As I am sure many of you already know, there have been many breaches of online newspapers and other media entities recently. Over the last few months the likes of the New York Times and the Washington Post have both had their websites hacked, and organisations such as the Syrian Electronic Army show no signs of letting up in their assault on the media.
It would stand to reason, then, that companies in this sector would be taking security extremely seriously right now, wouldn't it?
Well, according to Infosecurity Magazine, which spoke to Ilia Kolochenko, the CEO of information security company High-Tech Bridge, that does not appear to be the case at all.
Kolochenko says that he has discovered several high-profile media sites that are still vulnerable to being hacked, including Forbes, the Financial Times, Bloomberg, the Independent and the Times. Alarmingly, he also claimed that the aforementioned New York Times and Washington Post were still vulnerable, having not fixed their websites despite the attacks previously levelled at them.
The majority of the vulnerabilities were discovered back in July and were properly disclosed to the media organisations at the time. The Wall Street Journal confirmed the existence of a security hole but has yet to fix it. The Financial Times also confirmed the issue that was identified to them and even attempted to patch it, albeit unsuccessfully it seems. Other media outlets either responded to High-Tech Bridge by means of automated response emails or failed to reply altogether.
High-Tech Bridge was unable to use its pen testing service ImmuniWeb to demonstrate a full analysis of the weaknesses in the sites in question, because doing so requires the consent of the website owner in order to stay on the right side of the law. Kolochenko did, however, use a laptop and a Google search to highlight each of the security holes, with each vulnerability being discovered in around 15 minutes.
Kolochenko told Infosecurity Magazine that, “A hacker could inject arbitrary content on a website page, and post fake news or just ‘deface’ the webpage. He could steal users’ cookies and sessions. The vulnerability could be used to perform various types of phishing and scam attacks, or set up the site for drive-by attacks to infect visitors.”
I think the above raises a few important questions:
- Given the attacks against various media websites lately, why are several of them still vulnerable?
- Why have the New York Times and the Washington Post not fixed their sites when they have already been targeted?
- How can large organisations fail to respond when presented with a list of vulnerabilities?
- If a simple fifteen-minute Google search can unearth security holes, then just how hard would it be for a determined hacker to find a way in?
Have you assessed the security of your organisation and corporate web site recently? And, if so, have you taken action based upon your findings?