. The server is believed to have been compromised on November 23, 2007. OSU learned of the breach on March 20, 2008 and blocked access to the server.

Upon discovering this intrusion, the IT Information Security Office immediately removed the server from the network to evaluate server activity to ascertain if personal information had been accessed. The illegal access was limited to the parking and transit server and currently the confidential information has been removed from the database.

OSU contacted and worked with federal law enforcement authorities and as a result of its investigation, OSU believes the intruder’s purpose and only action was to use the OSU server for storage capacity and bandwidth to upload and distribute illegal or inappropriate content.

After evaluation of all available data related to this incident, OSU found no evidence which would indicate that the database was copied or viewed by the hacker. At this point, OSU cannot say with 100 percent certainty that the hacker did not access personally identifiable information.

The OSU Parking Department has altered their procedures for the collection of private information. Additionally, the server which was located at the OSU Parking Service’s office will be relocated to the IT Data Center for enhanced security. OSU is conducting a full review and will be taking additional steps to protect our network from unauthorized access.

Source: Cyberinsecure

That’s how a security breach should go: detection, removing the attacker’s access, assessment of what was on the box and what was touched, investigation, notification of the people affected, planning, implementation of the fixes, updated policies and ongoing monitoring.  Unfortunately technology is intimidating to most organizations, so securing it feels even more frightening, and that is why steps get skipped.  Oklahoma State University took the additional step of considering what sort of data was being stored on the server and, from that research, adjusted what information they collected and where the server was housed.  Bravo!

Finding Website Security Help

One thing I sent over to Fox 9 is that when I Googled, “Website Security Consultant“, there were 23 million results.  Add your city onto the end of that search and you will start finding the help you need to evaluate and secure your organization’s website.  Feel free to ask them if they are certified by SANS or have taken training with SANS.  They will most likely start with an interview to better understand your website and then provide you with a proposal to do an audit or penetration test of your site.  Every company uses different technology so it’s not a cut-and-dried process like getting a car wash.

Three links to help businesses keep their sites safe:

Eden Prairie High School: Site Still Down

The site currently has a status page indicating the application is unavailable as of 4/11/2010 at 7:33pm Central.
Death By Joomla: Eden Prairie High School Site Down

Now there are login links to their Google Apps and Moodle sites.
Eden Prairie High School Site now has login links below

How To Clean Up After A Joomla Website Attack

update coming…

Preventing Future Hacks

update coming…

Links

Kare11 article on Eden Prairie High School Hack

This entry was posted in Adventures in Consulting, Television.

About Adria Richards

Adria Richards is a developer and entrepreneur focused on digital equality. She has been involved in more than 35 hackathon events in the Bay Area and abroad. Embracing her inner nerd, Adria moved to San Francisco in 2010 to pursue her passion for technology. Previously she has worked in technical and training roles for enterprise, nonprofits and startups; from Apple to Zendesk. Adria has been teaching technology and developing curriculum since 2007. Adria is a popular speaker at major tech conferences including SXSW, O’Reilly Web 2.0, Launch, The Lean Startup Conference and TEDx. She speaks at startups and coding boot camps about culture, communication and diversity. Adria has attended TED, LeWeb and MLOVE. In her free time, Adria enjoys snowboarding, yoga and bacon; not necessarily in that order. Her Twitter account is followed by President @BarackObama. She blogs at ButYoureAGirl.com and is a YouTube Content Creator.

4 thoughts on “Death By Joomla: Eden Prairie High School Site Gets Hacked”

  1. adriarichards

    Amy,

    I don't know anything about the previous site except what I dug up in Google
    cache.

    I know you work with higher learning on implementation of CMS platforms
    including Joomla.

    I wonder how many high schools and universities even know they can get help
    with their open source websites…

  2. Dominik Klug

    index.php?option=com_user&view=reset&layout=confirm (components/com_user/…/reset.php)

    Most used security weakness in Joomla (1.5.17 still hasn't fixed it).

    One of my sites has been “hacked” by some Turkish script kids.
    They're just able to exchange the index.php files in the admin templates and frontend templates.

    This can be prevented by coding a filter in the reset.php which allows only normal users to reset their accounts. I guess resets for admins and superadmins can be easily done in MySQL.

    For SQL injection (most extension exploits are based on them) I'd recommend using jfirewall; even the free version is highly effective against those attacks.

    Well, hope I could help.

    In my case I don't need the reset function anyway, so I deleted the whole code and replaced it with a nice message and an IP logger.
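
As an added example (mine, not the page’s or Joomla’s own code), here is what the two mitigations discussed on this page look like in plain PHP: the parameterised lookup that closes the SQL injection route named under Security Concerns above, and the “normal users only” filter Dominik suggests for the reset confirmation step. The table layout, the use of the `activation` column as the reset token, the `usertype` names, the 32-character hex token format and the sample rows are all assumptions modelled loosely on Joomla 1.5; nothing here is Joomla’s actual reset.php.

```php
<?php
// Added example, not Joomla's code: a hardened password-reset confirmation step.
// Assumptions: a users table modelled loosely on Joomla 1.5's jos_users
// (id, username, email, usertype, block, activation), with `activation`
// holding the pending reset token, and an in-memory SQLite DB of constructed rows.

declare(strict_types=1);

// Groups that must never be resettable through the public front end; an admin
// resets these directly in the database instead (as the comment above suggests).
const PRIVILEGED_TYPES = ['Administrator', 'Super Administrator'];
const TOKEN_LENGTH = 32; // assumed md5-hex style token

function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT,
               usertype TEXT, block INTEGER, activation TEXT)');
    // Constructed sample rows: a super admin, a registered user and a blocked
    // user, each with a pending reset token.
    $ins = $db->prepare('INSERT INTO users VALUES (?, ?, ?, ?, ?, ?)');
    $ins->execute([62, 'admin',   'admin@example.invalid',   'Super Administrator', 0, str_repeat('a', 32)]);
    $ins->execute([63, 'student', 'student@example.invalid', 'Registered',          0, str_repeat('b', 32)]);
    $ins->execute([64, 'blocked', 'blocked@example.invalid', 'Registered',          1, str_repeat('c', 32)]);
    return $db;
}

/**
 * Returns the id of the user whose reset the token confirms, or null when the
 * request is refused. $reason is for the server log, never for the requester.
 */
function confirmReset(PDO $db, string $token, ?string &$reason = null): ?int
{
    // 1. Shape check before touching the database: exact length, hex only.
    //    Anything that is not a well-formed token never reaches the query.
    if (!preg_match('/^[0-9a-f]{' . TOKEN_LENGTH . '}$/', $token)) {
        $reason = 'malformed token';
        return null;
    }

    // 2. Parameterised lookup: the token is bound as data, so it can never
    //    rewrite the WHERE clause (the SQL injection route mentioned above).
    $sel = $db->prepare('SELECT id, usertype, activation FROM users
                         WHERE block = 0 AND activation = :token');
    $sel->execute([':token' => $token]);
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        $reason = 'no matching active user';
        return null;
    }

    // 3. Compare again in constant time: MySQL's default collations match
    //    case-insensitively, and string equality in SQL leaks timing we don't control.
    if (!hash_equals($row['activation'], $token)) {
        $reason = 'token mismatch';
        return null;
    }

    // 4. The filter from the comment: the public reset flow never touches an
    //    administrator account, no matter how valid the token is.
    if (in_array($row['usertype'], PRIVILEGED_TYPES, true)) {
        $reason = 'privileged account; reset refused';
        return null;
    }

    // 5. Single use: clear the token before reporting success.
    $upd = $db->prepare("UPDATE users SET activation = '' WHERE id = :id");
    $upd->execute([':id' => (int) $row['id']]);
    $reason = null;
    return (int) $row['id'];
}

// Usage: php reset_guard.php
$db = setupDb();
$candidates = [str_repeat('b', 32), str_repeat('b', 32), str_repeat('a', 32), str_repeat('c', 32), "'", ''];
foreach ($candidates as $candidate) {
    $id = confirmReset($db, $candidate, $why);
    printf("%-36s => %s\n", var_export($candidate, true),
        $id === null ? "refused ($why)" : "reset allowed for user $id");
}
```

Run it and only the first candidate (the registered user’s token) is allowed; the same token is refused on the second try because it was cleared, the super admin’s valid token is refused by the group filter, the blocked user’s by the `block = 0` condition, and the two junk values never reach the database. The order of the checks matters: cheap shape validation first, the database lookup on bound parameters second, and the policy decision about who may use the flow before anything is written.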
