News:

SMF 2.1.4 has been released! Take it for a spin! Read more.

Main Menu

In response to Avast's recent hack

Started by Kindred, May 28, 2014, 08:48:22 AM

Previous topic - Next topic

Kindred

(UPDATED the post and locked the thread, pending analysis of the data)

As you may have heard, several days ago, Avast, a company known for its popular antivirus and related security software, had its forum site hacked. Avast was using SMF as their forum software as they have done for several years now. When we heard, we immediately attempted to contact the Avast staff so that we could provide assistance and, more importantly, analyze the vector of the attack.

Unfortunately, they have not been particularly forthcoming in working with us (to this point), and have indeed accused Simple Machines of a number of things. While we understand that Avast is looking to preserve its standing in the web world and looking to lay the blame at any one else's doorstep, aside from their own, we are concerned and upset over the unfounded accusations they have leveled. We take the security of our software very seriously at SMF. (Indeed, we have one of the best records of all open source forum softwares for security and for quick and effective patching of reported security issues.)

Without getting into any retaliatory accusations or attacks, let me address the issues as presented:

1- Avast claims to have been running SMF v2.0.6. We know of NO vulnerabilities in v2.0.6, and none have been reported to us.
1a- The site image taken by Google shortly before the hack indicates a copyright of 2012 on their SMF installation. This suggests to us that they are not being fully honest with their statement, since the last version of SMF to use a 2012 copyright date was 2.0.3.
(correction added: 2.0.3 used (c)2011. 2.0.4 used (c)2013 - since Avast clearly shows (c)2012, we can confidently state that they were not applying the full SMF approved patches from version to version and that whatever they were doing to patch their system was done by them, possibly manually)
1b- We know that the Avast installation was not a default installation and that some personal modifications had been made to their installation.

2- Avast claims that they have received notification from a blackhat site that there is a security vulnerability allowing RCE (Remote Code Execution) in 2.0.6. They have so far, been unwilling to share the actual vector or logs for us to confirm.
They just shared the site/link which they claim shows the vulnerability. Unfortunately, despite their claims, the "vulnerability" listed on that site is nothing of the sort. It CLAIMS to allow the arbitrary execution of any php code, but it is incorrect (and can be quickly proven to be so). Although it might LOOK dangerous to anyone who is not familiar with code, it is not possible to use that code in the way the "blackhat" author suggests. Given the fact that we expect the Avast team to be familiar with coding, at this time, we have to assume that this is yet another attempt to pass the blame with no actual evidence or support.

3- (We find this particularly troubling) Avast claims that Simple Machines released an undocumented and silent security patch in 2.0.7 which addressed the 2.0.6 issue that they note. We vehemently deny this accusation. 2.0.7 was released with a few minor bug fixes and the main update that was intended to address the preg_replace /e function which was deprecated in PHP 5.5. We have stated, over and over, that there was no security update in 2.0.7 and have even gone so far as to tell people that, if they are not using PHP 5.5, there is no need to upgrade to 2.0.7. We recently criticized a certain other software for releasing a silent security update without informing their users that the upgrade was required to be safe.  We would not do that. We did not do that. We invite ANYONE to do a differential compare of the 2.0.6 code against the 2.0.7 code and point out where this supposed silent and undocumented security patch was done.

4- Avast claimed that they are working with us. As I stated above. We approached them, eager to help and work with them to discover the vector of the attack. They not only refused to give us any information but immediately started accusing us of being the vector.  --- Shorty before the release of this statement, we received the first real communication from them. At this time, Avast is now communicating with us, somewhat, after we approached them again, but so far, we have not received any usable information so that we may analyze what exactly occurred. We will update this should the situation change.

5- Unfortunately, as happens, some news agencies have picked up on the rumor, innuendo and accusations thrown about by the Avast team and the members of that community, and have concluded (and reported), without any real evidence, as if those statements were the truth.

We assure our community and anyone using our forum software that we have been unable to find any true vulnerabilities in SMF v2.0.6 or v2.0.7.

There are many things to speculate on and I can suggest several possibilities of ways that the hacker could have gotten access to the Avast system without any vulnerability in SMF's code. I will, however, refrain from throwing out counter accusations or wild speculation until more information is available.

Despite the above, we invite the Avast webmasters to contact us further (either Kindred, who is the Project Manager of the Simple Machines Forum project, or CoreISP, who is the President of the Simple Machines corporation and the head of our server group). We are still willing to work with them to find the actual vector and will work quickly release a patch (and our apologies) if we find that the SMF code was, in any way, the vector of the attack. However, at this time, we have seen no evidence to support or even suggest that there are any vulnerabilities in SMF versions 2.0.6 or 2.0.7.  Additionally, if ANYONE has ANY information on a potential security issue in the Simple Machines Forum software, you can report it to [email protected]. ALL reports made to that address are reviewed and considered by the Developers, the Project Manager, the Server Team and members from the rest of the teams. As I stated above, we take our security record seriously.

Most of all, we wish that the Avast team and community refrain from throwing further accusations and attempting to damage the reputation of Simple Machines Forum without clear evidence and proof that they are willing to submit for review.

Avast has declared their intention to move to a different software for their forum, and that is their right. While we hate to see them leave our community of users, I do challenge them to actually find any open source forum software with a better security record or a more responsive team.

Kindred
Project Manager, Simple Machines Forum
Director, Simple Machines


UPDATE:
Avast is now working WITH us to analyze the server logs and the code from the server to determine the vector and the payload of the attack.
Once we are out of the realm of supposition and guessing, and have some evidence, we will put together a clear statement on our findings.
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Looking

Interesting, I hope that it does not hurt SMF and that you can get down to the actual cause of all. I still confidently use SMF.

Steve

Thank you for the very easy to understand explanation Kindred. As 'Looking' said, I will continue to confidently use SMF.
DO NOT pm me for support!

AllanD

The problem isn't the software, anyone can get hacked it's just a fact. That being said I don't think this post is really called for. I am taking it that you more are less saying it's not us it's you. Which will result in hurting SMF far more then saying nothing at all.
Check out this great sites.
KnD Hosting

Arantor

Of course it is. Avast is outright saying it's SMF's fault, and as far as I am personally concerned it's a lie. The facts they have stated are BS from my personal perspective; I know better than ANYONE what 2.0.7 contained. I know this because I'm the person that worked on 2.0.7.

They are saying that 2.0.7 fixed a security hole in 2.0.6. This is, from my perspective, a lie, since 2.0.7 did not fix any security holes. Because as far as is known, there were none in 2.0.6 to fix in the first place. They're claiming that 2.0.7 contained a fix for a security issue and it was hidden from the changelog so they didn't install it (since 2.0.7 is only minor bug fixes)... this is also a lie.

Again, I'm the one who wrote the changelog. I wrote it as an honest and truthful record of what I changed.

From my personal perspective - and not on behalf of the team - Avast is calling me a liar. They're calling SMF a liar. Damn straight that SMF should defend itself against such accusations which, as far as I know are scurrilous and unfounded.

zappaDPJ

Quote from: Arantor on May 28, 2014, 10:55:26 AM
From my personal perspective - and not on behalf of the team - Avast is calling me a liar. They're calling SMF a liar. Damn straight that SMF should defend itself against such accusations which, as far as I know are scurrilous and unfounded.

Where can we see these accusations? Has Avast put them in the public domain? A link would be appreciated.

Arantor

http://blog.avast.com/2014/05/26/avast-forum-offline-due-to-attack/#comment-45054

QuoteThe forum was running SMF version 2.0.6 at the time the attack occured. There was a RCE vulnerability in this version through which the attacker got in. The vulnerability was fixed in v2.0.7 although the fact wasn't properly marked in the SMF changelog and/or new version announcement.
We are now in touch with SMF authors and investigating further.

No such vulnerability was fixed in 2.0.7 because no such vulnerability was known in 2.0.6 in the first place. I wrote the 2.0.7 changelog from the changes I made to 2.0.6. They're claiming that I lied to them by hiding a security detail from them, which led to them getting hacked.

Anyone can examine the changes from 2.0.6 to 2.0.7 from http://custom.simplemachines.org/upgrades/ and I will be happy to explain what each change does if requested. None of them fix an RCE since there are no known RCE vectors in 2.0.6 or 2.0.7.

AllanD

Quote from: Arantor on May 28, 2014, 10:55:26 AM
Of course it is. Avast is outright saying it's SMF's fault, and as far as I am personally concerned it's a lie. The facts they have stated are BS from my personal perspective; I know better than ANYONE what 2.0.7 contained. I know this because I'm the person that worked on 2.0.7.

They are saying that 2.0.7 fixed a security hole in 2.0.6. This is, from my perspective, a lie, since 2.0.7 did not fix any security holes. Because as far as is known, there were none in 2.0.6 to fix in the first place. They're claiming that 2.0.7 contained a fix for a security issue and it was hidden from the changelog so they didn't install it (since 2.0.7 is only minor bug fixes)... this is also a lie.

Again, I'm the one who wrote the changelog. I wrote it as an honest and truthful record of what I changed.

From my personal perspective - and not on behalf of the team - Avast is calling me a liar. They're calling SMF a liar. Damn straight that SMF should defend itself against such accusations which, as far as I know are scurrilous and unfounded.

As much as I understand you frustration and wanting to defend yourself. I work in customer relations and posting something like this for the public to view and comment will only keep out other big names or have then change to a more professional company so something like this wouldn't happen to them. Posting this thread in defense of yourself and SMF is bascially attacking a customer and that is something that you never do in public.
Check out this great sites.
KnD Hosting

Arantor

I would note this is a response to Avast asserting it as our fault - and we want to set the record straight.

They have already stated they are leaving SMF anyway, so it's not like they are a customer of ours any longer, and I would argue the damage has already been done to *our* reputation by their assertions of faults which we cannot substantiate at this time.

SaltedWeb

I have been a member of SMF and used for close to ten years. SMF has never lied about security.
Avast needs to look at motive here what possible gain would there be ?  Unlike VB and Xenforo who charge and may keep secret issues because they could lose revenue. SMF has only to see a gain to come out and say there was an issue. SMF has not even been seen by this user to be dishonest or act with deceitfulness ever in their operations.

I am disturbed at Avast, and even more so what reason would they have to lie about such a thing. I believe SMF.
Now not trying to jump on any conspiracy, but makes me wonder if higher ups at Avast are connected to other paid software like Xenforo and VB who would gain huge for bad publicity. I have no proof this has occurred.

We all know about the law suits between XF and VB, and what hidden connections there were.
For Avast to lie spells a chance something is wrong, and someone is lying for a reason, only gain would be to promote someone else and take SMF down.

What could be done is all SMF forum owners send out notices on their own free will stating they stand behind SMF.
And that accusation from Avast about security are false,  it will keep people confident about your forum, at the least it will show we support SMF.

Knowing your limitations makes you human, exceeding these limitations makes you worthy of being human.

NekoJonez

Honestly, when they are being such dicks... Let them run against a wall trying to find something better.
Retro video game blogger, writer, actor, podcaster and general amazing dude.

Twitter
My Blog

AllanD

I agree that his response in a comment was a lie and extremely damaging to SMF and I think it would be a good jester on their behalf to recant that. All I saw in the OP was that it was 3rd party software and they are moving. Funny thing is even if they move to paid software to me that's still 3rd party.
Check out this great sites.
KnD Hosting

Lou69

Quote from: AllanD on May 28, 2014, 11:12:35 AM
Quote from: Arantor on May 28, 2014, 10:55:26 AM
Of course it is. Avast is outright saying it's SMF's fault, and as far as I am personally concerned it's a lie. The facts they have stated are BS from my personal perspective; I know better than ANYONE what 2.0.7 contained. I know this because I'm the person that worked on 2.0.7.

They are saying that 2.0.7 fixed a security hole in 2.0.6. This is, from my perspective, a lie, since 2.0.7 did not fix any security holes. Because as far as is known, there were none in 2.0.6 to fix in the first place. They're claiming that 2.0.7 contained a fix for a security issue and it was hidden from the changelog so they didn't install it (since 2.0.7 is only minor bug fixes)... this is also a lie.

Again, I'm the one who wrote the changelog. I wrote it as an honest and truthful record of what I changed.

From my personal perspective - and not on behalf of the team - Avast is calling me a liar. They're calling SMF a liar. Damn straight that SMF should defend itself against such accusations which, as far as I know are scurrilous and unfounded.

As much as I understand you frustration and wanting to defend yourself. I work in customer relations and posting something like this for the public to view and comment will only keep out other big names or have then change to a more professional company so something like this wouldn't happen to them. Posting this thread in defense of yourself and SMF is bascially attacking a customer and that is something that you never do in public.


Well, it seems that Avast have already done that and did it first. So yes, SMF have every right to defend themselves. Avast as a professional company should have been loathed to have made any comment concerning any accountability what so ever until after a thorough examination of the matter with their team and the SMF team. Frankly, I do not know why SMF do not have lawyers speaking with Avast about this matter.

AllanD

Quote from: Lou69 on May 28, 2014, 11:20:39 AM
Well, it seems that Avast have already done that and did it first. So yes, SMF have every right to defend themselves. Avast as a professional company should have been loathed to have made any comment concerning any accountability what so ever until after a thorough examination of the matter with their team and the SMF team. Frankly, I do not know why SMF do not have lawyers speaking with Avast about this matter.

Don't get me wrong avast should have never pushed blame on SMF. They should have instead did what you stated in work together to find out why it happened. As in my fist post anything can by hacked regardless of what security measures are taken, look at Sony.
Check out this great sites.
KnD Hosting

Arantor

I would suspect that if Avast had worked with the team to resolve this, this post would not have been necessary. I could not help noting the irony of their blog post, when they ask people not to jump to conclusions and yet have apparently done so themselves.

In other news, the Google ad block at the bottom of the page is advertising AVG. Another little irony, I feel ;)

Deaks

AllanD, Arantor is one of the best coders out their, he is even in my opinion better than the current dev team (no offence meant to the developers), when I was PM I would have loved Arantor on the team, never happened.  Arantor is also stating his personal opinion, he nor myself are involved with the team, so his view does not mean its the team opinion.  But issue is Arantor did do the release for 2.0.7 with help from others, he is the main person behind the bug fixes so I do believe that even you can see why he takes the avast claim personally.  Its like someone blaming kndhosting for the content of someone elses site, are you to blame no but you will take it personally.

If AVAST are taking this action and making accusations that cannot be proved then they are at fault, they are at fault in saying that 2.0.6 to 2.0.7 includes a security update, even myself who isnt best at coding can see their is no security update.  Their have been a few claims from what I see regarding 2.0.6 but from what I see its more to do with third party.

I will also agree with Kindred if AVAST had been doing the updates via package manager correctly then they would not be having this issue, fact the have modified it and most likley updated manually after seeing their copyright, does raise the likleyhood of issue being on avast side not smf, and they are doing the wrong and imature ropute of blaming someone else for their mistake.

Also AllanD I also have worked in customer service, wish to debate bring it on :)
~~~~
Former SMF Project Manager
Former SMF Customizer

"For as lang as hunner o us is in life, in nae wey
will we thole the Soothron tae owergang us. In truth it isna for glory, or wealth, or
honours that we fecht, but for freedom alane, that nae honest cheil gies up but wi life
itsel."

Looking

Interesting side note, I left Avast a long time ago, I'm happier with Comodo. ;) Also Kaspersky Lab's had their site hacked too some time ago, it made international news, so it happens to the best of them.

青山 素子

Before commenting on a few things, I'd like to note that all the changes made from 2.06 to 2.0.7 are listed here. If anyone wants to look over and confirm that there wasn't anything "secretly" changed for security, it's a good place to start. If you're really concerned that the patch system didn't handle the change, go grab the installer packages for 2.0.6 and 2.0.7 and do a full diff against the contents.

If you do find where some security hole was inadvertently patched, let us know at the e-mail address provided in the first post.


Quote from: Diamondcomputer on May 28, 2014, 11:17:54 AM
Now not trying to jump on any conspiracy, but makes me wonder if higher ups at Avast are connected to other paid software like Xenforo and VB who would gain huge for bad publicity. I have no proof this has occurred.

Probably not. It's much easier to blame an outside party when something goes wrong than to take the blame yourself. This applies even if you know you messed up. There's a reason that large companies like paid support contracts.


Quote from: Lou69 on May 28, 2014, 11:20:39 AM
Frankly, I do not know why SMF do not have lawyers speaking with Avast about this matter.

Because you really don't want to involve legal counsel until it's really bad. Despite all the users of this software, we're an open source project that's not exactly rich enough to involve lawyers whenever someone hurts our feelings. Besides, we're better than that and like to try and reach out to fix the issue if there is one.

The goal in this post, as I read it, was to try and refute the public accusations against SMF based on what is known about the software right now. I know the team and they are willing to correct their position based on new evidence. Right now, there isn't any information that backs up the accusations, and nothing that contradicts the statements in the first post. Hopefully Avast is willing to find the actual cause of the security breech and will work with us to find it.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


AllanD

Quote from: Μπράιαν Poύνικ Ντίκεν on May 28, 2014, 11:30:35 AM
AllanD, Arantor is one of the best coders out their, he is even in my opinion better than the current dev team (no offence meant to the developers), when I was PM I would have loved Arantor on the team, never happened.

Also AllanD I also have worked in customer service, wish to debate bring it on<$1alt="" title="" onresizestart="return false;" id="smiley__$2" style="padding: 0 3px 0 3px;" />

I agree he is one the best around that I know of as well. I have seen him a couple of forums and have talked, he has a huge amount of knowledge and I respect him for that. I was basically commenting on this whole situation and post.

As for customer service, I do work in relations - never said i liked it though<$1alt="" title="" onresizestart="return false;" id="smiley__$2" style="padding: 0 3px 0 3px;" />
Check out this great sites.
KnD Hosting

Colin

"If everybody is thinking alike, then somebody is not thinking." - Gen. George S. Patton Jr.

Colin

Advertisement: