Just a few minutes ago, I received an email from Malwarebytes notifying me that I'd have to change my forum password next time I logged in. On November 10th their Invision Power Board based forum was compromised. Yes, it can happen to anyone! There are several lessons that can be learned, as outlined in my blog post below:
http://www.tidbitsfortechs.com/2014/11/malwarebytes-forum-hacked/
(Score: 3, Informative) by Tramii on Friday November 21 2014, @06:19PM
Just a few minutes ago, I received the following letter in my email:
“geocrasher,

I’m writing to let you know that on November 10th a vulnerability in our forum software allowed a hacker to gain access to the server hosting our community. We have no evidence of any personal data being stolen (nor do we store any on our forums!) but as a precautionary measure we are forcing all users to reset their passwords. The next time you attempt to log in, please select the “Forgot Your Password?” link below and follow the steps.

https://forums.malwarebytes.org/index.php?app=core&module=global&section=lostpass

We’ve also migrated our community away from our servers and onto a service hosted by Invision Power Board. They know their software best and as vulnerabilities are discovered, they can patch them more quickly.

I personally apologize for the inconvenience and if you have any questions, do not hesitate to contact me directly at mkleczynski@malwarebytes.org.

Marcin”
There are several lessons that can be learned from this:
1) Never use the same password twice. The same password used at a hacked site, used elsewhere, is asking for your accounts to be compromised. I’ve seen it happen.
2) Keep your site software up to date. Whether you’re using Invision Power Board, WordPress, Magento, Drupal, or some other solution: Keep it updated!
3) If you can’t properly manage your security, hire someone who can.
Marcin fessed up here, which is nice. But it never should have happened. You’d think that a company like Malwarebytes would keep things updated, but phrases like “They know their software best and as vulnerabilities are discovered, they can patch them more quickly” lead me to believe that this breach was due to a vulnerability that Malwarebytes didn’t patch quickly enough, even though the updates were available.
So if it can happen to Malwarebytes, it can happen to you. Keep your software updated!
(Score: 2) by toygeek on Friday November 21 2014, @08:51PM
I'm not sure why you wouldn't want to go to my blog. It's not monetized or anything. Not a single ad :)
There is no Sig. Okay, maybe a short one. http://miscdotgeek.com
(Score: 2) by Ken_g6 on Friday November 21 2014, @06:27PM
Exploits are coming out and being exploited within hours these days. That's a lot faster than most people or companies can deploy patches.
Any ideas what can be done about this?
(Score: 0) by Anonymous Coward on Friday November 21 2014, @06:55PM
We all gotta duck, when the chickens come home to roost.
(Score: 2) by tibman on Friday November 21 2014, @07:02PM
Roll your own software? You'll escape the botnets. Any hacking will be very targeted (and way scarier).
SN won't survive on lurkers alone. Write comments.
(Score: 2) by bob_super on Friday November 21 2014, @07:13PM
Convince the NSA to offer hosting services. They'll get your stuff anyway if they want, so why not use them to actually protect you?
(Score: 0) by Anonymous Coward on Saturday November 22 2014, @01:55AM
Because the NSA has shown they are incompetent at protection?
http://news.slashdot.org/story/14/11/17/0229215/state-department-joins-noaa-usps-in-club-of-hacked-federal-agencies [slashdot.org]
Seems they should be focusing on protecting federal agencies from foreign rather than mass surveillance of innocent people.
(Score: 0) by Anonymous Coward on Saturday November 22 2014, @01:56AM
Foreign *attacks* that is.
(Score: 0) by Anonymous Coward on Friday November 21 2014, @07:49PM
I have been thinking about this for a while now.
I am thinking whitelist. Basically, take a computer that is in a known 'ok' state and snapshot it (md5/sha1/crc/size/date/etc). Then just catalog everything. New stuff will pop up, of course. But then you catalog it and know what should be there. The downside is it would be a pain to keep up with. For example, add 1 mp3 to something like Media Player in Windows. You have the new mp3, several index files change, as well as the db Media Player holds its info in, and a bunch of IE cache files from it looking up info; then a bunch of jpgs are added for covers, and a bunch of cached jpgs. All that from 1 small action of adding an mp3. That is just one small example of the challenge of a proper whitelist program.
That is about the only reason I have not rolled my own whitelist catalog program, as to do it right you cannot have places where files or data can hide, which is what you would have to do for every little action you do on your computer to not drive you bonkers.
(Score: 2) by SlimmPickens on Saturday November 22 2014, @04:15AM
https://en.wikipedia.org/wiki/Intrusion_detection_system#Host_Intrusion_Detection_Systems [wikipedia.org]
Host intrusion detection systems run on individual hosts or devices on the network. A HIDS monitors the inbound and outbound packets from the device only and will alert the user or administrator if suspicious activity is detected. It takes a snapshot of existing system files and matches it to the previous snapshot. If the critical system files were modified or deleted, the alert is sent to the administrator to investigate. An example of HIDS usage can be seen on mission critical machines, which are not expected to change their configurations.
Intrusion detection systems can also be system-specific using custom tools and honeypots.
They were able to work backwards using this method when some Debian servers were hacked way back in 2003: http://www.smh.com.au/articles/2003/12/01/1070127318372.html [smh.com.au]
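The whitelist catalog idea above and the HIDS snapshot-and-compare in the Wikipedia excerpt are the same file-integrity check. As an added example that is not from this thread, a small Python sketch that builds a baseline catalog of a tree, diffs a later snapshot against it, and folds reviewed changes back into the baseline; the directory layout and file names are constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def snapshot(root):
    """Catalog every regular file under root as sha256/size/mtime keyed by relative path."""
    root, catalog = Path(root), {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            if full.is_symlink() or not full.is_file():
                continue  # symlinks and special files are skipped, not hashed
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            st = full.stat()
            catalog[full.relative_to(root).as_posix()] = {
                "sha256": h.hexdigest(), "size": st.st_size, "mtime": int(st.st_mtime)}
    return catalog

def diff(baseline, current):
    """Paths that appeared, vanished, or whose hash changed; hashes, not mtimes, so a backdated edit is still caught."""
    base, cur = set(baseline), set(current)
    return {"added": sorted(cur - base), "deleted": sorted(base - cur),
            "modified": sorted(p for p in base & cur if baseline[p]["sha256"] != current[p]["sha256"])}

def approve(baseline, current, paths):
    """Fold reviewed changes into the baseline: the 'catalog it, now it is expected' step."""
    updated = {p: v for p, v in baseline.items() if p not in paths}
    updated.update({p: current[p] for p in paths if p in current})
    return updated

def demo():
    """Constructed scenario: baseline a small tree, then edit, add and delete files."""
    with tempfile.TemporaryDirectory() as root:
        r = Path(root)
        (r / "index.php").write_text("<?php echo 'hello';")
        (r / "old.log").write_text("rotate me")
        baseline = snapshot(root)
        (r / "index.php").write_text("<?php echo 'changed';")  # content changed
        (r / "extra").write_text("not in the catalog")          # unexpected new file
        (r / "old.log").unlink()                                # removed
        current = snapshot(root)
        report = diff(baseline, current)
        # accept only the log deletion; the edit and the new file stay on the next report
        return report, diff(approve(baseline, current, ["old.log"]), current)
```

The catalog is only worth as much as where it is kept: store it off the monitored host or on read-only media, since a baseline the box itself can rewrite is exactly what an intruder would rewrite.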
(Score: 1, Informative) by Anonymous Coward on Friday November 21 2014, @08:56PM
There are always things you can do about this.
First and foremost, don't deploy on a server with no security installed:
* run external applications in independent containers (e.g. KVM, servers, whatever, but 1 external service per container)
* define how data is to flow - for example, have a strict whitelist on outbound connections, never allow SYN outbound to untrusted addresses on the firewall. This stops `wget` rootkit fetches.
* AppArmor and remove write permissions from your server directories.
* use IPSec on internal networks to prevent things like IP hijacking
For example, if you have a Java container, remove the compiler and deploy things pre-compiled.
There are always things you can do for defense in depth. But it requires extra work to set things up. Not just an `apt-get install my-stuff`. And for servers that you monitor, defense in depth works. It slows down any attacks and gives you immediate clues that something is wrong. For normal botnets, defense in depth generally prevents major damage from happening.
(Score: 2) by doublerot13 on Friday November 21 2014, @10:33PM
Have a plan B for mission critical stuff that you can load most of if not all of the data from plan A into in short order.
Then you obviously take plan A offline and use plan B until patches are released.
Or just accept the outage as a cost of doing business.
(Score: 1) by khallow on Friday November 21 2014, @11:54PM
Exploits are coming out and being exploited within hours these days. That's a lot faster than most people or companies can deploy patches.
It's probably a somewhat better situation, I think. It's more likely someone using their former zero day exploit on tough targets or high visibility shenanigans before the targets get patched. There's a short window of opportunity for that.
(Score: 0) by Anonymous Coward on Friday November 21 2014, @08:57PM
For those of us not in the know, what is the Malwarebytes forum about?
(Score: 0) by Anonymous Coward on Saturday November 22 2014, @01:56AM
Selling malware.
(Score: 2) by aristarchus on Saturday November 22 2014, @07:10AM
Ha, Ha, Ha, Ha. Could keep this up for quite a while. For everyone in the know, the warning is summed up in a German notice I once noticed: "The Virus Warning is the Virus!" Loosely translated. But of course, the best virus ever was the one that would, 1. give your ssn to the IRS, put your face on a milk carton, change the expiration date on your milk in the fridge, send your new number to your ex, and there are many more, usually culminating in "giving you Ebola" or "forcing you to use Win8". Both, of course, are equally deadly. But not nearly as much of a threat as systemd, which comes in the backside. Elon Musk is worried about AI, but it is the Basilisk that you must avoid!
(Score: 1) by chewbacon on Saturday November 22 2014, @10:46PM
I ran it for a large community of gamers and hated it. It was bulky, used a bunch of JavaScript and my favorite hitch was the bug that somehow shuffled everyone's permissions. Woke up one day and my account was a basic user and random users were admins. Fortunately, they were honest folks and helped me rectify the issue. It happened more than once.