Pocket GPS World :: View topic - Important Customer Security Announcement
Forum: News And Latest Information
NickG (Frequent Visitor; joined Nov 09, 2003; 357 posts; UK)
Posted: Fri Nov 08, 2013 10:10 am

hoolahoops wrote:
Did you store user's passwords in the clear or were these hashed? Thanks


Ditto the above... Were they stored hashed?
Darren (Frequent Visitor; joined 11/07/2002 14:36:40; 23848 posts; Hampshire, UK)
Posted: Fri Nov 08, 2013 10:10 am

NickG wrote:
hoolahoops wrote:
Did you store user's passwords in the clear or were these hashed? Thanks


Ditto the above... Were they stored hashed?

I've already answered that, yes they were hashed.
_________________
Darren Griffin
NickG (Frequent Visitor; joined Nov 09, 2003; 357 posts; UK)
Posted: Fri Nov 08, 2013 10:11 am

Darren wrote:
I've already answered that, yes they were hashed.


Apologies... I didn't see your reply for some reason. I perhaps didn't notice there was a page 2. :)
unwanted (Occasional Visitor; joined Jan 31, 2006; 34 posts)
Posted: Fri Nov 08, 2013 11:06 am

btw: Mac users can get a program called "1Password". It can generate passwords for you, and you only ever have to remember one to get at all your passwords for everything. It also works in your web browsers to…

Last edited by unwanted on Fri Nov 08, 2013 11:08 am; edited 1 time in total
Darren (Frequent Visitor; joined 11/07/2002 14:36:40; 23848 posts; Hampshire, UK)
Posted: Fri Nov 08, 2013 11:32 am

unwanted wrote:
btw: Mac Users can get a program called "1Password" it can generate passwords for you and you only ever have to remember just one to get at all your passwords for everything, it also works in your web browsers to…

And for PC users, there are solutions such as LastPass.
_________________
Darren Griffin
PaulMoore2013 (Occasional Visitor; joined Nov 06, 2013; 12 posts)
Posted: Fri Nov 08, 2013 1:37 pm

I highly recommend 1Password. It's great for both PC and Mac use.

See my review here: http://ramblingrant.co.uk/2013/07/16/1password-forgot-your-password-youre-doing-it-wrong/

I'd avoid apps like LastPass/KeePass like the plague, for the reasons I mentioned in the article.

I must say "molerat", that's pretty harsh!
Darren (Frequent Visitor; joined 11/07/2002 14:36:40; 23848 posts; Hampshire, UK)
Posted: Fri Nov 08, 2013 2:14 pm

PaulMoore2013 wrote:
I highly recommend 1Password. It's great for both PC and Mac use.

That's a very interesting article, thank you. I'm a 1Password user, I've spent some time over the past few months going through all the old accounts I have and upgrading their passwords using the random password generator.
_________________
Darren Griffin
PaulMoore2013 (Occasional Visitor; joined Nov 06, 2013; 12 posts)
Posted: Fri Nov 08, 2013 2:34 pm

Hi Darren

Thanks!

Dropbox is pretty good, but it's not foolproof. It can be and has been hacked in the past with surprising simplicity.

The config database (containing the encryption keys etc) can be copied to another device and Dropbox restores all the data without requiring a username or password. The argument (from Dropbox and advocates of it) is

"ah, but they need access to the PC to do it... so you're already compromised!"

True enough, but how many people think to check for "linked Dropbox PCs" after clearing the malware/viruses that caused it? Once those encryption keys are stolen, you're screwed. The only way to protect yourself is to revoke the PC (and thus the encryption key) and start again.

As your 1Password keychain is encrypted, the risk (even if Dropbox is hacked) is fairly minimal. The only risk is keychain tampering (not possible with v4 on a Mac) - which I mentioned in the article. Even then, there's a very specific set of circumstances in which that exploit will work. AgileBits are already working to resolve it too.

Before that article went live, I spent many hours literally tearing these password storage apps apart... and 1Password, despite a few glitches, won hands down.
MaFt (Pocket GPS Staff; joined Aug 31, 2005; 15125 posts; Bradford, West Yorkshire)
Posted: Fri Nov 08, 2013 2:35 pm    Post subject: Re: Badly handled ?

molerat wrote:
I am appalled with the lax way you have handled this serious breach of your security. Why have you not informed ALL of your subscribers with a personal e-mail. Many will not receive or read the news letter or go to the main page. Why do you not have a bold banner on all of the forums and the download pages so there is a chance that ALL of your subscribers stand a chance of receiving this information. 1/10 for your handling of this serious situation I am afraid.


I wonder how many smaller companies (like ours) simply wouldn't have told anyone and, worse still, not taken steps to improve matters?

Would that then get 10/10 because you'd not even be aware of the breach?

MaFt
PaulMoore2013 (Occasional Visitor; joined Nov 06, 2013; 12 posts)
Posted: Fri Nov 08, 2013 4:23 pm

This is a bit belated as I've already posted, but for the sake of brevity...

I'm Paul Moore. I'm the Director at the Cresona Corporation. For the past few days, I've been working with the team at PGPSW to secure the site, assess the risk and make recommendations.

Password storage:

Passwords are hashed using the MD5 algorithm. This was not a design decision; rather a restriction of the PHPNuke platform on which PGPSW is based.

There are modifications for PHPNuke which improve password security by moving to the SHA-1 algorithm. In terms of actual, tangible strength however, SHA-1 offers only slightly more resistance to attack than MD5. Furthermore, it's written by a 3rd-party, so there's no guarantee the modification itself is safe to use in a production environment.

PGPSW does not collect or store any financial or personally identifiable information.

It is advisable to change your password (under "Profile") immediately. If you re-use passwords, please invest in 1Password (see review here: http://ramblingrant.co.uk/2013/07/16/1password-forgot-your-password-youre-doing-it-wrong/).

Investigations into the breach are ongoing - with many security enhancements already applied.

@molerat
PGPSW responded within minutes of the report on Twitter. They posted a news report available on the homepage, forum and Twitter. They have been open & honest about the situation and have taken steps to resolve straight away. To describe the response as "lax" is neither accurate nor fair.
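The post above says the site's passwords were stored as MD5 digests because of the PHPNuke platform, and that a SHA-1 modification would not help much. The following is an added example (not PHPNuke's code and not anything from the PGPSW site) showing why: an unsalted fast hash, whether MD5 or SHA-1, is recovered with a precomputed lookup rather than any per-user effort, while a per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256 from Python's hashlib, chosen here as an assumption; bcrypt/scrypt/Argon2 would serve equally) defeats the shared table. The wordlist and the iteration count are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for a real cracking dictionary (real ones hold millions of entries).
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty", "satnav2013"]


def md5_unsalted(password: str) -> str:
    """Legacy-style storage: one unsalted MD5 digest per password, identical for every user
    with that password. The same weakness applies to unsalted SHA-1."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist) -> dict:
    """Precompute digest -> plaintext once; the table is reused against every stolen hash."""
    return {md5_unsalted(p): p for p in wordlist}


def crack_unsalted(stolen_hashes, table: dict) -> dict:
    """Unsalted digests fall to a dictionary lookup: no hashing is done per stolen hash."""
    return {h: table[h] for h in stolen_hashes if h in table}


# Hardened storage: per-user random salt plus an iterated KDF.
PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune so one hash costs ~100 ms on your server


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$iterations$salthex$dkhex'. A fresh 16-byte salt is drawn per call
    unless one is supplied (verification re-supplies the stored salt)."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time so the
    comparison itself leaks nothing about how many leading bytes matched."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = pbkdf2_hash(password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, stored)


def demo():
    table = build_lookup_table(COMMON_PASSWORDS)
    stolen = [md5_unsalted("letmein"), md5_unsalted("correct horse battery staple")]
    cracked = crack_unsalted(stolen, table)  # only the dictionary word is recovered
    # Two users with the same password get different PBKDF2 strings, so there is no shared table.
    h1 = pbkdf2_hash("letmein")
    h2 = pbkdf2_hash("letmein")
    return cracked, h1 != h2, pbkdf2_verify("letmein", h1), pbkdf2_verify("LetMeIn", h1)


if __name__ == "__main__":
    print(demo())
```

Note that the hardened form changes nothing about how weak a password the user chose; it only makes each guess cost the attacker as much as it costs the server, and forces that cost to be paid separately per user. That is why the post still tells members to change a re-used password rather than rely on the hashing.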
molerat (Lifetime Member; joined Jul 06, 2007; 202 posts; Very North of the Border)
Posted: Sat Nov 09, 2013 5:24 pm

The breach was on Tuesday; I found out on Friday because this week I happened to read the newsletter, which I do not always read. What would have been easier than posting an urgent e-mail to everyone on that list, probably the easiest and quickest way to reach the majority of those possibly affected? "Responded on Twitter within minutes": FYI, not everybody uses Twitter or other social media. It is not, as techies seem to believe, the answer to all the world's problems. There are probably many out there who are still uninformed because they have not actively logged into the correct area of the site; I only go directly to the area of the site that interests me, and there is no mention of it there. Yes, fixing the breach seems to have been handled well, but I still believe that informing those possibly affected has been handled badly.
_________________
Garmin Drive 51LMT-S EU
(TT One V3 512MB + RDS TMC UK&RoI v1005 now retired, dead due to withdrawal of manufacturer support)
Darren (Frequent Visitor; joined 11/07/2002 14:36:40; 23848 posts; Hampshire, UK)
Posted: Sat Nov 09, 2013 5:36 pm

In an ideal world we would have happily sent out an email to everyone, but we have over 570,000 users and it's far from as simple as you seem to think.

Sending out a bulk email to more than half a million recipients is not a simple process. Had we done so, the email would have instantly been flagged as spam, our mail server would be flagged or blocked and then we'd have had an even bigger issue on our hands.

As it was, our priority was to secure the server and provide as much warning as we could.

Adobe took nearly 10 days before they alerted their customers to a far more serious security breach, one which also saw payment information stolen.
_________________
Darren Griffin
PaulMoore2013 (Occasional Visitor; joined Nov 06, 2013; 12 posts)
Posted: Sat Nov 09, 2013 8:39 pm

molerat wrote:
FYI not everybody uses Twitter or other social media. It is not, as techies seem to believe, the answer to all the world's problems.


I wasn't suggesting it was. It is, however, another venue to quickly and reliably contact members who want to keep themselves informed. Crucially, it's a method of communication separate from a system which they suspected was compromised. The decision not to immediately mass-mail everyone was a wise one. As Darren has said, it would have taken a fair amount of admin time to write and send (time better spent elsewhere), placed the server under considerable load and could have led to further issues.

molerat wrote:
I only go directly to the area of the site that interests me and there is no mention of it there.


Short of posting the same sticky repeatedly throughout the forums, there's not a great deal the admins can do. There is a global sticky / global announcements facility in later versions, but back-porting it to a heavily modified earlier version could be tricky and time-consuming.
ChrisM (Occasional Visitor; joined Jan 04, 2005; 9 posts)
Posted: Tue Nov 12, 2013 5:04 am    Post subject: I have some experience in this...

As one of the people who raised the alarm (I started a thread over in the subscriber area forum as soon as I'd seen what had happened), I'm in two minds about whether to lay blame here. In full disclosure, I'm an IT pro myself, with many years' experience of running internet-connected systems. I don't know the pgpsw system, but I've had experience of this kind of breach before. I suspect I'll be teaching grannies to suck eggs, but this is my take on it. (Apologies for the length.)

Firstly, I've watched firewall logs in real time, seeing hackers actively and repeatedly probing websites and servers looking for an entry point. It's a real education. Running live systems securely isn't easy, and it only takes a moment's slippage, or a missed security patch, to open up a hole. Jumping on the pocketgps guys may not be warranted. As my first boss told me when I'd dropped a by rushing through a code change that went pear-shaped in live, "it's only those who do work that make mistakes". Given the fact that this hack hasn't previously occurred in the several years that I've been registered, I'm inclined to believe that the systems are run and maintained professionally, and maybe an accidentally missed php or nuke patch, or even a zero-day exploit, has opened up a hole here. I've personally seen a junior member of staff in my own organization connect a ghosted but non-hardened Windows server to a public IP without thinking, only to see it hacked and used as a bulk email server sending out millions of spam messages to China. From making it live to being fully pwned by the hacker and acting as a live relay took just twelve minutes. The bad guys take no prisoners, and they are extremely aggressive at trying to exploit php/nuke/vbulletin or Windows-type servers in particular. If you run these servers, you really need to be on your game. (Personally I hate them, as they're so widely used, and are therefore such a juicy target for hack attempts. I can see why you run the site with it, and moving an established site to an alternative tool is extremely difficult, but the php nuke derivatives are a favourite hacker magnet...)

Secondly I've also been responsible for running intrusion detection systems, and running penetration tests against supposedly hardened applications. There are some great open source tools available to help in this (you don't need expensive commercial alternatives) - but I have two golden procedure rules that can't be broken. Firstly, nothing goes live (not a patch, not an app change nor a hardware upgrade) without being pen-tested. Secondly, you don't test something once, and then tick the box marked "it's safe". You have to repeat the tests on an ongoing basis, keeping the probe tools updated with the latest exploits. I'd never want to be told about a hack by a member of the public. I'd want my tools and monitors to pick up any holes first, and the serious hack attempts second, so I could patch and firewall the hell out of my site. I'm sure the admins will learn from this. If they don't, and it happens again - then it'll be valid grounds for trouble.

As I mentioned in my original post, I worked out that something had gone amiss by virtue of the fact that I use my own domain and a custom return address for each email contact. It makes it easier to manage the fallout of this kind of event. I'll now change my pgpsw address, and bin emails to the original one. And before people have a go at the pgpsw admins in particular, I've already had to nuke return addresses from eBay, Amazon and Travelodge, to name but three much bigger organizations with far greater resources available. They had also lost their customer contact databases (due to either hackers, or dodgy employees selling them), and I started receiving spam to their unique addresses. If you give your single email address to the world and his wife, you're never going to find out where the leak originated.

So my advice for the admins (who probably need advice like a hole in the head, and I know will be seriously p****d off and embarrassed that this has happened, and will also be as busy as hell trying to fix it) would be to go through the site code to ensure that the hack isn't more than a simple data theft (i.e. the bad guys haven't left any trojans around), tighten the security patching regime, and put in place some proactive testing processes and monitoring software to ensure that no doors are left open again. And those of us whose email addresses have been misappropriated, I'm afraid we'll just have to expect an increase in spam levels, and we'll have to deal with it. That's life. You can't put the genie back in the bottle, unfortunately.
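The per-contact address trick in the post above (one address per service on your own domain, so spam to it tells you which service leaked) works as a plain tag, but a plain tag such as pgpsw@yourdomain can also be guessed by a spammer who has never seen any leaked list, which muddies the attribution. The example below is added here and is not the poster's setup: it goes one step further and derives each address with an HMAC over the service name, so a tag is only valid if it was issued from your secret, and a spam burst to a valid tag can be attributed with confidence. The domain, secret and sample spam recipients are constructed for the example; the mail-side part (catch-all delivery for the domain) is assumed.

```python
import hashlib
import hmac
from collections import Counter
from typing import Iterable, Optional

DOMAIN = "example.org"                            # assumed: a domain you own with catch-all delivery
SECRET = b"replace-with-32-random-bytes-kept-off-the-mail-client"  # assumed; never reuse across domains


def address_for(service: str, secret: bytes = SECRET, domain: str = DOMAIN) -> str:
    """Derive the unique address to hand to one service.

    The tag is the first 10 hex chars (40 bits) of HMAC-SHA256(secret, service), so knowing the
    address you gave eBay tells nobody the address you gave Amazon, and a guessed tag is rejected."""
    name = service.strip().lower()
    tag = hmac.new(secret, name.encode("utf-8"), hashlib.sha256).hexdigest()[:10]
    return f"{name}-{tag}@{domain}"


def issued_to(address: str, known_services: Iterable[str],
              secret: bytes = SECRET, domain: str = DOMAIN) -> Optional[str]:
    """Return the service an incoming address was issued to, or None if the tag was not issued
    by us (typo, guess, or dictionary spam aimed at the domain)."""
    addr = address.strip().lower()
    for svc in known_services:
        if hmac.compare_digest(addr, address_for(svc, secret, domain)):
            return svc
    return None


def attribute_leaks(spam_recipients: Iterable[str], known_services: Iterable[str],
                    secret: bytes = SECRET, domain: str = DOMAIN) -> dict:
    """Count spam messages per issuing service; unrecognised tags are bucketed separately so a
    guessing attack on the domain is never blamed on a real service."""
    services = list(known_services)
    counts: Counter = Counter()
    for rcpt in spam_recipients:
        svc = issued_to(rcpt, services, secret, domain)
        counts[svc if svc is not None else "unknown/guessed"] += 1
    return dict(counts)


if __name__ == "__main__":
    services = ["pgpsw", "ebay", "amazon"]
    for s in services:
        print(s, "->", address_for(s))
    # Constructed sample of the To: addresses on a week's spam.
    sample = [address_for("pgpsw")] * 3 + [address_for("ebay"), "pgpsw-0000000000@example.org"]
    print(attribute_leaks(sample, services))
```

Once a service shows up in the counts, you retire that one address (and rotate the secret only if you suspect the secret itself was exposed); every other address keeps working, which is exactly the containment the post describes doing by hand.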
PaulMoore2013 (Occasional Visitor; joined Nov 06, 2013; 12 posts)
Posted: Tue Nov 12, 2013 2:16 pm

Hi Chris

I couldn't have put it better myself. These are really useful insights... if only more people would heed the advice.

PHPNuke is an awful application... even beyond the obvious security risks it introduces. I'm yet to find anyone with what I'd consider to be a sufficiently-hardened instance.

I would say, however... I firmly believe the sole use of open source/free "pen testing" apps actually damages the industry as a whole. It's not because they're not effective (some are very good), but people tend to revert to a DIY approach, treating them as some sort of silver bullet.

As you know, Chris, security is hard to get right and all too easy to get wrong. A quick search for "pen testing" on Google reveals a plethora of seemingly savvy, professional firms. In truth, many are just kids sporting the latest BackTrack VMware file... with absolutely no idea of how to interpret the results correctly.

You're right too regarding eBay and others. My latest article still hasn't been resolved, despite being published around the world. BBC, Anonymous, Softpedia, CERT (http://cert.at/warnings/all/20130916.html), HackerNews et al have all picked it up... eBay believe it has been resolved. It hasn't. I notified them in July.

Absolute security is knowing security isn't an absolute.
Page 2 of 4 (all times are GMT + 1 Hour)