

Specialforces.com Site Hacked - mschonfeld
http://pastebin.com/vuMypejL

======
tansey
As I'm currently in the middle of a research project on password security, I
downloaded the passwords and had a look. I'm beginning to believe that you
should just assume that if your site does not have any password creation
rules, it will be hacked soon.

The specialforces password dataset contains passwords like "post" -- four
lowercase letters found in any English dictionary, and even matches part of
the email (@post.ca.gov) for the user. If a site lets you choose this as your
password _do not give your credit card info to that site_, simple as that. A
site that is built by someone who is so unaware of the basics of password
security is likely following other insecure practices as well, like storing
your data in plaintext and not properly sanitizing user input.

All the major recent attacks (phpbb, singles.org, rockyou, battlefield heroes
beta, faithwriters, and now specialforces) have had this same glaring issue in
common. In reality, if these sites are letting users choose any password then
for the majority of users you might as well just store them in plaintext. Most
users (70-90%), if left to their own discretion will choose a 6 or 7 character
password with all lowercase letters, meaning it will be trivial to crack even
if it's hashed and salted.

~~~
gommm
While I agree with you, adding special restrictions on passwords is a way to
lose some customers (who can't be bothered or never remember their passwords).
So while I know about basic security practices and will always store passwords
with bcrypt, sanitize user input and not store any purely private data in
plaintext, I'm not going to make a decision about password security that might
mean losing customers.

EDIT: To answer the questions below. Of course, I would not allow people with
administrative access to use weak passwords. But if a user uses a weak
password and someone gets access to his account, he can't do all that much
(save for changing the plan the user pays, which can be easily reversed)...

I'm not responsible for users choosing weak passwords, however I'm responsible
for making sure that no user data/passwords and so on are leaked due to a
security breach. And that's why I use bcrypt to encrypt passwords, that's also
why I outsource the storing of credit card numbers to authorize.net or other
companies that are more competent than me, why I secure as much as possible
the website.

All of this is a matter of trade-offs. Currently, the only websites that I
manage that have credit card numbers on files for some users sell
virtual/digital goods. So, it would be very easy for me to refund a
transaction if it was fraudulent (and in my interest to do so to avoid
chargebacks anyway). I might have a different viewpoint in different
circumstances.

~~~
tansey
_> will always store passwords with bcrypt, sanitize user input and not store
any purely private data in plaintext, I'm not going to make a decision about
password security that might mean losing customers._

This seems incredibly short-sighted, highly unethical, and a breach of the
perceived (or possibly legal, IANAL) fiduciary responsibility of an e-commerce
site. You are knowingly and willingly risking your customers' sensitive data
and, by extension, their financial well-being in order to benefit in the short
term.

Edit: In response to the above edit, my whole point is simply that if you are
trusting your credit card details to a site, then you should be confident in
the security of that site. I meant that it appears from all evidence I've seen
that a good heuristic is to say that no creation rules implies an insecure
site overall. This won't be true for all sites of course, since it's abductive
reasoning, but I think in practice it's useful.

Another important point I made is that there is no point in saying "I use
bcrypt" as a defense here. If you let users choose any password without any
checks, they will choose passwords that are short, common, and consequently
easy to crack, even if hashed and salted via bcrypt. It may take 1000x longer
than if they were encrypted with just a salted MD5, but we're still talking
about effectively instantaneous cracking in either case.

I'm not sure why everyone thinks I'm overreacting here. If your users cannot
see/access their cc info because it's stored securely via some other service
then I suppose that is a lot better, since an attacker cannot actually gain
access to the credit card data. Still, it just seems wrong to me to be so
insecure about user information simply because they don't understand/care
about the potential consequences right now.
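
As an added example (not code from the thread or from any poster), here is a password-creation check in Python that implements the rules tansey argues for in this comment and the earlier one: a minimum length, more than one character class, rejection of common dictionary words, and rejection of anything derived from the account's own email address (the "post" / @post.ca.gov case). It also reports the brute-force keyspace of what the user typed, which is the number behind the point that bcrypt cannot rescue a 7-letter lowercase password. The word list, the sample email, the 10-character minimum and the 40-bit floor are all constructed assumptions, not values from the thread.

```python
"""Password creation-rule checker (added example, not code from the thread).

Implements the checks argued for above: minimum length, more than one
character class, not on a common-password list, and not derived from the
user's own email address. COMMON_WORDS is a constructed stand-in for a real
leaked-password list; MIN_LENGTH and MIN_BITS are assumed thresholds.
"""
import math
import re

# Constructed sample list; a real deployment loads a large leak-derived list.
COMMON_WORDS = {"post", "password", "letmein", "123456", "qwerty", "welcome"}

MIN_LENGTH = 10   # assumed policy value, not from the thread
MIN_BITS = 40     # assumed floor on brute-force keyspace, in bits

# Character classes and the size each adds to an attacker's search alphabet.
_CLASSES = (
    (re.compile(r"[a-z]"), 26),
    (re.compile(r"[A-Z]"), 26),
    (re.compile(r"[0-9]"), 10),
    (re.compile(r"[^A-Za-z0-9]"), 33),   # printable ASCII punctuation and space
)


def alphabet_size(password: str) -> int:
    """Size of the smallest character set an attacker must enumerate.

    A lowercase-only password is searched over 26 symbols per position, which
    is why hashing and salting do not rescue a 7-letter lowercase password.
    """
    return sum(size for pattern, size in _CLASSES if pattern.search(password))


def brute_force_guesses(password: str) -> int:
    """Worst-case number of candidates to exhaust the password's own alphabet."""
    return alphabet_size(password) ** len(password)


def keyspace_bits(password: str) -> float:
    """log2 of brute_force_guesses(); 0.0 for the empty password."""
    size = alphabet_size(password)
    return len(password) * math.log2(size) if size else 0.0


def email_tokens(email: str) -> set:
    """Split 'user@post.ca.gov' into the tokens a guesser would try first."""
    return {t for t in re.split(r"[@.\-_+]", email.lower()) if len(t) >= 3}


def check_password(password: str, email: str = "") -> list:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes_used = sum(1 for pattern, _ in _CLASSES if pattern.search(password))
    if classes_used < 2:
        problems.append("uses a single character class")
    if lowered in COMMON_WORDS:
        problems.append("appears on the common-password list")
    for token in sorted(email_tokens(email)):
        if token in lowered:
            problems.append(f"contains part of the account email ({token!r})")
    if keyspace_bits(password) < MIN_BITS:
        problems.append(f"brute-force keyspace under {MIN_BITS} bits")
    return problems


if __name__ == "__main__":
    # Constructed sample accounts: the thread's "post" case and a long passphrase.
    samples = (("post", "someone@post.ca.gov"),
               ("correct-horse-battery", "someone@post.ca.gov"))
    for pw, mail in samples:
        print(f"{pw!r}: {check_password(pw, mail) or 'accepted'}")
```

The keyspace figure is deliberately computed from the alphabet the user actually used, not from the alphabet the site allows: a cracker targeting a dump from a site with no creation rules starts with the lowercase-only space, and that is the space that matters for the 70-90% of users the comment describes.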

~~~
hackinthebochs
Don't you think you're overstating it? Assuming privileged accounts require a
secure password, what is the risk here except for an individual with a poor
password's information? This person is responsible for their own weak
password. Putting a weak password warning is about as much responsibility as a
site owner has here. Security policies are _always_ a trade-off between
securing information and usability. People seem to forget that around here.

~~~
tansey
And in this case, I am talking _specifically_ about security policies for
sites that store credit card information, like specialforces.com did. I do not
believe that having no password is an acceptable trade-off in this situation.

------
burgerbrain
Good to see them making use of Tor hidden services.

~~~
cookiecaper
I agree, much nicer and smoother than constantly getting removed from various
upload sites and traversing through acres of dead links before you finally
find a valid mirror, and a lot safer than something like BitTorrent.

------
mike-cardwell
Never a good idea to publicly announce that your service is hacker proof.

~~~
jarin
Never a good idea, unless you want people to give you money via credit card.
From my experience, having one of those badges on your checkout form results
in a measurable increase in conversions, even if it doesn't mean anything to
people who understand security.

~~~
drivebyacct2
Is this true even when using a third party payment provider like Stripe or
Paypal?

~~~
biturd
I would love to see an A/B comparison of this. For me, if I see those badges,
I assume the site doesn't know what they are doing, as they should know, any
GoDaddy automated scanner is not worth the wasted disk space from the hits in
your httpd logs. Any programmer that aspires to show those logos is dangerous
and that site will not get my personal information.

------
biturd
I have found this is a useful service after every one of these lulz has
happened: <https://shouldichangemypassword.com/>

~~~
nawariata
Not saying it is, but this could be an ingenious way to harvest valid email
addresses. Social engineering at its finest.

~~~
pavel_lishin
It's probably cheaper to just buy them in batch than it is to pay for the
hosting.

------
mschonfeld
To what extent do you think GoDaddy should be held liable?

~~~
click170
I don't think this is so much a question of liability as it is one of customer
perception. If 'GoDaddy Secured' sites aren't really secure and start getting
hacked, then 'secured by GoDaddy' signs will mean no more than "hackable in 10
minutes or it's free". We'll see how GoDaddy squirms when that happens.

~~~
mschonfeld
I think that beyond customer perception, there is an actual question of legal
liability here. If GoDaddy is purporting to be an expert in security and
selling a service, that is supposed to ensure security, then they should be
found liable for some degree of malpractice.

I'd love to get a real lawyer's opinion on this...

------
scythe
Let's be honest here. Has _any_ "Secured by X company" certification _ever_
actually meant a damn thing? I swear I hear reports about sites like this
getting broken into every week. Those banners are basically the equivalent of
painting a target on your back.

~~~
funkah
I agree with you, these certifications are generally crap. My company signed
up for Hacker Proof a few years ago (badges and shields look secure, ya know),
and it found one SQL injection vuln we had in some old Classic ASP stuff that
nobody used but was still out there. That was good, of course, but I'm sure it
was the equivalent of running an off-the-shelf fuzzing app.

~~~
liquidityprov
Isn't it trivial without the need to use something commercial?

------
dutchbrit
While I find it awesome that people like this bring these security issues to
attention, at least leave the CC & password details out. Sure, you got them,
whoopty-doo, we believe you. Still isn't moral to share them.

~~~
mattdeboard
Different set of morals. Just by virtue of buying tactical gear through
specialforces.com -- which a LOT of people do, not necessarily cops or
military, btw, and most of those people are good honest citizens. Most of the
LEO/mil folks who do are good honest citizens. But to them it is just as moral
to leak credit card info because of guilt-by-association as certain cops think
it's moral to hose down a 62-year-old man with pepper spray until he's dead.

Equally morally bankrupt positions.

------
nhangen
Former Soldier, the type that would have purchased things from sites like this
before venturing overseas, and I'm highly annoyed by the childish nature of
this hack.

Some of these products keep people alive, and it's juvenile to blame
SpecialForces.com for pepper spray during a protest.

If they were really intending on improving the security of these websites,
they wouldn't hand out the data. Sadly, I fear that the worst of this type of
behavior has yet to come.

------
smackfu
I'm sure people with their CC leaked will now be against SOPA.

~~~
apgwoz
why exactly?

~~~
andreyf
'twas sarcasm.

------
dutchbrit
If they really want to make a ding, they should hack GoDaddy.com :)

------
elbac
Can someone clarify exactly what and from whom was stolen?

~~~
dsl
This was just a hack of a random e-commerce site. They (like thousands of
similar small businesses) sell equipment to police and weekend warriors.

The title is a bit misleading, the site had a "Secured by GoDaddy" logo on it,
because the site had purchased its SSL certificate from GoDaddy and they throw
the security logo thing in for free.

EDIT: My bad. They also paid the $4.99/month for the "Hacker Safe" logo.

~~~
mschonfeld
Notice how they have 2 godaddy badges. The one on the right is the SSL one, as
you're describing. The one on the left however, actually reads: "Hacker
Proof... Scanned by...".

~~~
burgerbrain
[http://www.specialforces.com/catalog/view/theme/sfg/image/ic...](http://www.specialforces.com/catalog/view/theme/sfg/image/icon_hacker_proof.gif)

Stunning.

