CFC Website - Hacked Again ( New ) !

Re: CFC Website - Hacked Again ( New ) !

Bob: question for IT experts: Why was the CFC forum site not hacked?
Was it ever? The CFC forum site is ChessTalk / Parlons Échecs - Powered by vBulletin. Does that fact
make it immune to attacks. What are they using re IT language/system wise. Please remember I know nothing about this technical stuff. Just
wondering.

Wilf Ferner

Re: CFC Website - Hacked Again ( New ) !

Bob: here is an alternate idea for the CFC to consider re troublesome
website:

Create an official CFC blog. Blogs don't cost much. Ask some of the
bloggers on the list "Canadian Chess Blogs".
A blog can be linked to an existing website or you can set up and use the blog as your website.
Blogs are good for keeping in touch with members, provide useful info like
GLs,etc, and help attract visitors to the website because blogs can be
interactive(replay games, show puzzles,etc)


Wilf Ferner

Re: CFC Website - Hacked Again ( New ) !

Hi Wilf:

I have to leave all this techie stuff to others - hopefully one of the executive will see your posting.

Bob

Re: CFC Website - Hacked Again ( New ) !

In order to avoid attacks you have to ensure that all patches and updates are applied to your systems and software. This will not stop infections but will reduce the window of vulnerability to the period between when an exploit is discovered and a patch or update is available that addresses that vulnerability.

The CFC forum site uses newer technology and from what Bob Gillanders wrote was constantly being patched and backed up by Vincent Chow so it is probably up to date on security patches and updates at least up to the date that the CFC got rid of that effective team which turned around the CFC business operations.

A good webhosting company will typically do much of that for you. If their hosting platform gets hacked it will typically affect hundreds or thousands of websites so they will tend to keep everything up to date.

If the CFC keeps things hosted the way it is now I can guarantee that any new site will be hacked. It is inevitable. To date I haven't had any website that I have been involved in maintaining hacked despite having a number of psycho internet stalkers with access to and familiarity with all of the state of the art hacker tools (not that they are terribly bright but many of the tools make it easy for dumb people to hack sites and computers). Most of this is due to using professional hosting services that don't drop the ball and also keeping a low profile so that the stalkers don't know which websites are mine aside from vanity sites (which haven't been hacked either).

Vladimir Drkulec

Re: CFC Website - Hacked Again ( New ) !

Actually, the forum site is completely separate and managed/maintained by me, not the office. It does use newer technology (PHP and MySQL), and it uses an older version of vB. I'm not exactly sure why it hasn't been hacked and Chesstalk has (twice I think?) even though CT uses a newer version of vB. (CT has been updated since the hacks so those vulnerabilities were closed).

Re: CFC Website - Hacked Again ( New ) !

From my understanding of what people have said, the attack was based on some kind of SQL injection vulnerability so the use of an up to date MySQL database implementation probably precludes this line of attack for now.

Vladimir Drkulec

Re: CFC Website - Hacked Again ( New ) !

The database doesn't, but the front end (ie vB) does. It's all about filtering what gets inserted into the database.

If they wanted to be really nasty, they could just insert a KILL statement and poof goes the whole database just like that. Which is why I agree that the CFC is being randomly targeted and not someone going after them on purpose.

Re: CFC Website - Hacked Again ( New ) !

Kevin Spraggett's blog has an amusing take on all this today :)

... Maybe I'm just groggy from waking up though, but I think he just makes fun of everyone (Except me, for once :() without actually saying what the CFC should do now.

Re: CFC Website - Hacked Again ( New ) !

Bob, I am an objective observer to these technical threads with a ton of experience in software consulting. I am not 100% familiar with some of the newer tools but my experience working with every variety of software consultant / programmer / etc reminds me of the following :

1. Many ( not all ) technical people get enamoured with new software tools and often
with specific vendors. For example, in the 1990's Microsoft dominated several
markets and yet there were a ton of techies who hated Microsoft for no real
reason just an emotional one. This tends to cloud decisions sometimes.

2. Database technology hasn't fundamentally changed in twenty years. The main
changes would be interfaces ( e.g. GUI & Internet ), integration with new tools, and
performance upgrades.

3. It disturbs me that almost all of the advice being accepted is from a company
directly benefitting from the advice. In fact, recent events suggest that company
may be average at best in this area, but I add this might be in CFC's budget range.
The prior roles of some in the CFC itself during the CFC meltdown is also
a huge red flag.

4. Some of the advice offerred by others on here is far too technical and tools
oriented. You need an IT person with a business focus. What is important right
now is reliability, cost efficiency, and whatever works don't fix/change it. Make
sure procedures of staff are documented mini-handbook style. This can be done
by volunteers or the staff itself if possible.

In short, get back to a business focus and it is possible to find this in the IT world. The
real problem is you have a very small budget ( 10k, 20k is very small really ). The danger is by paying a smaller amount you get nothing lasting and have to repay again every few years.

Just my two cents.