Many Many more Joomla based sites are being hacked daily at the moment – and ITS NOT JOOMLA’s fault!
Firstly let me say the sites were NOT hacked through Joomla! They were all hacked through Joomla Custom Components!

If you are running Joomla 1.0.10 then there are no known security holes in that version!

If you want to stop hackers and do information security as a career, consider information assurance training.

I am moving house at the moment, and only have mobile broadband access and my main PC is in a box! I dont have all the tools I need to do my job and so therefore I cant

I’ll be up to full speed by next Monday again.

Thanks to those who are being patient

But this time here are some interesting statistics to put it in perspective.

In February 2007 I set up a gmail account and I forward a single copy of all incoming email to that account, gmail filters the spam so whats left in my inbox is all good mail.

So since 17 Feb 2007 I have received 159976 emails (recorded by gmail)  ! (Thats exact as of now.  the rest of these figures are slightly less as its not yet feb 2009)

Thats an average of:

• 79988 emails per year
• 6665 emails per month
• 222 emails per day

And I aim to reply to each and every one of these personally!!! Gulp

Lets say I reply to 222 emails a day and each takes me 2 mins to research and type a reply to – thats 444mins = 7.4 hours……

so after replying ot my emails everyday I have 0.1 hours to do other things – like go to the bathroom, eat and drink coffee – no wonder I struggle!

So as of today – I have Zero Emails in my Inbox. (I just deleted over 500!)

Question: Whoah there you might say… Why have you done that?
Answer: Well because the last 10 emails I replied to all replied back to me saying the problem was resolved or they don’t need assistance any more! – a waste of my time – some of these emails have built up over time as I have been out of the office, some of these emails can be answered by READING THE FAQ and some are just plain stupid.

Question: Does this mean you are not answering emails?
Answer: No it doesn’t – I will still answer any email sent me from now on, even if its a resend of an earlier email, by you resending it I know that its important and needs my attention rather than being one email in a big sea of emails…

Question: I sent you an email last week, am I going to get a reply?
Answer: Not unless you resend it !!!

Question: Why are you doing this!!!!
Answer: Simple – there are just not enough hours in a work week to reply to all the new emails and the historic ones built up over the last few weeks (months!) and why should I waste time researching, composing and replying to emails where my replies are no longer required…

Question: Ok then, so where else can I find help to save me emailing you?
Answer: to be honest I use a lot of quick replies to FAQ posts and Blog posts where 80% of all my email queries have already been answered, please try searching the blog, or visiting the products FAQ page (Especially Forms for Joomla, there are some articles in there I email people about all the time!!)

Question: So how long will it take for you to reply to my next email?
Answer: Don’t Know but a hell of a lot sooner than before I declared email bankruptcy!

(Ok I lied, I am keeping about 10 emails from the last few hours in my inbox as they are current and require my input )

The Future: Well its easy to “keep up” when I’m in the office, also this frees up more time for development, its been far tooooooo long since my latest releases and we have some exciting new features to roll out, including some bug fixes

So Thanks for your patience email me if you really need to

Our trip was a good break away – however VENICE IS A DUMP, we were highly disappointed with Venice.  The place is nothing like the TV or Books portray and is infact nothing more than a graffiti plastered, rubbish strewn, smelling island in the middle of a lagoon with a massive industrial plant on one side and water on the other.  I would never recommend you go to Venice, unless you are a real lover of history and art – and never take a baby or wheelchair, see those lovely little bridges? well each one is actually a stepladder up and down again! steps, steps and more steps!!!

The hotel was the only thing that stopped us returning after a few days! The hotel room was a mini-suite and was simply amazing! (As was the local internet cafe!)

So back to work now – all systems go – but we ask for your patience if you have contacted us over the last week – we will get to your emails – promise!

I advise you to read the full article, but to pad out my own blog post here is a short except:

However, I continue to believe that, the largest difference will be that Joomla will fail
because of their migration, whereas Apple executed a perfect migration.

First, “for those interested in migrating”… a product management failure right off the bat.
Joomla should be thinking that every site should upgrade, and they should be evangelizing

Joomla admins to start looking to making that transaction.
Second, saying that the migration process has issues completely ignores the fact that
migration should have been a paramount priority.

An interesting opinion from a regular Joomla user!….

Edit: I note that the Joomla Dev Blog now has a post on the migration procedure as well – I really should have a coffee before blog posting

The nature of the vulnerability means that your site cannot be hacked while you sleep (like many of the other types of 3rd party component issues), but requires you (the sites Super Admin) to be logged into Joomla Admin while at the same time surfing sites (maybe even your own) that contain links to [THINGS] that send [NAUGHTY] requests back to your Joomla Admin Console without you knowing. This can lead to complete disaster and even complete server compromise.

The Joomla Developers took only 4 days to fix this in Joomla 1.5 SVN and then shortly after released Joomla 1.5 RC4 stating they had fixed this category A5 Security [High] Vulnerability.

To date, no changes and no attempts by the core development team have been made to the Joomla 1.0.13+ SVN tree to fix this vulnerability in Joomla 1.0.13 Update: Changes are now in SVN for the next version of Joomla 1.0.x – about time!

In an effort to assist them we spent a few hours and backported code from Joomla 1.5 RC4 to Joomla 1.0.13 and made all the changes required to fix Joomla 1.0.13 and make it secure from this type of vulnerability.

Details of this can be found in the following forum thread:

http://forum.joomla.org/index.php/topic,248109.msg1136076.html#msg1136076

I personally emailed all three lead developers with the same information as I published there, including providing the diff/patch files to Joomla 1.0.13. I have been assured that once Joomla 1.5 stable is released time will be spent on fixing this issue in Joomla 1.0.13 (I object to this – why take 4 days to fix unreleased software and over 4 weeks to fix software running on millions of sites already?!?)

Here is my professional advice to help you stay safe from the known and publish vulnerability until the next version of Joomla 1.0.x is released.

The number one bit of advice I can give all site admins at the moment is to – LOGOUT OF YOUR JOOMLA ADMIN as soon as you finish using it, and do not surf around the internet in other tabs/browser windows while administrating your Joomla site, and if you allow users to modify your site’s frontend, be careful not to surf your frontend as well while logged in.

Do not install any 3rd party components/mambots/modules/AND TEMPLATES!!! from untrusted sources, if these components choose they can use this vulnerability to do[BAD] things…

In Joomla 1.0.13 (About time too!) this has changed.  The password is now “salted” and then md5 hashed with the salt, the salt and the password are both stored in the database.

This means that Joomla 1.0.13 breaks backwards compatibility with itself (you can’t downgrade to anything before joomla 1.0.13), and with some extensions like Community Builder and Forum bridges!!

Basically any 3rd Party Component that reads/writes/validates the password of an admin or user will now FAIL in Joomla 1.0.13 unless it is updated to know about the new changes.

The salting of passwords is a good security step – we praise the core team for doing it – HOWEVER no announcement has been made about this, no blog post has been made and users are now in the dark – remember, this means you can NEVER DOWNGRADE your site if you have problems so make sure you MAKE A BACKUP before upgrading to Joomla 1.0.13 – you have now been warned!

It has 13 anonymous votes – giving it 3stars out of 5

It has 5 (great) reviews all 5 star ratings.

Should the JED allow anonymous voting?! I dont believe so – I (any visitor) could quite happily vote down ANY extension on the JED without reason.

Maybe the votes should be linked to the reviews and not anonymous clicks? At least with good and bad reviews you can understand the reason for the current number of stars.

Surely a component such as our Joomla Tags, which has received 5 positive, 5 star reviews from real people (with joomla accounts – easily identified and traced if needed) should not have a 3star rating swayed by faceless anonymous people, who may or may not even used the component !?!?!?!?

This is not a commercial rant – but it can happen on any free component listing too.

Why allow the faceless to sway the rating?

DISCUSS in the Joomla Forum

Google Alerts:

The google alerts system allows anyone to subscribe to alerts for any keyword, We have several alerts set up with them, keywords for “Joomla”, all our product names and all our competitors names, along with some terms relevant to hacking and security in Joomla. When Google spots a blog post, news item or new web page containing these terms Google emails an update direct to my mailbox. Useful for finding new blogs too!

RSS:

I think most people know what RSS is by now, I’m not going to go too much into it, infact this blog post was more about Google than RSS – just know this, RSS is useful for looking for changes on a small number of websites, I have over 250 RSS feeds and I find filtering out the noise and finding keywords relavant to me and my company very difficult. (We use the sage plugin for firefox since we left behind our windows days and became 100% linux based. On windows we recommend FeedDemon)

No affiliate links in this post – just wanted to help you find relevant information about Joomla.