Important Security Notice About Comodo Forums Accounts

From the ZDNet article:

Download links to the hacked database have been shared by a hacked data trader known as Instakilla, believed to be operating out of Bulgaria.
I would not call sharing hacked data by a “hacked data trader” activity of a white hat hacker.

I don’t want to defend anyone who invades foreign systems and also forces ME to change my password, and I don’t know the exact content of the state documents that were stolen, but for example, in order to expose the intention of illegal practices or to reveal security gaps, this would give the thing a different character.

He also has a VIP account on “raidforums.com” and he describes himself as “Penetration Tester & Web Developer”. Whether this is true or if he would rather be described as “Gray Hat”, I cannot answer unfortunately.

Update:

The “loot” from the forum hack was also already offered for trade/selling and I don’t like that!!! >:(

I only heard about this from another site, maybe sending out an e-mail to forum members asking them to change their passwords would be helpful.

Totally agree, this should have been done as soon as the forums were put back online.

Makes me think Comodo has a lack of contingency plans for such events.

To me this shows one thing.

I think that Comodo has too many websites resulting in the lack of resources to effectively manage them all.

I think that you only need one main website guys. I would kill off all of the legacy websites that are just clogging up time and development.

You, seemingly to me, can’t even update all of the different listings for CIS with the new pricing at the same time (as you seem to be still finding old listings). This just further proves my point.

I think that you should kill that clutter!

I think you are going in the wrong direction with this. The fact sheet for Comodo indicates they have over 600 employees. The mission statement of Comodo seems to indicate that they should have a larger percentage of employees dedicated to computer security than your average company. Given the information provided by Comodo for their products, they should be able to run more mainstream public facing internet services in a honey-pot like state and keep it secure. At least they should be in a better position than most of their customers to use their tools to keep things safe. It seems to me that Comodo employees, when asked if their tools will protect online web services, won’t stop at just indicating it can protect use of vBulletin or SMF. Comodo seems like the type of company that is willing to companies should be using Comodo tools to protect phpBB, WordPress, Joomla, Magento, etc. Comodo seems to have so much ambition about what their tools can do. But it would be nice if Comodo demonstrated that level of protection themselves.

Something that caught my attention of this notice was the very first line:

"At Comodo, we take security very seriously and it is our highest priority."

A highly respected computer security journalist, Zack Whittaker, wrote an article for TechCrunch back in February of this year called “At Comodo, we take security very seriously and it is our highest priority.”

The article begins with:

And the article ends with:

I’m sure a company as security focused as Comodo is aware of the works of Zack Whittaker and wouldn’t post hollow remarks on their forum. So, when Comodo says they take security seriously that should imply they have been using their own products to protect the data.

So, was Comodo Endpoint Security which was stated to me as providing 100% protection able to stop the breach?

Answer seems to be NO.

How about Comodo HackerProof site inspector, did it provide the next dimension in website scanning to stop the breach?

Unfortunately, NO.

How about Comodo Dragon Platform, was there bulletproof 100% protection from zero-day attacks to stop this breach?

I can come to a 100% verdict in 0 seconds on that and say: NO.

So, if a company of 600+ employees with better security training and skills than your average Comodo customer can’t protect commonly used forums, what hope do those customers have?

There is a definite need for the type of products that do the things Comodo claims they do, but there still seems to be a lot of work to be done. Thank goodness for Comodo’s exciting ambition.

I think Comodo needs to show their products can protect more instead of consolidate to less. They should be able to expose the top ten most popular public facing web applications on their own servers with an open “capture the flag” style invite for any security researcher to deface them.

If they aren’t willing to show complete buy-in themselves for their own products, why should any potential customer take them very seriously about Comodo’s claim of taking security very seriously? Please don’t let Comodo just be another company that makes hollow remarks.

Comodo’s priority is safety for consumer/user, should be so and it claims to be.

Aren’t they two pairs of shoes: security of a website and security of my PC?

This so-called hollow saying “At Comodo, we take security very seriously and it is our highest priority.”, which can be used by anyone, applied and applies to my PC:

Why else have I never had problems with Trojans, Ransomware, worms, viruses, etc.? Like many others I do online-banking, too, and have never had any problems.

Of course, such an event can make you a little insecure, but AV-Labs, for example, certifies Comodo:

of August 2019:

protection: 6 points of 6

and then 5.5 of 6/5.5 of 6 (not so interesting for me)

Should I say good-bye to comodo now? Would you

YES? (Not a very serious question for me)

Please note Comodo Endpoint Security or Comodo Client Security (CCS) which uses the same protection core as CIS is for Windows only.

The affected Forum server was running on an Apache/Debian server.

You can check it at: browserspy.dk/webserver.php inserting forums.comodo.com in the URL field.

There is no such thing as CCS or CIS for Linux and its variants. Comodo for Linux is just another average AV Realtime Scanner with low detection ratio.

I do agree Comodo should take better diligence steps for handling vulnerabilities in third-party software and services they may use. But they don’t do the code for the vBulletin forum platform, it’s a third-party service. What they should have done in this case is updating the vBulletin platform on the same day the patch was released or 24 hours later at max.

So was this forum here affected? I could still log in with my old password.

I am not sure why you mention your email password. It should be different than any other password you use. And different passwords for everything in general. If you leak your email password by having it for the accounts you create as well, each time it is a leak.

…and why you then said, you were about to change the passwords for comodo too… Those were the ones probably affected, so had to be changed.

It would appear to me that most of Comodo employees are not part of the consumer web development team nor I would expect be trained to manage it either. If they had been then I would expect the consumer websites would be less of a mess.

Furthermore they have actually used a 3rd party marketing/web agency based in Clifton. I expect they may be contracted to carry out some of the updates.

Comodo Endpoint has nothing to do with protecting this forum on the web server from a forum software based exploit.

Is HackerProof used on this forum?

Once again, Comodo Dragon is not going to prevent forum software exploits being targeted on a web server.

So they take security very seriously for their forum but neither take direct responsibility nor act in an advisory role in hardening the security of their own forum? I think we might be getting back to Zack Whittaker’s complaint then that it is a hollow statement for vendors to keep claiming to take security seriously after a data breach.

Why wouldn’t they use it as part of taking security seriously and if there is a known issue with a 3rd party run service that directly impacts the Comodo brand to insist the 3rd party address the issue? Why wouldn’t they also offer the Clifton agency free licenses to all the Comodo security tools if not at the very least for protecting the Comodo brand and Comodo customers? We should buy into security solutions even their own marketing agency wouldn’t touch??

mmalheiros points out that the web server indicates it is Apache/Debian. He then points out an online tool to get that information. The online tool states it is Apache v2.4.45 which seems to indicate they are still running Debian 9. That distribution version was released in June 2017. At the time it made sense to have TLS 1.0 and TLS 1.1 enabled by default. In 2018, the IETF and NIST have stated those protocols should be considered deprecated. TLS 1.0 has not aged well with such issues as BEAST and POODLE. Shouldn’t Comodo take security seriously enough to scan for that issue and see that it gets addressed?

The forum performs HTTP code 307 redirects to non-HTTPS emoji icons. In the past there have been browser exploits based on maliciously crafted image files. Shouldn’t a Comodo that takes security seriously avoid the potential for a man in the middle attack delivering such an exploit when sending the image unencrypted? Why are they undermining the HSTS setting with HTTP redirects to unencrypted transmission of these images?

According to BleepingComputer, the Comodo forums database includes MD5 hashed passwords for the Comodo forums running the Simple Machines Forum software. According to the changelog for SMF, if the forum software is upgraded since 2005 then any successful login will also upgrade the MD5 hash to a SHA-1 hash. There have been 16 CVEs issued for the Simple Machines Forum software since 2005; have those security fixes not been applied? Shouldn’t Comodo use its “next dimension in website scanning” to make sure the web application is kept up to date with security patches? Would it really be acceptable that Comodo took security seriously by sitting on the sidelines and letting a 3rd party using their brand not address this?

If you picked any medium size company at random and told the CEO of that company that a product has 100% protection from zero-day attacks using zero trust breach protection, would that imply to that CEO that the software is not going to prevent forum software exploits? What is a zero-day attack if it isn’t something that takes advantage of software exploits such as forum software exploits? What exactly is Comodo trying to communicate in the material for why we should be using the Comodo Dragon platform?

As far as I see it, the way Comodo claims their tools work to prevent at 100% levels makes security worse for several users. If you believe that you have everything covered through magic without having to take any additional steps then you may become lax on applying other preventive measures. Getting lax to the point of leaving deprecated default configuration options, leaving open MITM attacks and not keeping software up to date for known issues would be bad for taking security seriously.

Instead, if Comodo could dial down their marketing claims just a slight notch such as stating their tools are helpful for security exploit mitigation when used as part of a well-balanced breakfast of security policies and tools, then the customer might be more aware to not be lax.

But the claim of having 100% prevention tools and have a data breach which can still happen when taking security very seriously just doesn’t logically mesh together well.
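An added example, not part of the thread and not Comodo's code: one way to audit the HTTPS-to-HTTP redirect issue raised in the post above. It walks a recorded redirect chain and flags each downgrade, noting whether an HSTS policy already seen in the chain would cover the target host. The hosts and responses are constructed for illustration.

```python
from urllib.parse import urljoin, urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def parse_hsts(value):
    """Return (max_age, include_subdomains) or None if the header is unusable."""
    max_age, include_sub = None, False
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(val.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)

def hsts_covers(policies, host):
    """True if host, or a parent with includeSubDomains, has a live policy."""
    for known, (max_age, include_sub) in policies.items():
        if max_age > 0 and (host == known or
                            (include_sub and host.endswith("." + known))):
            return True
    return False

def audit_chain(hops):
    """Flag every HTTPS -> HTTP redirect in a recorded list of responses."""
    policies, findings = {}, []
    for hop in hops:
        src = urlsplit(hop["url"])
        headers = {k.lower(): v for k, v in hop["headers"].items()}
        # Browsers only honour an HSTS header that arrives over HTTPS.
        if src.scheme == "https" and "strict-transport-security" in headers:
            policy = parse_hsts(headers["strict-transport-security"])
            if policy:
                policies[src.hostname] = policy
        if hop["status"] in REDIRECTS and "location" in headers:
            dst = urlsplit(urljoin(hop["url"], headers["location"]))
            if src.scheme == "https" and dst.scheme == "http":
                findings.append({
                    "from": hop["url"],
                    "to": dst.geturl(),
                    # False: no known policy upgrades this fetch, so the
                    # resource travels in cleartext.
                    "hsts_covered": hsts_covers(policies, dst.hostname),
                })
    return findings

# Constructed sample (hypothetical hosts), not captured from any real site.
SAMPLE = [
    {"url": "https://forum.example/Smileys/a.gif", "status": 307,
     "headers": {"Strict-Transport-Security": "max-age=31536000",
                 "Location": "http://static.example/smileys/a.gif"}},
    {"url": "https://forum.example/Smileys/b.gif", "status": 307,
     "headers": {"Location": "http://forum.example/img/b.gif"}},
]

if __name__ == "__main__":
    for finding in audit_chain(SAMPLE):
        print(finding)
```

A finding with `hsts_covered` set to `True` still deserves a fix, since a client that has not yet cached the policy gets no upgrade.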

If you picked any medium size company at random and told the CEO of that company that a product has 100% protection from zero-day attacks using zero trust breach protection, would that imply to that CEO that the software is not going to prevent forum software exploits?

and

The online tool states it is Apache v2.4.45

Only Windows Endpoint has container technology to protect infecting the host system. They do not provide this for Linux (Debian).

Furthermore even if they did, hacking a website does not mean that the host system has been hacked either.

The job of a system AV Endpoint client is not to stop websites being hacked.

In a nutshell: That’s all there is to say and I trust my experience with comodo.

Let’s go with your assumption that Windows has a container technology that Linux lacks or that the Linux offering is somehow insufficient.

The Comodo e-book never states that preventing breaches with zero trust requires discontinued use of Linux. It instead brings up the need to protect data in the hybrid cloud. They even reference a report from LogicMonitor on the decline of on-premise service in favor of cloud services from AWS, Azure and Google Cloud. The most popular operating system on all three of those cloud platforms is currently Linux.

Comodo’s e-book reaches the conclusion they are providing a comprehensive portfolio which cover the “entire IT ecosystem, on-premises and in the cloud.” If there are fundamental issues with including Linux in that IT ecosystem for achieving the Comodo’s zero trust security of preventing breaches then they should disclose that in the e-book. Instead, they point to cloud services that Linux hold a majority in and state they will provide a solution for entire IT.

Also, the onus was on Comodo when choosing a forum provider to use their findings on operating system container technology accordingly. If Comodo believes Windows container technology is somehow better then Comodo should have selected to run their forums on Windows. If they are taking security seriously, they should go with what they are the most confident they can secure.

Correct. My complaint is not if the host system had been hacked. What I am stating is they have an e-book about preventing breaches and then their own forum was hit by a data breach. Regardless of the integrity of the host system at this point, they either failed to take security seriously enough to follow their own breach prevention method or their breach prevention method failed.

If that is the limitation of Comodo’s suite of products, that would be understandable. What is not understandable is to promote having breach protection and then not provide that breach protection to their own forum members’ data.

Does Comodo have the tools that can “breach proof [a] business with [Comodo’s] zero trust platform” as stated on Comodo’s home page? If they do, then why wasn’t that protection provided to the data of their own forum members?

That is great. I am glad you are getting the experience you expect from Comodo. I am not endorsing or trying to sell you on any alternative product. I am trying to get the opposite, how would you sell me on that the forum data breach is consistent with getting me to buy an active “breach proof” prevention solution from Comodo? Or why should the average medium business CEO now believe Comodo’s home page they can provide a “breach proof” solution? Is your full selling point that everyone should trust your specific experience or do you have something more to back the breach proof claim?

Whoever was responsible for updating the forum software has to do it the next time as soon as possible. That this hasn’t happened, reveals abuses in the company’s internal processes or the responsibilities. Comodo can and should definitely make improvements to this! This is not magic, but simply forms the indispensable basis of ANY IT security concept.

  1. Of course an argument to think about! But no argument not to trust comodo furthermore as a software to protect your PC.

  2. Not everyone is an IT specialist or a programmer.

Do I have to be a vehicle specialist to be able to say whether my car drives reliably? If out of 100 people in a car forum 95 percent are satisfied with a particular car (no special repairs, reliable in any weather, etc), then this is a good condition to buy this car.

Comodo protects reliably - until now and not only on my PC, and that has more value for me and not just for me than when a forum has been cracked.

Or vice versa:
It seems that Kaspersky’s forum has never been hacked, but hackers have been able to spy on K-software users for years while surfing. Which protection is better now and yes: experiences are a buying argument (see opinions of users on Amazon - if you should consider them with caution).

Whether Kaspersky’s opinion will satisfy the users is another question:

And because this matter is not a problem for me, this is done for me.

If 95 out of 100 people driving the Chevrolet Cobalts were satisfied with their car, then I am happy for them. When General Motors claims they take safety seriously, they should address any known issues that don’t live up to the marketing. Once 124 people die from a faulty ignition switch that the company silently fixed only for new model years, then the discussion about the 95 satisfied customers makes less sense. No matter how many people are satisfied with GM’s products they still have an obligation to be honest about the degree their product is what they claim it to be.

Do you have to be a vehicle specialist? No, you don’t–but you do need the car vendor to be honest.

It is disappointing the number of vendors that have super-cookie style tracking issues with the software they sell.

And if the vendor stated on their home page they provide 100% privacy only to then discover they have a super-cookie, that would be really upsetting. I would expect an explanation for that situation.

Despite not claiming 100% privacy protection, the vendor you are talking about has provided a more detailed explanation than Comodo has.

I would feel better if there was as detailed an explanation from Comodo how they can claim on their home page to have breach protection but then also have a forum breach.

Regarding problems at Kaspersky, I’d like to point this article which mentions Kaspersky software being used by the Russian Government to track people of interest to them. We rarely see people or the specialized press criticizing Kaspersky because of this. Even with such situations Kaspersky still has a good reputation.

I also remember some of their websites being hacked in 2009 alongside Bitdefender IIRC.

Like the article also mentioned, these problems at security firms rarely matter at all to home or office users. In Kaspersky’s case this can be regarded as an issue at Governments who may use their software. And Trump did ban Kaspersky from US Government machines after all.

IMO the multiple problems that Comodo faced in the past, as well as the recent Forum breach, are nothing to detriment the quality of their Windows Security software at preventing malware infections.

Whilst in your previous post.

Mentioning Comodo Endpoint regarding the issue of protecting a web forum from a hack can make it sound like you were trying to argue that Comodo Endpoint should have protected the website from being hacked.

You should be careful not to confuse less tech savvy users as that is rather irresponsible.

Neither Dragon Platform nor Comodo Endpoint is tasked with preventing any websites being hacked, and I doubt you will find any statement from Comodo that states these two products protect websites from hacks.

Thus mentioning either product regarding a website hack is misleading at best.