South African ISP suffers massive password leak online

AfricanTech

Honorary Master
Joined
Mar 19, 2010
Messages
38,745
Hi, could you please explain a bit more? Were there more ISPs whose details were leaked?
CW were not the only customer of the company who hosted their portal.

The 'server' that the portal was hosted on contained the vulnerability for a long time (prior to CW by all accounts). It also appears that other customers of the service provider were hosted on the same platform, and, given the nature of the vulnerability, must have had data exposed as well.

I for one, would like to know which other companies were affected.

This is supposition on my part based on the information shared by MagicDude.
 

quovadis

Executive Member
Joined
Sep 10, 2004
Messages
7,310
As a general rule, only later, once users have been protected, should third parties such as the media get involved. Otherwise general publication in the media could exacerbate the loss to the owner/ISP. Don't forget that the victims are not just the end-users, but also the ISP/business/website operator, and any responsible person will have due regard for that.

So if a week goes by and the company continues to state they are still mitigating the damage then what? Can you imagine the ramifications of this and where do you draw the line? What's to stop the government from claiming a leak will affect the citizens of a country if it was disclosed and the media should wait until they have mitigated risk indefinitely?
 

quovadis

Executive Member
Joined
Sep 10, 2004
Messages
7,310
I for one, would like to know which other companies were affected.

Unfortunately this cannot be disclosed until such a time as the risk to these companies and their customers has been mitigated and everyone involved has been notified. /sarcasm
 

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479
CW were not the only customer of the company who hosted their portal.

The 'server' that the portal was hosted on contained the vulnerability for a long time (prior to CW by all accounts). It also appears that other customers of the service provider were hosted on the same platform, and, given the nature of the vulnerability, must have had data exposed as well.

I for one, would like to know which other companies were affected.

This is supposition on my part based on the information shared by MagicDude.

And this is really my issue with it. First of all, Crystal Web is the only company being named and shamed as it was specifically targeted by the attacker to discredit the company. Secondly, that "global cutting edge full service software development agency" who seems to be at fault for not just storing passwords in clear-text but also not having any intrusion and malware detection in place has yet to own up and inform anyone. If the company is who I think it is, it will be very scary to think that their developers might have written and deployed similar code at other clients.

I have so far on record one customer (not part of the initial Crystal Web list) whose Gmail account was compromised due to a leaked password and subsequently an attempt was made from Poland to gain access to his bidorbuy account (the access was automatically blocked due to our automated intrusion prevention and abnormal login behavior). The customer confirmed that his password was secure and it would have been impossible to hack/brute force.

In any case, I think there will be a lot more issues because of this and the silence of the service provider and purposeful non-disclosure is not helping anyone.
 

quovadis

Executive Member
Joined
Sep 10, 2004
Messages
7,310
And this is really my issue with it. First of all, Crystal Web is the only company being named and shamed as it was specifically targeted by the attacker to discredit the company. Secondly, that "global cutting edge full service software development agency" who seems to be at fault for not just storing passwords in clear-text but also not having any intrusion and malware detection in place has yet to own up and inform anyone. If the company is who I think it is, it will be very scary to think that their developers might have written and deployed similar code at other clients.

I have so far on record one customer (not part of the initial Crystal Web list) whose Gmail account was compromised due to a leaked password and subsequently an attempt was made from Poland to gain access to his bidorbuy account (the access was automatically blocked due to our automated intrusion prevention and abnormal login behavior). The customer confirmed that his password was secure and it would have been impossible to hack/brute force.

In any case, I think there will be a lot more issues because of this and the silence of the service provider and purposeful non-disclosure is not helping anyone.

Now if only a media outlet would release a story about the unnamed third party then anyone who could possibly be affected could take action? Yet, perhaps we should give them an opportunity to mitigate the risk to their customers and customers clients?
 

MagicDude4Eva

Banned
Joined
Apr 2, 2008
Messages
6,479
Now if only a media outlet would release a story about the unnamed third party then anyone who could possibly be affected could take action? Yet, perhaps we should give them an opportunity to mitigate the risk to their customers and customers clients?

Worst part about this (now really showing my age): Back in 1991 when we developed the branch banking application for SBSA in C/C++ running on OS/2 and storing data in a DB2 database, it was natural for us to encrypt passwords and sensitive information (back then we had to write assembler modules to talk to a special IBM crypto card). So my mind is blown that we are sitting in 2016 (25 years later) and someone still stores passwords in clear-text.
 

quovadis

Executive Member
Joined
Sep 10, 2004
Messages
7,310
Worst part about this (now really showing my age): Back in 1991 when we developed the branch banking application for SBSA in C/C++ running on OS/2 and storing data in a DB2 database, it was natural for us to encrypt passwords and sensitive information (back then we had to write assembler modules to talk to a special IBM crypto card). So my mind is blown that we are sitting in 2016 (25 years later) and someone still stores passwords in clear-text.

Blame the DB makers for never introducing an auto-hashing password datatype ;)
 
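The two posts above contrast the portal's clear-text password storage with what a developer is expected to do instead. As an added example that is not code from this thread, from Crystal Web or from the unnamed development agency, the block below shows the standard-library way to store and verify passwords with a salted, iterated hash (PBKDF2-HMAC-SHA256), a constant-time comparison, and a migration helper for a clear-text table like the one the thread describes. The record format, iteration count and the sample user table are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Parameters chosen for this example (assumptions, not from the thread).
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # work factor; raise over time and rehash on login
SALT_BYTES = 16        # per-record random salt defeats rainbow tables


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_b64$hash_b64.

    Storing the parameters with the hash lets the work factor be increased
    later without invalidating existing records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, hash_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: treat as a failed login, never as success
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    # hmac.compare_digest avoids leaking where the first differing byte is.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True if the record uses an old algorithm or a lower work factor than current policy."""
    algorithm, stored_iterations, _, _ = record.split("$")
    return algorithm != ALGORITHM or int(stored_iterations) < iterations


def migrate_cleartext_table(users: Dict[str, str]) -> Dict[str, str]:
    """One-off migration of a clear-text user table to hashed records."""
    return {user: hash_password(pw) for user, pw in users.items()}


# Constructed sample of the kind of table the thread says the portal kept.
CLEARTEXT_USERS = {"alice@example.net": "correct horse battery staple"}


if __name__ == "__main__":
    hashed = migrate_cleartext_table(CLEARTEXT_USERS)
    record = hashed["alice@example.net"]
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong pw:", verify_password("wrong", record))
    print("needs rehash:", needs_rehash(record))
```

On a successful login where `needs_rehash` is true, call `hash_password` again with the current parameters and overwrite the stored record; that is how a deployment upgrades from a weak work factor without forcing a password reset. A leaked table of these records is still worth protecting, but unlike the clear-text dump in the thread it does not hand an attacker credentials that work at Gmail or bidorbuy.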

AfricanTech

Honorary Master
Joined
Mar 19, 2010
Messages
38,745
Worst part about this (now really showing my age): Back in 1991 when we developed the branch banking application for SBSA in C/C++ running on OS/2 and storing data in a DB2 database, it was natural for us to encrypt passwords and sensitive information (back then we had to write assembler modules to talk to a special IBM crypto card). So my mind is blown that we are sitting in 2016 (25 years later) and someone still stores passwords in clear-text.

Ah, but that was the old school who worked with 'back end systems' - these days it's all 'front end' frameworks and 'drop in' code
 

Slamz

Senior Member
Joined
Oct 1, 2010
Messages
946
CW were not the only customer of the company who hosted their portal.

The 'server' that the portal was hosted on contained the vulnerability for a long time (prior to CW by all accounts). It also appears that other customers of the service provider were hosted on the same platform, and, given the nature of the vulnerability, must have had data exposed as well.

I for one, would like to know which other companies were affected.

This is supposition on my part based on the information shared by MagicDude.
Aaah ok thanks... mybb should really investigate more than shoot from the hip... politics and emotions...
 

Arthur

Honorary Master
Joined
Aug 7, 2003
Messages
26,423
So if a week goes by and the company continues to state they are still mitigating the damage then what? Can you imagine the ramifications of this and where do you draw the line? What's to stop the government from claiming a leak will affect the citizens of a country if it was disclosed and the media should wait until they have mitigated risk indefinitely?
Good point.

A week?? I'm thinking more like 6-36 hours max, depending on the gravity of the leak.

I recognise it's probably neither possible nor prudent to set definite hardcore deadlines because cases vary in gravity, complexity and extent.

My own view is that, as a general rule, the more serious the breach the shorter the time between stages, ie the faster one goes to customers and to the media.

Stages?

Both prudence and good governance should impel every org that keeps other people's data (such as login creds, or more) to document a clear policy and action plan on information asset security and the steps to be followed when customer or staff information is compromised. There are also legislative requirements, such as POPI.

Such an "Action Plan in the Event of Compromised Customer Credentials", which is part of the Information Asset Security Plan, should set out the decision tree, stages and timelines to be followed, from first suspicion all the way through to case closure.

It should also spell out the internal and external communications plan, including:
~ internal comms and escalation policy and plan
~ when is top mgt informed. What decisions must they take.
~ when and how are affected customers informed
~ when and how are staff and partners informed
~ when are the police and other gov agencies informed
~ when and how are the media informed
~ how to handle queries and questions from customers, partners, media, staff, etc, etc.

Media can be important allies in this battle against the baddies. It is also their job to ensure rotten managers don't try to bury stories that are genuinely in the public interest.

(There's a lot more to be said, but I'm tired of one-finger typing on the phone.)
 