News & Analysis

Password Hack Fuels Fears of Serious Internet-Wide 0-day Attacks

By ISBuzz Team, November 10, 2015

Developers of the vBulletin software package for website forums released a security patch just hours after reports surfaced that a hack on the developers’ site leaked password data and other sensitive information belonging to almost 480,000 subscribers. Security experts from CertiVox and Lieberman Software have the following comments on it.

Brian Spector, CEO of CertiVox:

What happened?

“It seems the culprit, or perhaps someone pretending to be them, defined the attack as a SQL injection vulnerability. This means the attacker can upload shell and remote execute. It’s a fact of the password world: use the same password across two or more sites and you face the risk of being affected.

Either way, all vBulletin forum users should reset their password as soon as possible.”

Why hack a bulletin board?

“Hacking a bulletin board is a high value target for gathering a very high quantity of username and password pairs to re-purpose on other sites that may be of higher value. Users, to cope with the mess that passwords create for them, will, perhaps understandably, use the same passwords for several different sites. Some of those sites and services can include high value information such as credit cards that are very attractive to attackers.

This is particularly true if the suspicion were confirmed that the bulletin service vBulletin itself were vulnerable. The service is used by 100,000 sites around the world! The only evidence of this available publicly is that a patch was released by vBulletin.”

Advice for organisations

“If you have vBulletin installed: install the patch that was released immediately!

But the reality is that the advice that has for many years now been repeatedly given to online services customers, to avoid using the same password for multiple sites, applies in this situation – again. The human aspect of memorising all these different passwords is not to be underestimated: it’s simply too hard. Customers should activate 2 factor authentication wherever available and insist on 2 factor authentication where it’s not.

The industry needs to get over passwords. They don’t scale for users, they don’t protect the service itself and they are vulnerable to a myriad of attacks. 2-Factor-Authentication for protection works, but it’s hardly user friendly. There are cryptographic security advancements available in the authentication space today, that combine multi-factor-authentication with excellent ease of use that delight customers. These protocols remove all the threats we have become so accustomed to reading about every week. Database hacks, password reuse, browser attacks and social engineering can all be a thing of the past in the authentication space. Your customers are rightly demanding to be protected when they submit their valuable personal information to you and online services should seriously consider taking that seriously.”

Jonathan Sander, VP of Product Strategy at Lieberman Software:

What happened?

“This hack happened because software is written by humans, humans are flawed, and therefore code is flawed. Just like the builder thinks differently than the demolition specialist, the people writing code can’t always see what someone seeking an exploit may find. We won’t know the exact details for a bit, but that’s the ultimate cause.

The first ones affected will be the site admins who will be sucking down caffeine as they patch, retool, and attempt to mitigate any damage caused by this. The effects on the users who had their details stolen will be a long tail that will dribble out over time.”

Why hack a bulletin board?

“All data is useful. The usernames and passwords people use for one site, even a bulletin board, may be the same they use for their bank, their credit cards, or their Apple ID. With that I can steal money, clone their credit cards, or pirate tons of movies for free. Since vBulletin was widely used even by boards that are considered secure like the boards over at the Defcon.org security focused forums, this may be an opportunity for bad guys to get things they would not normally get from careful people. There’s also an element of reputation. Many exploits are more like graffiti than breaking and entering. This may be someone making a reputation, and we see someone taking very public credit for it.”

Advice for organisations

“The first step in security is always inventory. Are you using vBulletin? Are you sure you’re not? You had better be. Only once you know where and if you are affected can you do anything else. Right now even the security experts over at Defcon.org who were using vBulletin have opted to simply shut down the affected sites and wait to see what happens.”

The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
