Discussion:
ARRL Web Site breached...
David Cole dave-0ILqX6cLdjY@public.gmane.org [linuxham]
2014-10-08 10:54:01 UTC
http://www.arrl.org/news/arrl-investigating-web-server-breach
--
Thanks and 73's,
For equipment, and software setups and reviews see:
www.nk7z.net
for MixW support see;
http://groups.yahoo.com/neo/groups/mixw/info
for Dopplergram information see:
http://groups.yahoo.com/neo/groups/dopplergram/info
for MM-SSTV see:
http://groups.yahoo.com/neo/groups/MM-SSTV/info

------------------------------------
Posted by: David Cole <dave-***@public.gmane.org>
------------------------------------
Original Woodchuck marmota-2p+qKb8Fl0QN+BqQ9rBEUg@public.gmane.org [linuxham]
2014-10-08 13:13:44 UTC
Post by David Cole dave-***@public.gmane.org [linuxham]
http://www.arrl.org/news/arrl-investigating-web-server-breach
Thanks for the heads-up.

Now ARRL needs to tell:
(1) why that notice is of the form "Lie down and stay calm", and
was delayed a week;
(2) why the loss of personal data is dismissed as trivial since
someone could get the data elsewhere, say by hacking FCC's DB;
(3) why IT Manager Keane and the author of that release remain
employed;
(4) why members were not notified by email, since notifying
members individually is an established practice for every *other*
administrative change or revenue promotion;
(5) why loss of "old" passwords is discounted as *the member's
problem*;
(6) why user accounts with compromised passwords are not disabled;
(7) why the nature of the hack was not disclosed, and when
Mr Keane will have removed the vulnerability;
(8) how long the vulnerability has gone unpatched;
(9) who the hacker(s) might be;
(10) whether passwords were being stored in plaintext;
(11) whether the hacker left any "surprises" behind, and how Mr
Keane can assure us concerning his answers.

I point out that Mr Keane's dismissive statement,

“We don’t keep anything of value [to a hacker] there. Hackers don’t
care about DXCC totals or want to read the online issue of QST. There’s
nothing of financial value there”,

sounds dangerously naive or worse,
cavalier. How does he know the hacker's purpose? Why does he
snark jokes? He admits he does not know the extent of the violation.
Not knowing the extent of the intrusion, he cannot make statements like
the one made. What he possibly means to say is that there is no threat
to the financial assets of ARRL.

Dave AB3NR "Mushroom"



Andy mm0fmf-PkbjNfxxIARBDgjK7y7TUQ@public.gmane.org [linuxham]
2014-10-08 13:27:08 UTC
As an ARRL member this affects me and so I'd like to thank the OP for pointing out the announcement of the hack in a group that is not to do with the ARRL but will have many ARRL members as subscribers.

Questions about what the ARRL is doing, why they delayed reporting it and why someone hasn't been sacked are for the ARRL to respond to if they feel they warrant a reply and should be addressed to the ARRL directly and/or ARRL discussion groups. Calling for a lynching is nothing to do with Linuxhams no matter who is at fault.

The important point I see is in the linked article "Keane said that in addition to reporting the security breach to federal law enforcement authorities", i.e. the law where the hacked server lives is aware.

The immediate thing is there are some passwords to change now especially if you have used the same id and password for several sites. But we all know not to do that.

Andy, MM0FMF
ARRL member since 2001
David Cole dave-0ILqX6cLdjY@public.gmane.org [linuxham]
2014-10-08 14:27:00 UTC
Hi,
On Wed, 2014-10-08 at 09:13 -0400, Original Woodchuck
marmota-2p+qKb8Fl0QN+***@public.gmane.org [linuxham] spewed forth:

Thanks for the heads-up.

Response:
You are most welcome!
========================================================================

On Wed, 2014-10-08 at 09:13 -0400, Original Woodchuck
marmota-2p+qKb8Fl0QN+***@public.gmane.org [linuxham] spewed forth:

Now ARRL needs to tell:
(1) why that notice is of the form "Lie down and stay calm", and
was delayed a week;

Response:
All notices of this nature are much the same... Your choice of words
biases the entire concept of the notification. I read it and did not
get a "Lie down" feeling. I am sure the delay was to ensure that they
have good data prior to a press release.
======================================================================

On Wed, 2014-10-08 at 09:13 -0400, Original Woodchuck
marmota-2p+qKb8Fl0QN+***@public.gmane.org [linuxham] spewed forth:

(2) why the loss of personal data is dismissed as trivial since
someone could get the data elsewhere, say by hacking FCC's DB;

Response:
It is trivial because it is the same data as on the FCC database, which
is freely available to all, no need to hack the FCC database, as you
say... Again, biased words... Presumably the ARRL is not feeding lies
to us here, so all that was lost were call sign data, as it appears on
the FCC's site. Also password data, which is more concerning...
"Any information the hacker might have been able to glean from the ARRL
server, he said, is already publicly available — data such as names,
addresses, and call signs that appear in the FCC database."

There is a later reference to changing passwords if you had not changed
after 2010... That implies they implemented crypto on the password file
around 2010.

While I am not worried about this, I am sad to see that the ARRL servers
got hacked... If the press release is true, then the only real data
lost was the user's password, and only from 2010 back. Not good, but not
personal data being dismissed as trivial.
========================================================================

On Wed, 2014-10-08 at 09:13 -0400, Original Woodchuck
marmota-2p+qKb8Fl0QN+***@public.gmane.org [linuxham] spewed forth:

(3) why IT Manager Keane and the author of that release remain
employed;

Response:
Because the breach does not constitute a fireable offence with the ARRL,
nor most companies. Neither you nor I have the needed information to
make that sort of decision here... Only the parties involved do.
=========================================================================

On Wed, 2014-10-08 at 09:13 -0400, Original Woodchuck
marmota-2p+qKb8Fl0QN+***@public.gmane.org [linuxham] spewed forth:

(4) why members were not notified by email, since notifying members
individually is an established practice for every *other* administrative
change or revenue promotion;

Response:
It would have been good to get a note to change a password. However I
did not get mail from, Target, Chase, TJ Max, Home Depot, or any of the
multitude of others who have been hacked over the past year either, so
the ARRL followed accepted methods for this sort of breach, shy the
password. In my opinion, an email should have gone out for the password
issue though.
=========================================================================

On Wed, 2014-10-08 at 09:13 -0400, Original Woodchuck
marmota-2p+qKb8Fl0QN+***@public.gmane.org [linuxham] spewed forth:

(5) why loss of "old" passwords is discounted as *the member's
problem*;

Response:
Because it is the member's problem... I don't want the ARRL selecting my
passwords for me, then sending them to me, so I have to deal with it,
hence it is *my* problem.
=========================================================================

On Wed, 2014-10-08 at 09:13 -0400, Original Woodchuck
marmota-2p+qKb8Fl0QN+***@public.gmane.org [linuxham] spewed forth:

(6) why user accounts with compromised passwords are not disabled;

Response:
Good question, probably should have been...
=========================================================================

On Wed, 2014-10-08 at 09:13 -0400, Original Woodchuck
marmota-2p+qKb8Fl0QN+***@public.gmane.org [linuxham] spewed forth:

(7) why the nature of the hack was not disclosed, and when
Mr Keane will have removed the vulnerability;

Response:
Would have been good to hear this as well, but not the end of the world
if not...
=========================================================================

On Wed, 2014-10-08 at 09:13 -0400, Original Woodchuck
marmota-2p+qKb8Fl0QN+***@public.gmane.org [linuxham] spewed forth:

(8) how long the vulnerability has gone unpatched;

Response:
Again, would have been nice to hear, but not the end of the world if I
don't know... I never found this out from Chase, TJ Max, Target, etc...
=========================================================================

On Wed, 2014-10-08 at 09:13 -0400, Original Woodchuck
marmota-2p+qKb8Fl0QN+***@public.gmane.org [linuxham] spewed forth:

(9) who the hacker(s) might be;

Response:
Really? This again falls into the "would have been nice"
category...
=========================================================================

On Wed, 2014-10-08 at 09:13 -0400, Original Woodchuck
marmota-2p+qKb8Fl0QN+***@public.gmane.org [linuxham] spewed forth:

(10) whether passwords were being stored in plaintext;

Response:
One could assume from the supplied data that passwords were plaintext up
to 2010 and passwords after 2010 were not.
==========================================================================

On Wed, 2014-10-08 at 09:13 -0400, Original Woodchuck
marmota-2p+qKb8Fl0QN+***@public.gmane.org [linuxham] spewed forth:

(11) whether the hacker left any "surprises" behind, and how Mr
Keane can assure us concerning his answers.

Response:
You have asked an unanswerable question-- if there are "surprises" then
no one would know about them, so no one could answer your question...
Perhaps your question should have been a statement, not a question?

I am not too worried about the ARRL assuring me of their answers being
correct... If they are lying to us, then they will tell us "all is
well"-- if all is well, they will tell us, "all is well", so whatever
the ARRL says the answer will be the same, "all is well". Your logic
dooms them to be questioned even if all is well, all the time...
==========================================================================

On Wed, 2014-10-08 at 09:13 -0400, Original Woodchuck
marmota-2p+qKb8Fl0QN+***@public.gmane.org [linuxham] spewed forth:

I point out that Mr Keane's dismissive statement, “We don’t keep
anything of value [to a hacker] there. Hackers don’t care about DXCC
totals or want to read the online issue of QST. There’s nothing of
financial value there”, sounds dangerously naive or worse, cavalier.
How does he know the hacker's purpose? Why does he snark jokes? He
admits he does not know the extent of the violation.

Response:

I see no joke here... Not sure where you got that from. The statement
does not sound dismissive to me either...

Perhaps the statement is true, perhaps the ARRL financial data is on a
more secure network... Companies frequently keep financial data on
different networks from Internet facing networks, different security
models for different data...

Only the ARRL would know where it keeps its financial data, so only the
ARRL can speculate about what was exposed, and what was safed...

Your statement that the ARRL comments were naive, or cavalier, is at
best judgmental, and at worst finger pointing with zero data to prove
your point... You simply don't have the data to speculate reasonably.
==========================================================================

On Wed, 2014-10-08 at 09:13 -0400, Original Woodchuck
marmota-2p+qKb8Fl0QN+***@public.gmane.org [linuxham] spewed forth:

Not knowing the extent of the intrusion, he cannot make statements like
the one made. What he possibly means to say is that there is no threat
to the financial assets of ARRL.

Response:
I am not sure the extent is unknown, and *you* can't be sure it is
unknown either... The network topology and structure may have forced
constraints on what a hacker has access to, so the extent of the attack
may very well be known... Again, there is not enough information for
either of us to make the statements you are making here...
--
Thanks and 73's,
For equipment, and software setups and reviews see:
www.nk7z.net
for MixW support see;
http://groups.yahoo.com/neo/groups/mixw/info
for Dopplergram information see:
http://groups.yahoo.com/neo/groups/dopplergram/info
for MM-SSTV see:
http://groups.yahoo.com/neo/groups/MM-SSTV/info
gdmoisboq-/E1597aS9LQAvxtiuMwx3w@public.gmane.org [linuxham]
2014-10-08 20:37:11 UTC
I'll try to add to vs repeat previous contributions

<don flame resistant knickers>

1) True this is the "boilerplate" response, but when I was working
network security, the customer's FIRST notice of an event was
"the DAMN BOX DON'T WORK!" - yes, pull it (them) off-line
immediately.

Also, the customers were notified as soon as possible that
there was a problem - usually via our help desk when they
called in. We also had staff tasked with notifying major
customer POCs.

I have to agree that a week+ is inexcusable.

2) IMHO, NO data loss is trivial. One thing that comes to mind is the
probable increase in spam via the ARRL's email relays, since
those names (profiles) were probably captured.

3) Nope, not a termination offense, not even within the DoD.
However I hope they have a "lessons learned" process for both
the IT and PA offices. Those need a strong update.

4) I'm sure we will be notified in the next ARRL weekly "poo" email - if
you subscribe. Then again, maybe not.

If you read between the lines - there were a couple of notices that
the web site would be down for "service" - they just didn't say
exactly what was being fixed vs upgraded.

6) Yes, should have been done - but then it would cost $$ to have to
interface with so many customers - oops, I thought that was what
a service organization was set up to do. However, just how many
were compromised, and how many were simply "possibles" - it
becomes a judgement call (usually wrong, either way!)

7) There is an industry standard process for this - it is usually
referred to as responsible disclosure. The idea is to close
the hole(s) across the industry before it becomes full public
knowledge. As an end user - we do not have any capability to
repair the vulnerability, so we are often the last to know.

Several years ago, there was a DNS vulnerability that the
WORLDWIDE IT industry "sat on" for 6 months due to the
massive damage that would result until all DNS vendors could
repair their software, not just one or two vendors. Not even the
primary users (data centers, etc) could get the full disclosure.

8) Obviously at least a week, possibly more until they get patches in.
Should things be running? - possibly so, particularly the
servers/software that has been proven NOT vulnerable.

9) Probably do not know who - even if they did, LEO has possession
of the case (per the news release) and they dictate what kind of
disclosure is permitted.

10) Really, not a good thing. Is that related to the breach? - probably
not, so why expose another (hopefully corrected) vulnerability?

11) As another reader stated - surprises are just that. HOWEVER, we
were required to maintain a reasonably current OFFLINE
cryptographic signature database. If we had any doubts - the
first thing was to validate the system against that database,
then hand validate ALL changes since the database was
created. All differences that were not verifiable had to be
resolved before the system went back on-line (and the system
admin got to go home). Won't kill all surprises, but very few will
get by.

This process will also help with the "I don't know what they did"
issue.

As to sensitive data, we don't know how much cross-feed exists with
the ARRL "store" site. Since many users allow the e-commerce
sites to retain their credit/debit information, there could be
a significant risk, but that, like passwords, is primarily the end
user's fault, IMHO.

<doff flame retardant knickers>

73
larry bradford AE5WH
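Larry's item 11 describes the integrity check a defender actually runs after a suspected intrusion: validate the system against a cryptographic signature database kept offline, then hand-check every difference before the box goes back on-line. The following is an added example of that baseline-and-verify step, written for this page and not taken from the thread, the ARRL, or any vendor product. The JSON layout of the baseline, the `build_baseline`/`verify` names, and the file names in the constructed sample tree are all assumptions of the example.

```python
"""File-integrity baseline and verification (added example, not from the thread).

Workflow mirrored here:
  1. Hash every regular file on a known-good system and write the result
     to media that is then kept OFFLINE (the 'signature database').
  2. After an incident, load that baseline, check the baseline itself is
     intact, and diff the live tree against it.
  3. Everything reported as added/removed/modified is what the admin must
     explain by hand before the system goes back on-line.
The JSON layout (relative path -> sha256/size/mode) is an assumption of
this example, not any standard or vendor format.
"""
import hashlib
import json
import stat
import tempfile
from pathlib import Path

CHUNK = 1 << 16  # read files in 64 KiB blocks so large binaries do not load into RAM


def sha256_file(path: Path) -> str:
    """Streaming SHA-256 of one file."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Walk root and record digest, size and permission bits of every regular file.
    Symlinks are skipped so a planted link cannot make the walk hash a file elsewhere."""
    baseline = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file() and not p.is_symlink()):
        st = path.lstat()
        baseline[path.relative_to(root).as_posix()] = {
            "sha256": sha256_file(path),
            "size": st.st_size,
            "mode": stat.S_IMODE(st.st_mode),
        }
    return baseline


def baseline_fingerprint(baseline: dict) -> str:
    """Digest of the canonical JSON encoding, so the copy brought back from offline
    media can be checked against the fingerprint recorded when it was written."""
    blob = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def verify(root: Path, baseline: dict) -> dict:
    """Diff the live tree against the stored baseline.
    A content change OR a permission change counts as modified."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(current) & set(baseline)
        if current[p]["sha256"] != baseline[p]["sha256"]
        or current[p]["mode"] != baseline[p]["mode"]
    )
    return {"added": added, "removed": removed, "modified": modified,
            "clean": not (added or removed or modified)}


def demo() -> dict:
    """Constructed sample tree: baseline it, simulate post-baseline changes, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "httpd").write_bytes(b"original server binary (constructed)")
        (root / "etc" / "httpd.conf").write_text("Listen 80\n")
        (root / "etc" / "motd").write_text("welcome\n")

        baseline = build_baseline(root)
        snapshot = json.dumps(baseline, sort_keys=True)  # this is what goes to offline media
        fingerprint = baseline_fingerprint(baseline)      # recorded separately from the media
        clean_before = verify(root, baseline)["clean"]    # sanity check: unchanged tree is clean

        # Simulated changes made after the baseline was taken (constructed):
        (root / "bin" / "httpd").write_bytes(b"replaced server binary (constructed)")  # modified
        (root / "etc" / "motd").unlink()                                               # removed
        (root / "tmp_dropper").write_text("unexpected file\n")                          # added

        loaded = json.loads(snapshot)
        if baseline_fingerprint(loaded) != fingerprint:
            raise RuntimeError("offline baseline copy does not match recorded fingerprint")
        report = verify(root, loaded)
        report["clean_before_changes"] = clean_before
        report["baseline_fingerprint"] = fingerprint
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points worth noting: the baseline records permission bits as well as content, because a setuid flip on an unchanged binary is a change an admin must explain; and the fingerprint of the baseline itself is stored apart from the media, so a tampered baseline cannot quietly vouch for a tampered system. The `mode` comparison assumes a POSIX filesystem; on other platforms drop that field.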
Charles Brabham n5pvl-eeV24iX8Xvtg9hUCZPvPmw@public.gmane.org [linuxham]
2014-10-08 20:51:54 UTC
I think that we should cut the ARRL a little slack here, they do not put
themselves forward as IT professionals.

As many of us have noted with some of the ARRL's poorly thought-through
proposals to the FCC in the last decade, the organization under K1ZZ's
"leadership" is not even particularly well-informed about radio.

I mean, what can we realistically expect?

73 DE Charles, N5PVL


Jeff Francis™ jeff-CDdbmnNP9qodnm+yROfE0A@public.gmane.org [linuxham]
2014-10-09 02:02:45 UTC
It really boils down to this. I trusted you with my data. You betrayed
that trust. If you're not competent enough to protect the data yourself,
that's fine. Not everybody is a security expert (honestly, almost nobody
is). But if you're not competent enough to protect the data I've entrusted
you with, you have no business collecting it in the first place. Either
that, or you outsource it to someone who is. It's not the ARRL's place to
tell me that their loss of my data is something I don't need to worry
about. That's up to each and every person who trusted them with their
data. The fact that much of the data is public domain is irrelevant. They
were trusted, and they failed.

Accidents happen. I get that. It actually happens a couple of orders of
magnitude more often than most people would believe. I work for a network
security vendor, so I see it day after day from the inside of companies
either trying to plug the gaps, or who are scared to death of becoming
another Wall Street Journal story. The security game has its wins and
its losses. But when you lose, you disclose completely and immediately,
you make whatever amends are necessary to repair the damage you've caused,
and you start towards rebuilding trust by being honest, open, and ensuring
that it won't happen again (at least not the same way). Hiding the truth,
then later disclosing it and then downplaying the value of your data is
completely the wrong move.

Jeff N0GQ
Post by Charles Brabham n5pvl-***@public.gmane.org [linuxham]
I think that we should cut the ARRL a little slack here, they do not put
themselves forward as IT professionals.
As many of us have noted with some of the ARRL's poorly thought-through
proposals to the FCC in the last decade, the organization under K1ZZ's
"leadership" is not even particularly well-informed about radio.
I mean, what can we realistically expect?
73 DE Charles, N5PVL
--
-=jeff=-
Charles Brabham n5pvl-eeV24iX8Xvtg9hUCZPvPmw@public.gmane.org [linuxham]
2014-10-09 02:26:55 UTC
Kind of hard for me to get excited, because I'm not a member. Not a big
fan of the ARRL, I'd like to see an organizational enema over there in
Newington.

73 DE Charles, N5PVL
Post by Jeff Francis™ jeff-CDdbmnNP9qodnm+***@public.gmane.org [linuxham]
It really boils down to this. I trusted you with my data. You
betrayed that trust. If you're not competent enough to protect the
data yourself, that's fine. Not everybody is a security expert
(honestly, almost nobody is). But if you're not competent enough to
protect the data I've entrusted you with, you have no business
collecting it in the first place. Either that, or you outsource it to
someone who is. It's not the ARRL's place to tell me that their loss
of my data is something I don't need to worry about. That's up to
each and every person who trusted them with their data. The fact that
much of the data is public domain is irrelevant. They were trusted,
and they failed.
Accidents happen. I get that. It actually happens a couple of
orders of magnitude more often than most people would believe. I work
for a network security vendor, so I see it day after day from the
inside of companies either trying to plug the gaps, or who are scared
to death of becoming another Wall Street Journal story. The security
game has its wins and its losses. But when you lose, you disclose
completely and immediately, you make whatever amends are necessary to
repair the damage you've caused, and you start towards rebuilding
trust by being honest, open, and ensuring that it won't happen again
(at least not the same way). Hiding the truth, then later disclosing
it and then downplaying the value of your data is completely the wrong
move.
Jeff N0GQ
I think that we should cut the ARRL a little slack here, they do not put
themselves forward as IT professionals.
As many of us have noted with some of the ARRL's poorly thought-through
proposals to the FCC in the last decade, the organization under K1ZZ's
"leadership" is not even particularly well-informed about radio.
I mean, what can we realistically expect?
73 DE Charles, N5PVL
--
-=jeff=-
Jeff KP3FT kp3ft-/E1597aS9LQAvxtiuMwx3w@public.gmane.org [linuxham]
2014-10-09 03:01:23 UTC
Security breaches have happened, do happen, and will happen. Welcome to the real world. Change your passwords, etc. and move on. The sky's not falling. Let's give this thread a rest...

________________________________
From: "Jeff Francis™ jeff-CDdbmnNP9qodnm+***@public.gmane.org [linuxham]" <***@yahoogroups.com>
To: "linuxham-***@public.gmane.org" <linuxham-***@public.gmane.org>
Sent: Wednesday, October 8, 2014 10:02 PM
Subject: Re: [linuxham] ARRL Web Site breached...

It really boils down to this. I trusted you with my data. You betrayed that trust. If you're not competent enough to protect the data yourself, that's fine. Not everybody is a security expert (honestly, almost nobody is). But if you're not competent enough to protect the data I've entrusted you with, you have no business collecting it in the first place. Either that, or you outsource it to someone who is. It's not the ARRL's place to tell me that their loss of my data is something I don't need to worry about. That's up to each and every person who trusted them with their data. The fact that much of the data is public domain is irrelevant. They were trusted, and they failed.

Accidents happen. I get that. It actually happens a couple of orders of magnitude more often than most people would believe. I work for a network security vendor, so I see it day after day from the inside of companies either trying to plug the gaps, or who are scared to death of becoming another Wall Street Journal story. The security game has its wins and its losses. But when you lose, you disclose completely and immediately, you make whatever amends are necessary to repair the damage you've caused, and you start towards rebuilding trust by being honest, open, and ensuring that it won't happen again (at least not the same way). Hiding the truth, then later disclosing it and then downplaying the value of your data is completely the wrong move.


Jeff N0GQ
Post by Charles Brabham n5pvl-***@public.gmane.org [linuxham]
I think that we should cut the ARRL a little slack here, they do not put
themselves forward as IT professionals.
As many of us have noted with some of the ARRL's poorly thought-through
proposals to the FCC in the last decade, the organization under K1ZZ's
"leadership" is not even particularly well-informed about radio.
I mean, what can we realistically expect?
73 DE Charles, N5PVL
--
-=jeff=-
Ken wa8jxm-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org [linuxham]
2014-10-09 11:13:09 UTC
Post by Jeff KP3FT kp3ft-/***@public.gmane.org [linuxham]
Security breaches have happened, do happen, and will happen. Welcome to the real world. Change your passwords, etc. and move on. The sky's not falling.
I agree. If you really, really want all of your information protected, stay off of the Internet. Live off grid, give no one any information. Hacking is unfortunately a reality in today's world. This one seems minor compared to many that are happening (banks, credit card companies, IRS, etc.)

WA8JXM
