Title: EH-Net Compromise?!?!
Post by: mad_irish on February 28, 2009, 07:48:02 AM

"EH-Net Compromise Disclosure

EH-Net was compromised a few months back, and we are asking all members to immediately change their passwords. Although we do not hold any sensitive data such as social security numbers, credit card numbers, date of birth, etc., we still realize that, although it is not recommended, some members may use the same password for social sites such as ours as they do for more personally sensitive sites. If this is the case, please immediately change those passwords, too, and make both follow complexity guidelines. We apologize for the late notification, but while we were in the process of cleaning the mess, we did not want the attackers to be notified. Our intention was to prevent multiple notifications and required actions by our members. Although we feel very comfortable in the status of the site and had planned on notifying all members, someone beat us to the punch. http://www.milw0rm.com/papers/297. We are providing this link so that our members can see that a select few accounts and their passwords have been released to the public. We do not know how many more they have or will make public. This makes it even more urgent to change your passwords. We apologize for any inconvenience this has caused. Although many other sites have experienced the same issues, and we are clearly a target based on the content of the site, this in no way excuses us for this incident.

Donald C. Donzal
Editor-in-Chief
The Ethical Hacker Network"

WTF? EH-Net staff waited over eight months to let members know about the compromise? According to the milw0rm release, the compromise occurred before "Jul 16 18:05:29 CEST". I got a notice today (Feb 28, 2009) about the compromise. This means that members of EH-Net or registrants for ChicagoCon may have had their account information in the hands of black hats for 8 months. Forum and conference registrants trusted EH-Net to keep their account details secure (it is a security organization after all).

At the very least they should have known about the compromise as soon as it happened so they could be given the opportunity to change passwords shared with other accounts. Instead they're notified almost a year after the fact. This sort of scenario is *exactly* why so many states have passed mandatory notification laws - to protect consumers from circumstances where trusted vendors lose their information but don't notify the customers.

Title: Re: EH-Net Compromise?!?!
Post by: xXxKrisxXx on February 28, 2009, 10:35:02 AM

Doesn't look like I have to change mine. I wasn't even in the damn milw0rm paper they published... way to leave my e-mail & my password out. :'( Impressive work though.

Title: Re: EH-Net Compromise?!?!
Post by: Chan on February 28, 2009, 12:35:27 PM

Quite surprised myself at the length of time before notification (and also the lack of a post here about it). But like the man said, there's no sensitive data here really, and we all should know better than to reuse passwords. I think the sheer fact that our hats are white would mean that this site is targeted all the time.

Might see my way to forgiving Don for the delay, if he gives us a nice writeup about it :)

Title: Re: EH-Net Compromise?!?!
Post by: LSOChris on February 28, 2009, 02:08:31 PM

I'm not read into all the details, but you are making a LARGE assumption that someone knew the box was owned in July and that they knew the level of access the bad guys had.

I'm confused what "information" you are referring to. Your username, email and password? If you blog, you put plenty more information about you out on the net than that for free.

Title: Re: EH-Net Compromise?!?!
Post by: Ketchup on February 28, 2009, 03:00:09 PM

I want to know how we got pwned. I saw that they mentioned a back door to the forum, but I don't think that was the entry point.

Title: Re: EH-Net Compromise?!?!
Post by: nebu10uz on February 28, 2009, 03:40:02 PM

Several months ago I detected that EH-Net's site was hosting a malicious HTML tag and, if I remember correctly, it was an iframe pointing to a malicious site. It appeared that it was inserted via a SQL injection. I reported this to Don and he immediately took care of it. So, I assumed that EH-Net was probably hacked via SQL injection.

EH-Net is a security professional portal, so expect it to be scrutinized by hackers or crackers for the fun of it. Remember to use a different password than the one you use for your banking, email or other important accounts. Thank God I did, because my EH credentials are now posted publicly on the Internet.

Title: Re: EH-Net Compromise?!?!
Post by: Ketchup on February 28, 2009, 05:45:57 PM

Thanks. Any idea if it was a 0day or a missing SMF or Joomla patch? I am just curious as to how sophisticated the attack was.

I definitely expect a site like this one to be constantly targeted. I am not pissed or surprised, I am more curious.

Title: Re: EH-Net Compromise?!?!
Post by: MicroJay on February 28, 2009, 07:45:44 PM

I believe any site is vulnerable sooner or later. And targeted sites are going to be the ones that are 'against' the attacker in whichever way possible. So - no site is 'free' from people like what happened here. Not even some mom and pop site.

The good thing is... we were notified of the attack. Some may think it's too late. I am happy that we were notified altogether. There are other sites/industries that may not even let you know because of one reason or another. Best practice... never use the same password on several accounts. Always change passwords (don't leave the password unchanged forever!). Being in the security field in one way or another, we should all know this! ;-) I am also curious how it was done, but do not hold anything against anyone that keeps this site up and running.

Title: Re: EH-Net Compromise?!?!
Post by: jason on February 28, 2009, 08:00:39 PM

This is really not a huge deal, unless you have poor password hygiene. If you do, this is likely just the kick in the ass that you need.

Title: Re: EH-Net Compromise?!?!
Post by: Andrew Waite on March 01, 2009, 03:34:20 AM

No problem for me; password best practice means I use a different password per site/account. As the notification stated, there is no sensitive information stored on the site, so I don't see the comparison and link to breach notification laws. Not ideal, but sh1t happens. As the site gets bigger it's going to become a bigger target for someone to go after for rep and kudos from various circles. Can't say I'm overly surprised or concerned; everything I post is there for public consumption anyway.

We should know better than most that nothing more complex than a 'hello world' script can be 100% secure; if it was, then we would all be out of a job and a hobby (and there'd be no fun in that...)

Title: Re: EH-Net Compromise?!?!
Post by: dalepearson on March 02, 2009, 10:27:39 AM

Just a short one from me.

Don and the others that maintain the site: good spot on identifying the hack, good work on the remediation and resolving the issues, and kudos for sharing the information. Life is full of opportunities for us to improve our processes, and the world isn't full of nice helpful people, so these things happen. What's done is done; don't focus on the problem, focus on the solution, and most of all have fun and keep contributing to this great, free, public forum.