Crystal Web ADSL performance feedback thread Part 3...

Status
Not open for further replies.
georgelza said:
... here's the thing, who ever did this knew how to troll through the CW thread also, and extract all viewers/contributors.
and he did it the last day/2.

G
Click to expand...

That is very easy to strip out with a web dump.

A few minutes max.
 
Ho3n3r said:
Yeah, 4170 user account details sent to what looks like everyone who's ever touched CrystalWeb on MyBB, maybe even more... Sounds like a bit more than just a minor breach.
Click to expand...

Yeah, the claim of having personal info including bank details also makes me feel like this is not a minor breach.
 
Phinix said:
I honestly feel that of what data I have seen from the PM the user sent everyone - as well as the amount of time it has taken you to respond on this forum - probably because you are doing your own investigation before anything else - I wouldn't call it a "minor breach".

That's just how I see it.



I agree, problem is they just use throw away accounts when posting/sending all the pm's. And if they are half way intelligent they would use a VPN when creating the throw away accounts. Which will make it very difficult to find not only who they are but their actual location.
Click to expand...

what's the difference between a minor or major breach? Is there an industry standard?
 
Ho3n3r said:
Yeah, 4170 user account details sent to what looks like everyone who's ever touched CrystalWeb on MyBB, maybe even more... Sounds like a bit more than just a minor breach.
Click to expand...

yahoo had 500 million...whats' that? super duper breach?

and I don't believe the banking and ID's. why say it and not dump it?
 
Ho3n3r said:
It's a pretty big chunk of CW's user accounts, I assume, so it's pretty big.
Click to expand...

do you know the total number of CW customers? even if it was all of them, login id and password really considered a major breach? I would say no. but if there was ID numbers and banking numbers...that's a different ball game now.
 
crackersa said:
what's the difference between a minor or major breach? Is there an industry standard?
Click to expand...
My take? Minor is when the damage can be easily mitigated by a quick and simple action, eg. change all passwords and send a new one to each user.

Major would be if banking details were leaked, which does not appear to have happened here. Reading through today's posts it sounds like they used the same process as last time and, if so, they would extract the same data set.
 
MickeyD said:
My take? Minor is when the damage can be easily mitigated by a quick and simple action, eg. change all passwords and send a new one to each user.

Major would be if banking details were leaked, which does not appear to have happened here. Reading through today's posts it sounds like they used the same process as last time and, if so, they would extract the same data set.
Click to expand...

get out of my head.
 
Ho3n3r said:
So the portal is the main reason you're missing out on the best performance on the market? I don't believe that.

What do you need from the portal specifically, as everything you'd get there, is covered in other ways anyway.
Click to expand...

I don't like dealing with humans.
 
crackersa said:
do you know the total number of CW customers? even if it was all of them, login id and password really considered a major breach? I would say no. but if there was ID numbers and banking numbers...that's a different ball game now.
Click to expand...

Well, do you know? Nope.

In my opinion, minor is 10 or 20.
 
Okay this morning (it maybe 3pm but it is one of those days) has been spent collecting proper information as to what is happening and then having something sensible out.

There is no reason to believe that any banking information is available as there is a systems isolation approach, however it is the height of arrogance to underestimate the depths to which certain criminal individuals will go and the fact that we have established what route could motivate some maligned person.

The following email will be going out as the reset is initiated:
Hi

As part of our on-going security protocols, please find your updated username and password below:
Username:
Password:

Please note that we no longer store these passwords and should you forget it, we will need to initiate a password reset for you.

Why are we doing this?
Earlier in the year, our software developers (IndigoVision) responsible for building our customer portal were the victims of a malicious piece of software installed many years ago on their servers, and our code and their servers were compromised. Upon learning about this, as well as their failure to deliver on properly salted and hashed passwords as required of them, we terminated all commercial services with the company in question and began rebuilding our portal from the ground-up. In conjunction with numerous network, private investigation, messaging forum, and police parties and as part of the criminal investigations, certain access was retained in order to identify the criminals involved. While this process was successful, IndigoVision failed to implement the salting and hashing of the passwords which was in the 1st place the reasons for terminating services with them.
While their failure to implement this results in an inconvenience relating to switching passwords, the intention of the investigation principles was successful and form part of further criminal proceedings which we are now confident can proceed, with the assistance of South African prosecutors.
Information stored on these servers did not include banking information in any way, and our credit card transactions are processed by SnapScan entirely off our site, so rest assured that no information from these servers contain any of this information. We partner with Sagepay for debit order transactions who have an exemplary service and security track record, and who are one of the largest debit order processors in South Africa.

While we apologise for the inconvenience, this process forms part of our on-going commitment to securing your information, as well as bringing criminals to book. Furthermore, additional security features on both our DSL accounts and customer portal (to be released soon) will enhance security even further.
Regards
Crystal Web
Click to expand...
 
Crystal Web Management said:
Okay this morning (it maybe 3pm but it is one of those days) has been spent collecting proper information as to what is happening and then having something sensible out.

There is no reason to believe that any banking information is available as there is a systems isolation approach, however it is the height of arrogance to underestimate the depths to which certain criminal individuals will go and the fact that we have established what route could motivate some maligned person.

The following email will be going out as the reset is initiated:
Click to expand...

So apparently isolated systems so no banking details would have been obtained.

ID numbers?
 
Crystal Web Management said:
.....we terminated all commercial services with the company in question and began rebuilding our portal from the ground-up. In conjunction with numerous network, private investigation, messaging forum, and police parties and as part of the criminal investigations, certain access was retained in order to identify the criminals involved. While this process was successful, IndigoVision failed to implement the salting and hashing of the passwords which was in the 1st place the reasons for terminating services with them.
Click to expand...



You terminated services with the company? - but they then failed to implement the salting and hashing of the passwords?

Does not make sense.
 
requiem said:
You terminated services with the company? - but they then failed to implement the salting and hashing of the passwords?

Does not make sense.
Click to expand...

No more work for you from CW, but please safeguard the data that is on your server while the forensic process goes on...

?
 
Status
Not open for further replies.
Back
Top
Sign up to the MyBroadband newsletter
X