Avast Forum Hack - Results of Analysis

Started by Kindred, June 05, 2014, 07:43:06 PM


Kindred

As everyone has no doubt heard by now, over the weekend of May 24/25, the Avast forum site was hacked.

There was much supposition, a fair amount of guessing and several accusations that the forum software which Avast was running (Simple Machines Forum) was the vector of the attack.
We took a look at what was publicly available and came to our own conclusions, which did not match with what some representatives from Avast were claiming or what had been passed on to the media. In response to this, we made a post on 28-May, which indicated our position on the matter. Yes, that post was not the most politely phrased response, but we were responding to attacks on the integrity of our coding, our security and our documentation of changes.

In return, Avast DID contact us and provided us the code from the hacked site as well as the server logs for the time around that weekend in May. They seemed interested in working with us and we had some of our best experts put some serious effort and time into analyzing the code and the server data. We had planned to work WITH the folks at Avast to work on a statement.
Unfortunately, this was also the last we heard from the Avast representatives. Since our findings were presented to them, they have refused to respond to any of our attempts to contact them again. Given this refusal to communicate and given the fact that some people are still trying to lay the blame on SMF, I feel that we must make the analysis public and thus address any concerns over the security of Simple Machines Forum.

Summary - We can find no evidence that the hacker exploited any (alleged) vulnerability in the Simple Machines Forum software.

More specifically and in greater detail:
1- From the server logs, there is no evidence of any security vulnerability in the SMF code
2- From our analysis, it is our conclusion that the "hack" was the result of a compromised admin account (although, to be clear, without any specific evidence, this conclusion is still supposition, even if it is the best guess). Specifically, similar to the attack here at simplemachines.org late last year, an admin reused account information across multiple sites, one other of which was compromised. Once the hacker had the admin account information, he would be able to promote his other dummy account to Admin or even just act as the logged in account.
3- From the dates on the file edits, it would appear that the system was actually compromised several months ago, but was not noticed until the hacker did something obvious, here in May.
Of course, the server logs from that time are not available from Avast, so we can not confirm this by any method other than the date-stamp on the infected file.
4- Avast told us that they did not "lock down" the permissions of their files. This is important, because even a compromised admin account would still need FTP passwords (if FTP is even available) to make file changes if the file permissions were locked.

Now - Lest people think we are trying to throw all the blame somewhere else - We will acknowledge that, once the hacker had admin access, the features of SMF essentially gave him full access to the system.  Two Admin features which make Simple Machines Forum so simple for people to use are the Package Manager and the Theme Editor. These features allow an admin to upload a pre-packaged set of code-instructions which modifies the system. When correctly used, this allows for quick and simple customization of a forum site, adding new features and enhancing others. These powerful features, however, could also allow anyone with admin access to upload and run a mod package with malicious intention if the file permissions allow the upload. We recognize this and work our best to prevent any unauthorized access to the admin area and the package manager or theme editor. However, when the hack comes in through a human/social hack, as seems to be the case here, there is very little that we can do.

The take-away from this is: do not re-use your admin password elsewhere and maintain secure file permissions - because if file and folder permissions are properly maintained, the admin features can do no real damage because they can't write to any files without the file permissions being changed by someone with FTP, Control Panel or other server access.

Additionally, SMF v1.1.x and 2.0.x use a hashed SHA1 encryption for the password. That means that, once the hacker has the database, there is a possibility that he can discover the passwords. Although SHA1 is still considered secure, it is breakable through brute force, especially given the power of machines these days; it would take some time, but can be done. (Once again, this requires that a hacker has already gained access to your database.)  For the upcoming 2.1 release, we have changed the password storage, encryption and handling -- but note that this change was already underway well before Avast.

Two things that YOU can do to protect yourselves:
a) Never use the same username/password combination on sites.
b) If you run a forum, lock your file permissions down. Do not leave them at chmod 666/777 (which is what some hosts require in order to install mods). If you must use those settings to install a mod or a theme, then change the permissions back to a more restrictive set (644/755 at the very least, but even that is not actually secure). This takes a little more work (granting and removing permissions every time you want to install a mod), but makes your site more secure.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."
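
The permission advice in the post above, as an added example that is not part of the original post or of SMF: a shell audit that lists world-writable paths left behind by chmod 666/777, lists PHP files changed after a reference date, and resets the tree to the 644/755 floor the post names. The function names and the FORUM_ROOT variable are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit a forum web root for the loose permissions
# described in the post. FORUM_ROOT and all function names are hypothetical.

# List every file or directory with the "other write" bit set,
# which is what chmod 666 (files) or 777 (directories) leaves behind.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# List PHP files modified more recently than a reference file.
# The post dates the compromise from the timestamp on an edited file;
# comparing against a known-good marker (for example the install
# archive) surfaces edits made after deployment.
modified_since() {
    find "$1" -type f -name '*.php' -newer "$2" -print | sort
}

# Reset the tree to 755 for directories and 644 for files.
# If the files are owned by the account PHP runs as, 644 still lets the
# forum write to them, so ownership must be checked separately.
lock_down() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Optional report when FORUM_ROOT is set in the environment.
if [ -n "${FORUM_ROOT:-}" ]; then
    echo "World-writable paths under $FORUM_ROOT:"
    world_writable "$FORUM_ROOT"
fi
```

Run the audit after every mod or theme install, since that is when permissions are usually loosened and forgotten.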

SaltedWeb

Knowing your limitations makes you human, exceeding these limitations makes you worthy of being human.

Looking

Quote
an admin reused account information across multiple sites, one other of which was compromised.
If that is what happened then it amazes me that people still do this. Good that SMF was cleared.

Roph

I think you guys handled all this quite well :)

Looking

I meant to ask, is Avast going to issue a statement retracting what they said earlier? Did Avast acknowledge your findings?

Arantor

Quote from: Kindred on June 05, 2014, 07:43:06 PM
We had planned to work WITH the folks at Avast to work on a statement.
Unfortunately, this was also the last we heard from the Avast representatives. Since our findings were presented to them, they have refused to respond to any of our attempts to contact them again. Given this refusal to communicate...

Survey says no.
Holder of controversial views, all of which my own.


AllanD

Thank you for the update, and sad to hear that they claimed right here on the forum to work with you and then don't.
Check out these great sites.
KnD Hosting

butchs

Humm...  This is the time of year people go on vacation here in the states.
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

Arantor

AVAST Software a.s. (formerly known as ALWIL Software a.s.) is headquartered in Prague, Czech Republic, though there are offices in Linz, Austria; Friedrichshafen, Germany; and Redwood City, California -- so says Wikipedia.

In any case, I'm not being funny but if it were my company involved, where my reputation and integrity were under question, I don't think I'd be relaxing on holiday...
Holder of controversial views, all of which my own.


Adrek

Thanks for update, good to know that SMF is secure :)


btw, I'm wondering how and if ESET is working with IP.Board developers. ESET forum was also hacked and they are running IPB forum.
Polish SMF support at simplemachines.org

the simplest solution is most likely the right one

Arantor

You'd have to ask them. I'd hope so, it's in everyone's best interests that vendors work with affected clients to get to the heart of a problem.
Holder of controversial views, all of which my own.


butchs

Quote from: Arantor on June 06, 2014, 03:10:53 PM
In any case, I'm not being funny but if it were my company involved, where my reputation and integrity were under question, I don't think I'd be relaxing on holiday...

Good point.  Though we do not always agree...  I am not trying to be funny either.  Here is another possibility...  Companies can be cautious.  Maybe they are looking at every angle before replying.
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

Arantor

A more detailed version - including *all* the specifics of what was found - was made available to them days ago and *no* further contact was made, not even a 'we're reviewing what you found, let us get back to you' type comment, not a sausage. Under the circumstances, I don't see what else could have been done.
Holder of controversial views, all of which my own.


butchs

All I can think of is to give them at least 10 working days or request a reply in a certain amount of time?
I have been truly inspired by the SUGGESTIONS as I sit on my throne and contemplate the wisdom imposed upon me.

Arantor

A note was posted days before, asking for some kind of feedback... no reply whatsoever.
Holder of controversial views, all of which my own.


Kindred

Believe me, they were given the analysis (and we waited) and then given notice of this post well before it was made.
In good conscience, I could wait no longer given the suggestion of security issues.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Ninja ZX-10RR

I run AVAST but now I understand why those idiots replied to me a month later since I sent them a ticket telling them that the stupid program was detecting ALL .gif files as viruses -_- they said to me no dude it's you using a restricted heuristic analysis system and crap while I wasn't even scanning. It was happening every time I was opening my gif forum images to edit them, make them look better or even change them. Screw it I got angry but *WHO KNOWS WHY!!!* a week or so after that reply AVAST got patched and didn't happen again! I felt like "AYFKM" and red in my face for that. >:(
Quote from: BeastMode topic=525177.msg3720020#msg3720020
It's so powerful that on this post and even in the two PMs you sent me,you still answered my question very quickly and you're apologizing for the delay. You're the #1 support I've probably ever encountered man, so much respect for that. Thank you, and get better soon.

I'll keep this in my siggy for a while just to remind me that someone appreciated what I did while others didn't.

♥ Jess ♥

STOP EDITING MY PROFILE

Ben_S

I don't understand why they have no logs available, if you care about security you don't rotate logs at the Apache defaults, you archive them off for a significant period. I thought Avast was a security company? It appears they haven't a clue.
Liverpool FC Forum with 14 million+ posts.

redone

I think the post was timely given the nature of how things began. Clearly after detailed review of the information provided it gave you guys enough to make such a public post. They surely must understand protecting the integrity of a product's image is extremely important.

Congrats on a well put together and detailed public explanation of the facts at hand. ;)

karlbenson

