A large Reform congregation in Central Florida is exceptionally vulnerable to a cyber attack, though they don’t know it.
The synagogue’s website is running an outdated version of the Drupal web platform. According to a Drupal security advisory released on Oct. 15, Drupal 7 sites that did not update are vulnerable to a SQL injection attack, in which an attacker sends crafted input that the site passes straight into its database queries. The advisory describes an attacker being able to steal all of a site’s data, obtain administrator privileges and plant backdoors that let them return whenever they please. Drupal rated the risk 25 out of 25, its “highly critical” level.
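To make the attack class concrete, here is an added example, not code from Drupal or from the advisory, that runs the same user lookup two ways against a constructed in-memory SQLite database: once with the input pasted into the query text and once with a parameter placeholder. The tables, rows and attacker strings are all constructed for this illustration; the specific Drupal flaw the advisory describes is not reproduced here.

```python
"""Added illustration of SQL injection: the same lookup with and without
untrusted input concatenated into the query. Constructed data only."""
import sqlite3

# Constructed sample rows; no real site or person is represented.
SAMPLE_USERS = [
    (1, "admin", "admin@example.invalid", 1),
    (2, "alice", "alice@example.invalid", 0),
    (3, "bob", "bob@example.invalid", 0),
]
SAMPLE_SESSIONS = [
    (1, "sess-admin-0001", "203.0.113.5"),
]


def make_db():
    """Build a throwaway SQLite database shaped like a CMS user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (uid INTEGER, name TEXT, mail TEXT, is_admin INTEGER)")
    conn.execute("CREATE TABLE sessions (uid INTEGER, sid TEXT, hostname TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO sessions VALUES (?, ?, ?)", SAMPLE_SESSIONS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Untrusted input pasted into the SQL text: the classic injection hole."""
    sql = "SELECT uid, name, mail, is_admin FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameter placeholder: the value travels separately from the SQL text,
    so quote characters in it never become part of the query."""
    return conn.execute(
        "SELECT uid, name, mail, is_admin FROM users WHERE name = ?", (name,)
    ).fetchall()


# Two constructed attacker inputs.
DUMP_ALL_USERS = "' OR '1'='1"  # makes the WHERE clause true for every row
STEAL_SESSIONS = "x' UNION SELECT uid, sid, hostname, 0 FROM sessions -- "  # reads another table


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, dump users:", lookup_vulnerable(db, DUMP_ALL_USERS))
    print("vulnerable, steal sessions:", lookup_vulnerable(db, STEAL_SESSIONS))
    print("safe, same input:", lookup_safe(db, DUMP_ALL_USERS))
```

The first attacker string makes the WHERE clause true for every row, which is the “steal all data” outcome; the second uses UNION to read a different table through the same hole, which is how session or credential material walks out of a site. Note that the advisory concerns a bug inside Drupal’s own database layer, so for a site owner the fix is the update the advisory prescribes, not a change to their own queries.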
Drupal provided users with a solution: install the latest version of the platform. Upgrading closes the hole, but it does not undo anything an attacker did on a site that was already broken into, which is why the delay matters. Nearly three months after the security advisory, the synagogue’s website has not been upgraded.
The site is hosted by JVillage Network, a company that helps Jewish organizations “maximize” their online presence, according to its website. The congregation’s site is not the only one hosted by JVillage Network that has not been upgraded to close this critical security hole. Other JVillage-hosted sites, including ones in northern Westchester County, N.Y., in Massachusetts and in Broward County, Fla., are running outdated, vulnerable versions of the Drupal platform.
According to Russel Neiss, a technology consultant who has worked with Jewish organizations on digital strategy and app development, as of November, 43 out of the 105 sites hosted by JVillage Network were out of date. Since then, according to Neiss, the sites have not been updated, though Jill Minkoff, the president of JVillage Network, assured Neiss in an email that “we are aware of this and have been working to deal with it quickly.” (The Jewish Week checked 11 of the 43 this week and none had been updated.)
This is not only JVillage Network’s problem. Many Jewish organizations, including nearly half of the organizations listed in the Slingshot 2014 Guide, a directory of top Jewish philanthropies, are running an outdated content management system or using a web plugin with known security vulnerabilities, according to Neiss.
“The Jewish community is unlike any other community with regard to cyber threats,” said Paul Goldenberg, cofounder of the Secure Community Network, or SCN, a nonprofit created in 2004 to beef up security at U.S. Jewish institutions. He said that SCN has tracked threats from nation states, including Lebanon, Pakistan and Iran, as well as non-state actors, including Palestinian and neo-Nazi groups.
According to Goldenberg, a cyber attack could have the greatest long-term impact on the credibility and resiliency of any organization. “Senior administrators need to understand that if systems go down, the names of children in their camps or the financial information of their donors could get into the hands of those seeking to do harm.”
Neiss personally contacted JVillage Network in November to inform them of the Drupal security advisory and the resulting vulnerability of their sites.
Jill Minkoff, president of JVillage Network, said they are aware of the security threat. “Security is a top priority for us,” she said. “We have retained some additional resources to help us fix this.” She couldn’t say when the current crop of outdated sites would be updated.
A synagogue representative from the Central Florida congregation said she had “no idea” that the site was at risk. The Jewish Week subsequently sent them a link to the Drupal security advisory.
“The problem really is that people don’t know better,” said Neiss. “The developer created a website that’s terribly insecure, and the client, who has chosen to outsource the problem, has no idea.”
Goldenberg agreed that the trend within Jewish organizations to outsource digital development is at the problem’s core.
“There’s a major disconnect between the top executives in organizations and those responsible for cyber security,” he said. “They’re operating as separate entities within the same enterprise; there needs to be a convergence between the two.”
The risks of lax cybersecurity standards go beyond putting a website out of commission. Sharing his computer screen with a Jewish Week reporter, Neiss demonstrated how a hacker could break into the Simon Wiesenthal Center’s new CombatHateU App, which allows college students to report incidents of anti-Semitism on campus. The developers shipped two secret keys in plain text inside the app’s code, where anyone who unpacks the app can read them; with those keys an attacker could access the phone numbers of anyone who sent a text message through the app.
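A practitioner’s first check on a claim like this is to unpack the app and scan its bundled code for credentials. The following is an added example, not code from CombatHateU, Emergent Apps or the Wiesenthal Center: a small scanner run over a constructed source excerpt. The sample values, the variable names and the entropy threshold are assumptions made for the illustration; the Twilio account SID format (the letters AC followed by 32 hex digits) is the only real-world pattern it relies on.

```python
"""Added illustration: a small scanner for credentials hard-coded in app source.
The sample text, variable names and threshold are constructed for this example."""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed excerpt of what an unpacked mobile app's bundled code might
# contain. The values are placeholders, not taken from any real app.
SAMPLE_SOURCE = """\
// constructed excerpt, not the real app
var twilioAccountSid = "AC00000000deadbeefdeadbeefdeadbeef";
var twilioAuthToken  = "0123456789abcdef0123456789abcdef";
var apiKeyPlaceholder = "xxxxxxxxxxxxxxxxxxxxxxxx";
var apiBase = "https://api.example.invalid/v1";
var appVersion = "1.0.3";
"""

# Twilio account SIDs are the letters AC followed by 32 hex digits.
TWILIO_SID_RE = re.compile(r"\bAC[0-9a-fA-F]{32}\b")

# Any assignment whose variable name suggests a credential and whose value is
# a quoted string of 16 or more characters.
ASSIGN_RE = re.compile(
    r"\b([A-Za-z0-9_]*(?:secret|token|api[_-]?key|password|auth[_-]?key)[A-Za-z0-9_]*)"
    r"\s*[:=]\s*['\"]([^'\"]{16,})['\"]",
    re.IGNORECASE,
)

# Assumed threshold: filters placeholders like "xxxx..." and version strings.
MIN_ENTROPY_BITS = 3.0


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str
    name: str  # variable name, or a redacted prefix of the matched value


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking credentials score high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(text: str) -> list:
    """Report lines that look like shipped credentials."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in TWILIO_SID_RE.finditer(line):
            findings.append(Finding(lineno, "twilio_account_sid", m.group(0)[:6] + "..."))
        for m in ASSIGN_RE.finditer(line):
            name, value = m.group(1), m.group(2)
            if TWILIO_SID_RE.fullmatch(value):
                continue  # already reported above
            if shannon_entropy(value) >= MIN_ENTROPY_BITS:
                findings.append(Finding(lineno, "credential_assignment", name))
    return findings


def has_hardcoded_secrets(text: str) -> bool:
    """CI gate: true if anything in the source looks like a shipped credential."""
    return bool(scan_source(text))


if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.kind} ({f.name})")
```

A hit from this scanner on shipped client code means the fix is to remove the credential, not to obfuscate or encrypt it in place: a key the app can decrypt is a key anyone with the app can decrypt. The usual cure is to route the SMS call through a server the organization controls, which holds the provider credential and accepts only the report data from the app.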
Neiss informed the Wiesenthal Center of this risk on Dec. 19. He also reached out to Hillel International, which announced a partnership with the Wiesenthal Center on CombatHateU.
Rick Eaton, co-director of the Wiesenthal Center’s Digital Terrorism and Hate project, told the Jewish Week, “We’ve looked into it.”
“We’re affirmatively saying that all the data is safe,” he said. According to Eaton, the Wiesenthal Center outsourced the production of their three apps (CombatHate, CombatHateU, and Digital Terrorism and Hate) to Emergent Apps, a digital development company. Eaton himself said that he doesn’t have a technological background.
Eaton also said that the Twilio account for the CombatHateU app (Twilio is a service that sends and receives SMS text messages worldwide) had been disabled because of security concerns. As of Jan. 6, a quick test showed otherwise: the Twilio account belonging to the CombatHateU app was still functioning and unprotected.
Demetrio Cuzzocrea, president and CEO of Emergent Apps, told the Jewish Week that API protocols, the rules governing how an application talks to outside services, were “followed to the letter” in the creation of the CombatHateU App.
Responding to Neiss’ concern that the two account keys were not encrypted in the code of the app, Cuzzocrea said, “Malicious hacking is different. Anyone can be hacked. But at no time was any personal information visible to the public or compromised in any way.” He said additional security measures are being implemented to bolster the app’s security.
“These folks seem much more interested in protecting the name of their organizations than actually seriously interested in fixing the problem,” said Neiss via email. “If they were interested in the latter they should discontinue the app until the issue is fixed, and release a statement to their users informing them of the problem.”
According to Goldenberg, keeping the bigger picture in mind when dealing with web security is key. “The long-term resilience of the Jewish community is at risk if senior executives don’t start to think about cybersecurity seriously right now,” he said. “There’s no room for excuses.”