Monday, August 18, 2008

Hackers Welcome Joomla Security Fixes

On Thursday, Joomla announced the 1.5.6 upgrade of its popular web-based CMS (content management system), a release designed to fix several security issues.

However, within hours of the security-oriented release, the Joomla web site was defaced by a team of hackers calling themselves the Red Eye Crew, bent on spoiling the fun.

The fact that Joomla's site got defaced isn't the newsworthy piece, though. The newsworthy piece is the fact that Joomla's site was defaced in a similar way almost exactly a year ago - in 2007.

I recall this because at the time, we were looking at purchasing a new CMS system and I was wading through one of various "Beginning Joomla" guides recently purchased from Barnes and Noble. For various reasons, we didn't end up going the Joomla route.

On Thursday, the PR folks did a reasonable job of explaining to folks why, on the eve of a security release, they should take the view that the hack was meaningless. But I'm not sure they went far enough. Joomla is a community - and any web-based hack is worrying to the people that have chosen Joomla as their web-based CMS.

Worse, the accouncement did not even acknowledge the previous issues, choosing to speak as if this were a one-time event:

"Nothing but good will come of this experience. There's nothing like first hand experience to remind us of the trust our end user community places in us and the importance of working harder and smarter towards improving security."

Nothing but good will come from this? This kind of statement only works the first time. The fact that this morning's hack was a repeat effort requires the organization to "get serious" - and do more than offer an apology for "poor operating procedures" - you can only do that once. That card was played last year (and possibly earlier - but evidence for this is mainly anecdotal).

On the Joomla site, the organization is encouraging users to adopt the new release for security reasons, and signs off by saying "In retrospect, we wish we'd followed our own advice more diligently."

When attacks occur a second, or possibly third time, you need to win back trust by committing to look deeper, and you need to personalize it as well, and offer to look at the people involved as well as the systems.

No comments: