Author Topic: Important Security Notice About Comodo Forums Accounts  (Read 28659 times)

Offline ReeceN

  • Comodo's Hero
  • *****
  • Posts: 592
  • Paranoid B#st#rd - CIA
Re: Important Security Notice About Comodo Forums Accounts
« Reply #30 on: October 05, 2019, 08:26:32 PM »
The fact sheet for Comodo indicates they have over 600 employees.

It would appear to me that most of Comodo's employees are not part of the consumer web development team, nor would I expect them to be trained to manage it either. If they had been, then I would expect the consumer websites would be less of a mess.

Furthermore they have actually used a 3rd party marketing/web agency based in Clifton. I expect they may be contracted to carry out some of the updates.

Quote from: chilinux
was Comodo Endpoint Security which was stated to me as providing 100% protection able to stop the breach?

Comodo Endpoint has nothing to do with protecting this forum on the web server from a forum software based exploit.

Quote from: chilinux
How about Comodo HackerProof site inspector, did it provide the next dimension in website scanning to stop the breach?

Is HackerProof used on this forum?

Quote from: chilinux
How about Comodo Dragon Platform, was there bulletproof 100% protection from zero-day attacks to stop this breach?

Once again, Comodo Dragon is not going to prevent forum software exploits being targeted on a web server.

Offline chilinux

  • Newbie
  • *
  • Posts: 11
Re: Important Security Notice About Comodo Forums Accounts
« Reply #31 on: October 05, 2019, 11:53:40 PM »
Quote from: ReeceN
It would appear to me that most of Comodo's employees are not part of the consumer web development team, nor would I expect them to be trained to manage it either. If they had been, then I would expect the consumer websites would be less of a mess.

Quote from: ReeceN
Furthermore they have actually used a 3rd party marketing/web agency based in Clifton. I expect they may be contracted to carry out some of the updates.

So they take security very seriously for their forum but neither take direct responsibility nor act in an advisory role in hardening the security of their own forum?  I think we might be getting back to Zack Whittaker's complaint then that it is a hollow statement for vendors to keep claiming to take security seriously after a data breach.

Quote from: ReeceN
Is HackerProof used on this forum?

Why wouldn't they use it as part of taking security seriously and if there is a known issue with a 3rd party run service that directly impacts the Comodo brand to insist the 3rd party address the issue?  Why wouldn't they also offer the Clifton agency free licenses to all the Comodo security tools if not at the very least for protecting the Comodo brand and Comodo customers?  We should buy into security solutions even their own marketing agency wouldn't touch??

mmalheiros points out that the web server indicates it is Apache/Debian.  He then points out an online tool to get that information.  The online tool states it is Apache v2.4.45 which seems to indicate they are still running Debian 9.  That distribution version was released in June 2017.  At the time it made sense to have TLS 1.0 and TLS 1.1 enabled by default.  In 2018, the IETF and NIST have stated those protocols should be considered deprecated.  TLS 1.0 has not aged well with such issues as BEAST and POODLE.  Shouldn't Comodo take security seriously enough to scan for that issue and see that it gets addressed?

The forum performs HTTP code 307 redirects to non-HTTPS emoji icons.  In the past there have been browser exploits based on maliciously crafted image files.  Shouldn't a Comodo that takes security seriously avoid the potential for a man in the middle attack delivering such an exploit when sending the image unencrypted?  Why are they undermining the HSTS setting with HTTP redirects to unencrypted transmission of these images?

According to BleepingComputer, the Comodo forums database includes MD5 hashed passwords for the Comodo forums running the Simple Machines Forum software.  According to the changelog for SMF, if the forum software is upgraded since 2005 then any successful login will also upgrade the MD5 hash to a SHA-1 hash.  There have been 16 CVEs issued for the Simple Machines Forum software since 2005, have those security fixes not been applied?  Shouldn't Comodo use its "next dimension in website scanning" to make sure the web application is kept up to date with security patches?  Would it really be acceptable that Comodo took security seriously by sitting on the sidelines and letting a 3rd party using their brand not address this?

Quote from: ReeceN
Once again, Comodo Dragon is not going to prevent forum software exploits being targeted on a web server.

If you picked any medium size company at random and told the CEO of that company that a product has 100% protection from zero-day attacks using zero trust breach protection, would that imply to that CEO that the software is not going to prevent forum software exploits?  What is a zero-day attack if it isn't something that takes advantage of software exploits such as forum software exploits?  What exactly is Comodo trying to communicate in the material for why we should be using the Comodo Dragon platform?

As far as I see it, the way Comodo claims their tools work to prevent at 100% levels makes security worse for several users.  If you believe that you have everything covered through magic without having to take any additional steps then you may become lax on applying other preventive measures.  Getting lax to the point of leaving deprecated default configuration options, leaving open MITM attacks and not keeping software up to date for known issues would be bad for taking security seriously.

Instead, if Comodo could dial down their marketing claims just a slight notch such as stating their tools are helpful for security exploit mitigation when used as part of a well-balanced breakfast of security policies and tools, then the customer might be more aware to not be lax.

But the claim of having 100% prevention tools and having a data breach which can still happen when taking security very seriously just doesn't logically mesh together well.
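
Added example, not part of any post in this thread: a small Python audit for the HTTPS-to-HTTP redirect issue raised in Reply #31. It takes recorded redirect hops and the HSTS policies a browser would hold, and reports which downgrades would really travel in cleartext. The host names, paths and policy values are constructed sample data, and `hsts_covers` and `audit_redirects` are hypothetical helper names.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


def hsts_covers(host, policies):
    """Return True if a browser holding `policies` would force HTTPS for host.

    `policies` maps each host that sent Strict-Transport-Security to a bool
    that is True when the header carried includeSubDomains.
    """
    host = host.lower().rstrip(".")
    if host in policies:
        return True
    labels = host.split(".")
    # Parent-domain policies apply only when they set includeSubDomains.
    for i in range(1, len(labels)):
        if policies.get(".".join(labels[i:])):
            return True
    return False


def audit_redirects(hops, policies):
    """Flag hops where an https:// URL redirects to an http:// URL.

    `hops` is a list of (request_url, status_code, location_header) tuples.
    A finding has cleartext=True when no HSTS policy covers the target host,
    so the follow-up request is sent unencrypted and can be tampered with.
    """
    findings = []
    for url, status, location in hops:
        if status not in REDIRECT_CODES or not location:
            continue
        target = urljoin(url, location)  # resolves relative Location values
        if urlsplit(url).scheme == "https" and urlsplit(target).scheme == "http":
            host = urlsplit(target).hostname or ""
            findings.append({
                "from": url,
                "to": target,
                "status": status,
                "cleartext": not hsts_covers(host, policies),
            })
    return findings


# Constructed sample: the forum host sends HSTS without includeSubDomains,
# so a sibling host serving images is not covered by the policy.
SAMPLE_POLICIES = {"forum.example.test": False}
SAMPLE_HOPS = [
    ("https://forum.example.test/index.php", 200, None),
    ("https://forum.example.test/Smileys/smile.gif", 307,
     "http://static.example.test/smileys/smile.gif"),
    ("https://forum.example.test/Smileys/wink.gif", 307,
     "http://forum.example.test/img/wink.gif"),
    ("https://forum.example.test/old", 302, "/new"),
]

if __name__ == "__main__":
    for f in audit_redirects(SAMPLE_HOPS, SAMPLE_POLICIES):
        verdict = "CLEARTEXT" if f["cleartext"] else "upgraded by HSTS"
        print(f'{f["status"]} {f["from"]} -> {f["to"]}: {verdict}')
```

The redirect to the sibling host is the one that matters: HSTS on the forum host alone does not extend to it unless the policy is set on a parent domain with includeSubDomains.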

Offline ReeceN

  • Comodo's Hero
  • *****
  • Posts: 592
  • Paranoid B#st#rd - CIA
Re: Important Security Notice About Comodo Forums Accounts
« Reply #32 on: October 06, 2019, 06:58:24 AM »
Quote
If you picked any medium size company at random and told the CEO of that company that a product has 100% protection from zero-day attacks using zero trust breach protection, would that imply to that CEO that the software is not going to prevent forum software exploits?

and

Quote
The online tool states it is Apache v2.4.45

Only Windows Endpoint has container technology to protect against infecting the host system. They do not provide this for Linux (Debian).

Furthermore even if they did, hacking a website does not mean that the host system has been hacked either.

The job of a system AV Endpoint client is not to stop websites being hacked.
« Last Edit: October 06, 2019, 07:43:50 AM by ReeceN »

Offline prodex

  • Comodo's Hero
  • *****
  • Posts: 510
Re: Important Security Notice About Comodo Forums Accounts
« Reply #33 on: October 06, 2019, 10:19:19 AM »

Quote from: ReeceN
Furthermore even if they did, hacking a website does not mean that the host system has been hacked either.

Quote from: ReeceN
The job of a system AV Endpoint client is not to stop websites being hacked.

In a nutshell: That's all there is to say and I trust my experience with Comodo.

Offline chilinux

  • Newbie
  • *
  • Posts: 11
Re: Important Security Notice About Comodo Forums Accounts
« Reply #34 on: October 06, 2019, 04:50:11 PM »
Quote from: ReeceN
Only Windows Endpoint has container technology to protect against infecting the host system. They do not provide this for Linux (Debian).

Let's go with your assumption that Windows has a container technology that Linux lacks or that the Linux offering is somehow insufficient.

The Comodo e-book never states that preventing breaches with zero trust requires discontinued use of Linux.  It instead brings up the need to protect data in the hybrid cloud.  They even reference a report from LogicMonitor on the decline of on-premise service in favor of cloud services from AWS, Azure and Google Cloud.  The most popular operating system on all three of those cloud platforms is currently Linux.

Comodo's e-book reaches the conclusion they are providing a comprehensive portfolio which covers the "entire IT ecosystem, on-premises and in the cloud."  If there are fundamental issues with including Linux in that IT ecosystem for achieving Comodo's zero trust security of preventing breaches then they should disclose that in the e-book.  Instead, they point to cloud services that Linux holds a majority in and state they will provide a solution for entire IT.

Also, the onus was on Comodo when choosing a forum provider to use their findings on operating system container technology accordingly.  If Comodo believes Windows container technology is somehow better then Comodo should have selected to run their forums on Windows.  If they are taking security seriously, they should go with what they are the most confident they can secure.

Quote from: ReeceN
Furthermore even if they did, hacking a website does not mean that the host system has been hacked either.

Correct.  My complaint is not if the host system had been hacked.  What I am stating is they have an e-book about preventing breaches and then their own forum was hit by a data breach.  Regardless of the integrity of the host system at this point, they either failed to take security seriously enough to follow their own breach prevention method or their breach prevention method failed.

Quote from: ReeceN
The job of a system AV Endpoint client is not to stop websites being hacked.

If that is the limitation of Comodo's suite of products, that would be understandable.  What is not understandable is to promote having breach protection and then not provide that breach protection to their own forum members' data.

Does Comodo have the tools that can "breach proof [a] business with [Comodo's] zero trust platform" as stated on Comodo's home page?  If they do, then why wasn't that protection provided to the data of their own forum members?

Quote from: prodex
In a nutshell: That's all there is to say and I trust my experience with Comodo.

That is great.  I am glad you are getting the experience you expect from Comodo.  I am not endorsing or trying to sell you on any alternative product.  I am trying to get the opposite, how would you sell me on the idea that the forum data breach is consistent with getting me to buy an active "breach proof" prevention solution from Comodo?  Or why should the average medium business CEO now believe Comodo's home page that they can provide a "breach proof" solution?  Is your full selling point that everyone should trust your specific experience or do you have something more to back the breach proof claim?

Offline pio

  • Malware Research Group
  • Comodo's Hero
  • *****
  • Posts: 667
  • I like CIS , Kali Linux , IDA Pro & Fl Studio ;)
Re: Important Security Notice About Comodo Forums Accounts
« Reply #35 on: October 06, 2019, 05:18:32 PM »
Whoever was responsible for updating the forum software has to do it the next time as soon as possible. That this hasn't happened, reveals abuses in the company's internal processes or the responsibilities. Comodo can and should definitely make improvements to this! This is not magic, but simply forms the indispensable basis of ANY IT security concept.
« Last Edit: October 06, 2019, 05:22:32 PM by pio »
*** Paranoid Bastard since CIS 3.5 ! Independent - NON Profit Malware Analyst ***

Offline prodex

  • Comodo's Hero
  • *****
  • Posts: 510
Re: Important Security Notice About Comodo Forums Accounts
« Reply #36 on: October 07, 2019, 12:57:39 AM »
Quote from: chilinux
If they do, then why wasn't that protection provided to the data of their own forum members?.....

Quote from: chilinux
Is your full selling point that everyone should trust your specific experience or do you have something more to back the breach proof claim?

1) Of course an argument to think about! But no argument not to trust Comodo furthermore as a software to protect your PC.

2) Not everyone is an IT specialist or a programmer.

Do I have to be a vehicle specialist to be able to say whether my car drives reliably? If out of 100 people in a car forum 95 percent are satisfied with a particular car (no special repairs, reliable in any weather, etc), then this is a good condition to buy this car.

Comodo protects reliably - until now and not only on my PC, and that has more value for me and not just for me than when a forum has been cracked.

Or vice versa:
It seems that Kaspersky's forum has never been hacked, but hackers have been able to spy on K-software users for years while surfing. Which protection is better now and yes: experiences are a buying argument (see opinions of users on Amazon - if you should consider them with caution).

Whether Kaspersky's opinion will satisfy the users is another question:


https://www.kaspersky.com/blog/tracking-ids-bug/27979

And because this matter is not a problem for me, this is done for me.
« Last Edit: October 07, 2019, 01:03:08 AM by prodex »

Offline chilinux

  • Newbie
  • *
  • Posts: 11
Re: Important Security Notice About Comodo Forums Accounts
« Reply #37 on: October 07, 2019, 04:40:27 AM »
Quote from: prodex
2) Not everyone is an IT specialist or a programmer.

Quote from: prodex
Do I have to be a vehicle specialist to be able to say whether my car drives reliably? If out of 100 people in a car forum 95 percent are satisfied with a particular car (no special repairs, reliable in any weather, etc), then this is a good condition to buy this car.

If 95 out of 100 people driving the Chevrolet Cobalts were satisfied with their car, then I am happy for them.  When General Motors claims they take safety seriously, they should address any known issues that don't live up to the marketing.  Once 124 people die from a faulty ignition switch that the company silently fixed only for new model years, then the discussion about the 95 satisfied customers makes less sense.  No matter how many people are satisfied with GM's products they still have an obligation to be honest about the degree their product is what they claim it to be.

Do you have to be a vehicle specialist?  No, you don't--but you do need the car vendor to be honest.

Quote from: prodex
Comodo protects reliably - until now and not only on my PC, and that has more value for me and not just for me than when a forum has been cracked.

Quote from: prodex
Or vice versa:
It seems that Kaspersky's forum has never been hacked, but hackers have been able to spy on K-software users for years while surfing. Which protection is better now and yes: experiences are a buying argument (see opinions of users on Amazon - if you should consider them with caution).

Quote from: prodex
Whether Kaspersky's opinion will satisfy the users is another question:

https://www.kaspersky.com/blog/tracking-ids-bug/27979

Quote from: prodex
And because this matter is not a problem for me, this is done for me.

It is disappointing the number of vendors that have super-cookie style tracking issues with the software they sell.

And if the vendor stated on their home page they provide 100% privacy only to then discover they have a super-cookie, that would be really upsetting.  I would expect an explanation for that situation.

Despite not claiming 100% privacy protection, the vendor you are talking about has provided a more detailed explanation than Comodo has.

I would feel better if there was as detailed an explanation from Comodo how they can claim on their home page to have breach protection but then also have a forum breach.

Offline mmalheiros

  • Comodo's Hero
  • *****
  • Posts: 315
Re: Important Security Notice About Comodo Forums Accounts
« Reply #38 on: October 07, 2019, 05:53:06 AM »
Quote from: prodex
https://www.kaspersky.com/blog/tracking-ids-bug/27979

Regarding problems at Kaspersky, I'd like to point to this article which mentions Kaspersky software being used by the Russian Government to track people of interest to them. We rarely see people or the specialized press criticizing Kaspersky because of this. Even with such situations Kaspersky still has a good reputation.
http://www.pcworld.com/article/3235484/what-the-kaspersky-antivirus-hack-really-means.html

I also remember some of their websites being hacked in 2009 alongside Bitdefender IIRC.

Like the article also mentioned, these problems at security firms rarely matter at all to home or office users. In Kaspersky's case this can be regarded as an issue at Governments who may use their software. And Trump did ban Kaspersky from US Government machines after all.

IMO the multiple problems that Comodo faced in the past, as well as the recent Forum breach, are nothing to detriment the quality of their Windows Security software at preventing malware infections.

Offline ReeceN

  • Comodo's Hero
  • *****
  • Posts: 592
  • Paranoid B#st#rd - CIA
Re: Important Security Notice About Comodo Forums Accounts
« Reply #39 on: October 07, 2019, 09:15:12 AM »
Quote from: chilinux
My complaint is not if the host system had been hacked.

Whilst in your previous post.

Quote from: chilinux
was Comodo Endpoint Security which was stated to me as providing 100% protection able to stop the breach?

Mentioning Comodo Endpoint regarding the issue of protecting a web forum from a hack can make it sound like you were trying to argue that Comodo Endpoint should have protected the website from being hacked.

You should be careful not to confuse less tech savvy users as that is rather irresponsible.

Neither Dragon Platform nor Comodo Endpoint are tasked with preventing any websites being hacked and I doubt you will find any statement from Comodo that states these two products protect websites from hacks.

Thus mentioning either product regarding a website hack is misleading at best.

Offline chilinux

  • Newbie
  • *
  • Posts: 11
Re: Important Security Notice About Comodo Forums Accounts
« Reply #40 on: October 07, 2019, 11:24:40 AM »
Quote from: ReeceN
Neither Dragon Platform nor Comodo Endpoint are tasked with preventing any websites being hacked and I doubt you will find any statement from Comodo that states these two products protect websites from hacks.

Quote from: ReeceN
Thus mentioning either product regarding a website hack is misleading at best.

Comodo's main web page:

"ACTIVE BREACH PROTECTION Breach Proof Your Business with Our Zero Trust Platform [EXPLORE THE PLATFORM]"

Leads to:

"DRAGON PLATFORM"

"Activate breach protection for your business with the Dragon Platform."

"Comodo delivers everything cybersecurity you ever needed to activate breach protection immediate value added from day one"

"Bulletproof Protection  Scored 100% protection from zero-day attacks"

"ZERO TRUST PROTECTION  Get breach protection from our leading portfolio of cybersecurity solutions and services."

"Comodo's Dragon platform offers your business a zero trust environment to provide breach protection for your digital evolution."

"Make your life easier, your customers safer, your employees more productive and your data more secure with the Comodo's Dragon Platform."


There are multiple places where Comodo refers to their Comodo Dragon platform as providing breach protection and protecting customer data.  If you go back to Comodo's home page and download the E-Book on "Preventing Breaches by Building a Zero Trust Platform", it talks about the protection for the entire IT environment including the public and hybrid cloud.  It also states:

"This shift from reactive to proactive is what makes Comodo Cybersecurity unique and gives them the capacity to protect your business—from network to the web to cloud—with confidence and efficacy."

Back on Comodo's main page, it also references "Comodo Cybersecurity" in a heading right above the "DRAGON PLATFORM" and "REQUEST DEMO TODAY" which leads to "See the Comodo Dragon Platform in Action"


So, there are strong indications on the Comodo web page that "Comodo Cybersecurity" and the "Zero Trust Platform" are both references to the "Comodo Dragon Platform."  They also state multiple times that this platform provides protection from breaches.  As far as I know, the majority of public and hybrid cloud are web based which they also imply their platform protects.  The E-Book clearly defines the web services as part of the entire IT ecosystem and reaches the conclusion Comodo is the solution for protecting them.  What Comodo product are they talking about if not the Comodo Dragon Platform?  Comodo is clearly indicating to provide prevention of breaches, so what product from Comodo should they have been running on this forum to get that breach prevention?

Offline ReeceN

  • Comodo's Hero
  • *****
  • Posts: 592
  • Paranoid B#st#rd - CIA
Re: Important Security Notice About Comodo Forums Accounts
« Reply #41 on: October 07, 2019, 12:40:06 PM »
Not one sentence from what you posted there states Comodo provides protection against websites being hacked via the Dragon Platform.

You seem to have misunderstood its meaning.

In fact the first paragraph on the Dragon Platform page makes it clear it is for endpoints.

Quote from: https://www.comodo.com/why-comodo.php
Our complete cloud-native framework delivers zero trust architecture to protect & defend your endpoints. Activate breach protection for your business with the Dragon Platform.

Offline chilinux

  • Newbie
  • *
  • Posts: 11
Re: Important Security Notice About Comodo Forums Accounts
« Reply #42 on: October 07, 2019, 03:36:29 PM »
Quote from: ReeceN
Not one sentence from what you posted there states Comodo provides protection against websites being hacked via the Dragon Platform.

The original security notice about "a potential data breach" did not use the word "hacked" and I didn't either.  I was strictly focused on a notice of data breach from a company that has a very strong claim to being able to prevent data breaches.

I have also found nothing in the Zero Trust e-book or any of the promotional material that indicates limitations to the "active breach proof protection."  If a hack can result in a data breach then that would still violate the claim of having protected against a breach.  Once a vendor gets to the point of releasing a full e-book, there should be no excuse as to being transparent about the product limitations.

Also, a product called "Comodo HackerProof" ... it is really strongly implied in the name of the product it is to prevent being hacked.

From the web page about why sites should use the HackerProof TrustLogo(R), it is stated:
"78 percent of online shoppers say that a seal indicates that their information is secure"

"Nearly 70 percent of online shoppers have terminated an online order because they did not 'trust' the transaction. In those cases, 53 percent indicated that the presence of a seal would have likely prevented the termination."

So, they seem to be acknowledging the role of the seal is to make shoppers less vigilant and proceed with (blindly?) trusting the site to keep the data secure.  If HackerProof is allowing for the site to be hacked then they seem to be admitting that 78% of shoppers are being misled regarding the security the logo indicates.  What exactly is "the next dimension in website scanning" accomplishing at the end of the day?

While the Comodo forums do not have the HackerProof TrustLogo(R) displayed, as part of taking security seriously Comodo should be using HackerProof for their own forums and the capabilities of the product should still remain the same.

Quote from: ReeceN
In fact the first paragraph on the Dragon Platform page makes it clear it is for endpoints.

Correct.  Any device that is the final destination for a network packet is an endpoint.  This forum is on an endpoint.  A system running Debian Linux is an endpoint.  I have evaluated endpoint protection products for Linux.  If they don't provide support for Linux, then I question their claim of protecting the entire IT ecosystem that includes the public and hybrid cloud.  However, they also have had the option to run the forum on Windows.  PHP runs on Windows and can be used with IIS.  MySQL runs on Windows.  A system running Windows server is also an endpoint.

So, now that we are in agreement that the Dragon Platform is for endpoints, where was the "Active Breach Proof Protection" via a "Zero Trust Platform" for this endpoint which now has a notice of a breach?
« Last Edit: October 07, 2019, 03:40:19 PM by chilinux »

Offline prodex

  • Comodo's Hero
  • *****
  • Posts: 510
Re: Important Security Notice About Comodo Forums Accounts
« Reply #43 on: October 07, 2019, 11:50:32 PM »
I have no sales platform, sell nothing on the Internet, I'm just a regular user.
In this forum are about me no confidential, sensitive data to find. No credit card number, no bank account - nothing (oh: my e-mail address). I do not know how many users here personal data such. have saved the mentioned by me. I no. So why should I worry about that?

Why doesn't Comodo use their own tool on this page? Ask someone from the team.


https://www.g2.com/products/comodo-hackerproof/competitors/alternatives
Quote

Comodo HackerProof Alternatives & Competitors
(1)
5.0 out of 5

Looking for alternatives to Comodo HackerProof? Tons of people want Vulnerability Scanner software. What's difficult is finding out whether or not the software you choose is right for you.

Top 20 Alternatives & Competitors to Comodo HackerProof

Nessus
AlienVault USM (from AT&T Cybersecurity)
BurpSuite
Acunetix Vulnerability Scanner
Qualys

.....and more

https://gbhackers.com/best-vulnerability-scanner/#

Quote
Giridhara Raam
http://www.gbhackers.com
Giridhara Raam is a Cybersecurity Evangelist, Analyst, Author, Speaker. He also immerses himself in cybersecurity research from an endpoint security management. He is a Security Writer & Author of GBHackers On Security
ABOUT US
GBHackers on security is a Cyber Security platform that covers daily Cyber Security News, Hacking News, Technology updates and Kali Linux tutorials. Our mission is to keep the community up to date with happenings in the Cyber World.
Contact us: admin[at]gbhackers.com

10 Best Vulnerability Scanning Tools For Penetration Testing – 2019

1.OpenVAS Vulnerability Scanner

4.Comodo HackerProof

« Last Edit: October 08, 2019, 12:35:54 AM by prodex »

Offline chilinux

  • Newbie
  • *
  • Posts: 11
Re: Important Security Notice About Comodo Forums Accounts
« Reply #44 on: October 08, 2019, 01:37:38 AM »
Quote from: prodex
I have no sales platform, sell nothing on the Internet, I'm just a regular user.
In this forum are about me no confidential, sensitive data to find. No credit card number, no bank account - nothing (oh: my e-mail address). I do not know how many users here personal data such. have saved the mentioned by me. I no. So why should I worry about that?

According to BleepingComputer, the data for sale from the breach of the Comodo forums includes the member's name, country, IP address of last login and MD5 hash of the password.

If I ask you to give me all of those details, would you?  Are you at all curious what type of spear phishing email can be composed with that information?  Are you interested in what using hashcat could do with a MD5 hashed password?  What if I offered to give a penny to someone you never met if you give me those details, would it be a good deal then?

What if you were forced to take that deal, would you want to know why?  Or would you want no explanation at all?  Did this deal meet with your expectations of Comodo?

Quote from: prodex
Why doesn't Comodo use their own tool on this page? Ask someone from the team.

Comodo's team has not been responsive to questions in the past even when they initiate the conversation about buying their enterprise services.

- link to list of hackproof alternatives -

- link to gbhackers list of 10 best vulnerability scanning tools -

Neither of these lists provides any details for a test methodology or criteria for success.

gbhackers throws in Wireshark and Aircrack-ng in a top 10 list of vulnerability scanning tools??  Both are great projects but neither are vulnerability scanning tools.

At least gbhackers keeps his WordPress up to date.  So maybe Comodo should hire one of them to maintain the forums software?

Thank you for your feedback.
