Discussion
So for me and anyone else who might not be au fait with all of this techno-jargon, was the site taken down temporarily whilst potential holes in its security were rectified?
I'm quite interested in the whys and wherefores of what it was all about, but unfortunately I need it explaining in simple terms
I'm a simpleton, not a techy. Pete and the guys are doing what they do, so Garlick and I will be fending things off. Forgive us if we explain things incorrectly.
We don't know for certain why the site went down. This can happen if something breaks, or if we get overloaded with traffic. That second reason could be genuine high traffic levels, which is what can slow down the site during busy periods. It could also be caused by hackers attempting to swamp the site with queries to exploit vulnerabilities. Or it could be a combination of the two which overload the site.
When the site went down yesterday we assumed that something malicious had been a factor as a precaution, and so elected not to put it back up until we could be certain that as many vulnerabilities as possible had been closed off. So it was the act of removing this older code and making sure that we were problem free which took the time, not the thing which took the site down in the first place.
Pete and his team are currently analysing the data to understand what actually happened and what actions need to be taken as a result.
Stuart said:
On the encryption front, when we acquired the site passwords were not encrypted and were stored in text. We added encryption to all passwords of member accounts early in 2008, and we use AES to encrypt passwords.
The inherent problem with encryption when used in this application is that it's designed to allow decryption, using the same key in AES, which you'll probably be storing in a server-side script for easy processing. Nice and insecure, and completely flawed if the server or code is compromised.
I didn't see an IV field in the user table scheme on that hacker site, so I hope you're not using the same IV and key for each password?
DrTre said:
As an aside if the site has been hacked, this does provide justification for allowing peoples requests that their profiles be deleted.
I know you join a forum on their terms but ...
Not really. A person's profile is visible anyway, and people are free to moderate their profile notes to completely anonymise themselves. We will also delete a profile on request if there's a strong enough reason for this route rather than just deleting all details.
Except I can't delete the email from my profile so that info would presumably still be in the database for those accounts you don't deem to have a "strong enough reason"? Or are you able to delete that from your side?
Since the dawn of all this internet I've always felt a "strong enough reason" is that person's desire to have the account deleted, though I realise having more accounts on a forum is good for business.
Accelebrate said:
Looks like they've got something, the DB structure they posted looks plausible.
Out of interest, the billing, address and phone details in the users table, is that still used for store purchases? Or is that all handled by Dread now?
We don't store any such details. Any transaction (currently either for classifieds or the shop) is handled by Worldpay, and they'll store card details using the security and processes demanded of them as a payment processor.
So if you've ever bought an ad or a T Shirt, you have nothing to fear.
Stuart said:
We don't store any such details. Any transaction (currently either for classifieds or the shop) is handled by Worldpay, and they'll store card details using the security and processes demanded of them as a payment processor.
So if you've ever bought an ad or a T Shirt, you have nothing to fear.
If you (PH) were to store card details, you'd need to be PCI DSS compliant which usually involves a fair amount of money for secure servers with secure access to the server room, dedicated IP routes and a whole raft of other things. Getting Worldpay to run it as a managed service with a pass through is a lot easier. Also means that you don't have to run the risks associated with being an online merchant.
Snoggledog said:
If you (PH) were to store card details, you'd need to be PCI DSS compliant which usually involves a fair amount of money for secure servers with secure access to the server room, dedicated IP routes and a whole raft of other things. Getting Worldpay to run it as a managed service with a pass through is a lot easier. Also means that you don't have to run the risks associated with being an online merchant.
Indeed. Plus, a lot of security systems associated with PSPs come from their ability to aggregate intelligence across a range of different types of transactions, which we wouldn't be able to do.
Sonic said:
Accepting the card details means you need to be PCI compliant, even if you immediately pass them over to a third-party API. So, unless you're using a hosted world-pay solution and don't touch the card details, you would still have to abide to certain, albeit less strict, criteria.
That's correct. We do pass them over to a third party site, and don't touch card details at all. We've been PCI/DSS audited.
Stuart said:
Sonic said:
Accepting the card details means you need to be PCI compliant, even if you immediately pass them over to a third-party API. So, unless you're using a hosted world-pay solution and don't touch the card details, you would still have to abide to certain, albeit less strict, criteria.
That's correct. We do pass them over to a third party site, and don't touch card details at all. We've been PCI/DSS audited.
Now, about storing account passwords in a decryptable state...