"Congressional Web Site Defacements Follow the State of the Union"
- Praetorian Prefect
An interesting problem that we as the US have is our denial of Cyberwar. While this post isn't exactly about that, it's close. Last Wednesday night during or after the President's State of the Union Address, several congressional websites were hacked by Red Eye Crew. Why is this of interest? According to Praetorian Prefect, they were all running Joomla!
One of the defaced sites. Source: Praetorian Prefect
A partial list of the defaced sites (49 in total, again all Joomla) follows:
- https://www.joewilson.house.gov/
- https://bachus.house.gov/
- https://www.baird.house.gov/
- https://www.barrow.house.gov/
- https://www.gonzalez.house.gov/
- https://mcnerney.house.gov/
- https://mikepence.house.gov/
- https://driehaus.house.gov/
- https://carson.house.gov/
- https://campbell.house.gov/
- https://doggett.house.gov/
- https://coffman.house.gov/
- https://www.kosmas.house.gov/
- https://hersethsandlin.house.gov/
- https://lujan.house.gov/
- https://www.mccollum.house.gov/
A number of committee sites were hit as well. Praetorian states that the 'source' of the hack (other than Joomla!) is not known. Joomla! and its host of 3rd party extensions have suffered from a very high number of vulnerabilities. What I want you to take away from this article is not that Joomla! is safe or unsafe, but rather that the chances are good that the IT staff of these Congressmen and Congresswomen did NOT patch. They DID NOT keep up with vulnerabilities by using a service such as this.
I implore you today to check your extensions and check your Joomla! level - take a few minutes and make sure that you are running the latest and greatest. If in doubt about how to conduct a simple security audit, then purchase the book Joomla! Web Security from Amazon.
The saga continued on 1/28/2010 with the sites being in various states of up or down or not at all. However, once the "spin" started, it really started to get interesting. According to several press releases, the site, handled by GovTrends, had been hit before in August 2009 by hackers. The statement that was put out by the office in charge of these at House.Gov said that the vendor (GovTrends) was in 'maintenance' mode, and that's when the attackers struck.
First of all, anyone with any level of experience with Joomla! should quite honestly recognize the nonsense of this statement. Joomla, while it has its share of problems, doesn't suddenly become "vulnerable" because it's in maintenance mode. Further, if they were maintaining a firewall or other intrusion layer, other portions of house.gov would have been impacted. It appears, however, that forty-nine sites were hit. This is most likely (speculation on my part) poor administration and security practices by the people in charge of these sites. They should be fired from their jobs.
My second thought is that the fur will be flying (eventually) on Joomla.org, with certain people stating "Joomla is secure - it's the 3rd parties" - and others blaming the sites for not following the checklist. I would say that overall is the wrong response on all fronts. Here's why - no one yet knows what happened. What we do know is that they were hacked identically, apparently all at once. Some of these Joomla instances (according to Netcraft) were on Windows and some on Linux.
What Joomla.org should do is contact the house.gov folks AND GovTrends to work with them to clear their name. The way the press releases are being written, it appears (in some cases) that Joomla is THE cause. So - OSM - if you read this, I would encourage you to get involved now! Starting with a press release is a good idea. Following up with the staff of House.Gov to work with them is next.
My bigger personal concern is not the black eye that OSM/Joomla is taking; that is minor. The bigger concern is WHY didn't the House.Gov technical staff activate their Business Continuity Plan? These aren't little, community-organized sites. These are American Senators. Agree or disagree with their politics - they and we as the American constituents deserve a more robust system.
The concern is: IF it took nearly 19 hours to restore these simple Joomla sites, what does that say for our cybersecurity? What does that say for protecting the US and our critical infrastructures from attack by an enemy? I would say it's an "F" in response by the vendor, by the Chief Administrative Office and those in charge. House Speaker Nancy Pelosi has called for a review of the vendor and the technologies.
There SHOULD be an investigation, and then the vendor should be dismissed if found to be incompetent. In corporate America, we would not have a JOB if this happened on our watch! This incident should be taken MORE seriously than in corporate America, or any other corporate structure in the world.
However - I am in serious doubt that this is any more than political posturing. We as the Joomla community and as Americans should expect House.Gov to start, at a minimum, by installing better measures such as SecureLive.net on their sites to prevent stuff like this.
Thus, the end of this story is this. Don't blame Joomla (the code base). Don't blame the 3rd party extensions. DO write AND test your Disaster Recovery Plan. DO stop today and check your site.
In light of this, JoomlaRescue.com will do an inspection of your Joomla! site for $129.00 - we want to do our part to prove that Joomla!, while having its issues, does not deserve this black eye. If you would like to take advantage of this SPECIAL OFFER, visit us at www.joomlarescue.com, select HEALTH CHECK ONE and at check out enter the code "HOUSE" to get this special offer.