
Misguided Security Through Obscurity - The Brownsburg Hack

As I wander the world of website security, I run across many reasons why most websites (over 70%) are open to hacks from amateur and professional hackers alike. These reasons range from poor development practices to aging websites built in a day when security was not a priority. And website security isn’t getting any better – new websites are just as insecure.

What I find just as depressing is that site owners seem to be OK with the possibility of being in this vulnerable group. Tossing around such phrases as, ‘Who would want to deface our site?’ ‘We can repair it in a day’ and ‘We’re too small for any hacker to even notice us’ show that they’re more than happy to believe they’re safe from an attack because they are a small fish in a huge ocean of tastier creatures.

While security through obscurity is a soothing excuse, it just doesn’t play well in the real world. The following account of a politically charged hack on the Brownsburg Community School Corp. (BCSC) website is a far too typical example of an obscure website that seemingly had no value to hackers, yet turned Brownsburg on its ear.

The Hack

By many people’s standards, the sleepy town of Brownsburg, Indiana is a great place to live and raise kids. Band competitions and the local ice-cream shop rank high on the social calendar, with an occasional traffic accident to add excitement.

Much to the surprise and concern of Brownsburg’s small population, the BCSC school system’s website was hacked on September 12, 2012. By all accounts, the hack was minor: the insertion of a few politically charged web pages, possibly in response to recent attacks on the American Consulate in Libya and a controversial anti-Islam movie.

Of real concern to the town were pages that included this text:

I sacrificed my mother, father and myself for Allah. This breakthrough in response to the film and graphics depicting the master of the world may Allah bless him and grant him peace.

and

Coming, soon you will hear voices of our swords.

The reaction to these unprecedented actions and threats (unprecedented for quiet Brownsburg, that is) was substantial. More than 500 of the 7,700 students in the school corporation were absent the day after the hack. School administrators issued this statement:

Brownsburg Community School Corporation believes its website was hacked earlier this evening. District personnel and police are aggressively investigating how this happened and who is responsible. The site in its hacked state appears to have only been visible for approximately half an hour before staff was alerted and the site taken down. BCSC apologizes for any offensive language or information on the site and for the inconvenience of its unavailability.

While the community has now been assured that the hack was a random act (Brownsburg was not the target, just a vehicle of convenience), residents did not know for some time if the violence-spouting hacker lived in town or 10,000 miles away.

For those of us in the Midwest, this is scary stuff. If radical foreign nationals can hack into our school system IT environment, what else is at risk? We definitely are not used to hearing or reading about personal sacrifice (suicide bombers?) and ‘voices of our swords.’

The Impact

I have no doubt that, even a week before the breach, any conversation with BCSC about web security would have ended up mired in the ‘security through obscurity’ argument.  

Looking back, we can see the problem was not that the BCSC website was important, but rather that the site was an easy target. The issue was not that information was available to the few hundred people looking for the football schedule, but rather that a threat of violence could be made against an entire community.

Without actual knowledge, I would be willing to bet that the Joomla Content Management System-based BCSC website was an easy target for hackers with even modest hacking skills. One only needs to do a YouTube search on “Joomla Hacking” and follow simple hacking 101 instructions. The radical hackers may have run a Google search for Joomla-based websites and culled that list down to a few that would make a social impact.

While there was little or no financial impact, the cost in terms of time and energy was substantial – I would suggest hundreds, if not thousands, of hours were spent addressing the emotions of the community and associated PR nightmare. The FBI was called in, as were local and state school officials. There will probably be an inquiry as to how BCSC could have let this happen, and more than a few individuals will continue to believe Brownsburg was a specific target.

Brownsburg fell into the complacency trap (no doubt complicated by budget contracts) of thinking obscurity would keep them safe. What they, and every other under-budgeted school system across the nation, should focus on is security – a focus that would have moved them to a current, secure version of Joomla when it became available.

The Lesson

The real story here is not about some small, sleepy community in the Midwest, but rather the security time bombs that school systems and small businesses across America are facing. The problem was not Joomla, but rather a security-obsolete CMS and poorly produced brochure website that could be hacked by almost anyone wanting to make a statement, pose a threat or slander a business.

Brownsburg has taught us the lesson that hacking a school system’s website can result in far more than the posting of inappropriate images or insults to the football team. It can evoke emotional responses of fear, anger and paranoia, which could lead to bad decisions.

Consider even a simple business site. A hack that seems to genuinely present the owner’s political or social viewpoint might be impossible to recover from after it becomes public knowledge. Think about the firestorm that surrounded the Chick-fil-A gay marriage statements.

Brownsburg will recover from its 30 minutes of local fame, but at substantial cost in time and emotion. Security through obscurity was obviously not the best option in this case.

Alan Wlasuk is a managing partner of 403 Web Security, a full service, secure web application development company. A Bell Labs Fellow award-winner with 18+ years of experience building secure web applications, Wlasuk is an expert in web security - from evaluation to web development and remediation.