(Apr 2) An updated jenkins package that fixes one security issue is now available for Red Hat OpenShift Enterprise 1.1.3. The Red Hat Security Response Team has rated this update as having moderate [More…]
Over the last few months, the Platform team of maintainers and developers have been talking about future directions. One of our goals for this year is to introduce namespacing. This has been a very large undertaking and as work has progressed, it became obvious that backward compatibility was going to be a constant battle. One of the negative side-effects of this would be that the Joomla CMS wouldn’t be able to use the planned 13.1 release of the Platform for some time if we introduced namespacing in that version.
After a lot of discussion both internally and with other developers in the community, in order to address the problem, as well as to take advantage of some new opportunities, we’ve decided to make some changes to the Platform.
Bitcoin, a distributed digital currency that cryptographically verifies transactions, has recently seen a large increase in usage: the total value of Bitcoins in circulation is now well over $1B (US dollars), and each Bitcoin is today worth more than $100. By way of comparison, Gibraltar, a British Overseas Territory and a conventional tax haven, had an economy worth an estimated $1.275B in 2008.
Speculators, investors, and criminals alike have been drawn to the alternative currency in the hopes of exploiting its anonymity, its almost exponential rising exchange rate against conventional currencies, and its dominant position amongst non-governmental currencies. Its attraction to criminals is diverse: it has become the de facto equivalent of cash facilitating anonymous purchases of illegal goods, and the dramatic increase in the value of each Bitcoin has meant that Bitcoin wallets have become increasingly attractive targets for would-be phishers.
A recent phishing attack against the leading Bitcoin Exchange, Mt. Gox
Bitcoin users are no strangers to being targeted by criminals: last month, attackers were able to steal $12,000 worth of Bitcoins from Bitinstant, a Bitcoin transaction services company, by obtaining the credentials for a brokerage account after socially engineering access to their emails. Malware writers have also targeted Bitcoins: Infostealer.Coinbit is a Trojan horse that tries to steal Bitcoin wallets. Criminals have also been using networks of infected computers to mine Bitcoins for themselves.
Bitcoin exchanges, organisations converting between Bitcoins and conventional currencies, are an obvious target for fraudsters. Last Thursday Mt. Gox (the leading Bitcoin exchange) faced a “stronger than average” DDoS attack. In September 2012 Bitfloor (another Bitcoin exchange) suspended operations after the theft of ~24,000 BTC (worth $250,000 at the time), and the Bitcoin exchange, Bitcoinica, went out of business after also suffering from large thefts.
Despite the apparent risk of operating in this business, some organisations are promoting a laissez-faire attitude to security to the Bitcoin community: BitPay recommends that merchants “[..] can eliminate the need for PCI Compliance and expensive security measures” by replacing credit card transactions with Bitcoin-based solutions.
Netcraft can provide Phishing Site Takedown and Countermeasures services, PCI Approved Vulnerability Scanning and Penetration Testing to Bitcoin exchanges, merchants, and e-commerce sites. For more information, please contact [email protected]. Internet users can be protected against phishing sites, Bitcoin-related or otherwise, by Netcraft’s Anti-Phishing Extension. Help protect the internet community by reporting potential phishing sites to Netcraft by email to [email protected] or at http://toolbar.netcraft.com/report_url.
The April issue of the Joomla Community Magazine is here! Our stories this month:
Editors Introduction
Listen Up!, by Alice Grevet
Feature Stories
Interview with Community Development Manager David Hurley, by John Rampton
Joomla! is the People, by Helvecio da Silva
Interview with CMSExpo Founder John Coonen, by John Rampton
The X Factor and Women in Tech, by Dianne Henning
Events
JoomlaDay Boston, No Blarney!, by Dianne Henning
Project News
Leadership Highlights – April 2013, by Marijke Stuivenberg
Designers
Progressive Enhancement: Flip the Script on Your Responsive Ways, by Ryan Boog
Sitebuilders
Tips to Find a Joomla Developer, by Johans Empuerto
Business Matters
Creating Call-to-Actions that Will Actually Get Action, by Hannah Kaufman
Easy To Use Joomla Search Operator Commands, by John Rampton
Developers
Head in the Tag Clouds, by Elin Waring
4 Ways Joomla Developers Can Monetize Free Extensions, by Pravin Daryani
Joomla! 3.0 Extension Development Series: More Functionality, by David Hurley
Joomla! 3.1.0 Tag Field, by Roberto Segura
Administrators
CDNs for Joomla – A Beginners Guide, by Steven Johnson
Community Choice Extensions
Community Choice Extensions – UPDATE, by Dianne Henning
The Joomla! Haikus
Post your Haikus for April, by Dianne Henning
International Stories
Browse the international articles submitted this month.
In our next issue
We want to publish your Joomla! story in the next JCM issue! So take a look at our Author Resources content to get a better idea of what we are looking for, and then register to become a JCM author and submit your Joomla! story!
In the April 2013 survey we received responses from 649,072,682 sites, 17.6M more than last month.
This month, market leader Apache lost 9.9M sites, or 3 percentage points of market share. A major contributor to this loss was a large affiliate referral network of around 8M sites, which is now being served by nginx. Apache is now used by just over 51% of websites, which is still substantially more than its closest competitor, Microsoft IIS. IIS gained 1.95 percentage points of market share this month (an increase of 15.8M hostnames), bringing its market share to almost 20%. Meanwhile, nginx saw an overall growth of 10.6M sites this month, with the largest nginx hosting company, Hetzner Online AG, contributing an additional 1.6M sites.
In terms of active sites, the survey was less volatile. Apache still experienced an overall loss, although a much smaller one at just 288k active sites. The biggest increase came from nginx and was unrelated to the large hostname gain described earlier, with Peer1 Networks gaining 1.5M nginx active sites.
North Korea drew the world’s attention to its web presence by accusing the United States and its allies of “intensive and persistent virus attacks” on servers operated by the North Korean regime. The Korean Central News Agency’s press release goes on to assert that:
“It is nobody’s secret that the U.S. and south Korean puppet regime are massively bolstering up cyber forces in a bid to intensify the subversive activities and sabotages against the DPRK [Democratic People’s Republic of Korea].”
There is only a very small number of North Korean sites accessible from outside of the country; however, these sites do make use of several modern and popular web technologies from around the globe.
The Rodong Sinmun newspaper’s site uses PHP and CentOS 5, and hosts an HTTPS service with an expired self-signed certificate. More controversially, The Korean Central News Agency’s official website uses Java, Flash and jQuery and is hosted using Apache 2.2.3 on a server running Red Hat Enterprise Linux 5, a commercial Linux distribution which is owned, distributed and supported by American multinational Red Hat, Inc. Red Hat Enterprise Linux is subject to U.S. export controls, which specifically prohibit its use in North Korea. As a result, this installation is likely unlicensed and so may not receive security updates.
Meanwhile in South Korea, the Government of Korea, an SSL certificate authority (CA) trusted by Microsoft, has revoked the last of more than 100 unusual SSL certificates, each of which could have allowed its owner to act as a trusted CA. Because the cA bit was set in the Basic Constraints extension of these certificates, a forged certificate signed using one of them could be trusted for any site by users of some SSL implementations. Any such certificate could be used to perform man-in-the-middle attacks on users of third-party websites in order to view the contents of any intercepted encrypted traffic. There is an additional property which is usually required for a certificate to be considered a valid intermediate: ‘Certificate Signing’ should be set as a permissible Key Usage. Some implementations may ignore this extra requirement, however. None of the Korean certificates found had the necessary flags set in this additional extension, so most implementations would not trust such forged certificates.
The certificates found appear to have been issued to South Korean academic institutions without the intention of them being able to sign additional certificates. These certificates have been in the Netcraft SSL Server Survey for some time but no longer pose a risk: all of the certificates concerned have either been revoked or have expired. The most recent revocation was on January 31st 2013 for a certificate issued in late 2011, showing it was at risk of misuse for more than a year.
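The distinction drawn above, between validators that require ‘Certificate Signing’ in Key Usage and those that look only at the cA bit, can be turned into an audit over survey data. The following is an added example, not Netcraft's code: the `CertInfo` record, its field names and the sample hostnames are constructed for illustration, and it assumes the extension values have already been parsed out of each certificate.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

@dataclass(frozen=True)
class CertInfo:
    """Extension values already parsed from one certificate (hypothetical record)."""
    subject: str
    basic_constraints_ca: Optional[bool]   # None means the extension is absent
    key_usage: Optional[FrozenSet[str]]    # None means the extension is absent
    intended_as_ca: bool                   # what the issuing CA meant to issue

def strict_accepts_as_issuer(c: CertInfo) -> bool:
    """RFC 5280 behaviour: cA must be TRUE and, when Key Usage is present,
    it must include keyCertSign. An absent Key Usage does not block signing."""
    if c.basic_constraints_ca is not True:
        return False
    return c.key_usage is None or "keyCertSign" in c.key_usage

def lax_accepts_as_issuer(c: CertInfo) -> bool:
    """Models an implementation that ignores Key Usage and checks only cA."""
    return c.basic_constraints_ca is True

def audit(certs: List[CertInfo]) -> Dict[str, str]:
    """Flag certificates not meant to be CAs that a validator would accept as one."""
    findings = {}
    for c in certs:
        if c.intended_as_ca:
            continue
        if strict_accepts_as_issuer(c):
            findings[c.subject] = "high"    # usable as a CA by compliant validators
        elif lax_accepts_as_issuer(c):
            findings[c.subject] = "medium"  # usable only where Key Usage is ignored
    return findings

# Constructed sample data, not taken from the survey.
SAMPLE = [
    # Same shape as the certificates described above: cA set, no keyCertSign.
    CertInfo("www.univ-a.example", True,
             frozenset({"digitalSignature", "keyEncipherment"}), False),
    # Edge case: cA set and no Key Usage extension at all.
    CertInfo("www.univ-b.example", True, None, False),
    # Ordinary end-entity certificate.
    CertInfo("www.shop.example", False,
             frozenset({"digitalSignature", "keyEncipherment"}), False),
    # Genuine intermediate, skipped by the audit.
    CertInfo("Example Issuing CA", True,
             frozenset({"keyCertSign", "cRLSign"}), True),
]

if __name__ == "__main__":
    for subject, severity in audit(SAMPLE).items():
        print(f"{severity:6} {subject}")
```

A certificate with the cA bit set and no Key Usage extension at all is the worse case, because a compliant validator has nothing to reject it on.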
![](http://news.netcraft.com/wp-content/uploads/2013/03/wpid-graph1.png)
![](http://news.netcraft.com/wp-content/uploads/2013/03/wpid-graph2.png)
Developer | March 2013 | Percent | April 2013 | Percent | Change |
---|---|---|---|---|---|
Apache | 341,021,574 | 54.00% | 331,112,893 | 51.01% | -2.99 |
Microsoft | 113,712,293 | 18.01% | 129,516,421 | 19.95% | 1.95 |
nginx | 85,467,555 | 13.53% | 96,115,847 | 14.81% | 1.27 |
| | 22,605,646 | 3.58% | 22,707,568 | 3.50% | -0.08 |
![](http://news.netcraft.com/wp-content/uploads/2013/03/wpid-graph3.png)
Developer | March 2013 | Percent | April 2013 | Percent | Change |
---|---|---|---|---|---|
Apache | 101,960,513 | 54.98% | 101,671,575 | 54.37% | -0.61 |
nginx | 22,224,423 | 11.98% | 24,138,825 | 12.91% | 0.93 |
Microsoft | 22,962,575 | 12.38% | 22,686,924 | 12.13% | -0.25 |
| | 15,016,785 | 8.10% | 15,178,507 | 8.12% | 0.02 |
For more information see Active Sites
![](http://news.netcraft.com/wp-content/uploads/2013/03/wpid-graph4.png)
Developer | March 2013 | Percent | April 2013 | Percent | Change |
---|---|---|---|---|---|
Apache | 583,521 | 58.73% | 581,497 | 58.52% | -0.22 |
Microsoft | 136,037 | 13.69% | 136,552 | 13.74% | 0.05 |
nginx | 127,222 | 12.81% | 129,561 | 13.04% | 0.23 |
| | 18,307 | 1.84% | 18,387 | 1.85% | 0.01 |