
PA websites hacked because of Joomla 1.5 and Wordpress 3.1.3

Communications and Information Minister Yaacob Ibrahim attributed the hacks to a "lapse of maintenance". A blog used the PA site hacks as a case study and highlighted that the sites were running very old versions of two popular content management systems: Joomla 1.5 and Wordpress 3.1.3.

Wrote Knowledge Republic,

"Before I begin, pardon my lousy English; I am not here to teach you English. This page is not to teach you how to hack other websites, but to feed the curiosity of those who wonder why or how the Brazil HackTeam managed to hack a Singapore Statutory Body site, when the impression that Singapore gives is of such a high-tech country that the security should be pretty high, given the number of years that IDA has spent cultivating security talent by subsidizing course fees.

These are the sites that have been hacked by HighTech Brazil HackTeam:
www.pa.gov.sg
southwestcdc.org.sg
yep.nyc.sg
servicelearning.nyc.sg
water-venture.org.sg
cdc.org.sg
app.yep.nyc.sg
ycm.nyc.sg
shine.nyc.sg
nycxtreme.nyc.sg
mesra.org.sg
northwestcdc.org.sg
northeastcdc.org.sg
southeastcdc.org.sg
ycmc.nyc.sg
nyf.nyc.sg"


How old were these versions?

Joomla 1.5 was released in January 2008; we are now at Joomla 2.5, with Joomla 3.0 available for early adopters.

Wordpress 3.1.3 was released in May 2011, and Wordpress is now on version 3.5.

What was rather surprising was that the blog highlighted that the hackers used the same Joomla 1.5 vulnerability that caused the NParks website to be hacked in June 2011.

Knowledge Republic also shared that Joomla 1.5 was only supported until 01 Dec 2012.

As such, why didn't the IT team for the PA sites take immediate action when the NParks website was hacked? Why did it take so long for the IT team to look at updating the CMS versions?
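As an added example (not code from the original post or from the Knowledge Republic blog), here is a small Python inventory check that reads the version strings out of a WordPress install (wp-includes/version.php) and a Joomla 1.5 install (libraries/joomla/version.php) and flags them against the support facts stated above. The file excerpts are constructed, and treating the 3.5 branch as the minimum current WordPress baseline is an assumption of this check.

```python
import re
from datetime import date

# Constructed excerpts shaped like the two CMS version files named above;
# they are not copied from any real site.
WP_VERSION_PHP = "<?php\n$wp_version = '3.1.3';\n$wp_db_version = 17516;\n"
JOOMLA_VERSION_PHP = (
    "<?php\nclass JVersion {\n"
    "\tvar $RELEASE   = '1.5';\n"
    "\tvar $DEV_LEVEL = '26';\n}\n"
)

# Support facts from the post: Joomla 1.5 supported until 01 Dec 2012,
# WordPress on 3.5 at the time of writing (assumed here as the baseline).
JOOMLA_EOL = {"1.5": date(2012, 12, 1)}
WP_CURRENT_BRANCH = (3, 5)


def parse_wp_version(php_text):
    """Return the $wp_version string from wp-includes/version.php, or None."""
    m = re.search(r"\$wp_version\s*=\s*'([^']+)'", php_text)
    return m.group(1) if m else None


def parse_joomla_version(php_text):
    """Return 'RELEASE.DEV_LEVEL' (e.g. '1.5.26') from a Joomla 1.x version.php."""
    rel = re.search(r"\$RELEASE\s*=\s*'([^']+)'", php_text)
    lvl = re.search(r"\$DEV_LEVEL\s*=\s*'([^']+)'", php_text)
    return f"{rel.group(1)}.{lvl.group(1)}" if rel and lvl else None


def assess_wordpress(version):
    """Compare the major.minor branch against the assumed current branch."""
    branch = tuple(int(x) for x in version.split(".")[:2])
    if branch >= WP_CURRENT_BRANCH:
        return "current"
    return "outdated (current branch %d.%d)" % WP_CURRENT_BRANCH


def assess_joomla(version, today_iso):
    """Report whether the Joomla branch is still supported on the given date."""
    branch = ".".join(version.split(".")[:2])
    eol = JOOMLA_EOL.get(branch)
    if eol is None:
        return "unknown branch"
    today = date.fromisoformat(today_iso)
    verb = "end of life since" if today > eol else "supported until"
    return f"{verb} {eol.isoformat()}"


def inventory(today_iso):
    """Run both checks over the constructed files and return a report dict."""
    return {
        "wordpress": assess_wordpress(parse_wp_version(WP_VERSION_PHP)),
        "joomla": assess_joomla(parse_joomla_version(JOOMLA_VERSION_PHP), today_iso),
    }
```

Pointing the two parse functions at the real files of a site under your own administration turns this into a quick end-of-life audit of the kind that would have flagged these installs long before the incident.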


Comments

Ric said…
J! 1.5 is widely recognized as insecure even within Joomla! circles. There has been an explosion in the number of exploits for it in the last 6 months.

I think, for owners, one of the big issues with J! 1.5 sites is the cost of migrating to 2.5. There's no easy upgrade path, it's essentially a rebuild.

But, since 1.5 is no longer maintained and it is the subject of numerous well-known exploits, the owners need to suck it up and upgrade.

best,
ric
