In my Scam of the day for November 3rd I warned you about a major security flaw in Drupal software. Many of you may not be familiar with Drupal, but website developers certainly are. Drupal is a software company whose software is used by a billion websites to manage images, text and video on websites. On October 15th, Drupal announced that it had discovered a major security flaw that could be exploited by hackers not only to steal data from targeted websites, but also to set up a backdoor application that would permit the hacker to return to retrieve more data. All of this could be done without any indication that a hacking had occurred. Most companies responded to Drupal’s announcement and its security update; however, according to Drupal, any website that did not download the Drupal security patch within seven hours of its October 15th announcement should assume that it has been hacked and its sensitive information compromised. Drupal estimates that about 5% of the billion websites that use Drupal software did not install the necessary security patch in a timely fashion, and although this number may seem small, this means that the number of affected websites that may have personal information on you and me is as high as twelve million websites. Among the websites that did not promptly update their security was the website of the Indiana Department of Education, which was hacked twice after failing to update its Drupal software.
Part of the problem is that, unlike many software companies that provide automatic updates for you to install, Drupal does not do so. Many companies, to their own detriment, are slow to install important security updates, and this delay puts them and their customers in serious danger of identity theft and being scammed. This is why here at Scamicide we provide security updates as they are announced. The Drupal security problem is also a warning again to us all that we are only as secure as the least secure of the companies and governmental agencies with which we do business. Drupal has issued a new security warning with instructions as to how to correct security flaws in their software. Here is a link you can trust to Drupal’s security warning: https://www.drupal.org/SA-CORE-2014-006