Microsoft’s anti-surveillance site hacked by casino spammers
Thu 18 Jun 2015
The ‘Digital Constitution’ website that Microsoft established in Ireland to fight the U.S. government on issues of data sovereignty has been hacked by what appear to be non-political spammers looking to direct traffic to casino sites, who filled the front page with hyperlinks to gambling sites.
At the time of writing all search results from the site were returning blank pages, although PDFs linked to from search results could still be downloaded.
Digital Constitution was launched in 2013 amid increasing pressure from U.S. authorities for Redmond to cooperate regarding the release of data held in its Dublin data centres.
One of the key cases that inspired the Digital Constitution blog involved a drugs investigation where the U.S. government demanded Ireland-resident data without providing any context for the request. Microsoft responded that the company involved was protected under the Fourth Amendment of the U.S. constitution from unlawful searches and seizures. The tech giant was eventually found in contempt of court.
Digital Constitution uses the popular content management system WordPress, but when it was attacked today the CMS was only at version 4.0.5, while the latest version, 4.2.2, represents a series of important security updates. It therefore seems likely that the site takeover was opportunistic work by the blackest of black-hat SEO crews, simply using automated tools to scan thousands of websites for exploitable, non-updated CMSes.
Version 4.0.5 of WordPress was released in May of 2015, an unusually long time for a prominent site to avoid crucial CMS updates. Nine updates, some of which closed security holes in WordPress, were released subsequently.
A crucial subsequent WordPress bug-fix release, version 4.1.2 (confusingly listed on the WordPress site as having been released prior to 4.0.5), alone fixed a ‘serious critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site’, as well as repairing plugins which were vulnerable to an SQL injection attack, and a capacity for the CMS to permit uploading of files with invalid or disruptive names. Version 4.2 was also a critical security release. Its successor, 4.2.1, fixed another crucial cross-site scripting vulnerability.
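The version gap described above is something a site owner can check for across their own hosting before an automated scanner does. The following is an added example, not code from the article or from WordPress: it walks a web root, reads each install's `wp-includes/version.php` (where WordPress core sets `$wp_version`) and flags anything below a baseline. The baseline 4.2.2 is the latest version the article names; the directory names and sample files are constructed.

```python
import re
import tempfile
from pathlib import Path

# Baseline from the article: 4.2.2 was the latest release at the time.
BASELINE = "4.2.2"

# WordPress core records its version in wp-includes/version.php as
#   $wp_version = '4.0.5';
VERSION_RE = re.compile(r"""^\s*\$wp_version\s*=\s*['"]([^'"]+)['"]\s*;""", re.M)

def parse_version(text):
    """Return (major, minor, patch) or None; '4.2' becomes (4, 2, 0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())

def audit(root, baseline=BASELINE):
    """Find every WordPress core under root and classify it against baseline."""
    floor = parse_version(baseline)
    report = {}
    for vfile in sorted(Path(root).glob("**/wp-includes/version.php")):
        site = str(vfile.parent.parent.relative_to(root))
        found = VERSION_RE.search(vfile.read_text(errors="replace"))
        version = parse_version(found.group(1)) if found else None
        if version is None:
            report[site] = ("unknown", None)  # needs manual review
        elif version < floor:
            report[site] = ("outdated", found.group(1))
        else:
            report[site] = ("current", found.group(1))
    return report

def demo():
    """Build a constructed web root with three sample installs and audit it."""
    samples = {"blog": "<?php\n$wp_version = '4.0.5';\n",
               "shop": "<?php\n$wp_version = '4.2.2';\n",
               "old": "<?php\n// no version assignment (constructed edge case)\n"}
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            inc = Path(root, name, "wp-includes")
            inc.mkdir(parents=True)
            (inc / "version.php").write_text(body)
        return audit(root)

if __name__ == "__main__":
    for site, (status, version) in demo().items():
        print(f"{site:6} {status:9} {version or '-'}")
```

An install whose version cannot be read is reported as unknown rather than current, so it is reviewed by hand instead of being silently passed.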
Why do companies not update critical WordPress installations?
Opinion: Out of the box, any vanilla install of the top three CMSes – WordPress, Joomla and Drupal – delivers a relatively low-powered and often disappointing experience. Much of the functionality of dazzling WordPress-driven sites lies not just in the vast ecosystem of popular plugins, but in custom plugins and custom code created by developers for the company creating the site. A CMS update on any of the major platforms can, and very often does, break critical functionality provided by such third-party code. I personally know of a site running an even older version of WordPress than Digital Constitution, wherein the owners are faced with significant re-development costs to recreate third-party functionality which WordPress updates were destined to break. Plugins and themes are in themselves suitable attack vectors for hackers, allowing exploits to occur even when an installation is up to date. But ‘core’ CMS vulnerabilities cannot be deferred or ignored.