Site "Not Secure"

[Admin]

Was this 3rd party "partner" held accountable for their actions? Because every article on the 45 million users who lost data the first time, and the 2.7 million users who lost data the second time, never once mentioned that anyone was caught or prosecuted for these hacks. Every article did say the data was "up for sale" both times.

"In its official statement to Krebs, Vertical Scope noted that the intruders obtained access to all individual websites files but did not provide exclusive details about who conducted the attack and when did the data breach occur."

So stealing data is ok from your partners or kyle is full of "it" or what's the deal? And then there's the malicious advertisements. Almost every time I've encountered malicious advertisements, I've been on a sketchy site to begin with. Which begs the question, do you guys care about your users? Because Kyle knows one of the data breaches was from a 3rd party partner who tried to sell said data and suffered no consequences for their actions. Seems more like the VerticalScope team is just blowing smoke and doesn't have anything under control, specifically their users interests in keeping their personal data safe. And that's my concern, my personal data.

Then there's the malicious ads...

Please do not twist my statement. I never said anything about it was ok, nor did I even reference the second attack, which was a targeted webshell. The breach was referenced and I stated, accurately, that ssl would have done nothing to help in either instance. And if you go further into the history of each instance you'd notice that we do in fact take action to keep user data safe, it's even referenced in this thread that all user data is encrypted on our servers. SSL prevents man in the middle style attacks which have not occurred. It's also been stated that we are adding SSL compliance to our network site by site because SSL is not a plug and play function on a platform like Vbulletin. If this site were xenforo maybe, or IPB 4, but that's not the case so we have to treat each vbulletin site as a unique instance to add it so as not to break functions on each site that would react to the change of the root url.

Lastly, the malicious ads, IE the amazon gift card ads, are not a localized problem. https://discussions.apple.com/thread/8220208

Kyle

[jcase]

SSL prevents man in the middle style attacks which have not occurred.

Kyle, please do tell me how you would even know if a MITM attack has occurred or not? Without implementing https, there is no mechanism to even detect it (let alone prevent it). Previous client of mine did deep packet analysis, and I know I visited beesource from their facility. I know for a fact mitm has occurred between beesource and myself.

Please stop replying with ill informed comments regarding security. Denial of reality isn't how you handle security issues, it is how you end up quoted in Kreb articles. Just keep working on implementing SSL, and stop trying to downplay the fact that lack of SSL is indeed a real security issue here.

[Admin]

Kyle, please do tell me how you would even know if a MITM attack has occurred or not? Without implementing https, there is no mechanism to even detect it (let alone prevent it). Previous client of mine did deep packet analysis, and I know I visited beesource from their facility. I know for a fact mitm has occurred between beesource and myself.

Please stop replying with ill informed comments regarding security. Denial of reality isn't how you handle security issues, it is how you end up quoted in Kreb articles. Just keep working on implementing SSL, and stop trying to downplay the fact that lack of SSL is indeed a real security issue here.

Could you please provide details of the MITM attack, as this will need to be investigated by our security department.
-Philip

[jcase]

Could you please provide details of the MITM attack, as this will need to be investigated by our security department.
-Philip

Philip, many major corporations do active packet analysis on their networks. Many public wifi networks do this, even some consumer ISPs do this. These are all MITM attacks. Since you dont have https running, you security team couldn't do any incident response, they have nothing to act on.

[rwurster]

Kyle, you said it was a 3rd party smash and grab. Misdirection and not addressing the issue and saying I twisted your words is a sure sign of deception. As stated, it must be ok for your 3rd party partners to do these things as they obviously suffered no reprecussions from selling our data.

I agree, HTTPS would not have stopped your smash and grab. It would help keep all of our logins safer though, which is what we've been saying. I mean its not like its the title of the thread or anything.

Thanks

[Admin]

No, they did not sell anything, they were the ones who were hit. As the formal investigation it outside my purview I'm permitted to disclose further information to that effect. This is not misdirection.

But thank you for agreeing with me

Kyle

[BadBeeKeeper]

That was a DB smash and grab from a third party partner we have. SSL would not have prevented that.

Kyle

Correct, which is exactly the point I was making to the other poster- SSL offers protection only in one limited area, and the idea that it would make all login info 'safe' is false.