Thursday, November 8

Security breach story continues to expand

Allan Benamer at the Non-Profit Tech Blog has been covering a couple angle's of the Convio security breach that - quite frankly - I don't understand all the technical issues. However, I know enough about security to be stunned by this exchange in Allan's comment field:

Anonymous "activist" wrote:
Convio’s multiple security failures here are elementary-level and simply inexcusable.

First, as mentioned before, there’s the unencrypted passwords issue.

But secondly, from what I’ve been reading about this, the GetActive and Convio network security was laughable. An employee was allowed to work from home, on a non-secure PC, without the latest spyware & malware protections? And this employee was someone with the priveleges to administratively access ALL 150 accounts that were affected or almost affected? Why does one employee need to be able to access 150 accounts? And this is at a company that is supposed to handle millions upon millions of records of data safely and securely?

A basic security audit would have pointed these vulnerabilities out — but I guess Convio didn’t want to bother with that.

I wonder how the potential of millions and millions of dollars of liabilities from this incident will affect Convio’s planned IPO

Allan responded by saying:
@activist — from what I can tell, the employee might have been phished so spyware and malware would not have helped. I’m more worried by the “download all the passwords” capability. That’s a bit nuts. It was like handing hackers the entire cookie jar. It was not a good kludge and all because they were too unwilling to do an open API. This is a great time to demand an SLA from Convio though. You couldn’t get it before but I’m sure there are lots of demands for SLAs right now coming at Convio.

Yikes. I hadn't read anything about the employee working from home who had access to so many records... and I certainly didn't think that this security breach could be tied to the new API developments that made headlines several weeks ago. Now I'm beginning to think we haven't heard the full story yet.

As always, I know the fact that I run this blog anonymously rubs some people the wrong way, but I continue to invite Convio to use the comments feature on this website if they choose to explain or refute any of this statements... after all, it seems like a better place than the progressive exchange list.


Jacob said...

I don't think Alan was saying the API caused it. I think he was saying if they would have done an open API such a utility (download all passwords) wouldn't have been necessary.

On another note it is important to remember this is not Convio's code base. When they bought GetActive they assumed responsibility for that code so I'm not saying they are off the hook.

What I am saying is that if we are going to draw broader assumptions about how their software works you can't necessarily do that. I'm 99 percent sure that the traditional Convio eCRM doesn't store unencrypted passwords.

Again they should have fixed the security of GetActive when they acquired it, so you can blame them for bad practice. But you can't say they don't code securely when they get a chance to do it from scratch.

That isn't to say I'm sure that they do, but that you can't draw that inference from this incident.

"a fundraiser" said...

Thanks for the clarification Jacob.

Allan Benamer said...

Jacob is right. An open API would have actually ELIMINATED the need to download all passwords. So it's quite unfortunate that this had to happen in the first place.

I'm a little puzzled as to why they didn't see this coming. It's bad security practice to have a "mass password download" feature. You don't have to be a security specialist for that red flag to be raised. What's clear here is that Convio was surprised by the level of opprobrium directed at it for failing to protect what it considered to be low-value goods -- usernames and passwords. Convio was more worried about protecting credit cards instead. This led to a distortion in its security policy that resulted in the issue we have now.

Mindy Reed said...

Is that part about an employee being able to work from a personal computer at home true?