Online security, and in particular how to create strong passwords, has been discussed a lot lately. Many users create weak passwords in their systems, which is one factor in letting hackers in. As an added security measure, online service providers offer two-factor authentication.
What this means is that you have a username, a password and a one-time password that is generated by a gadget you control. This can be a dedicated gadget (like the ones many banks issue) or it can be an app on your smartphone (like Google Authenticator). These solutions normally give you a 6-digit one-time code that you can enter into the system.
There are also USB solutions that let you put the device into the computer, click a button and the device will enter a strong one-time password into the appropriate field on the computer. One of the larger providers of these USB devices is Yubico, with their USB stick Yubikey.
The Yubikey can be used with popular services like LastPass, to add an extra security layer onto your login. Now, we can have the same solution in Joomla.
About a week ago, I received an email from an anonymous hacker. He had sent the same email to around 350 people in the Joomla community. They were all registered in the same affiliate system for a well-known software developer, and attached to the email was an Excel sheet with all of their contact info and user names. The hacker said he had extracted the info from an insecure system and offered "security services" to protect from similar hacks.
Apparently, people had been talking about this for a couple of days already on Twitter. Still, I wanted to check a little more what this guy was after.
Today, the Joomla Production Leadership Team released Joomla version 1.7.1. This is the first patch upgrade of Joomla 1.7 and is recommended for all users. In addition to 3 security fixes, it also includes 96 tracker issues fixed in SVN.
Most of this release is about fixes, although there are some new features as well.
This is an important and urgent security advisory from CB Team: Upgrade all your Community Builder 1.0 and 1.1 installations to CB 1.2.1 as soon as possible.
They received a private report yesterday from a Joomlapolitan about a critical vulnerability in CB 1.1 that they could now reproduce and confirm.
The Joomla Project announces the immediate availability of Joomla 1.5.11 [Vea]. This is a security release and users are strongly encouraged to upgrade immediately.
This release contains 26 bug fixes, two moderate-level security fixes and one low-level security fix. It has been 11 weeks since Joomla 1.5.10 was released on March 28, 2009. The Development Working Group's goal is to continue to provide regular, frequent updates to the Joomla community.
I have written a post earlier about why you should keep your Joomla sites updated for safety reasons.
Phil Taylor published this Tweet today:
A lot of people getting old versions of #joomla 1.5 hacked today - been fixing sites all day for customers...
UPGRADE NOW to #Joomla (latest version)
I couldn't say it better myself. It's crucial that you upgrade to the latest version of Joomla.
Some people seem to think that updating their Joomla site to the latest version is a hassle and not something worth doing every time a new version comes around.
They couldn't be more wrong!
There's one major reason to always update to the latest version of Joomla: Security!