Massive Afrihost security flaw exposed

They can't.

They could in the past, and we always tried to balance the needs of our clients with security. Many clients are not that tech savvy, so we made it possible, subject to verification checks against their bona fides.

We've since removed that and our agents cannot view or change passwords (as far as I am aware).

Then that is a step in the right direction... as for your statement about balancing the needs of the client with security, the minute an agent could decrypt the password then you threw security away... you should never be able to decrypt a password ever.

We always have to balance the needs of our clients with our needs. As much as we'd love to implement the most high tech security features, we have to measure the impact this would have with our clients, many of whom are older. We met a client of ours who is 99 years old the other day (very sweet lady) and we need to take their pain points into account (as well as their safety).
 
Sounds like you made a menu change in your software, not fixed the underlying problem. You should be using a salt and one way hash algorithm, I'm not a security expert but I know at least that.

I couldn't answer the super technical questions here - but to my knowledge the passwords were always encrypted but a support agent could view the password on request. I would guess that means it was not one-way encryption (at that point). Now there is no way for them to do so at all.

High tech security? Sorry dude... what I'm talking about is the most basic of security principles... you can implement measures that allow call center agents to change a user's password for a once-off use or something of that sort... lowering your security to pretty much non-existent is incredibly poor form in the extreme.
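An added example (not code from the thread or from Afrihost's systems) of the two points raised in the last two replies: a salted one-way hash that nobody can reverse, and a once-off, time-limited reset token an agent can issue without ever seeing the password. The PBKDF2 parameters, the token lifetime and the in-memory stores are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def hash_password(password, salt=None):
    """Return (salt, digest). Random 16-byte salt per user; nothing reversible is stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute the hash and compare in constant time; the plaintext is never recovered."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


class ResetTokens:
    """Support-agent flow: issue a single-use reset token instead of reading the password.

    Only a SHA-256 of the token is kept, so a leaked table cannot be replayed.
    The `now` parameters exist so the expiry logic can be exercised deterministically.
    """

    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self._pending = {}  # user -> (token_hash, expiry_timestamp)

    def issue(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self._pending[user] = (hashlib.sha256(token.encode()).digest(), now + self.ttl)
        return token  # handed to the customer out of band; never stored in clear

    def redeem(self, user, token, now=None):
        now = time.time() if now is None else now
        entry = self._pending.get(user)
        if entry is None:
            return False
        token_hash, expiry = entry
        if now > expiry:
            del self._pending[user]  # expired: discard, cannot be used any more
            return False
        if not hmac.compare_digest(hashlib.sha256(token.encode()).digest(), token_hash):
            return False  # wrong token: leave the real one pending for the customer
        del self._pending[user]  # correct token: consumed, so it is single use
        return True
```

After a successful `redeem` the application lets the customer set a new password, which is then stored only through `hash_password`.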

Given the number of clients we have, we always have to juggle those. But our plan, as it says in the article, was always to phase in more security but in a way that would impact our clients the least.

Sorry but that is a load of bollocks.

The hated Telkom has way more clients than you guys and not even they know what their clients' passwords are. Your excuse is just that, a feeble excuse.

Just giving you the truth. Sorry you feel that way about it :(
 
Bad decisions.

I think it's easy to have perfect vision in hindsight. I still think we had valid reasons for wanting to adopt a more phased, gentle approach. We did it with our clients in mind, not for any reasons to do with cutting corners or saving money. Our clients' convenience was our primary concern.

No you didn’t. You ignored basic security best practices and you clearly did so willfully. There is zero way you can spin your way out of this cockup.

You didn't follow best security practices. For a company your size that's underwhelming.

I think it's easy to look from the sidelines, but we had our business and technical reasons to plan the rollout of a feature like this for a specific time to minimise the impact.

That is why we were able to roll out a change so quickly, since it had already been planned.

Hardly the sidelines... I work in the IT industry... we would never in a million years provide a support agent the ability to see a user's password regardless of the level of tech savvy of the user.

The fact that you didn't architect your system from day one with that type of basic security is appalling in the extreme and you should question whether your security officer and your software architect are actually worth their salaries.

No toxic, you have to understand that they have clients that are 99 years old. I think the banks should adopt the same approach, because they also have old clients.

Again, I think you make a few assumptions here. Our security and dev team have years of experience in the industry and are often asked to speak at industry conferences. I do believe they are the best of the best, and in high demand.

We use a bespoke CRM system that has evolved over several years. One can't simply make sweeping changes without a lot of planning, testing and optimisation.

If you believe that our approach was the wrong one, I'd love to get your details (maybe you could pass me your CV). Maybe we need your experience and expertise on our team ;)
 
If I lived in jhb I might be interested in that offer but I doubt you would be happy with me since I definitely would be ordering a complete dev freeze and system audit to make sure everything meets basic best practices.

I think it's a bit of a leap to make an all out character assassination here of people you don't know, or have any insight into their reasons for making the decision they make. As I mentioned, I would be happy to make an introduction if you are genuinely interested in furthering the conversation around these topics for the benefit of all.

I think you've made your point, and I think we can agree that you would have done things differently. But let's keep the personal remarks out of the conversation :)