Over on the progressive exchange list, Dave Crooke gave out more technical details about the Convio security breach:
Date: Mon, 05 Nov 2007 11:42:46 -0600
From: Dave Crooke <dave@convio.com>
[rest of header deleted for brevity]Hi folks - a quick summary of key points:
1. The compromise only affected the GetActive platform, not the Convio
platform.2. The intruder obtained a login and password belonging to a Convio
(GetActive) employee. It appears that their PC was compromised, but we
are still investigating - we have sent that PC’s hard drive to a
forensic lab for formal analysis. The operating system level integrity
of the GetActive production systems was not affected.3. The intruder logged in and downloaded a number of email addresses and
passwords belonging to constituents of GetActive client non-profits. The
non-profits in question have been contacted, and advised to contact the
affected constituents, and most have already done so per Anne’s note
below.4. No personal information such as names, addresses, or credit card
numbers was obtained by the intruder.Best wishes
Dave
Hmm… these little tidbits of information seem to raise more questions than answers but waiting for Convio to report on the forensic analysis would be a good idea. You know, when I was considering purchasing eCRM services for my nonprofit years ago, I would always try to ask for a network diagram just so I would understand how secure their systems were. They would never give one to me which always made me feel uncomfortable.
What is distressing is a defense of Convio by a marketer on the progressive exchange e-mail list who is claiming “that GA was using… state of the art anti-hacking tactics.” We really don’t know that yet and unencrypted passwords are truly NOT state of the art anti-hacking tactics. At this point, it’s a really onerous problem because users won’t necessarily be reached in time to stop hackers from doing ID theft with their password. That said, the very long time between the breach and the announcement of it may already have exposed users to a lot of the damage already. My recommendation is to proceed with contacting your constituents if Convio has contacted you regarding possible exposure to this breach. And those of you who have survived this breach with not having to contact constituents, should immediately rescind the “privilege” of e-mailing members with their old passwords if they forget them and just create a random new password for them to login with instead.
Loading ...
“I would always try to ask for a network diagram just so I would understand how secure their systems were. They would never give one to me which always made me feel uncomfortable.”
From a security point isn’t that a good thing that they never gave out their network diagrams? If they had said “sure take a look so that you can work out for yourself where we are vulnerable” then I would have been very concerned.
David
No, not really. You’re relying on a security through obscurity model. And knowing a network architecture is different from trying to penetrate it. I’m not asking them to tell me what version of IOS is running on their Cisco router. I just want to know that they have multiple backups and that they have people doing decent admin on those routers.
I’ve always wanted to double-check just the basics: Do they use a firewall? What are the points of failure? Where are the servers situated? Who are their hosting providers? Who are they peered with? Where are the backups happening?
These days, if I knew who a vendor’s hosting provider was, I’d set an RSS subscription that would be searching on keywords just so I could suss out any issues in nearer to real-time.
Convio’s multiple security failures here are elementary-level and simply inexcusable.
First, as mentioned before, there’s the unencrypted passwords issue.
But secondly, from what I’ve been reading about this, the GetActive and Convio network security was laughable. An employee was allowed to work from home, on a non-secure PC, without the latest spyware & malware protections? And this employee was someone with the priveleges to administratively access ALL 150 accounts that were affected or almost affected? Why does one employee need to be able to access 150 accounts? And this is at a company that is supposed to handle millions upon millions of records of data safely and securely?
A basic security audit would have pointed these vulnerabilities out — but I guess Convio didn’t want to bother with that.
I wonder how the potential of millions and millions of dollars of liabilities from this incident will affect Convio’s planned IPO…
@activist — from what I can tell, the employee might have been phished so spyware and malware would not have helped. I’m more worried by the “download all the passwords” capability. That’s a bit nuts. It was like handing hackers the entire cookie jar. It was not a good kludge and all because they were too unwilling to do an open API. This is a great time to demand an SLA from Convio though. You couldn’t get it before but I’m sure there are lots of demands for SLAs right now coming at Convio.
well, since they took the computer away for forensic analysis, I assumed it was a case of spyware or malware. I could be wrong.
But it really doesn’t matter. Convio either:
a) allowed an employee — who has access to massive amounts of data — to work from a home computer that did not have adequate protective software installed; OR
b) employed someone who doesn’t know how to recognize and avoid a phishing attack, and gave them access to massive amounts of data.
Either way — a colossal failure. Not a technical failure, mind you, but a management failure, to put the right policies in place and enforce them rigorously.
I have just learned of this security breach. But my non-profit has been a Convio client for two years and we have spend tens of thousands of dollars and received zero benefit. The system isn’t even operational yet because we haven’t been able to get their attention for any extended period of time. Is this company going under?