"EH-Net Compromise Disclosure

EH-Net was compromised a few months back, and we are asking all members to immediately change their passwords. Although we do not hold any sensitive data such as social security numbers, credit card numbers, date of birth, etc., we still realize that, although it is not recommended, some members may use the same password for social sites such as our as they do for more personally sensitive sites. If this is the case, please immediately change those passwords, too, and make both follow complexity guidelines.

We apologize for the late notification, but while we were in the process of cleaning the mess, we did not want the attackers to be notified. Our intention was to prevent multiple notifications and required actions by our members. Although we feel very comfortable in the status of the site and had planned on notifying all members, someone beat us to the punch. http://www.milw0rm.com/papers/297. We are providing this link, so that our members can see that a select few accounts and their passwords have been released to the public. We do not know how many more they have or will make public. This makes it even more urgent to change your passwords.

We apologize for any inconvenience this has caused. Although many other sites have experienced the same issues, and we are clearly a target based on the content of the site, this in no way excuses us for this incident.

Donald C. Donzal
Editor-in-Chief
The Ethical Hacker Network"

WTF?

EH-Net staff waited over eight months to let members know about the compromise?  According to the milw0rm release, the compromise occurred before "Jul 16 18:05:29 CEST".  I got a notice today (Feb 28, 2009) about the compromise.  This means that members of EH-Net or registrants for ChicagoCon may have had their account information in the hands of black hats for 8 moths.  Forum and conference registrants trusted EH-Net to keep their account details secure (it is a security organization after all).  At the very least they should have known about the compromise as soon as it happened so they could be given the opportunity to change passwords shared with other accounts.  Instead they're notified almost a year after the fact.  This sort of scenario is *exactly* why so many states have passed mandatory notification laws - to protect consumers from circumstances where trusted vendors lose their information but don't notify the customers.

Quite surprised myself at the length of time before notification (and also the lack of post here about it). But like the man said, there's no sensitive data here really, and we all should know better than reuse passwords. I think the sheer fact that our hats are white would mean that this site is targeted all the time.

Might see my way to forgiving Don for the delay, if he gives us a nice writeup about it

I want to know how we got pwned.   I saw that they mentioned a back door to the forum, but I don't think that was the entry point.

Thanks.   Any idea if it was 0day or a missing SMG or Joomla patch?   I am just curious as to how sophisticated the attack was. 

I definitely expect a site like this one to be constantly targeted.   I am not pissed or surprised, I am more curious. 

This is really not a huge deal, unless you have poor password hygiene. If you do, this is likely just the kick in the ass that you need. 

Just a short one from me.
Don and the others that maintain the site, good spot on identifying the hack, good work on the remediation and resolving the issues, and kudos for sharing the information.

Life is full of opportunities for us to improve our processes, and the world isnt full of nice helpful people, so these things happen.

Whats done is done, dont focus on the problem, focus on the solution, and most of all have fun and keep contributing to this great, free, public forum.