I was wondering why Techsoup was down all day. The sad news after the jump:
UPDATE: As of 8/7/2008 3:37 EDT, Techsoup is up and running.
We have further information about what has caused our current website issues. We have suffered a SQL Injection attack. These types of attacks are known to exploit website vulnerabilities with the intent of distributing viruses and malware. We do not yet know all the details of this attack at this time. We do not have any specific evidence that malware or viruses were actually distributed; however, it is possible that people who visited our websites between 8:00PM PDT, Tuesday August 5, 2008 and 7:45AM PDT, Wednesday August 6, 2008 could have been exposed to viruses or malware. The impacted sites are:
* www.techsoup.org
* www.techsoup.org/stock
* www.techsoup.org/mar
* www.compumentor.org
We are advising anyone who visited any of the listed websites, during the hours noted above, to:
* Make sure your anti-virus software definitions are up-to-date.
* Run a scan of your hard drive to ensure no viruses or malware show up and follow the instructions to quarantine them.
* Review the information at http://www.us-cert.gov/cas/tips/ about managing viruses.
* Please continue to check this webpage [www.techsoup.org] (which is safe!) for further updates.
This sucks for the nonprofit technology community, but it is surprising to see SQL injection attacks succeed against old code in 2008. There are well-known ways to stop a SQL injection attack (above all, parameterized queries that never splice user input into the SQL text), and they have been built into most Web development frameworks and languages for years. If you want to know what a SQL injection attack is and how to stop it, check out the Wikipedia article.
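To make the point concrete, here is an added example (not code from the Techsoup post or from Techsoup's site, whose stack is not described here) of the bug and the fix side by side. The `members` table, its rows and the login query are constructed for this example; the two payloads are standard textbook SQL injection strings, not anything recovered from the actual attack.

```python
"""Added example: a SQL injection against a query built by string
formatting, and the parameterized query that stops it.  Everything in
here (table, rows, query) is constructed for illustration."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with a constructed members table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (username TEXT, password TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO members VALUES (?, ?, ?)",
        [
            ("alice", "s3cret", "alice@example.org"),
            ("bob", "hunter2", "bob@example.org"),
        ],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The classic bug: user input is spliced into the SQL text, so the
    database engine cannot tell where the data ends and the code begins."""
    sql = (
        "SELECT username, email FROM members WHERE username = '%s' "
        "AND password = '%s'" % (username, password)
    )
    return conn.execute(sql).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The fix: bind values through placeholders.  The driver hands the
    query shape and the values to the engine separately, so quotes,
    comment markers and keywords in the input remain plain data."""
    sql = "SELECT username, email FROM members WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


# Tautology payload: closes the string literal, adds an always-true clause,
# and comments out the remainder of the WHERE clause (the password check).
TAUTOLOGY_PAYLOAD = "' OR '1'='1' --"

# UNION payload: appends a second SELECT that pulls the credential columns
# into the result set, which is how a login form turns into a password dump.
UNION_PAYLOAD = "' UNION SELECT username, password FROM members --"


def demo() -> dict:
    """Run both payloads against both implementations and return the results."""
    conn = make_db()
    return {
        # Vulnerable query: the tautology logs in as every user at once...
        "vuln_tautology": login_vulnerable(conn, TAUTOLOGY_PAYLOAD, "x"),
        # ...and the UNION payload returns every username/password pair.
        "vuln_union": sorted(login_vulnerable(conn, UNION_PAYLOAD, "x")),
        # Parameterized query: the same strings are just usernames nobody has.
        "safe_tautology": login_safe(conn, TAUTOLOGY_PAYLOAD, "x"),
        "safe_union": login_safe(conn, UNION_PAYLOAD, "x"),
        # Legitimate use still works with the parameterized version.
        "safe_valid": login_safe(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable function returns both users for the tautology payload and both username/password pairs for the UNION payload; the parameterized function returns nothing for either, because the injected text is compared as a literal username. The SQLite `?` placeholder is the same mechanism as `@param` in ADO.NET, `%s` in psycopg2, or `:name` in PDO; whichever driver a site uses, the rule is the same: the SQL string never contains user input.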
As you may or may not know, Techsoup was the unlucky victim of another security breach when Convio was hit in November of last year. At the time, I issued some fairly stern remarks about the weak attempts at user notification with regard to username and password breaches. I’m reprinting the remedies here:
Means of Notification
Individually notify those affected whenever possible.
- Send the notice by first-class mail.
- As an alternative, notify by e-mail, if you normally communicate with the affected individuals by e-mail and you have received their prior consent to that form of notification.
- If more than 500,000 individuals were affected, the cost of individual notification is more than $250,000, or you do not have adequate contact information on those affected, provide notice using public communication channels.
- Post the notice conspicuously on your Web site, AND
- Notify through major statewide media (television, radio, print), AND
- Send the notice by e-mail to any affected party whose e-mail address you have.
I know the costs are going to be astronomical, but I believe that there’s no guarantee a simple Web page or subsequent alert e-mail is going to capture the entire Techsoup user base. For various reasons, people need to be alerted by all reasonable methods like the ones listed above. At this point, a TV or radio ad or at least something in the Chronicle of Philanthropy and Non-Profit Times is in order.
By the way, I was an unlucky user who was hit by the Convio breach. As a test, I left a few “junk” e-mail accounts and other kinds of accounts with the same username/password combination that was scooped up during the Convio breach by persons unknown. The slow but fairly methodical hacker(s) got to a couple of accounts only in the last month. This suggests a fairly organized criminal enterprise. I would not be surprised if this attack had similarly long-lasting consequences. I won’t be able to test this effect further, as my honeypot accounts no longer have the same username/password combination. I don’t know what information was hit, but my piece of advice to you is to immediately change all username/password combinations that match that of your account on Techsoup.