ICYMI: Drupal flaw, Android Lollipop and security shortcomings

Drupal hacked – but how many are affected?

Web content management system Drupal issued a security warning on Thursday telling its users about an SQL injection bug which could be exploited by hackers to take control of websites and exfiltrate data.

The issue relates specifically to a vulnerability in the API which allows an attacker to “send specially crafted requests resulting in arbitrary SQL injection”. According to the company, this can lead to privilege escalation, arbitrary PHP execution and other attacks.
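The flaw class described above, as an added illustration rather than Drupal's code (the page does not say where in the API the real bug sat, and this example makes no claim about that): a lookup that splices a request-supplied value into the SQL text, beside the same lookup with a bound parameter. The user table, its rows and the hostile input are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample rows standing in for a CMS user table.
SAMPLE_USERS = [("alice", "admin"), ("bob", "editor"), ("carol", "editor")]


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (name, role) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_role_unsafe(conn, name):
    """Vulnerable pattern: the request value becomes part of the SQL text,
    so a crafted value can change the query's structure (classic SQL injection)."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_role_safe(conn, name):
    """Hardened pattern: the value is bound as a parameter. The database
    driver keeps it as data, so it can never alter the statement itself."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups against the same crafted input and report row counts."""
    conn = make_db()
    hostile = "x' OR '1'='1"  # constructed input of the kind a crafted request might carry
    return {
        "unsafe_rows": len(find_role_unsafe(conn, hostile)),  # every row leaks
        "safe_rows": len(find_role_safe(conn, hostile)),      # no such user exists
    }


if __name__ == "__main__":
    print(demo())
```

The same crafted value returns the whole table through the string-built query and nothing through the parameterised one; the point for a site owner is that the fix lives in the query layer, not in input filtering, which is why the page's advice to apply the vendor patch is the only reliable remedy.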

The bug was first noticed on 15 October, and Drupal issued a “highly critical” announcement on the matter on 29 October. In that message, the firm warned that anyone who had not updated their software within seven hours should assume that their website had been compromised.

According to Sophos, the number of infected websites could be as high as 12 million, given that around five percent of websites around the globe are thought to be running on Drupal 7. Fortunately, however, there has not yet been any public evidence of widespread attacks.

Sophos' Mark Stockley urged Drupal to deploy an automated updater, especially as the news broke at night in the UK.

"Many site owners will never have received the announcement and many that did will have been asleep," he said in a blog post. "What Drupal badly needs but doesn't have is an automatic updater that rolls out security updates by default."

“Some might be outraged that Drupal has said that users should assume that they have been compromised if they haven't by now applied the patch, however this needs to be the default position for any cyber-security strategy,” Chris McIntosh, CEO of ViaSat, said in an email to journalists.

“If organisations are to have any hope of mitigating the risk that is escalating by the day then they need to work backwards from this assumption, for instance confirming that each point on the network is still intact and can be trusted and that any sensitive data such as customer financials has been encrypted.”

He added: “As previous cases like the PlayStation network have shown, we are moving to an age where a single vulnerability with one technology provider can affect millions of consumers and organisations simultaneously, and a robust and vigilant approach is needed to limit the damage caused.”

Android Lollipop boasts better security

Google this week took the wraps off Android Lollipop 5.0, which has several new and interesting features. In summary, it's faster and smarter, with better battery life, multiple user accounts and an improved face unlock authentication system.

And it's on security where the search giant has arguably made the most improvements. Smart Lock gives users the option to log in by pairing their device to another (via NFC or Bluetooth) – or simply by using their own face; Face Unlock has been tweaked to analyse the user's image continually (like a background security process).

“Rather than pretending to take a picture, and analyse it, it's analysing a user's face on an on-going basis,” explained Android security engineering lead Adrian Ludwig in a briefing call. “If a user's opted in and is using this method, at the moment it detects that a user isn't the one that it's expecting, it locks. That's very different from the previous model.”

In addition, Google's Android Lollipop is boosted by encryption by default for newly activated devices, Android for Work (essentially a skinned version of Samsung's Knox for mobile device management and app provisioning) and improved app sandboxing with Security Enhanced Linux, which makes it easier for the platform to audit and monitor potential attacks. 

To add to this, the SELinux Enforcing Mode is required on all devices and applications – news which might make enterprises feel more secure using Android.

A week of security reports/concerns

This week seemed to be a continual flow of research reports – here at SC we noted around a dozen on everything from DDoS and spam studies to reports on network security and consumer awareness of cyber-attacks.

What is clear from almost all of those, though, is that awareness remains a deep issue with the public and businesses alike. While the former may be ignorant of cyber-attacks (one in eight believe they don't exist, according to a Kaspersky study released this week), the latter are still using outdated security controls, relying on the perimeter and facing a serious skills shortage. What's more, most appear uncertain about how they manage personal data in the cloud.

EY and Ponemon Institute/SafeNet this week released reports examining information security in business and a potted review revealed the following, which makes for an eye-opening read:

  • 37 percent of firms have no real-time insight into cyber-risks
  • Outdated information security controls or architecture are the second biggest vulnerability after people
  • 67 percent say that they are facing increasing cyber-threats, and yet almost half (43 percent) expect their information budgets to stay the same
  • 53 percent say a lack of skilled resources is one of the main obstacles challenging their information security programme, with only four percent having a threat intelligence team with dedicated analysts.