Will The Drupal Flaw Be Catastrophic?

The Drupal web content management system has been exposed as having backdoor access that could deliver your site to hackers.

The problem is not particularly new. Drupal warned about it earlier this month, but it still needs tackling as millions of websites may be at risk.

Drupal said that sites running version 7 really ought to have upgraded to 7.32 by now, because not doing so leaves them as open as a torn tea bag.

Initially the alert was about the threat, but the firm has updated its earlier advice and is now warning of in-the-wild attacks.

That earlier advice was about a problem in a database API. “A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution,” warned Drupal in a security alert.

“Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks. This vulnerability can be exploited by anonymous users.”

More recent information from the firm points users toward the released upgrade, and informs them that attacks started not long after the initial announcement.

“You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is seven hours after the announcement,” it said, adding that, even when updated, sites will have some cleaning up to do.

“If you have not updated or applied this patch, do so immediately, then continue reading this announcement; updating to version 7.32 or applying the patch fixes the vulnerability but does not fix an already compromised website,” it explains.

“If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised – some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site.”

Gavin Millard, EMEA technical director at Tenable Network Security, advised people to follow Drupal’s advice.

“The so-called ‘Drupageddon’ vulnerability could have easily led to exploitation of any systems running the vulnerable code. With such an easy to exploit flaw, the chance of exfiltration of data or further exploitation are high,” he said.

“For those who have good security controls, reviewing of logs and traffic directed at the sites following the vulnerability being announced and the patch applied is common sense and highly advisable, with appropriate action taken if indicators of compromise are found.

“For those who don’t have such a good level of security or visibility into the logs, the advice from the Drupal team should be heeded. If you don’t know if you were exploited you should assume that you have been.”

Source

USA In Danger Of Cyber Experts Shortage

Leading cyber experts warned of a shortage of talented computer security experts in the United States, making it extremely difficult to keep corporate and government networks safe at a time when attacks are on the rise.

Symantec Corp Chief Executive Enrique Salem told the Reuters Media and Technology Summit in New York that his company was working with the U.S. military, other government agencies and universities to help develop new programs to train security professionals.

“We don’t have enough security professionals and that’s a big issue. What I would tell you is it’s going to be a bigger issue from a national security perspective than people realize,” he said on Tuesday.

Jeff Moss, a prominent hacking expert who sits on the U.S. Department of Homeland Security Advisory Council, said that it was difficult to persuade talented people with technical skills to enter the field because it can be a thankless task.

“If you really look at security, it’s like trying to prove a negative. If you do security well, nobody comes and says ‘good job.’ You only get called when things go wrong.”

The warnings come at a time when the security industry is under fire for failing to detect increasingly sophisticated pieces of malicious software designed for financial fraud and espionage and failing to prevent the theft of valuable data.

Moss, who goes by the hacker name “Dark Tangent,” said that he sees no end to the labor shortage.

Source…

Did Hackers Attack Water System?

Federal investigators are investigating a report that hackers managed to remotely shut down a utility’s water pump in central Illinois last week, in what could be the first known foreign cyber attack on a U.S. industrial system.

The November 8 incident was described in a one-page report from the Illinois Statewide Terrorism and Intelligence Center, according to Joe Weiss, a prominent expert on protecting infrastructure from cyber attacks.

The attackers obtained access to the network of a water utility in a rural community west of the state capital Springfield with credentials stolen from a company that makes software used to control industrial systems, according to the account obtained by Weiss. It did not explain the motive of the attackers.

He said that the same group may have attacked other industrial targets or be planning strikes using credentials stolen from the same software maker.

The U.S. Department of Homeland Security and the Federal Bureau of Investigation are examining the matter, said DHS spokesman Peter Boogaard.

.

Source….