Important Customer Security Announcement

[NickG]

[Darren]

[NickG]

[unwanted]

btw: Mac Users can get a program called "1Password" it can generate passwords for you and you only ever have to remember just one to get at all your passwords for everything, it also works in your web browsers to…

[Darren]

[PaulMoore2013]

I highly recommend 1Password. It's great for both PC and Mac use.

See my review here: http://ramblingrant.co.uk/2013/07/16/1password-forgot-your-password-youre-doing-it-wrong/

I'd avoid apps like LastPass/KeePass like the plague, for the reasons I mentioned in the article.

I must say "molerat", that's pretty harsh!

[Darren]

[PaulMoore2013]

Hi Darren

Thanks!

Dropbox is pretty good, but it's not foolproof. It can be and has been hacked in the past with surprising simplicity.

The config database (containing the encryption keys etc) can be copied to another device and Dropbox restores all the data without requiring a username or password. The argument (from Dropbox and advocates of it) is

"ah, but they need access to the PC to do it... so you're already compromised!"

True enough, but how many people think to check for "linked Dropbox PCs" after clearing the malware/viruses that caused it? Once those encryption keys are stolen, you're screwed. The only way to protect yourself is to revoke the PC (and thus the encryption key) and start again.

As your 1Password keychain is encrypted, the risk (even if Dropbox is hacked) is fairly minimal. The only risk is keychain tampering (not possible with v4 on a Mac) - which I mentioned in the article. Even then, there's a very specific set of circumstances in which that exploit will work. AgileBits are already working to resolve it too.

Before that article went live, I spent many hours literally tearing these password storage apps apart... and 1Password, despite a few glitches, won hands down.

[MaFt]

[PaulMoore2013]

This is a bit belated as I've already posted, but for the sake of brevity...

I'm Paul Moore. I'm the Director at the Cresona Corporation. For the past few days, I've been working with the team at PGPSW to secure the site, assess the risk and make recommendations.

Password storage:

Passwords are hashed using the MD5 algorithm. This was not a design decision; rather a restriction of the PHPNuke platform on which PGPSW is based.

There are modifications for PHPNuke which improve password security by moving to the SHA-1 algorithm. In terms of actual, tangible strength however, SHA-1 offers only slightly more resistance to attack than MD5. Furthermore, it's written by a 3rd-party, so there's no guarantee the modification itself is safe to use in a production environment.

PGPSW does not collect or store any financial or personally identifiable information.

It is advisable to change your password (under "Profile") immediately. If you re-use passwords, please invest in 1Password (see review here: http://ramblingrant.co.uk/2013/07/16/1password-forgot-your-password-youre-doing-it-wrong/).

Investigations into the breach are ongoing - with many security enhancements already applied.

@molerat
PGPSW responded within minutes of the report on Twitter. They posted a news report available on the homepage, forum and Twitter. They have been open & honest about the situation and have taken steps to resolve straight away. To describe the response as "lax" is neither accurate nor fair.
_________________
1

[molerat]

The breach was on Tuesday, I found out on Friday because this week I happened to read the newsletter, I do not always read it. What would have been easier than posting an urgent e-mail to everyone on that list, probably the easiest and quickest way to reach the majority of those possibly affected. "Responded on Twitter within minutes", FYI not everybody uses Twitter or other social media. It is not, as techies seem to believe, the answer to all the world's problems. There are probably many out there that are still uninformed because they have not actively logged into the correct area of the site, I only go directly to the area of the site that interests me and there is no mention of it there. Yes fixing the breach seems to have been handled well but I still believe that the informing those possibly affected has been handled badly.
_________________
Garmin Drive 51LMT-S EU
(TT One V3 512MB + RDS TMC UK&RoI v1005 now retired, dead due to withdrawal of manufacturer support)

[Darren]

In an ideal world we would have happily sent out an email to everyone, but we have over 570,000 users and it's far from as simple as you seem to think.

Sending out a bulk email to more than half a million recipients is not a simple process. Had we done so, the email would have instantly been flagged as spam, our mail server would be flagged or blocked and then we'd have had an even bigger issue on our hands.

As it was, our priority was to secure the server and provide as much warning as we could.

Adobe took nearly 10 days before they alerted their customers to a far more serious security breach, one which also saw payment information stolen.
_________________
Darren Griffin

[PaulMoore2013]

[ChrisM]

As one of the people who raised the alarm (I started a thread over in the subscriber area forum as soon as I'd seen what had happened), I'm in two minds about whether to lay blame here. In full disclosure, I'm an IT pro myself, with many years experience of running internet connected systems. I don't know the pgpsw system, but I've had experience of this kind of breach before. I suspect I'll be teaching grannies to suck eggs, but this is my take on it. (Apologies for the length.)

Firstly, I've watched firewall logs in real time, seeing hackers actively and repeatedly probing websites and servers looking for an entry point. It's a real education. Running live systems securely isn't easy, and it only takes a moments slippage - or a missed security patch to open up a hole. Jumping on the pocketgps guys may not be warranted. As my first boss told me when I'd dropped a by rushing through a code change that went pear shaped in live, "it's only those who do work that make mistakes". Given the fact that this hack hasn't previously occurred in the several years that I've been registered, I'm inclined to believe that the systems are run and maintained professionally - and maybe an accidentally missed php or nuke patch, or even a zero day exploit has opened up a hole here. I've personally seen a junior member of staff in my own organization connect a ghosted but non-hardened windows server to a public ip without thinking, only to see it hacked and being used as a bulk email server sending out millions of spam messages to china. From making it live, to being fully pwned by the hacker and acting as a live relay - took just twelve minutes. The bad guys take no prisoners, and they are extremely aggressive at trying to exploit php/nuke/vbulletin or windows type servers in particular. If you run these servers, you really need to be on your game. (Personally I hate them, as they're so widely used, and are therefore such a juicy target for hack attempts. I can see why you run the site with it, and moving an established site to an alternative tool is extremely difficult - but the php nuke derivatives are a favourite hacker magnet...)

Secondly I've also been responsible for running intrusion detection systems, and running penetration tests against supposedly hardened applications. There are some great open source tools available to help in this (you don't need expensive commercial alternatives) - but I have two golden procedure rules that can't be broken. Firstly, nothing goes live (not a patch, not an app change nor a hardware upgrade) without being pen-tested. Secondly, you don't test something once, and then tick the box marked "it's safe". You have to repeat the tests on an ongoing basis, keeping the probe tools updated with the latest exploits. I'd never want to be told about a hack by a member of the public. I'd want my tools and monitors to pick up any holes first, and the serious hack attempts second, so I could patch and firewall the hell out of my site. I'm sure the admins will learn from this. If they don't, and it happens again - then it'll be valid grounds for trouble.

As I mentioned on my original post, I worked out that something had gone amiss by virtue of the fact that I use my own domain and a custom return address for each email contact. It makes it easier to manage the fallout of this kind of event. I'll now change my pgpsw address, and bin emails to the original one. And before people have a go at the pgpsw admins in particular, I've already had to nuke return addresses from ebay, amazon and travelodge - to name but three much bigger organizations, with far greater resources available. They had also lost their customer contact databases (due to either hackers, or dodgy employees selling them) - and I started receiving spam to their unique addresses. If you give your single email address to the world and wife, you're never going to find out where the leak originated.

So my advice for the admins (who probably need advice like a hole in the head, and I know will be seriously p****d off and embarrassed that this has happened, and will be also as busy as hell trying to fix it) would be to go through the site code to ensure that the hack isn't more than a simple data theft (I.e.the bad guys haven't left any trojans around), tighten the security patching regime, and put in place some proactive testing processes and monitoring software to ensure that no doors are left open again. And those of us whose email addresses has been misappropriated,I'm afraid we'll just have to expect an increase in spam levels - and we'll have to deal with it. That's life. You can't put the genie back in the bottle, unfortunately.

[PaulMoore2013]

Hi Chris

I couldn't have put it better myself. These are really useful insights... if only more people would heed the advice.

PHPNuke is an awful application... even beyond the obvious security risks it introduces. I'm yet to find anyone with what I'd consider to be a sufficiently-hardened instance.

I would say however... I firmly believe the sole use of open source/free "pen testing" apps actually damages the industry as a whole. It's not because they're not effective (some are very good), but people tend to revert to a DIY approach; treating them as some sort of silver bullet.

As you know Chris, security is hard to get right and all-too easy to get wrong. A quick search for "pen testing" on Google reveals a plethora of seemingly savvy, professional firms. In truth, many are just kids sporting the latest BackTrack VMware file... with absolutely no idea of how to interpret the results correctly.

You're right too regarding eBay and others. My latest article still hasn't been resolved, despite being published around the world. BBC, Anonymous, Softpedia, CERT (http://cert.at/warnings/all/20130916.html), HackerNews et al have all picked it up... eBay believe it has been resolved. It hasn't. I notified them in July.

Absolute security is knowing security isn't an absolute.
_________________
1

We see you’re using an ad-blocker. We’re fine with that and won’t stop you visiting the site.
Have you considered making a donation towards website running costs?.
Or you could disable your ad-blocker for this site. We think you’ll find our adverts are not overbearing!