An Eventful Morning

7:50:00 PM

TL;DR: Our Vanilla Forums installation was hacked, but our VPN system was entirely unaffected. Forum users should change their passwords if they reuse them on other websites.

Today, November 18, 2013, at about 5 o'clock, we discovered a message posted at the top of our forums asking visitors to send Bitcoins to a Bitcoin address in order to receive 10x Bitcoins back. Fortunately, visitors to our forums are far too experienced to fall for such tactics.

How was it done?
Going into detail, the exploit was publicly announced some time ago, as you can see here. Our security team was aware of this problem, but the details in the reported vulnerability were incorrect. As a result, our system remained vulnerable despite our having followed the vulnerability report.

Our response
We immediately found and corrected the problem. Furthermore, we examined the steps taken by the intruder and determined that they had gained access to the forum's SQL database server.

Our strategy going forward will be to make a number of changes to harden our front lines in the ongoing battle to push industry security best practice to new frontiers. Specifically, we will migrate to a more secure forum system. This new, more secure forum will continue to be isolated from the rest of our systems, as it has always been.

In addition, we would like to introduce our new Private Internet Access Whitehat Security Alert Program (PIA WASP). PIA WASP will reward whitehat and blackhat researchers alike, provided they follow our program's simple guidelines. We will reward confirmed exploit discoveries, by name or anonymously and by any payment method including Bitcoin, based on their severity. Shell and SQL access will be awarded a minimum of $5,000 US if determined to be legitimate, unique and severe.

Finally, we have sent an email to all forum users to notify them of this issue. Private Internet Access subscribers who did not use the forum are not affected in any way, shape or form.

What forum users should not be worried about
Our VPN system is completely separate from our third-party, offsite forum system. They use entirely different passwords, different servers, different databases, different keys, different certificates, different software stacks and different data centers, and, of course, there is no cross-access between our forum server and our VPN system. Absolutely nothing is shared.

We deliberately set up this structure early on to mitigate against these types of attacks coming from our forums and other third-party systems that are built and maintained by others. We were worried about the possibility of an attack vector that could compromise the privacy of our users, so this was set up in advance. The forum is simply reverse proxied so that it appears to be served from the same root domain. You can learn more about reverse proxies on Wikipedia.

What forum users should do
Vanilla Forums uses 256 iterations of a salted MD5 hash of the user's password. While this is fine in practice, unfortunately a very determined adversary could crack the password if it is simple (a dictionary word, etc.). It is strongly recommended that you change your password on other sites if you use a common password across multiple sites, including the forum. Moving forward, it is also strongly recommended to use a password manager that generates random, long, strong and unique passwords for each site / service, such as LastPass with 20+ character passwords.
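To put the paragraph above in perspective, the following is an added illustration (not code from this post, from Vanilla Forums, or from Private Internet Access) that models a 256-round salted MD5 scheme and compares its cost per guess with a modern iterated KDF. The legacy construction, the 600,000-round PBKDF2-HMAC-SHA256 figure and the candidate strings are assumptions made for the comparison.

```python
import hashlib
import hmac
import os
import time


def legacy_hash(password: str, salt: bytes, rounds: int = 256) -> bytes:
    """Assumed model of a '256-iteration salted MD5' scheme (not Vanilla's code)."""
    digest = salt + password.encode()
    for _ in range(rounds):
        digest = hashlib.md5(digest).digest()
    return digest


def modern_hash(password: str, salt: bytes, rounds: int = 600_000) -> bytes:
    """A deliberately slow, standard KDF for comparison (round count is an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def verify(stored: bytes, password: str, salt: bytes, kdf) -> bool:
    """Constant-time comparison so the check itself leaks nothing about the stored hash."""
    return hmac.compare_digest(stored, kdf(password, salt))


def seconds_per_guess(kdf, samples: int) -> float:
    """Average wall-clock cost of one candidate evaluation on this machine."""
    salt = os.urandom(16)  # constructed salt for the measurement
    start = time.perf_counter()
    for i in range(samples):
        kdf(f"candidate{i}", salt)  # constructed candidate strings
    return (time.perf_counter() - start) / samples


def work_factor_ratio() -> float:
    """How many times more work per guess the modern KDF costs than the legacy scheme."""
    return seconds_per_guess(modern_hash, samples=2) / seconds_per_guess(legacy_hash, samples=200)


if __name__ == "__main__":
    legacy = seconds_per_guess(legacy_hash, samples=200)
    print(f"legacy: ~{1 / legacy:,.0f} guesses/s on one core")
    print(f"modern KDF costs ~{work_factor_ratio():,.0f}x more per guess")
```

The ratio is what matters: a low-iteration scheme lets an offline attacker test a whole dictionary quickly, which is exactly why reused passwords must be rotated after a database leak.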

For forum users who are also Private Internet Access subscribers, please rest assured. Even if your VPN password is the same as your forum password and the adversary is somehow able to crack your password, it will not affect your VPN security or privacy, since the password is used only for authentication. The encryption is not based on the password at all; more details can be found on our VPN encryption page.

Closing Notes
We sincerely apologize for what happened. Fortunately, this was an event we had planned for, and that is why our core VPN systems remain strong and unaffected. We will continue to focus on and strengthen our security practices.
