avast! Forums hacked

I actually didn’t bother to make a sensational news about it, because I found out it’s really not that important. You can read more about it here .

Instead, I will write about reactions some have to this. It’s actually funny how people react to this rather insignificant hack. Yes, I’ve actually seen words as “embarrassed”, “hideous” and various other variations. Now, let’s go one thing at a time and explain it…

What got hacked here was a 3rd party software that was powering their forums. So, not something they designed. You can’t control something you don’t have source code for. You just secure it as much as it’s possible by design and that’s it. If it gets hacked, fuck it. It’s nothing you could prevent, if 3rd party software was vulnerable.

People said they were using outdated version based on the copyright year number on the forums page. That is yet again incorrect, because the year number is not a year number of the forum software, but a hardcoded number within a custom skin used on the forums. Meaning software was in fact up to date, it was just the skin that was displaying old year number.

What was the significance of the hack and how that actually affects users? Well, all that attackers got were usernames (already displayed publicly on a forum), e-mails (most users post them around anyway, just like me) and hashed passwords. Thing worth pointing out is the fact that they only got hashed passwords, which means avast! Software team actually did a good job. Most of web admins store passwords in plain text format and that is something worth being marked as embarrassing and hideous. People just aren’t aware of such idiotic security practices until that page gets hacked and data is stolen. But not in avast!’s case. You can in theory derive passwords from the hashed values, but that requires time to process and it might not be successful. In the mean time, users are advised to change passwords. And again, that applies only to those who use same password everywhere. Let me just point out that using same password on forums and financial sites like your online banking, PayPal or paid for services like Steam store or for example paid for music/video streaming services etc is a bad idea. If you use same password for insignificant services, that’s no biggie, but make sure you use different and complex passwords for important webpages. This means at least 16 characters long password that is using lower/uppercase letters and also numbers. I was raging about this years ago and I will yet again point it out how some web admins actually limit the max number of characters used for passwords. Yup, you heard it right. You can’t make passwords 30 characters long, no no no, they limit them to for example 10 characters only. Or 12. WHY? Why on Earth would you want to limit maximum number of characters that can be used for password? Enforce max lower number for god sake so users don’t use passwords like “1234”. But limiting the upper limit is plain idiotic. And big companies like Adobe were doing this and I think they are still doing it. Every users should have a right to make at least 50 characters long passwords if they wish so. if you can’t code that into your webpage, it’s better that you don’t design webpages for others (or big companies). I know 50 charactes is generally an overkill, but if someone feels the need to use such long password, he should be entitled to do so.

There were also complaints from various users that all big security firms got hacked at some point. Now, lets stop here again. As far as my memory goes, it was always word “3rd party” involved in the hacks. Either it was a forum software, a partner distributor webpage, hacked government servers etc. I remember avast! German distributor webpage got hacked several months ago if not more. How is that under official avast!’s control if it’s not actually their webpage (just a domain given to a distributor). And as such, they can’t be blamed for it. Panda Security webpage got defaced year or two ago. It was yet again just some info site for some promotion or something, nothing was really stolen, they just defaced the webpage. Years ago, Symantec and Kaspersky source code was stolen. But here is a catch. It wasn’t stolen from their webpage or servers, it was stolen from some government servers (because they requested their source code, probably to examine it for possible backdoors). Again, not under control of original developers, besides, it was a very old source code for outdated versions of their software.

So, when you draw a line,  nothing really happened. People hacked some 3rd party software, they haven’t really stolen anything significant or worth mentioning and that’s about it. Blaming security firms for getting hacked due to flaws in 3rd party software such as forum software is just idiotic. No one is going to write their own forum software, because that would be stupid and wasteful. No one does that. And even then it wouldn’t guarantee absolute security, because every software can be vulnerable at some point.

So, stop doing sensational news about the hack and how they should be ashamed and other yadidadida. Forum software that they haven’t coded was hacked and people make such big of a deal out of it, it’s not even funny anymore. Make sensational news when their actual software profiles get hacked or their entire licenses database stolen or actual users personal info from their internal servers. That’s something where you can bash security firms, but not for some stupid forum hack. They found the hack, notified the users if they are stupid enough to use same password everywhere and that’s about it. They did their part and they are fixing the damage done to the forums. It’s up to the users if they’ll have to change their passwords or not.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s