
stories filed under: "hacked"
Techdirt

by Mike Masnick


Filed Under:
hacked, sql injection

Companies:
floor64, techdirt



Hacked Recap

from the well,-that-was-fun dept

As mentioned over the weekend, we were briefly hacked on Saturday evening. We've put in a bit of time to figure out what happened, clean up the mess and correct the problems (and harden some other defenses as well). The short story is that we left open a big hole that we shouldn't have left open. Yay. We had certainly locked down most of the obvious holes, and people try to hack us on a semi-regular basis, with little success. But, if someone's persistent enough, they'll find a way. In this case, though, we made it a hell of a lot easier than we should have. This particular hacker tried hitting a whole bunch of different routes early Saturday morning, most of which got rejected (some people noticed his attempt to do a SQL injection via the comments -- that failed). However, he went on to try SQL injections just about everywhere and eventually found one where we hadn't properly escaped things, and bam, that's all it takes. As you probably know, this site has been around since 1998, and while we've dumped/updated most of the old code, and most of the new code is properly secured, there were still a few pieces left over from the ancient code -- and that's where the big vulnerabilities were. That's not an excuse. We should have caught it earlier (in fact, we actually had been testing some code to replace some of the vulnerabilities, but hadn't deployed it yet -- but, we now realize it wouldn't have blocked all the problems). But, it is what happened.

From there, the hacker got into part of the blog admin (don't want to get into too many details of how the blog backend works, but it actually involves two separate admins -- which are separate from other stuff we do). Then, he basically had pretty good access to doing some stuff (though not everything) on the blog. He poked around a bit, deleted a bunch of comments, deleted a whole ton of old story submissions (most of which were junk anyway -- so thanks!) and then replaced a few stories on the front page with his fancy "hacked!" claims.

After that, the story is pretty straightforward. Once we realized what happened, we put the old stories back in place and made sure to quickly toss up some more secure walls to keep him out of the admin. We also shut down comments and submissions for a while, even though we were pretty damn sure the vulnerability wasn't there (it wasn't), but we wanted to make sure. Then a few of us spent some time digging around to understand just what the guy did so we could retrace his steps and make sure we killed off the basic vulnerabilities. Considering that he tried to hit us from a bunch of different angles, this took a bit longer than expected. But, once we figured out the basics, it was just a matter of tracking down the actual holes in the code. It was a little frustrating, since we really thought we'd blocked out SQL injections -- but in the end, it turns out we didn't do it absolutely everywhere. Anyway, there's a fair amount of code to go through, so we've been going over it with a fine-tooth comb, and checking it twice, then locking it down again.

Finally, we've been restoring the lost comments (we're doing that right now, so they might not all be back yet), of which we believe we didn't lose any (there's a small chance that a very very small number of comments were lost). Restoring the lost submissions is a bit much at this point (as I said, most were junk anyway), so if you submitted stories late Friday or Saturday, and really think we should see them, perhaps submit them again.

On the whole, there's not that much to say, other than check your code carefully, folks. If there's a hole somewhere, eventually someone's gonna find it. Luckily, this guy didn't do much damage -- just a bit of vandalism -- and he kept a few of us from enjoying what had otherwise been quite nice weekends with our friends and families. But he got us to go over our code pretty carefully (and mentally kick ourselves a few times), and get in touch with our inner CSI detectives to track down exactly what happened.

Update: Well, that was just great. Less than half an hour after posting this, our network provider went down for nearly two hours, despite supposedly having all sorts of redundancies. It had nothing whatsoever to do with the hack, but was a bigger issue for the provider. However, it did slow down us restoring the comments, meaning that comments need to remain off for probably another few hours. This has really been a fun weekend.

Update 2: Comments are back. We did end up losing a few comments, mostly those right before the hack. Really sorry about that. If you said something really important and it's missing... say it again, please.
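The hole described above is the classic one: user input pasted into SQL text without escaping, so a quote in the input changes the query's structure. The following is an added example, not Techdirt's own code, showing that pattern beside the hardened version (a bound parameter) against a constructed in-memory SQLite table standing in for a comment table; the table, the sample rows and the function names are all assumptions for illustration.

```python
"""Added example (not Techdirt's code): a query built by string concatenation
beside the same query with a bound parameter, run against a constructed
in-memory SQLite table so the difference in behaviour can be observed."""
import sqlite3

# Constructed sample data standing in for a blog's comment table.
SAMPLE_COMMENTS = [
    (1, "alice", "First post"),
    (2, "bob", "Nice article"),
    (3, "o'brien", "Apostrophes are legal in names"),
]


def make_db():
    """Build the throwaway in-memory table used by both query styles."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)"
    )
    conn.executemany("INSERT INTO comments VALUES (?, ?, ?)", SAMPLE_COMMENTS)
    return conn


def comments_by_author_unsafe(conn, author):
    """Vulnerable pattern: the caller's string becomes part of the SQL text,
    so any quote or operator in it is parsed as SQL, not as a name."""
    sql = "SELECT id FROM comments WHERE author = '" + author + "'"
    return [row[0] for row in conn.execute(sql)]


def comments_by_author_safe(conn, author):
    """Hardened pattern: the query text is fixed and the value is bound as a
    parameter, so the database engine never parses it as SQL."""
    sql = "SELECT id FROM comments WHERE author = ?"
    return [row[0] for row in conn.execute(sql, (author,))]


def demo():
    """Run both styles on a legitimate name with an apostrophe and on input
    that contains SQL, returning the observed results for comparison."""
    conn = make_db()
    results = {}

    # A legitimate name containing a quote: concatenation breaks the query
    # (syntax error), while the bound parameter finds the row.
    try:
        results["unsafe_apostrophe"] = comments_by_author_unsafe(conn, "o'brien")
    except sqlite3.OperationalError:
        results["unsafe_apostrophe"] = "syntax error"
    results["safe_apostrophe"] = comments_by_author_safe(conn, "o'brien")

    # Input containing SQL: concatenation lets it rewrite the WHERE clause and
    # return every row; the bound parameter simply matches no such author.
    crafted = "nobody' OR '1'='1"
    results["unsafe_crafted"] = comments_by_author_unsafe(conn, crafted)
    results["safe_crafted"] = comments_by_author_safe(conn, crafted)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The apostrophe case is the useful one for auditing old code: a query that falls over on a perfectly ordinary name is the same query that accepts crafted input, so any code path that only escapes "most" inputs is worth a second look.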

Legal Issues

by Mike Masnick


Filed Under:
hacked, section 230, virus

Companies:
facebook



No, You Don't Get To Sue Facebook Because Your Account Got Hacked

from the sorry,-try-again dept

A guy in Florida has apparently sued Facebook because his account got hacked and started sending out links to a virus. He's claiming that the site failed to protect its users, and he's upset that, even though he got his account back, he lost his photos and had to re-add his friends. He's only asking for $70.50 ($0.30 for every friend he had to re-add), which got a bit of a joking response from Facebook:

"We're very interested to hear how he came up with the figure of $70.50," Facebook spokesman Barry Schnitt wrote in an e-mail to CNET News. "He's not going to get it but we promise to refund all the money he paid to use Facebook. Seriously, we're glad to know how important Facebook is to Mr. Karantsalis but his account was not disabled, is currently active, and he is using it, so I'm not sure what the problem is."

Facebook can afford to laugh since the case appears to have no legal merit. Section 230 clearly protects Facebook from liability in this situation (as it should), and the case law on similar cases backs that up. In fact, Eric Goldman notes that: "If anything, Karantsalis might be on the hook to Facebook for filing such a meritless lawsuit." The guy claims he filed the lawsuit to make a point, but the point he may end up making is that you shouldn't file frivolous lawsuits just because you don't like how things happened.

Legal Issues

by Mike Masnick


Filed Under:
data leaks, hacked, legal, liability



Should It Be Illegal To Get Hacked?

from the might-be-a-bit-extreme dept

A few years back, we asked if it should be illegal to get hacked. In that case, we were referring to some fines that the FTC had handed out to companies that had leaked data to hackers. This raised some troubling questions -- as it's often difficult-to-impossible to stop your computer systems from getting hacked, and putting liability on the company could lead to some serious unintended consequences. Yet, at the same time, over the past few years, we've heard about large security breaches on a regular basis (thanks, in large part, to new disclosure laws) -- and often those breaches definitely seem to be due to negligence on the part of a corporate IT team that failed to lock down the data in any significant manner. That seems to be leading more people down the path of saying that companies should be liable for getting hacked.

For example, Slashdot points us to a blog post at InfoWorld, where it's suggested that companies should be criminally liable for leaking such data. I can certainly understand the sentiment, but it may go too far. Again, it's impossible to totally protect a system from getting hacked. Sooner or later there's always going to be some sort of leak. Increasing penalties could make companies take things more seriously -- especially in cases of gross negligence (which do seem all too common). But making the rules too strict can have serious negative unintended consequences as well, even to the point that some companies may stop accepting credit cards altogether, since the liability would just be too great. Would people be willing to give up the convenience of credit cards to protect their safety? From what we've seen, for most users the answer would be no. They know their credit cards are at risk, but they still use them because the benefit of the convenience still seems to outweigh the danger of the risk.

Predictions

by Mike Masnick


Filed Under:
hacked, predictions, voip



Will VoIP Finally Get Hacked?

from the we-shall-see... dept

Ever since VoIP first came on the scene, there were fear mongering reports saying that you shouldn't use VoIP because it will get hacked. However, in all these years, we've yet to hear a serious report of VoIP getting hacked -- and, even the scary warnings about VoIP hackers have quieted down. Yet, here we are, with a security company now claiming that 2008 will be the year that VoIP gets hacked. Of course, that security company is also selling a solution to prevent VoIP systems from getting hacked, so perhaps you should take the prediction with a rather large grain of salt. So which is it: is hacking VoIP networks not that easy? Is the fear overblown? Or have we just been lucky?

(Mis)Uses of Technology

by Timothy Lee


Filed Under:
drm, e-books, hacked, kindle



Was Kindle's DRM Hacked?

from the reverse-hacking dept

Engadget is reporting that someone has "hacked" the Kindle. But that's a little misleading: it doesn't mean someone has figured out how to crack the copy-protection on Kindle-formatted e-books. Rather, someone has figured out how to convert protected books in MobiPocket format (which Amazon owns) to the closely-related Kindle format. That means that if you've purchased protected Mobipocket books, you now have the option to play them on your Kindle. That's good news, but it's not exactly a major crack in the Kindle's DRM scheme. It's more reminiscent of Real's Harmony software, which allowed Real's DRMed music to be played on iPods. Still, it's only a matter of time before someone figures out how to crack Kindle's DRM wide open. My guess is that so far no one has bothered because there aren't enough Kindles around for anyone to care.
