security incident on forum.eset.com

[Marcos 5,069]

Security forum that doesn't check how secure it's host is. Oops.

 

This is not true. Penetration tests were performed before the forum was launched and the provider keeps it safe. The incident is being investigated so drawing any conclusions now would be premature.

[cutting_edgetech 25]

My password has been changed.

[SweX 871]

For some reason it feels better having the forum hosted by a 3'rd party as it is them that will get hacked. I don't really look at these forum hacks with harsh eyes anymore since we see news like this almost everyday now. As long as one doesn't use the same pass elsewhere there's not much to worry about. Registering with an "alias" is also good of course.

[y0s3m1t3 0]

 

What if you login with your Facebook account to this forum, LAZY as I am? 

 

Nothing to worry if you use two different passwords. 

Otherwise...disconnect your FB account and create new account on this forum.

And change passwords of course.

 

 

Thanks and and nice to meet!  

[mattspchelp 4]

Maybe Eset should add there two factor authentication to there forum , a simple pin sent to the phone to confirm you are who you say you are?

[Arakasi 549]

LOL @ some of the responses thus far from people who know as much about security and forums as my dog Willy.

[MAKAnet 0]

Funny.

This is really funny, guys/gals.

Eset forum hacked is something like a "Coven in The Vatican", or sounds like it, doesn't?

 

PASSWORD CHANGED.(btw)

[SweX 871]

LOL @ some of the responses thus far from people who know as much about security and forums as my dog Willy.

Nice I didn't know that you had a Dog  

Perhaps we can use Willy as a watchdog for the forum and if someone tries to sneak in he will bark 

[TomFace 539]

Mission accomplished! (password changed) 

Edited June 8, 2014 by TomFace

[cyberhash 188]

Willy the sql server protector

 

Patent that name

[nickster_uk 1]

I don't negotiate with terrorists...cyber or otherwise.

 

Stand firm and unite against them.

 

If we change our passwords, they win

[IanR 1]

The whole Web seems like it's disintegrating, securitywise. 

1. Heartbleed
2. Ebay
3. Avast
4. Office
5. Gameover Zeus
6. Eset

Of course we don't know the full lowdown on most of these yet, but we do know that Heartbleed is a buffer over-read, basically a C programming language weakness, and Gameover Zeus is basically propagated by user spoofing. It's my guess that most of the others were either SQL code injections (highly likely) or Javascript XSS. 

 

It strikes me that there is a need for a drastic overhaul of the whole software coding scene; If Windows XP is frowned on as insecure, then so should be SQL, in fact it is far older and has infinitely worse security issues than WinXP. Likewise, application programmers should be discouraged from using C or C++ with their inherent buffer overflow vulns. Until we get these two sorted out, the hackings will continue.

 

The irony of it is that even before the Internet era there were plenty application and database languages that didn't have these issues. It seems like the choices made in the early days were the absolute worst ones possible from a security standpoint. The choice of C for early 8086 machines is understandable in that its poor security was unimportant on a standalone PC, and it gave the fastest perfromance bar assembly code.  But, the choice of SQL for content-managed websites was totally inexcusable. By that era the need for security was apparent, and the unsuitability of a language which doesn't understand variables and thus has to take its input as mixed commands and literals (where the literals may themselves be malicious commands) should have been obvious.

 

Dropping these two flawed coding tools will be a painful process with the amount of library code based on them, but IMHO it has to be done if users are ever to have confidence in online apps.

[Exfso 0]

Thanks for the rapid response, changed password.  It is getting to the point that nothing is safe in cyberspace.

[cyberhash 188]

The whole Web seems like it's disintegrating, securitywise. 

1. Heartbleed
2. Ebay
3. Avast
4. Office
5. Gameover Zeus
6. Eset

Of course we don't know the full lowdown on most of these yet, but we do know that Heartbleed is a buffer over-read, basically a C programming language weakness, and Gameover Zeus is basically propagated by user spoofing. It's my guess that most of the others were either SQL code injections (highly likely) or Javascript XSS. 

 

It strikes me that there is a need for a drastic overhaul of the whole software coding scene; If Windows XP is frowned on as insecure, then so should be SQL, in fact it is far older and has infinitely worse security issues than WinXP. Likewise, application programmers should be discouraged from using C or C++ with their inherent buffer overflow vulns. Until we get these two sorted out, the hackings will continue.

 

The irony of it is that even before the Internet era there were plenty application and database languages that didn't have these issues. It seems like the choices made in the early days were the absolute worst ones possible from a security standpoint. The choice of C for early 8086 machines is understandable in that its poor security was unimportant on a standalone PC, and it gave the fastest perfromance bar assembly code.  But, the choice of SQL for content-managed websites was totally inexcusable. By that era the need for security was apparent, and the unsuitability of a language which doesn't understand variables and thus has to take its input as mixed commands and literals (where the literals may themselves be malicious commands) should have been obvious.

 

Dropping these two flawed coding tools will be a painful process with the amount of library code based on them, but IMHO it has to be done if users are ever to have confidence in online apps.

 

 

Some good and valid points raised here as most users will have no idea of how code actually works. It will be an ever running battle against viruses/exploits.

 

Anyone with the talent can write a bit of code, that could be installed in literally millions of devices worldwide until its noticed that its bad code. Sadly no one is ever going to drop these languages as they are what everything is built on. Even if a new language was started from scratch, there will be people with the above said talent that can write just as destructive code in it.

 

Best policy for online security outwith your A/V & Firewall

 

Never use the same password on more than one site

Never allow cross site posting on your behalf, like forums wanting to post to facebook/twitter accounts

Never underestimate the underestimated

 

[siljaline 57]

Asked and answered at post 26
 

For some reason it feels better having the forum hosted by a 3'rd party as it is them that will get hacked. I don't really look at these forum hacks with harsh eyes anymore since we see news like this almost everyday now. As long as one doesn't use the same pass elsewhere there's not much to worry about. Registering with an "alias" is also good of course.

Edited June 6, 2014 by siljaline

[rcash 0]

So would this be why I got an email last night from orders.eset.com with trial username/password information when I did not request one?

Edited June 6, 2014 by rcash

[Weng 3]

Nowadays, there is no 100% safe place in the cyber world. What we can do is protect ourselves by several ways like choosing a good AV product. In my opinion, Eset is doing almost prefectly. Yesterday my notebook was infected by Ramnit A virus, which is a very dangerous virus. It can create backdoor for the devices and it spread very fast. Luckly I have Eset, it detected and quaranteen most of it otherwise I have to re-format my notebook again. So don't blame Eset anymore. Its not Eset's fault！ Other forums also experienced this incident as well. What I can say is the hacker is too inteligent but he uses in the wrong way.

[IanR 1]

Nowadays, there is no 100% safe place in the cyber world. What we can do is protect ourselves by several ways like choosing a good AV product. In my opinion, Eset is doing almost prefectly. Yesterday my notebook was infected by Ramnit A virus, which is a very dangerous virus. It can create backdoor for the devices and it spread very fast. Luckly I have Eset, it detected and quaranteen most of it otherwise I have to re-format my notebook again. So don't blame Eset anymore. Its not Eset's fault！ Other forums also experienced this incident as well. What I can say is the hacker is too inteligent but he uses in the wrong way.

 

Eset is one of the best AV products, but no AV product can protect against nonreplicating malware which has never been seen before. Much of today's malware falls into that category, often being spread by way of spoofing users into installing fake 'updates.' 

 

The flood of updates is in turn mainly created by the security issues with C and SQL. And, to a lesser extent, by Javascript XSS issues.

 

You might find this applet helpful in preventing spoof attacks. It basically stops executables from being launched in typical browser download folders, and unlike UAE, it can't be absentmindedly OK'd to. (and since it's on sourceforge I think it can be assumed it's not a spoof!)

[longtimeuser 2]

Passing the buck to the 3rd party is all very well but Eset are in the security business and a security breach harms their credibility.

 

Perhaps the lesson to learn is that Eset should not have used a third party. Or maybe the forum should have been left with Wilders where users perhaps would have been more careful in deciding what email address or profile information to provide. Users might assume their data is more secure on an official Eset forum.

 

The answer "Who cares? Everything's been breached these days!" is no answer at all. If that's the attitude, why bother with any security?

 

People in the security business are there to 'secure' data, not always be on the back foot, closing the stable door after the horse has bolted. The current run of breaches should be a wake-up call to the entire security industry that it needs to raise its game.

[cyberhash 188]

Passing the buck to the 3rd party is all very well but Eset are in the security business and a security breach harms their credibility.

 

Perhaps the lesson to learn is that Eset should not have used a third party. Or maybe the forum should have been left with Wilders where users perhaps would have been more careful in deciding what email address or profile information to provide. Users might assume their data is more secure on an official Eset forum.

 

The answer "Who cares? Everything's been breached these days!" is no answer at all. If that's the attitude, why bother with any security?

 

People in the security business are there to 'secure' data, not always be on the back foot, closing the stable door after the horse has bolted. The current run of breaches should be a wake-up call to the entire security industry that it needs to raise its game.

 

Of course it harms their credibility and i would presume that Eset are not happy with the situation that they have found themselves in just now, the same can be said for an enormous company like ebay.

 

Wilders uses 3rd party software to run their forums on a paid host and no more secure than any other board. All this forum asked for from me when i signed up was a email address and password, the same as any other forum. There are no credit card/bank details on here.

 

Yes i care, but i also use a bit of common sense and use unique passwords for every site i sign up to. In the knowledge that if any site is breached then my password is useless to anyone that's managed to get hold of it.

 

The internet is a "nice place for good people" , but can also be a "good place for bad people".

 

Maybe in the future we can hope that there might be something like a "certificate" applied on websites/forums that gives you some sort of guarantee that if your details are stolen then you have some legal path that you can go down and make them accountable. This would need to be enforced by government agencies and not the security industry itself.

 

Unlike just now, where every forum you sign up to has a disclaimer that you must read/tick the box to join. Stating that if anything goes wrong that nobody is responsible. But nobody reads these and just assumes that everything will be ok and then complain when it all goes wrong

[Arakasi 549]

The above post is spot on.

There is nothing stored on these forums but text.

 

If you used a password for this forum, that is also your FB password, email password, or financial management password, then maybe its a good thing you are here. ( ie. Learn to use different passwords )

[longtimeuser 2]

Okay,

 

To be clear, I use strong passwords, unique mailboxes, don't include any personal data yada, yada, yada.

 

But what you seem to be missing is that wheres I mostly sign onto boards using 10minutemail there may be many people who sign on using an active email account - whether primary or disposable. The hackers now have the opportunity to spam and/or test those email addresses against banks/retail/mail accounts etc.

 

The issue is not about unique passwords, it's about unique email addresses.

 

I respect your support for Eset but not your possibly over-confident attitude to security.

 

I think certification would be a good idea, and also support the oft-mooted security internet redesign.

[cyberhash 188]

Okay,

 

To be clear, I use strong passwords, unique mailboxes, don't include any personal data yada, yada, yada.

 

But what you seem to be missing is that wheres I mostly sign onto boards using 10minutemail there may be many people who sign on using an active email account - whether primary or disposable. The hackers now have the opportunity to spam and/or test those email addresses against banks/retail/mail accounts etc.

 

The issue is not about unique passwords, it's about unique email addresses.

 

I respect your support for Eset but not your possibly over-confident attitude to security.

 

I think certification would be a good idea, and also support the oft-mooted security internet redesign.

 

Everyone here wants security in it best possible form. But i feel that we are a long way from getting what would be ideal

 

I an not overly confident and personally "expect the unexpected" and try to use what means are at my disposal to reduce my risks whilst online.

 

The internet should be like your house, 1 key to unlock the door and walk in ,, or online 1 username and password........ but sadly the way software & sites have been coded from day one this is not an option.

 

It was law that made it illegal to break into peoples property, you cant blame the lock manufacturer if someone manages to break it and get in.

 

I fear that is going to take some massive security breach at a large multinational bank that forces the majority of people online to question online security as stands just now and force governments to act.

But when you have Muppets like Snowden telling you that Governments are the bad guys , who do you trust

[Weng 3]

 

Nowadays, there is no 100% safe place in the cyber world. What we can do is protect ourselves by several ways like choosing a good AV product. In my opinion, Eset is doing almost prefectly. Yesterday my notebook was infected by Ramnit A virus, which is a very dangerous virus. It can create backdoor for the devices and it spread very fast. Luckly I have Eset, it detected and quaranteen most of it otherwise I have to re-format my notebook again. So don't blame Eset anymore. Its not Eset's fault！ Other forums also experienced this incident as well. What I can say is the hacker is too inteligent but he uses in the wrong way.

 

Eset is one of the best AV products, but no AV product can protect against nonreplicating malware which has never been seen before. Much of today's malware falls into that category, often being spread by way of spoofing users into installing fake 'updates.' 

 

The flood of updates is in turn mainly created by the security issues with C and SQL. And, to a lesser extent, by Javascript XSS issues.

 

You might find this applet helpful in preventing spoof attacks. It basically stops executables from being launched in typical browser download folders, and unlike UAE, it can't be absentmindedly OK'd to. (and since it's on sourceforge I think it can be assumed it's not a spoof!)

Totally agree and thanks for your information. Yesterday is really unlucky for me. I downloaded a patch for a game from non official website and that's why I got infected.

 

[Triple Helix 0]

 

This is dumb for a security forum!

 

TH

Don't worry the Webroot Forum will follow soon     (But let's hope not)

 

AFAIK, It doesn't matter if a forum is about Cars, Technology or Security. They are all forums running on software, so if the Car forum runs the same forum platform as the Security forum then you can't secure the Security forum any better than the Car forum and hope that the 3'rd party does everything they can to keep it as secure as possible.

 

I imagine that we will just see more and more of these bastard attacks.

 

 

This is not about Webroot I said it's sad (dumb) for a security forum and nothing more I could of picked a better word and I belong to many security forums so who is next and I did check with the Webroot Community Manager about this and he showed me this from Lithium Board Software and they Host their own Forum Software hxxp://www.lithium.com/security sorry if anyone took offence.

 

TH

Edited June 6, 2014 by Triple Helix