I noticed a post in the moodle.org forums today that grabbed my attention for a few reasons:
It is reporting yet another Moodle site being hacked…that’s about a bazillion and counting now
It’s not just any Moodle site…it’s actually a site set up specifically for a Moodle Moot (a type of Moodle conference that typically attracts a handful of Moodle evangelists)
It was hacked the same day the Moot was scheduled to take place — Ouch!
Here is an excerpt from the person making the post…
This is a very low traffic site. (www.XXXXXXXX.com) that is used for a Moot we held yesterday. I don’t know if someone decided to be cute by hacking the site on the day of the Moot or what but if that is the case I guess it is quite imperative to figure out how.
But what really caught my interest is that he has made several posts about this in the forums and not a single “expert” over there has pointed out that this PHM, who is hosting a Moodle Moot, of all things, is actually running Moodle version 1.9.4 on his site…a version that is around 18 months old. Someone needs to help this poor guy out and tell him he needs to upgrade…of course, that may not help prevent his site from being hacked, but at least the version won’t show in the footer of his Moodle site any longer. You see, Moodle HQ removed that info a few months ago when I pointed out that one of their largest official Moodle partners was hosting sites (and still is, by the way) that were even more out-of-date than this one.
Moodle Security — An oxymoron if there ever was one!
As if BP didn’t have enough trouble to deal with at the moment, it seems they were running a Moodle LMS site that was hacked and private data (or data that was supposed to be private) was compromised. While this is pretty amusing and I’m sure it’s not on the top of anyone’s list at BP, it does point out one thing any organization running Moodle should be aware of…if someone really wants to hack your Moodle site, it’s typically not a difficult thing to do.
This hack was posted on moodle.org and the very first response, from a Moodle Business partner of course, was, well, “They must have modified it (Moodle) and screwed it up.” That pretty much sums up the attitude of corporate Moodle toward security. There are several lessons here, but one of the biggest is: if you are a trillion dollar company, then why in the world would you go with web software that has been proven time and time again to have security holes large enough to drive an 18-wheeler through, just because you can get it “free”? Ever hear of Blackboard?
Actually, that is a very good question, but one that doesn’t really concern me. The person who emailed me (why he/she emailed me is a mystery) stated that Martin (you know, king of the disciples), stated at the recent UK moot that he has decreed Moodle 2.0 Stable will be out in July so all in the Northern Hemisphere will be able to upgrade before school starts in the fall.
Really?
I mean, REALLY?
1. It’s May and there is not even a beta,
2. Have you downloaded what is there now? I have and it’s not pretty, and
3. Anyone who upgrades their campus site to 2.0 this summer (alleged stable or not) should be fired for gross incompetence.
Given Moodle’s abysmal track record with security, privacy, and FERPA compliance, the real question people should be asking is: O 2.0, O 2.0, how secure art thou, Moodle 2.0? The answer to that question remains to be seen…but then again, I may know someone willing to help answer that one.
Moodle, the open source learning management system, has been plagued with major security and privacy vulnerabilities over the past couple of years with the severity of those issues seeming to be on a sharp upward trajectory. Information about another batch of very serious security and privacy issues was released yesterday (Saturday, 27 March 2010) with notice that everyone needed to upgrade.
Understand…these issues weren’t discovered yesterday…they have been in your codebase for a very long time…they were simply released yesterday to a select few people.
The details of those security and privacy vulnerabilities were sent out to a mailing list on Saturday to every hacker in the world who has bothered to subscribe to the list…subscription to this “advanced notice” list is as simple as pushing one button with no verification of identity required. Ironically, if you look at the release notice for Moodle 1.9.8, this is what you see about the security issues:
The irony?:
1. The details of these very serious issues have already been emailed out to every hacker subscribed to that list by the Moodle lead developer himself. On Monday morning, Moodle admins (who happen to be subscribed to this list) will discover what hackers have known since at least Saturday and probably much longer.
2. By Moodle’s own figures, only 0.001666% of its users are actually subscribed to this security list–of course, they have no way of knowing how many of those actual subscribers are not Moodle admins at all, but are would-be hackers waiting for their “advanced notice”.
“The software is used by 27 million people worldwide, but only 45,000 are officially registered, so it is difficult for Moodle.com to alert everyone.”
3. By Moodle’s own figures, that means over 99% of the users have not been notified by this “advanced” notification system.
4. The notice was sent out yesterday and it is already posted all over the web–of course, none of the places where it is posted are places Moodle users would be visiting…one, of many: http://pastebin.com/gQyWEszM You can Google for others…
If you are using Moodle in any kind of real-world situation, then you should be very concerned not only about the recent flurry of major security issues plaguing the software, but also about the way official notice is being sent out to hackers while the user-base at large is kept in the dark.
As I’ve said before, it’s my belief that at the same time these issues are sent out to that list, they should also be plastered across the moodle.org homepage and posted to every moodle blog, website, twitter account, etc., to give everyone a fighting chance of defending their sites against would-be hackers.
Just the opinion of one informed user who is not affiliated with Moodle.
Moodle should make my life easier, not harder. I do appreciate what it allows me to do—post course content without having to fashion an entire course web page on my own, include RSS feeds from other sources, have one central location for grades and hand-ins and such—but I feel that sometimes it is more lacking for power users than for beginners. Good software should accommodate beginners, advanced beginners, power users, and experts equally well, and in this sense Moodle fails.
A very good summary. Moodle is good for beginners who really only need a place to upload some docs, have an online gradebook (if they can figure out how to use it), and allow students to upload assignments. It does have those features and a few others–essentially the same features it had five or six years ago. Hard to believe? Download and install Moodle version 1.5 and look at what it had in 2004/2005 vs. what it has today.
All the core features are pretty much the same…which could explain a lot of the frustrations felt by power users. Yeah, Moodle is cheaper than Blackboard, like a mule is cheaper than a Mercedes. Until, of course, the vet bills (1, 2, 3, etc…) start coming in…then the cost of the Mercedes doesn’t seem so high, and it’s a heck of a lot nicer ride without leaving a trail of manure behind it.
Of course, Moodle 2.0 has been in the works for about 2 years now and promises to deliver a revolution to the LMS world once released. Moodle.com has opted out of the Google summer of code this year because 2.0 development demands all their time/energy. So, who knows, maybe 2.0 is what power users like the one quoted above have been waiting for…we’ll see.
It’s no secret that Moodle, the open-source learning management system, has suffered from some very serious security problems recently. And those security problems aren’t limited to individuals who simply buy a cheap, $5 hosting account, install Moodle using Fantastico, and try to set up an online class when they really don’t know what they’re doing.
In fact, some of the biggest Moodle security problems have impacted customers of some of the largest professional Moodle hosting providers–Moodle Partners–commercial companies endorsed and certified by Moodle to provide professional, enterprise-level services.
One example of this is the Moodle porn spam issue that impacted millions of Moodle sites all over the world–and still impacts an untold number of sites today. This issue received world-wide attention when Primary School Moodle sites, provided by a certified Moodle Partner, were found to be infested with vile pornography.
Another example is the huge security hole first reported here just a couple months ago demonstrating how any teacher on any Moodle site in the world could download the entire user database table and have access to all user information–usernames, passwords, e-mail addresses, phone numbers, etc., for every user on the Moodle site. Professional Moodle partners all over the world got caught sleeping at the wheel…again.
One would think that an open-source “community” with problems as serious as Moodle has had recently, would invite open and honest communication about its products and services, but you would be wrong.
I don’t know many things for sure, but one thing I do know is that Moodle has not seen the last of these types of problems. The closed, arrogant, intolerant, atmosphere that has been cultivated on moodle.org by the Moodle lead developer will continue to ensure that there is no shortage of people just waiting to expose the next big hole…it’s not a matter of “if” there is another big hole…it’s only a matter of “when” it will bite Moodle (ergo Moodle users) in the rear.
In addition, if you are among the tens of thousands of people using the 1.7 or 1.6 branches (which, as of today, are still being offered for download on moodle.org), it seems support has been discontinued for those branches and there is no fix for your sites. Upgrading is your only option.
Update: The following was posted to the web less than an hour after the “Advanced notice to admins” email was sent out.
Just three of several places where this is already posted on the web. By this weekend, it will be all over the web.
Advanced email notice to moodle admins is a myth! It’s a nice theory, but doesn’t translate into practice.
Advanced email notice to Moodle admins that, by Moodle’s own figures, reaches 0.001666% of the user-base does not work. Additionally, it’s Thanksgiving Day in the US. If an admin in the US does get that email, he/she will probably read it 5 days from now on Monday.
If Moodle wants to send these notices out to an email list, that anyone can sign-up on with no verification of their identity, then that’s great, but in addition, these notices should be plastered across the moodle.org homepage…a place where Moodle users frequent! And every Moodle blogger should be encouraged to post this information to their blogs…blogs Moodle users read! Shouldn’t Moodle users be given at least as much advanced notice as hackers who may be subscribed to that “advanced notice” list?
Important information like this could be posted on the moodle.org homepage, right above the Moodle Business Partner advertisements. This is just a friendly (common sense) suggestion to consider if Moodle really wants to get this kind of urgent information out to as many of their users as possible in a timely manner.
This video introduces you to the new user password salting feature in Moodle and demonstrates how to add this to your site. If your Moodle site is older than the date of this blog post, then chances are your passwords are not secure…this video shows you how to add password salting to significantly improve the security of your site.
If you are among the tens of thousands of people using the 1.7 or 1.6 branches (which, as of today, are still being offered for download on moodle.org), it seems support for those branches has been discontinued and there is no fix for your sites. Upgrading is your only option. End of edit on 25 Nov 09
——————————————————————–
The embedded video below is a short, to-the-point demonstration of a very serious Moodle security/privacy vulnerability that impacts all versions of Moodle. This video is intended simply to demonstrate the exploit. For further detail on the potential extent of this exploit, read the post below this video and see the extended video linked at the bottom of this post. In my informed opinion, aside from the obvious Moodle site security and potential user identity theft issues, this exploit has significant implications for FERPA compliance for all US public education institutions using the Moodle LMS.
If you are a Moodle user at any level, but particularly if you are using Moodle in an educational institution in the US, after watching this video, you may want to have discussions with your network security, FERPA, and/or legal experts on your campus to determine how this may impact your institution and what action you may need to take.
If you are a Moodle administrator, teacher, student, or even if you have ever simply created an account on a Moodle Learning Management System (LMS) site, you need to read this post and watch the videos. It’s no secret that Moodle has suffered from some pretty serious security and user privacy issues over the past few years, but nothing before, that I am aware of, comes close to the severity of the Moodle security/privacy vulnerability I discovered a few days ago. In the videos below I will demonstrate the problem and show you how you can verify the problem on your own Moodle site using nothing more than a normal teacher account. I’ll also show you how to patch the vulnerability and will discuss some important implications that you may need to consider after patching your site.
I stumbled across this problem after seeing the following exchange in the developer’s forum on moodle.org.
I spent 10 years in the 1980s as a teletype/crypto maintenance technician and, although I haven’t kept up with the field, that reply by a core Moodle developer caught my attention. Particularly the last two sentences, which read:
“Something that has been encrypted can be decrypted. Something that has been hashed cannot be.”
I think most people know the first sentence is correct, but the last sentence is completely off the mark. The user passwords in Moodle are unsalted MD5 hashes. MD5 has been proven to be breakable for years now–salted or not. A quick Google search on MD5 gives anyone all the information they need to know about the history of MD5 and its vulnerabilities. If you want to read up on it, you can start here (http://en.wikipedia.org/wiki/MD5) to get a good overview of the history and vulnerabilities and then follow dozens of other links for brute-force MD5 cracking sites, like this one (http://gdataonline.com/seekhash.php), as well as more sophisticated methods for cracking MD5 hashes using rainbow tables and pre-computation methods…the latter, I admit, I don’t fully understand.
So, bottom line…knowing that MD5 is no longer considered secure (and hasn’t been for a long time); and knowing that Moodle user passwords are stored in the Moodle database as simple, unsalted MD5 hashes; then seeing the post above from one of the Moodle core developers and “security experts”…I got curious. The videos below show what I found…you need to watch them.
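To make the point above concrete (and to show what the password-salting feature mentioned earlier actually buys you), here is an added example that is not from this blog or from Moodle’s code. It takes a handful of constructed accounts, stores their passwords three ways, and audits each store: plain unsalted MD5 as the post describes, MD5 with a single site-wide salt (an assumed simplification of the shape of Moodle’s salting feature, not its exact code), and, going beyond the post, a random per-user salt with a slow key-derivation function. The “precomputed table” is a four-entry stand-in for the lookup sites the post links to; the passwords, user names and site salt are all made up.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed sample accounts (not real data). Two users chose the same password.
USERS = {"alice": "password", "bob": "letmein", "carol": "password"}

# Constructed stand-in for a precomputed MD5 lookup table of common passwords.
# Real tables hold billions of entries; the lookup mechanism is identical.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty"]
LOOKUP_TABLE = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}


def unsalted_md5(password: str) -> str:
    """The storage scheme the post describes: plain md5(password)."""
    return hashlib.md5(password.encode()).hexdigest()


def site_salted_md5(password: str, site_salt: str) -> str:
    """One secret salt per site, appended before hashing.
    Assumption: models the shape of a site-wide salt, not Moodle's exact code."""
    return hashlib.md5((password + site_salt).encode()).hexdigest()


def per_user_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Beyond the post: a random 16-byte salt per user plus PBKDF2-HMAC-SHA256,
    so equal passwords hash differently and each guess costs real work."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest.hex()


def verify_per_user(password: str, salt: bytes, stored_hex: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = per_user_hash(password, salt)
    return hmac.compare_digest(candidate, stored_hex)


def table_hits(stored: Dict[str, str]) -> Dict[str, str]:
    """Stored hashes the precomputed table resolves with no computation at all."""
    return {user: LOOKUP_TABLE[h] for user, h in stored.items() if h in LOOKUP_TABLE}


def shared_hashes(stored: Dict[str, str]) -> Dict[str, List[str]]:
    """Groups of users with an identical stored hash. A site-wide salt defeats the
    table, but still reveals which users share a password; per-user salts do not."""
    groups: Dict[str, List[str]] = {}
    for user, h in stored.items():
        groups.setdefault(h, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


def audit(site_salt: str = "constructed-site-salt") -> dict:
    """Store the sample passwords three ways and report what each store leaks."""
    unsalted = {u: unsalted_md5(p) for u, p in USERS.items()}
    site_salted = {u: site_salted_md5(p, site_salt) for u, p in USERS.items()}
    per_user = {u: per_user_hash(p)[1] for u, p in USERS.items()}
    return {
        "unsalted_table_hits": table_hits(unsalted),        # every account resolved
        "site_salted_table_hits": table_hits(site_salted),  # table useless
        "site_salted_shared": shared_hashes(site_salted),   # alice and carol still linked
        "per_user_shared": shared_hashes(per_user),         # nothing linked
    }


if __name__ == "__main__":
    for name, finding in audit().items():
        print(f"{name}: {finding}")
```

The unsalted store is the important row: the “hash cannot be decrypted” argument is true in the narrow sense, but a plain MD5 of a common password is just a key into a table somebody else already built, so no decryption is needed. Adding the site salt breaks that table; adding a per-user salt additionally stops identical passwords from being recognisable as identical in a leaked table, which is the check to run on any exported user table before deciding how urgent a forced password reset is.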