More Than 900,000 accounts compromised in vBulletin.com and vBulletin.org Data Breach

Roughly 401,120 vBulletin.com and 503,204 vBulletin.org member accounts (users who post on each respective site) are being asked to change their passwords after accounts on both websites were compromised in an attack.

How many victims? About 900,000

What type of personal information? Usernames, email addresses, and hashed passwords. It is unknown at this time whether members-area information or any personally identifiable customer information is at risk.

What was the response? An internal investigation is ongoing. Wayne Luke, vBulletin Technical Support Lead, posted about the attack, alerting users to the data breach and encouraging them to update their passwords.

Details of attack: A development server, used mainly for quality assurance, was broken into during the summer. Sometime between then and early October, the attackers gained access to the primary database server, installed Adminer (formerly phpMinAdmin, a single-file PHP database administration tool) and accessed the vBulletin.com and vBulletin.org user tables. At the conclusion of the attack they deleted Adminer.

The log files that were examined show no attempted access to customer data in the support system; the attackers targeted the vBulletin user table. The integrity of those logs is in question, however, since the attackers deleted evidence of their presence, so the absence of log entries is not proof that customer data was untouched.

Quote: “We take your security and privacy very seriously. Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password. Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems. We have taken the precaution of resetting your account password. We apologize for any inconvenience this has caused but felt that it was necessary to help protect you and your account.”

Source: vBulletin.com and vBulletin.org

Typhoon Haiyan Scams

With Typhoon Haiyan in the news, you will see many requests for help. Some people have the time to head overseas and help in person, but the rest of us may feel inclined to donate to support the cause. If you plan to donate, here are some things we recommend to ensure the money goes to the right place.

  1. Watch out for e-mails. Scammers often pose as people or groups who claim to support the cause and accept donations, and unsolicited e-mail requests for money are frequently fake. If someone asks for your banking information or gives you theirs (e.g. Western Union transfer details), assume it is not legitimate. Do not respond to or forward these e-mails, even the ones forwarded by friends and family.
  2. Look out for misspellings and improper grammar. Scammers often cannot write a proper e-mail or website, although a well-written message is no guarantee of legitimacy.
  3. Be wary of links on social media. Once you are on the site, take a few extra seconds to look at the address bar and make sure you are donating to a reputable organization and not a look-alike website.
  4. If you do donate to Haiyan relief, support organizations you know are legitimate. I am not affiliated with them, but the Red Cross and UNICEF are examples of reputable organizations whose donations will reach the victims of Haiyan.
  5. When you donate, ensure that the website uses SSL/HTTPS: look in your address bar and make sure the URL starts with “https://”. This protects your card details in transit and rules out the sloppiest scam sites, but it does not by itself prove the site is legitimate; a scammer can obtain a certificate too, so combine this check with the previous ones.

We just want to make sure that, if you donate, your money goes to the right cause. Follow these tips and you can avoid getting scammed. At Net Force, we wish the survivors of Haiyan well and we hope you have a wonderful day.

The Seven Deadly Sins of Social Engineering

Social engineering has always been one of my favorite attack vectors on any penetration test. A big reason our firm succeeds is that we, as human beings, forget the “Seven Deadly Sins”.

Looking back at the social engineering vectors I used on previous engagements, I noticed that I kept returning to a few common ones, and each of them can be attributed to one of the Seven Deadly Sins.

The Seven Deadly Sins, for those not familiar with them, are: Lust, Gluttony, Greed, Sloth, Wrath, Envy, and Pride. Let me give some examples:

  • Lust – Those wonderful emails promising a wonderful time with beautiful women or a sexual temptation
  • Gluttony – Free Gift Cards to some retailer in some huge sum
  • Greed – Nigerian emails or those wonderful email scams promising lots of money (gift cards to retailers can also fall under this category)
  • Sloth – Easy money by working at home
  • Wrath – Not so much outrage or anger towards an individual as towards a situation or outcome: poor orphans, or a major disaster such as the recent Typhoon Haiyan
  • Envy – Free iPads, iPhones or some beautiful electronic device
  • Pride – Stroking the target’s ego in the email, calling them a valuable person or asset who is needed. Insecurity is a form of pride as well: rather than building the ego up, the email tears it down and makes the target feel insecure about themselves.

In every case the lure is an emotional trigger: it can motivate someone to donate in the spirit of aid for Typhoon Haiyan, or play on someone’s envy because a friend has the shiny new toys they desire.

Either way, be conscious of these social engineering attempts, both in your business and personally. These seven attack vectors will always net at least one win, and the adversary only needs a single win.

Another vBulletin Security Hole? Not surprising

First, in the interest of fair disclosure, I have been a vBulletin customer for close to ten years. While my criticisms may be harsh, they are justified given the level of incompetence I have witnessed in the last few years.

If you missed this article on Brian Krebs’s blog two weeks ago, it details an exploit that targets the installation folder left behind by the vBulletin 4.x and 5.x installers, with an estimated 35,000 sites affected despite Internet Brands having notified customers.

If you run a forum or site powered by vBulletin, remove the “/install” and/or “/core/install” folders. If those directories were still present on your site, assume it may already have been hit: check for administrator accounts you did not create, and for any user IDs whitelisted as super admins in config.php.
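The checks in the paragraph above, as an added example that is not code from this post or from vBulletin/Internet Brands: a POSIX shell script that reports leftover installer directories under a docroot and lists the super-administrator whitelist from config.php, flagging any ID you did not expect. It assumes the vBulletin 4.x layout (config.php under includes/) and the config key `$config['SpecialUsers']['superadministrators']`; both are assumptions about the layout, so adjust the path for your version. The fixture it builds is constructed sample data, not a real site.

```shell
#!/bin/sh
# Added example (not from the post or from vBulletin): audit a vBulletin
# docroot for leftover installer folders and for the super-administrator
# whitelist in config.php.  Assumptions: vBulletin 4.x layout with
# includes/config.php and the key $config['SpecialUsers']['superadministrators'].

# Print each leftover installer directory under docroot $1, one per line.
# Returns 0 when none exist, 1 when at least one does.
find_install_dirs() {
    root=$1
    rc=0
    for d in install core/install; do
        if [ -d "$root/$d" ]; then
            printf '%s\n' "$root/$d"
            rc=1
        fi
    done
    return $rc
}

# Print the user IDs whitelisted as superadministrators in config.php ($1),
# one per line.  The live line looks like
#   $config['SpecialUsers']['superadministrators'] = '1,2';
# Commented-out lines (// or #) are skipped.
list_superadmins() {
    sed -n -e '/^[[:space:]]*\/\//d' -e '/^[[:space:]]*#/d' \
        -e "s/.*\['superadministrators'\][[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$1" \
        | tr ',' '\n' | sed -e 's/[[:space:]]//g' -e '/^$/d'
}

# Print every super-admin ID in config.php ($1) that is not in the
# comma-separated list of IDs you expect ($2).  Returns 1 if any are found.
unexpected_superadmins() {
    expected=",$2,"
    rc=0
    for id in $(list_superadmins "$1"); do
        case "$expected" in
            *",$id,"*) ;;
            *) printf '%s\n' "$id"; rc=1 ;;
        esac
    done
    return $rc
}

# Combined check for docroot $1 with expected super-admin IDs $2;
# returns 1 if anything needs attention.
audit_vbulletin() {
    status=0
    if ! find_install_dirs "$1"; then
        echo "WARN: installer directories still present; delete them"
        status=1
    fi
    if ! unexpected_superadmins "$1/includes/config.php" "$2"; then
        echo "WARN: unexpected superadministrator IDs in config.php"
        status=1
    fi
    return $status
}

# Constructed fixture (sample data, not a real site): a docroot that still
# has both installer folders and a config.php with an extra super admin.
make_fixture() {
    f=$(mktemp -d)
    mkdir -p "$f/install" "$f/core/install" "$f/includes"
    cat > "$f/includes/config.php" <<'EOF'
<?php
// $config['SpecialUsers']['superadministrators'] = '1';
$config['SpecialUsers']['superadministrators'] = '1, 4242';
$config['SpecialUsers']['canviewadminlog'] = '1';
EOF
    printf '%s\n' "$f"
}

# Demo: the site owner expects only user 1 to be a super admin.
site=$(make_fixture)
audit_vbulletin "$site" 1 || echo "audit: action required on $site"
rm -rf "$site"
```

Run it against a real docroot with `audit_vbulletin /var/www/forum 1` (path and ID are yours to supply). The script only covers the filesystem side; the "new administrator accounts" check is a query against your forum's user and administrator tables, which you should run with the same suspicion of the results, since an attacker who got admin could have edited them.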

Criticism

Regardless of the product they use, webmasters, business owners and organizations should employ best practices for vendor risk management. That includes signing up for the vendor’s notifications so that you hear about security flaws in its products. Moreover, anyone who did their homework on Internet Brands would know that the product is rubbish; it is flawed in so many ways it is not even funny.

There are even a couple of vBulletin blog sites focused on the nightmare it has become.

Criticism of Internet Brands

First, we can all agree that there is a set of industry best practices out there, from coding to marketing. From my observations, Internet Brands has violated pretty much every conceivable best practice and is a disaster beyond imagination. This is the very same company that shipped a vBulletin database credential leak: your database username, password, server and database name were exposed to the public through a forum owner’s frequently asked questions page.

Yes, site owners are responsible for their sites, but Internet Brands has no real concept of risk management, project management or information security. Their sole purpose is to make money, and they will make money at the expense of your site’s security. As a customer, I lost faith very quickly and terminated my use of vBulletin immediately so as not to expose my sites to current and future security issues.

Moreover, their security notice downplayed the threat. In an email to its customers, Internet Brands wrote:

A potential exploit vector has been found in the vBulletin 4.1+ and 5.0+ installation directories. Our developers are investigating this issue at this time. If deemed necessary we will release the necessary patches. In order to prevent this issue on your vBulletin sites, you should delete the install directory for your installation. This folder is not required for normal operation of vBulletin.

The hedged wording of that email (“potential exploit vector”, “If deemed necessary we will release the necessary patches”) leads customers to the wrong conclusions: that the threat is not confirmed, that confirmation will come later, and that no immediate action is required. This framing was designed to protect Internet Brands, but in the process the language chosen turned an actual risk into a merely potential one, at a time when sites were already being exploited.

Beyond the notification and communication to its customers, Internet Brands is responsible for the overall security of its product, and that includes elements like the install directory. It remains Internet Brands’ responsibility to ensure that vBulletin is securely coded, tested, audited and validated using industry best practices, and delivered as a product that is not only well coded but scales well.

Information security starts with your developers and your software vendors, and it never stops there. It is (or rather, should be) a required part of the software development life cycle. It is not easy to do, but the savings and return on investment are tenfold when it is integrated into your processes.

Do your homework on your software vendors. They may claim security is at the top of their list, but “trust but verify”. More importantly, do not be cheap on information security. Going for checklist audits and assessments just to be able to say you are secure is being cheap.

Your organization has a reputation to uphold. Information Security is an investment to your organization and welfare. Should you not wish to invest, be prepared for a number of sleepless nights ahead.

Summary:

  • Securely Code Your Products
  • Do your homework on your vendors
  • Your organization has a reputation. It can be tarnished by improper information security.
  • Information Security is not cheap. But it is well worth the investment in the long run.

See how easily Hackers can take over your life

Cyber Security Awareness Month is coming to a close, and I wanted to close with this new video. It is a follow-up to “Amazing mind reader reveals his ‘gift’”.

In this follow-up video, a man assumes the identity of a random person he selects as his mark on Facebook. Using social media, he acquires information about the mark’s personal life, including people the mark knows in real life.

Using movie stage makeup, he takes on his mark’s complete physical appearance, and later stands before the mark in person. See the entire video below:

Be vigilant on who you add as a friend on social media. Moreover, do not overshare information. It is amazing what one can find on the internet. Anything you say on the internet can and will be used against you.

Remember, if you give a hacker a cookie, he (or she) is going to want a glass of milk