Comments on: Dave Crooke speaks about the Convio security breach

By: Spike3905

Spike3905 — Sun, 11 Nov 2007 01:13:55 +0000

I have just learned of this security breach. But my non-profit has been a Convio client for two years and we have spend tens of thousands of dollars and received zero benefit. The system isn’t even operational yet because we haven’t been able to get their attention for any extended period of time. Is this company going under?

By: abolla-26730@mypacks

abolla-26730@mypacks — Sat, 10 Nov 2007 01:45:04 +0000

well, since they took the computer away for forensic analysis, I assumed it was a case of spyware or malware. I could be wrong.

But it really doesn’t matter. Convio either:

a) allowed an employee — who has access to massive amounts of data — to work from a home computer that did not have adequate protective software installed; OR

b) employed someone who doesn’t know how to recognize and avoid a phishing attack, and gave them access to massive amounts of data.

Either way — a colossal failure. Not a technical failure, mind you, but a management failure, to put the right policies in place and enforce them rigorously.

By: Allan Benamer

Allan Benamer — Thu, 08 Nov 2007 14:35:17 +0000

@activist — from what I can tell, the employee might have been phished so spyware and malware would not have helped. I’m more worried by the “download all the passwords” capability. That’s a bit nuts. It was like handing hackers the entire cookie jar. It was not a good kludge and all because they were too unwilling to do an open API. This is a great time to demand an SLA from Convio though. You couldn’t get it before but I’m sure there are lots of demands for SLAs right now coming at Convio.

By: Activist

Activist — Thu, 08 Nov 2007 14:16:09 +0000

Convio’s multiple security failures here are elementary-level and simply inexcusable.

First, as mentioned before, there’s the unencrypted passwords issue.

But secondly, from what I’ve been reading about this, the GetActive and Convio network security was laughable. An employee was allowed to work from home, on a non-secure PC, without the latest spyware & malware protections? And this employee was someone with the priveleges to administratively access ALL 150 accounts that were affected or almost affected? Why does one employee need to be able to access 150 accounts? And this is at a company that is supposed to handle millions upon millions of records of data safely and securely?

A basic security audit would have pointed these vulnerabilities out — but I guess Convio didn’t want to bother with that.

I wonder how the potential of millions and millions of dollars of liabilities from this incident will affect Convio’s planned IPO…

By: Allan Benamer

Allan Benamer — Tue, 06 Nov 2007 14:15:25 +0000

No, not really. You’re relying on a security through obscurity model. And knowing a network architecture is different from trying to penetrate it. I’m not asking them to tell me what version of IOS is running on their Cisco router. I just want to know that they have multiple backups and that they have people doing decent admin on those routers.

I’ve always wanted to double-check just the basics: Do they use a firewall? What are the points of failure? Where are the servers situated? Who are their hosting providers? Who are they peered with? Where are the backups happening?

These days, if I knew who a vendor’s hosting provider was, I’d set an RSS subscription that would be searching on keywords just so I could suss out any issues in nearer to real-time.

By: David Zeidman

David Zeidman — Tue, 06 Nov 2007 11:37:47 +0000

“I would always try to ask for a network diagram just so I would understand how secure their systems were. They would never give one to me which always made me feel uncomfortable.”

From a security point isn’t that a good thing that they never gave out their network diagrams? If they had said “sure take a look so that you can work out for yourself where we are vulnerable” then I would have been very concerned.

David