Will The Drupal Flaw Be Catastrophic?

The Drupal web content management system has been exposed as having backdoor access that could deliver your site to hackers.

The problem is not particularly new. Drupal warned about it earlier this month, but it still needs tackling as millions of websites may be at risk.

Drupal said that sites running version 7 really ought to have upgraded to 7.32 by now, because not doing so leaves them as open as a torn tea bag.

Initially the alert was about the threat, but the firm has updated its earlier advice and is now warning of in-the-wild attacks.

That earlier advice was about a problem in a database API. “A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution,” warned Drupal in a security alert.

“Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks. This vulnerability can be exploited by anonymous users.”

More recent information from the firm points users toward the released upgrade, and informs them that attacks started not long after the initial announcement.

“You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is seven hours after the announcement,” it said, adding that, even when updated, sites will have some cleaning up to do.

“If you have not updated or applied this patch, do so immediately, then continue reading this announcement; updating to version 7.32 or applying the patch fixes the vulnerability but does not fix an already compromised website,” it explains.

“If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised – some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site.”

Gavin Millard, EMEA technical director at Tenable Network Security, advised people to follow Drupal’s advice.

“The so-called ‘Drupageddon’ vulnerability could have easily led to exploitation of any systems running the vulnerable code. With such an easy to exploit flaw, the chance of exfiltration of data or further exploitation are high,” he said.

“For those who have good security controls, reviewing of logs and traffic directed at the sites following the vulnerability being announced and the patch applied is common sense and highly advisable, with appropriate action taken if indicators of compromise are found.

“For those who don’t have such a good level of security or visibility into the logs, the advice from the Drupal team should be heeded. If you don’t know if you were exploited you should assume that you have been.”

Source

Hackers Infiltrate Jimmy Johns

Sandwich restaurant chain Jimmy John’s said there was a potential data breach involving customers’ credit and debit card information at 216 of its stores and franchised locations on July 30.

An intruder stole log-in credentials from the company’s vendor and used the credentials to remotely access the point-of-sale systems at some corporate and franchised locations between June 16 and Sept. 5, the company said.

The chain is the latest victim in a series of security breaches among retailers such as Target Corp, Michaels Stores Inc and Neiman Marcus.

Home Depot Inc  said last week some 56 million payment cards were likely compromised in a cyberattack at its stores, suggesting the hacking attack at the home improvement chain was larger than the breach at Target Corp.

More than 12 of the affected Jimmy John’s stores are in Chicago area, according to a list disclosed by the company.

The breach has been contained and customers can use their cards at its stores, the privately held company said.

Jimmy John’s said it has hired forensic experts to assist with its investigation.

“Cards impacted by this event appear to be those swiped at the stores, and did not include those cards entered manually or online,” Jimmy John’s said.

The Champaign, Illinois-based company said stolen information may include the card number and in some cases the cardholder’s name, verification code, and/or the card’s expiration date.

Source

Twitter Security Lagging,Says Experts

The fast-growing microblogging site Twitter is lagging behind some other Internet services in using methods to help secure the accounts of users, security experts say.

Weaknesses in Twitter’s security became apparent on the U.S. July 4 Independence holiday as a still unidentified hacker took control of a Fox News Twitter account and tweeted falsely claiming that U.S. President Barack Obama was dead.

While the hijacking of Twitter accounts is not new, the false Tweets about Obama generated headlines around the world.

The Secret Service is investigating the matter. Fox News has said does not know how the attacker gained control of its account, but complained that it took Twitter more than five hours to return control of the account to Fox.

“What Twitter needs to do now is to commit to a thorough review of their security practices,” said Daniel Diermeier, a professor at Northwestern University’s Kellogg School of Management. “For Twitter this is a very serious problem.”

Security experts said the attack might have been prevented if Twitter had offered two-factor authentication technology to secure its accounts.

Read More….