How vulnerable is your website?
Recent hack attacks on high-profile websites, most notably PBS.org, have turned attention to the vulnerabilities of content management systems.
Open source systems in particular have come under scrutiny. The PBS.org hack late last month was attributed to a security flaw in the site’s Movable Type content management system (CMS). Movable Type’s developer, Six Apart, quickly launched an update to fix the flaw and “strongly” recommended that Movable Type customers upgrade to the new release as soon as possible.
Open source CMSs are attractive because of their low cost and flexible development environments compared to the proprietary systems that publishers have traditionally used in their production systems. Publications such as Field and Stream, The Nation, and Mother Jones have switched to Drupal. B2B publishers including Penton and Summit Business Media and consumer publishers such as Martha Stewart Living Omnimedia are also at various stages of Drupal adoption. (We use Drupal to run this site.) The Washington Post and National Geographic are two of the bigger publisher brands that use Movable Type, the target of the PBS.org attack. (PR folks from the Post and National Geo did not respond to messages seeking comment on their use of Movable Type.)
The inherent risk of using any open source CMS is that, because the source code is publicly available, it presents an attractive target for malicious users who can probe it endlessly for vulnerabilities. "CMS systems have been notorious for poor security over the past few years and have resulted in many compromises," Chris Wysopal, a security researcher at Veracode, told InformationWeek in an email.
A report from HP DVLabs in April cited the vulnerability of open source CMS applications – but noted that many of these vulnerabilities come from plug-ins, not the core system. Researchers found that plug-ins were responsible for 80 percent of WordPress vulnerabilities, and well over 90 percent of the risks for Joomla and Drupal installations (see chart).
Chester Wisniewski, a senior security advisor at Sophos Canada, argues that security vulnerabilities in CMS software are not specific to open source systems. “The reality is that any one system is far from perfect,” Wisniewski said in a phone interview. “We see about 32,000 new websites being infected every day.”
The biggest problem is not the code itself; it’s that publishers don’t keep up with the steady stream of updates and patches designed to plug security holes in their CMS software. The longer that code exists on the Internet, the more likely that a hacker will find a way to exploit it. “These systems are constantly being looked at for flaws by the bad guys,” said Wisniewski. “You have to keep up to date with them.” HP DVLabs found that nearly 9 in 10 Joomla installations and more than 60 percent of Drupal deployments are vulnerable because of poorly patched systems.
So being disciplined about patches is one way to tighten up Web security. A second good practice is to keep a careful eye on the plug-ins you’re using. A third: Keep your access passwords strong. Obvious stuff, but frequently overlooked by harried Web teams.
Wisniewski wrote in the Sophos blog that the passwords compromised in the PBS hack were "embarrassingly predictable.” He added in our phone interview that administrators who use the same password for a master account as they do for their personal Gmail account are asking for trouble. “You have to keep separate passwords,” he said. “Compartmentalization is essential. Anyone who has authority to manipulate content on a site has to have strong passwords.”
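The three practices above (keep the core and its plug-ins patched, know which plug-ins are installed, and give every privileged account a strong password of its own) can be turned into a routine audit. The script below is an added example, not code from the article or from any CMS project; the component names, version numbers, advisory feed and accounts are all constructed for illustration, and a real deployment would pull the inventory and fix versions from its own CMS and vendor advisories.

```python
"""Patch-hygiene and credential-hygiene audit for a CMS deployment.

Added example (not from the article or from any CMS vendor). All data below is
constructed: the component names, versions, advisory entries and accounts are
hypothetical placeholders, not real software or real advisories.
"""
import hashlib
import re

# Constructed inventory of what is installed on a hypothetical site:
# the CMS core plus every plug-in, including ones that are switched off.
INVENTORY = {
    "core": {"name": "example-cms", "version": "5.1.3"},
    "plugins": [
        {"name": "gallery-plus", "version": "2.0.1", "enabled": True},
        {"name": "seo-booster", "version": "1.4.0", "enabled": True},
        {"name": "old-contact", "version": "0.9.2", "enabled": False},
    ],
}

# Constructed advisory feed: for each component, the first version that
# fixes a published issue. Components without an entry have no known fix.
ADVISORIES = {
    "example-cms": "5.1.4",
    "gallery-plus": "2.0.1",
    "old-contact": "1.0.0",
}

# Constructed accounts. A real CMS holds only salted hashes, never plaintext;
# the plaintext is here only so the checks can be demonstrated offline.
ACCOUNTS = [
    {"user": "editor", "role": "editor", "password": "correct-horse-battery-staple"},
    {"user": "admin", "role": "admin", "password": "letmein1"},
    {"user": "webteam", "role": "admin", "password": "correct-horse-battery-staple"},
]


def parse_version(text):
    """Turn '5.1.3' or '2.0.1-beta2' into a tuple such as (5, 1, 3).

    Only the leading dotted numeric part is used, so pre-release suffixes do
    not make a version compare as newer than the release it precedes.
    """
    match = re.match(r"\d+(?:\.\d+)*", text)
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def outdated_components(inventory, advisories):
    """Return (name, installed, fixed_in) for each component behind a fix.

    Disabled plug-ins are reported as well: a disabled plug-in still leaves
    its code on the web server, and old code left on the Internet is exactly
    what eventually gets found. Remove what you do not use.
    """
    findings = []
    for comp in [inventory["core"]] + inventory["plugins"]:
        fixed = advisories.get(comp["name"])
        if fixed and parse_version(comp["version"]) < parse_version(fixed):
            findings.append((comp["name"], comp["version"], fixed))
    return findings


def weak_passwords(accounts, min_length=12, passphrase_length=16):
    """Return users whose password is short and built from few character classes.

    A long passphrase passes on length alone; a shorter password must mix at
    least three of: lowercase, uppercase, digits, other characters.
    """
    classes = [str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum()]
    weak = []
    for acct in accounts:
        pw = acct["password"]
        present = sum(any(test(c) for c in pw) for test in classes)
        if len(pw) >= passphrase_length:
            continue
        if len(pw) < min_length or present < 3:
            weak.append(acct["user"])
    return weak


def shared_passwords(accounts):
    """Return groups of users that share one password (compartmentalization check).

    Passwords are compared by SHA-256 digest so the audit never logs plaintext.
    Because a live CMS stores salted hashes, this comparison belongs at
    password-set time, when the plaintext is briefly available to the server.
    """
    by_digest = {}
    for acct in accounts:
        digest = hashlib.sha256(acct["password"].encode()).hexdigest()
        by_digest.setdefault(digest, []).append(acct["user"])
    return [sorted(users) for users in by_digest.values() if len(users) > 1]


def run_audit(inventory=INVENTORY, advisories=ADVISORIES, accounts=ACCOUNTS):
    """Bundle the three checks into one report dictionary."""
    return {
        "outdated": outdated_components(inventory, advisories),
        "weak_passwords": weak_passwords(accounts),
        "shared_passwords": shared_passwords(accounts),
    }


if __name__ == "__main__":
    for section, items in run_audit().items():
        print(f"{section}: {items}")
```

Run as-is it flags the core (5.1.3 behind 5.1.4) and the disabled `old-contact` plug-in, the short `admin` password, and the password shared by `editor` and `webteam`. Each check is a function that returns its findings rather than printing them, so the same code can feed a scheduled job or a dashboard.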
And what if you’ve already been hacked? Waking up to a “Tupac is alive” story on your homepage can paralyze even the savviest Web teams. To its credit, PBS got in front of the hack quickly and took aggressive steps to minimize the damage – and the negative fallout. With the battle wounds still fresh, MediaShift’s Teresa Gordon (part of the PBS family) offered a half-dozen tips for reacting to a hack, including wise advice to acknowledge the attack quickly via social media.
“Should your site suddenly become the news due to a hacking, you must respond as quickly as possible to minimize the harm,” Gordon wrote. “As a news organization, understand that you want to be the one quoted in the inevitable articles and the primary source that gets retweeted the most.”