In response to Avast's recent hack

Started by Kindred, May 28, 2014, 08:48:22 AM


Kindred

(UPDATED the post and locked the thread, pending analysis of the data)

As you may have heard, several days ago, Avast, a company known for its popular antivirus and related security software, had its forum site hacked. Avast was using SMF as their forum software as they have done for several years now. When we heard, we immediately attempted to contact the Avast staff so that we could provide assistance and, more importantly, analyze the vector of the attack.

Unfortunately, they have not been particularly forthcoming in working with us (to this point), and have indeed accused Simple Machines of a number of things. While we understand that Avast is looking to preserve its standing in the web world and looking to lay the blame at anyone else's doorstep, aside from their own, we are concerned and upset over the unfounded accusations they have leveled. We take the security of our software very seriously at SMF. (Indeed, we have one of the best records of all open source forum software for security and for quick and effective patching of reported security issues.)

Without getting into any retaliatory accusations or attacks, let me address the issues as presented:

1- Avast claims to have been running SMF v2.0.6. We know of NO vulnerabilities in v2.0.6, and none have been reported to us.
1a- The site image taken by Google shortly before the hack indicates a copyright of 2012 on their SMF installation. This suggests to us that they are not being fully honest with their statement, since the last version of SMF to use a 2012 copyright date was 2.0.3.
(correction added: 2.0.3 used (c)2011. 2.0.4 used (c)2013 - since Avast clearly shows (c)2012, we can confidently state that they were not applying the full SMF approved patches from version to version and that whatever they were doing to patch their system was done by them, possibly manually)
1b- We know that the Avast installation was not a default installation and that some personal modifications had been made to their installation.

2- Avast claims that they have received notification from a blackhat site that there is a security vulnerability allowing RCE (Remote Code Execution) in 2.0.6. They have, so far, been unwilling to share the actual vector or logs for us to confirm.
They just shared the site/link which they claim shows the vulnerability. Unfortunately, despite their claims, the "vulnerability" listed on that site is nothing of the sort. It CLAIMS to allow the arbitrary execution of any php code, but it is incorrect (and can be quickly proven to be so). Although it might LOOK dangerous to anyone who is not familiar with code, it is not possible to use that code in the way the "blackhat" author suggests. Given the fact that we expect the Avast team to be familiar with coding, at this time, we have to assume that this is yet another attempt to pass the blame with no actual evidence or support.

3- (We find this particularly troubling) Avast claims that Simple Machines released an undocumented and silent security patch in 2.0.7 which addressed the 2.0.6 issue that they note. We vehemently deny this accusation. 2.0.7 was released with a few minor bug fixes and the main update that was intended to address the preg_replace /e function which was deprecated in PHP 5.5. We have stated, over and over, that there was no security update in 2.0.7 and have even gone so far as to tell people that, if they are not using PHP 5.5, there is no need to upgrade to 2.0.7. We recently criticized a certain other software for releasing a silent security update without informing their users that the upgrade was required to be safe. We would not do that. We did not do that. We invite ANYONE to do a differential compare of the 2.0.6 code against the 2.0.7 code and point out where this supposed silent and undocumented security patch was done.

4- Avast claimed that they are working with us. As I stated above, we approached them, eager to help and work with them to discover the vector of the attack. They not only refused to give us any information but immediately started accusing us of being the vector. --- Shortly before the release of this statement, we received the first real communication from them. At this time, Avast is now communicating with us, somewhat, after we approached them again, but so far, we have not received any usable information so that we may analyze what exactly occurred. We will update this should the situation change.

5- Unfortunately, as happens, some news agencies have picked up on the rumor, innuendo and accusations thrown about by the Avast team and the members of that community, and have concluded (and reported), without any real evidence, as if those statements were the truth.

We assure our community and anyone using our forum software that we have been unable to find any true vulnerabilities in SMF v2.0.6 or v2.0.7.

There are many things to speculate on and I can suggest several possibilities of ways that the hacker could have gotten access to the Avast system without any vulnerability in SMF's code. I will, however, refrain from throwing out counter accusations or wild speculation until more information is available.

Despite the above, we invite the Avast webmasters to contact us further (either Kindred, who is the Project Manager of the Simple Machines Forum project, or CoreISP, who is the President of the Simple Machines corporation and the head of our server group). We are still willing to work with them to find the actual vector and will work quickly to release a patch (and our apologies) if we find that the SMF code was, in any way, the vector of the attack. However, at this time, we have seen no evidence to support or even suggest that there are any vulnerabilities in SMF versions 2.0.6 or 2.0.7. Additionally, if ANYONE has ANY information on a potential security issue in the Simple Machines Forum software, you can report it to [email protected]. ALL reports made to that address are reviewed and considered by the Developers, the Project Manager, the Server Team and members from the rest of the teams. As I stated above, we take our security record seriously.

Most of all, we wish that the Avast team and community refrain from throwing further accusations and attempting to damage the reputation of Simple Machines Forum without clear evidence and proof that they are willing to submit for review.

Avast has declared their intention to move to a different software for their forum, and that is their right. While we hate to see them leave our community of users, I do challenge them to actually find any open source forum software with a better security record or a more responsive team.

Kindred
Project Manager, Simple Machines Forum
Director, Simple Machines


UPDATE:
Avast is now working WITH us to analyze the server logs and the code from the server to determine the vector and the payload of the attack.
Once we are out of the realm of supposition and guessing, and have some evidence, we will put together a clear statement on our findings.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Looking

Interesting, I hope that it does not hurt SMF and that you can get down to the actual cause of all. I still confidently use SMF.

Steve

Thank you for the very easy to understand explanation Kindred. As 'Looking' said, I will continue to confidently use SMF.
DO NOT pm me for support!

AllanD

The problem isn't the software; anyone can get hacked, it's just a fact. That being said, I don't think this post is really called for. I am taking it that you are more or less saying it's not us, it's you. Which will result in hurting SMF far more than saying nothing at all.
Check out this great sites.
KnD Hosting

Arantor

Of course it is. Avast is outright saying it's SMF's fault, and as far as I am personally concerned it's a lie. The facts they have stated are BS from my personal perspective; I know better than ANYONE what 2.0.7 contained. I know this because I'm the person that worked on 2.0.7.

They are saying that 2.0.7 fixed a security hole in 2.0.6. This is, from my perspective, a lie, since 2.0.7 did not fix any security holes. Because as far as is known, there were none in 2.0.6 to fix in the first place. They're claiming that 2.0.7 contained a fix for a security issue and it was hidden from the changelog so they didn't install it (since 2.0.7 is only minor bug fixes)... this is also a lie.

Again, I'm the one who wrote the changelog. I wrote it as an honest and truthful record of what I changed.

From my personal perspective - and not on behalf of the team - Avast is calling me a liar. They're calling SMF a liar. Damn straight that SMF should defend itself against such accusations which, as far as I know are scurrilous and unfounded.

zappaDPJ

Quote from: Arantor on May 28, 2014, 10:55:26 AM
From my personal perspective - and not on behalf of the team - Avast is calling me a liar. They're calling SMF a liar. Damn straight that SMF should defend itself against such accusations which, as far as I know are scurrilous and unfounded.

Where can we see these accusations? Has Avast put them in the public domain? A link would be appreciated.

Arantor

http://blog.avast.com/2014/05/26/avast-forum-offline-due-to-attack/#comment-45054

Quote
The forum was running SMF version 2.0.6 at the time the attack occurred. There was a RCE vulnerability in this version through which the attacker got in. The vulnerability was fixed in v2.0.7 although the fact wasn't properly marked in the SMF changelog and/or new version announcement.
We are now in touch with SMF authors and investigating further.

No such vulnerability was fixed in 2.0.7 because no such vulnerability was known in 2.0.6 in the first place. I wrote the 2.0.7 changelog from the changes I made to 2.0.6. They're claiming that I lied to them by hiding a security detail from them, which led to them getting hacked.

Anyone can examine the changes from 2.0.6 to 2.0.7 from http://custom.simplemachines.org/upgrades/ and I will be happy to explain what each change does if requested. None of them fix an RCE since there are no known RCE vectors in 2.0.6 or 2.0.7.

AllanD

Quote from: Arantor on May 28, 2014, 10:55:26 AM
Of course it is. Avast is outright saying it's SMF's fault, and as far as I am personally concerned it's a lie. The facts they have stated are BS from my personal perspective; I know better than ANYONE what 2.0.7 contained. I know this because I'm the person that worked on 2.0.7.

They are saying that 2.0.7 fixed a security hole in 2.0.6. This is, from my perspective, a lie, since 2.0.7 did not fix any security holes. Because as far as is known, there were none in 2.0.6 to fix in the first place. They're claiming that 2.0.7 contained a fix for a security issue and it was hidden from the changelog so they didn't install it (since 2.0.7 is only minor bug fixes)... this is also a lie.

Again, I'm the one who wrote the changelog. I wrote it as an honest and truthful record of what I changed.

From my personal perspective - and not on behalf of the team - Avast is calling me a liar. They're calling SMF a liar. Damn straight that SMF should defend itself against such accusations which, as far as I know are scurrilous and unfounded.

As much as I understand your frustration and wanting to defend yourself, I work in customer relations, and posting something like this for the public to view and comment on will only keep out other big names or have them change to a more professional company so something like this wouldn't happen to them. Posting this thread in defense of yourself and SMF is basically attacking a customer, and that is something that you never do in public.

Arantor

I would note this is a response to Avast asserting it as our fault - and we want to set the record straight.

They have already stated they are leaving SMF anyway, so it's not like they are a customer of ours any longer, and I would argue the damage has already been done to *our* reputation by their assertions of faults which we cannot substantiate at this time.

SaltedWeb

I have been a member of SMF and used it for close to ten years. SMF has never lied about security.
Avast needs to look at motive here: what possible gain would there be? Unlike VB and Xenforo, who charge and may keep issues secret because they could lose revenue, SMF has only gain to see from coming out and saying there was an issue. SMF has never been seen by this user to be dishonest or to act with deceitfulness in their operations.

I am disturbed at Avast, and even more so what reason would they have to lie about such a thing. I believe SMF.
Now, not trying to jump on any conspiracy, but it makes me wonder if higher-ups at Avast are connected to other paid software like Xenforo and VB, who would gain hugely from bad publicity. I have no proof this has occurred.

We all know about the law suits between XF and VB, and what hidden connections there were.
For Avast to lie spells a chance something is wrong, and someone is lying for a reason, only gain would be to promote someone else and take SMF down.

What could be done is all SMF forum owners sending out notices, of their own free will, stating they stand behind SMF
and that the accusations from Avast about security are false. It will keep people confident about your forum; at the least it will show we support SMF.

Knowing your limitations makes you human, exceeding these limitations makes you worthy of being human.

NekoJonez

Honestly, when they are being such dicks... Let them run against a wall trying to find something better.
Retro video game blogger, writer, actor, podcaster and general amazing dude.

Twitter
My Blog

AllanD

I agree that his response in a comment was a lie and extremely damaging to SMF, and I think it would be a good gesture on their behalf to recant that. All I saw in the OP was that it was 3rd party software and they are moving. Funny thing is, even if they move to paid software, to me that's still 3rd party.

Lou69

Quote from: AllanD on May 28, 2014, 11:12:35 AM
Quote from: Arantor on May 28, 2014, 10:55:26 AM
Of course it is. Avast is outright saying it's SMF's fault, and as far as I am personally concerned it's a lie. The facts they have stated are BS from my personal perspective; I know better than ANYONE what 2.0.7 contained. I know this because I'm the person that worked on 2.0.7.

They are saying that 2.0.7 fixed a security hole in 2.0.6. This is, from my perspective, a lie, since 2.0.7 did not fix any security holes. Because as far as is known, there were none in 2.0.6 to fix in the first place. They're claiming that 2.0.7 contained a fix for a security issue and it was hidden from the changelog so they didn't install it (since 2.0.7 is only minor bug fixes)... this is also a lie.

Again, I'm the one who wrote the changelog. I wrote it as an honest and truthful record of what I changed.

From my personal perspective - and not on behalf of the team - Avast is calling me a liar. They're calling SMF a liar. Damn straight that SMF should defend itself against such accusations which, as far as I know are scurrilous and unfounded.

As much as I understand your frustration and wanting to defend yourself, I work in customer relations, and posting something like this for the public to view and comment on will only keep out other big names or have them change to a more professional company so something like this wouldn't happen to them. Posting this thread in defense of yourself and SMF is basically attacking a customer, and that is something that you never do in public.


Well, it seems that Avast have already done that and did it first. So yes, SMF have every right to defend themselves. Avast, as a professional company, should have been loath to make any comment concerning any accountability whatsoever until after a thorough examination of the matter with their team and the SMF team. Frankly, I do not know why SMF do not have lawyers speaking with Avast about this matter.

AllanD

Quote from: Lou69 on May 28, 2014, 11:20:39 AM
Well, it seems that Avast have already done that and did it first. So yes, SMF have every right to defend themselves. Avast, as a professional company, should have been loath to make any comment concerning any accountability whatsoever until after a thorough examination of the matter with their team and the SMF team. Frankly, I do not know why SMF do not have lawyers speaking with Avast about this matter.

Don't get me wrong, Avast should never have pushed blame on SMF. They should instead have done what you stated and worked together to find out why it happened. As in my first post, anything can be hacked regardless of what security measures are taken; look at Sony.

Arantor

I would suspect that if Avast had worked with the team to resolve this, this post would not have been necessary. I could not help noting the irony of their blog post, when they ask people not to jump to conclusions and yet have apparently done so themselves.

In other news, the Google ad block at the bottom of the page is advertising AVG. Another little irony, I feel ;)

Deaks

AllanD, Arantor is one of the best coders out there; he is even, in my opinion, better than the current dev team (no offence meant to the developers). When I was PM I would have loved Arantor on the team; it never happened. Arantor is also stating his personal opinion; neither he nor I are involved with the team, so his view does not mean it's the team's opinion. But the issue is that Arantor did do the release for 2.0.7 with help from others. He is the main person behind the bug fixes, so I do believe that even you can see why he takes the Avast claim personally. It's like someone blaming kndhosting for the content of someone else's site: are you to blame? No, but you will take it personally.

If AVAST are taking this action and making accusations that cannot be proved, then they are at fault. They are at fault in saying that 2.0.6 to 2.0.7 includes a security update; even I, who am not the best at coding, can see there is no security update. There have been a few claims from what I see regarding 2.0.6, but from what I see it's more to do with third party.

I will also agree with Kindred: if AVAST had been doing the updates via the package manager correctly, then they would not be having this issue. The fact that they have modified it and most likely updated manually, after seeing their copyright, does raise the likelihood of the issue being on Avast's side, not SMF's, and they are taking the wrong and immature route of blaming someone else for their mistake.

Also AllanD, I too have worked in customer service; wish to debate? Bring it on :)
~~~~
Former SMF Project Manager
Former SMF Customizer

"For as lang as hunner o us is in life, in nae wey
will we thole the Soothron tae owergang us. In truth it isna for glory, or wealth, or
honours that we fecht, but for freedom alane, that nae honest cheil gies up but wi life
itsel."

Looking

Interesting side note: I left Avast a long time ago, I'm happier with Comodo. ;) Also, Kaspersky Lab had their site hacked too some time ago; it made international news, so it happens to the best of them.

青山 素子

Before commenting on a few things, I'd like to note that all the changes made from 2.0.6 to 2.0.7 are listed here. If anyone wants to look over and confirm that there wasn't anything "secretly" changed for security, it's a good place to start. If you're really concerned that the patch system didn't handle the change, go grab the installer packages for 2.0.6 and 2.0.7 and do a full diff against the contents.

If you do find where some security hole was inadvertently patched, let us know at the e-mail address provided in the first post.


Quote from: Diamondcomputer on May 28, 2014, 11:17:54 AM
Now not trying to jump on any conspiracy, but makes me wonder if higher ups at Avast are connected to other paid software like Xenforo and VB who would gain huge for bad publicity. I have no proof this has occurred.

Probably not. It's much easier to blame an outside party when something goes wrong than to take the blame yourself. This applies even if you know you messed up. There's a reason that large companies like paid support contracts.


Quote from: Lou69 on May 28, 2014, 11:20:39 AM
Frankly, I do not know why SMF do not have lawyers speaking with Avast about this matter.

Because you really don't want to involve legal counsel until it's really bad. Despite all the users of this software, we're an open source project that's not exactly rich enough to involve lawyers whenever someone hurts our feelings. Besides, we're better than that and like to try and reach out to fix the issue if there is one.

The goal in this post, as I read it, was to try and refute the public accusations against SMF based on what is known about the software right now. I know the team and they are willing to correct their position based on new evidence. Right now, there isn't any information that backs up the accusations, and nothing that contradicts the statements in the first post. Hopefully Avast is willing to find the actual cause of the security breach and will work with us to find it.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.
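The full diff of the two installer packages that the first post and the post above invite, as an added example rather than anything from SMF or its upgrade tooling: a POSIX shell script that lists every file added, removed or changed between two extracted release trees and counts preg_replace() calls still using the deprecated /e modifier on each side, so the file-level changes can be checked against the stated purpose of the release. The tree names are assumed, and the PHP regex is a review heuristic, not a parser.

```shell
#!/bin/sh
# Added example (not SMF's own tooling): compare two unpacked release trees,
# e.g. the extracted SMF 2.0.6 and 2.0.7 installer packages, list every file
# that was added, removed or changed, and count preg_replace() calls using the
# deprecated /e modifier on each side, so a reviewer can check whether the
# changes match the documented purpose of the release.
# Usage: sh compare_release.sh <old_tree> <new_tree>

export LC_ALL=C   # byte-order collation so sort and comm agree

# Print the relative paths of all regular files under $1, sorted.
list_files() {
    ( cd "$1" && find . -type f | sed 's|^\./||' | sort )
}

# Print one line per difference between tree $1 (old) and tree $2 (new):
#   added <path> | removed <path> | changed <path>
changed_files() {
    old="$1"; new="$2"
    tmp=$(mktemp -d)
    list_files "$old" > "$tmp/old"
    list_files "$new" > "$tmp/new"
    comm -13 "$tmp/old" "$tmp/new" | sed 's/^/added /'
    comm -23 "$tmp/old" "$tmp/new" | sed 's/^/removed /'
    # Files present on both sides: compare contents byte for byte.
    comm -12 "$tmp/old" "$tmp/new" | while IFS= read -r f; do
        cmp -s "$old/$f" "$new/$f" || echo "changed $f"
    done
    rm -rf "$tmp"
}

# Heuristic BRE for a preg_replace() whose first argument is a string literal
# and whose modifier group (after the closing delimiter) contains "e". The
# delimiter is captured with \( \) and matched again as \1. It is a review
# aid, not a PHP parser: calls whose pattern is built at runtime are missed.
EVAL_MOD_PATTERN="preg_replace[[:space:]]*([[:space:]]*[\"']\([^[:alnum:][:space:]]\).*\1[[:alpha:]]*e[[:alpha:]]*[\"']"

# Count matching lines across all .php files under tree $1.
count_eval_modifier() {
    find "$1" -type f -name '*.php' -exec grep -c "$EVAL_MOD_PATTERN" {} + 2>/dev/null \
        | awk -F: '{ s += $NF } END { print s + 0 }'
}

# Full report: file-level changes, then the /e count on each side.
report() {
    changed_files "$1" "$2"
    echo "preg_replace /e calls: old=$(count_eval_modifier "$1") new=$(count_eval_modifier "$2")"
}

if [ "$#" -eq 2 ]; then
    report "$1" "$2"
fi
```

Every "changed" path in the report is a file worth opening in a side-by-side diff; a release whose only purpose is the /e migration should show the old-side count dropping to zero in the new tree.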


AllanD

Quote from: Μπράιαν Poύνικ Ντίκεν on May 28, 2014, 11:30:35 AM
AllanD, Arantor is one of the best coders out there; he is even, in my opinion, better than the current dev team (no offence meant to the developers). When I was PM I would have loved Arantor on the team; it never happened.

Also AllanD, I too have worked in customer service; wish to debate? Bring it on :)

I agree he is one of the best around that I know of as well. I have seen him on a couple of forums and we have talked; he has a huge amount of knowledge and I respect him for that. I was basically commenting on this whole situation and post.

As for customer service, I do work in relations - never said I liked it though :)

Colin

"If everybody is thinking alike, then somebody is not thinking." - Gen. George S. Patton Jr.

Colin

Kindred

OK Folks, I have been away from the computer, dealing with my real life job and haven't been able to respond.

I am somewhat disappointed in the behavior in this thread.
I went out of my way, in the original post, to avoid hyperbole and direct attacks or name-calling. Let's not let the comments degenerate into that either.

Motoko hit the nail on the head.
This statement was made to put a clear statement forth regarding accusations that Avast has publicly and privately made regarding SMF (comments which, I will note, have been picked up by several news services). This is not an attack on Avast.
And no. There is no need for lawyers to get involved, unless this goes a lot further downhill (which I hope it does not)

I understand that many of you also want to defend SMF. We appreciate your support, but please keep it professional.

AllanD, as to your statements. This was a clearly needed statement to address accusations against our software.

I will also note... If Avast does share their server logs and we discover that this does turn out to be due to a previously undiscovered vulnerability, we will promptly and clearly update the statement and our position (although the accusation of secret/silent updates is still unjustified)

Xarkurai

Quote from: AllanD on May 28, 2014, 10:47:15 AM
The problem isn't the software; anyone can get hacked, it's just a fact. That being said, I don't think this post is really called for. I am taking it that you are more or less saying it's not us, it's you. Which will result in hurting SMF far more than saying nothing at all.

^ I have to agree with this.

ANY website OR software can be hacked, regardless of whatever they are using. Avast is a "bigger" company and were probably targeted for some reason by those hackers.
It hurts me to see them placing such blame on SMF while they are in fact a security company. If I were using their software and saw that they got hacked, I'd step aside and take other software just because they blame someone else and are unable to secure it back. It is also uncalled for that they blame it on the patch. If they manage their forum properly, then they should see the newest patches inside their admin screen.

Nevertheless, I will stick with SMF for all of my forum websites.
Sorry to hear about this, I wish everyone good luck with solving this issue and problems.
Useful paid mod: Badge Awards - Award members for actions

Arantor

The thing is, while software can and does have faults, you'd be surprised how often it's not the software that's *actually* at fault. All too often it's an account that's compromised - the people being the weakest part of the system.

There's still no evidence that it actually *is* the SMF software at fault.

_Vlk

Hi there,

It's Vlk, a global moderator from the Avast forums and a senior executive at Avast.

I'd like to jump in to this discussion and share my point of view.

First, I have to say that I really like SMF, as we have relied on it for many years (and before that, used its predecessor, YaBB SE). During all those years, it served us really well and I'd like to thank all the good people who created and have maintained the product for their generosity, making the software available for free.

Now I think it's sort of pointless to blame each other, especially in public. If you found the statements we have released after the incident offensive, I apologize. The point we were making was that we were running SMF 2.0.6 (not upgrading to 2.0.7 because there were no security updates documented in this version). The server only had ports 80 and 443 open, and we're quite confident there was no other hole through which the attacker could possibly get in. Plus, when doing the post-mortem analysis, we found that hacker forum which talked about the RCE vulnerability in 2.0.6 (which we forwarded to you) and so our preliminary conclusion was that that must have been it.

I think it is really premature to draw any definitive conclusions at this time. We have now shared all the log files from the affected server with you (AFAIK) and would love to work with you on finding the real vector the attacker used for the hack.

Until then, I propose we stop any public commenting on the issue and move to private discussion / investigation. Of course, once this is finished, I'm certainly OK with sharing our findings with the general public.


Thanks,
Vlk


Steve

Maybe this topic should be locked then?

LiroyvH

Hi Vlk,

Thank you for your comment and reaching out. It is good to hear you have been using it for so long. :) I'm locking this topic for now.
Kindred will make a short statement shortly.


Kind regards,
- Liroy
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

Kindred

Hi Vlk,

I would also like to thank you for reaching out. We were dismayed by the statements originally made and felt it important to make a statement, given the media coverage that this incident is garnering. However, I agree whole-heartedly with you that playing the blame game helps no one.

I do confirm that what Vlk said is correct and Avast is now working WITH us to analyze the server logs and the code from the server to determine the vector and the payload of the attack.
Once we are out of the realm of supposition and guessing, and have some evidence, we will put together a clear statement on our findings.
