White House Website Running Outdated and Insecure Version of Drupal

While “President Obama has declared that the “cyber threat is one of the most serious economic and national security challenges we face as a nation” and that “America’s economic prosperity in the 21st century will depend on cybersecurity.”“, the White House is failing to take a basic security measure with their website. If you visit the website with our Drupal Version Check extension installed in your web browser (available for Chrome and Firefox) you will see that they are running an outdated version of Drupal:

White House Website is Running Outdated Drupal Version

Further checking shows that the website is running Drupal 6.26 or 6.27, so the White House failed to apply one or two security updates. Keeping software up to date is one the basic steps and easier steps when it comes to cybersecurity and the White House is failing at that.

Updating between versions of Drupal 7 is relatively easy, so there isn’t any excuse for an organization with its resources to not be able to keep it up to date.

 

Yes, “design flaw” in 1Password is a problem, just not for end users

Over the past 48 hours, Internet security forums have buzzed with news about a newly discovered technique that allows crackers to make an impressive 3 million guesses per second when trying to find the passcode that unlocks the contents of the widely used 1Password password manager.

The optimization, devised by the developer of the oclHashcat-plus password cracking tool, achieved guessing speeds that were, depending on whom you are asking, from two to four times faster than expected. Its discovery was surprising, mainly because it relies in part on a subtle design flaw that until now has been overlooked.

Cryptographers disagree about whether the weakness resides in the popular cryptographic hash function folded into 1Password or the specific implementation contained in 1Password. Either way, the designers of 1Password are smart people who do cryptography right, so the flaw has turned heads. And while even a four-fold reduction in the time it takes to exhaust a cracking attack isn't earth-shattering, it's still significant, considering how many people use 1Password to store the keys to their digital kingdoms.

Read 16 remaining paragraphs | Comments

Former Egyptian Prime Minister Featured in Phishing Attack

Contributor: Avdhoot Patil

Phishers have already shown interest in the violence that erupted recently in various parts of the Arab world. The phishing attack involving Syria is a good example. Phishers are now taking advantage of the political unrest in Egypt as protests in the country continue. In March 2013, phishers promoted former Egyptian Prime Minister Ahmed Shafik in a phishing site. The phishing site was hosted on servers based in North Carolina, USA. The name “Ahmed Shafik” was used in the domain name of the phishing site.

blurred_website_600px.png

Figure 1. Phishing site designed as a fake official website of Ahmed Shafik

The phishing site was designed to look like an official page of the politician. It contained a message in Arabic prompting users to choose from two brands in order to get news and updates of Ahmed Shafik. The brands belonged to social networking and information service sectors respectively. When the logo of either of these two brands is clicked, users are redirected to the phishing sites that pose as the login pages of the respective brands. The contents of the phishing pages were altered to promote the former Prime Minister. If users fell victim to the phishing site by entering their sensitive information, phishers would have successfully stolen their confidential information.

Users are advised to follow best practices to avoid phishing attacks:

  • Do not click on suspicious links in email messages
  • Do not provide any personal information when answering an email
  • Do not enter personal information in a pop-up page or screen
  • Ensure the website is encrypted with an SSL certificate by looking for the padlock, ‘https’, or the green address bar when entering personal or financial information
  • Update your security software (such as Norton Internet Security, which protects you from online phishing) frequently