Breaches happens - nothing is fool proof. Why does the US NAVY lose so many laptop PC's every year ? Why do police stations lose weapons inside their building (please don't say it does not happen globally because it does) ? Why is evidence lost in transit ?

Why did NRM_Oz have to spend 36 hours washing and gassing up patrol cars over 3 shifts for misplacing his portable radio (with trunk call facilities) in the carpark 1989 with the 2nd shift commander who also misplaced his as well in the carpark ?

It happens and every precaution in the world is not going to ensure full security protection from everything. In IT anyone with a bit of nouse will tell you that "termiting" which means chipping away at something will eventually lead to penetration and it does happen - but does take time.

Ok. Here's my take on this...

1. In all likelyhood, SIW was compromised because of the forum software they run. Just like many other sites are. vBulletin is one of the most heavily used forums out there. Many, many, sites run vBulletin. There are always bugs in all software, and the company that makes vBulletin publishes security advisories and patches. Its a game, where bots created to take advantage of the exploit in a particular version of vBulletin try to gain access to unpatched copies before they're patched.

2. Forums are constantly under attack from scripts which try to use known exploits against the forum. Lists of forums that happen to be what the bot can attack are created by using search engines looking for specific strings. SIW was most likely not targeted because it was SIW, but because it was a forum running vBulletin.

3. No forum is safe from these exploits. It isn't because of who the forum is, its because it runs of software that bots are actively trying to attack. Right now, bots are roaming the internet trying to attack every forum on the planet running the bot's target software. vBulletin, phpBB, YaBB, SMF, you name it, its being looked at.

Accountability is good and all, but remember: For most exploits, its nothing personal. Its a bot who found the site through Google while searching for 'vBulletin <version number>' and then tries to hack in to every site listed in the return.

Allow me to respond

David's note was fully accurate and SIW is very keen on security, however, breaches do happen. I will say that when I set up these forums from an administrative perspective, I wanted to make sure that security professionals felt comfortable here, and that means not requiring you to proivde details that could compromise your own security -- which is why we DON'T require you to provide things like date of birth, phone number, real name, name of employer, etc. I thank you all for understanding, and the reason we sent out the note is to get the passwords changed, and to make sure you know that if you were using the exact same username and password elsewhere, you would consider renewing your password elsewhere. Frankly, it's good practice to update passwords (even though it's a pain), and SIW will continue to be prompt and open about how we value your privacy.

As others have said, we think we are on stronger ground --- even if we take a bit of public "egg on the face" by disclosing this --- if it means you are notified swiftly and promptly. David's announcement note will continue to sit on our forums pages for at least another week so that our members know to update their passwords. Again, thanks for being a member of SecurityInfoWatch.com's forums, and if you have concerns, feel free to PM me.


Geoff Kohl
SecurityInfoWatch.com

Ironic- YES, and SCARY too.

I agree with most of you that it was good how quickly this problem was handled (if what the message that was sent was true in all aspects), but I also agree that it should not be necessary to ask persons joining the forums for personal info (like date of birth's) or even names for that matter. A person's computer usage name (their aka, or moniker as it were) and their password is all that is really needed. You can ask for a brief summary of why their joining, but let's face it, it could all be lies anyway.

I tell you I'm a recently retired police officer looking to get back into the security field. How do you know it's true. I tell you it is, I hope you believe me, but really, how do you know. It's the same for everyone else. If only 1% of our fellow members are up to no good, that would still be quite a large number. If we did not have to provide identifying info, no matter what info was stolen from the forum's website, no harm (should be) able to be done to any member. TTFN (TA TA FOR NOW

You should be able to demonstrate that due diligence (no pun intended) has been completed to prevent such breaches from occurring. We all know that hackers are out there and always refining their techniques. Therefore, a company that maintains a database with personal information is obligated to ensure that prudent and reasonable steps have been taken to guard against such attacks. Failure to do so is a form of negligence.

No computer system is 100% safe just as no driver is 100% safe from causing an accident. That's why we are legally required to be insured and may face civil action in the event of an accident – we have to take responsibility.

True, but what can you do to take action against hackers. Keep in mind I am no techie...

I agree that that is a plus, provided the law doesn't already require it. Nevertheless, I still don't see anyone (not singling out any one company) stepping up to the plate to take responsibility.

I see it as more of an act of honesty personaly... As for the laptop theft that seems like a physical security issue though I am not familiar with the story.

Cheers

I guess what I don't care for is the implied message of disclosure: "There, we told you, now we're free and clear."

I would like to see more accountability for the information that companies ask for. If they don't want the liability, then let us opt out of revealing it as a requirement.

I just recently received notification that some laptops were missing from a large SECURITY company. I bet they didn't print it in the WSJ for all their clients to see.

Well guess I don't have to ask if anyone else got that email anymore...

Fortunately this security breach was detected early and hopefully minimal at most harm was done. Thank you to those involved in the catch, as well as your honesty to us all.

I had a thought...

This goes to show that it isn't just the 'good guys' checking out SIW, which leads me to reinstate that which has been said before regarding the use of caution when discussing our duties, properties, clients, location, and anything else that may be sensitive or overtly beneficial to someone with ill intent. After all this is the internet and I believe I found this site while researching something or other involving security on a popular search engine. Glad I did.

We have everyone from entry level security types who are trying to better themselves, to very experienced security professionals, and all in between who refuse to stop learning and becoming better. Working at sites ranging from basic and under appreciated/paid jobs to, well... who knows.

We all have one simple thing in common, we are trusted by someone who wants to keep something be it property or people safe, and that's What we do, then congregate here to learn, share and have a few laughs.

Cheers

JB

SecTrainer it is meet indeed they took the notification route so quickly as they did. Others would have taken forever to have done so.
Wnjoy the day,
Bill