A vast gulf yawns between security and security firms.
But, hey, your credit card info is safe rubadub.
Antivirus firm Avast! has 'fessed up to a breach. The small upside is that the mess only impacts the company's forums. As the company's CEO Vincent Steckler has blogged “Less than 0.2% of our 200 million users were affected. No payment, license, or financial systems or other data was compromised.” Don't click away to another …
Although it probably wasn't their own software they were using, it still doesn't reflect favourably on Avast...
*If* (as claimed) the passwords are hashed, how big is the risk of a "rainbow table" attack, and (importantly) were the values salted? If they were, doesn't this minimise the risk to those using the same password for multiple sites?
Yes, I'm a freetard using their free AV, and I still think it's fairly decent (especially for free). But now that they've grown a bit, I get an endless parade of "special offers" along with the legitimate notifications. It used to be that "it just works"; now "it just annoys". I have shortened the duration of the popups to only a second, which mitigates it, but it's still annoying.
The thing of it is, I don't think ANYONE's security offerings are worth paying much for these days. I will say that Avast at least isn't bloatware like Symantec's offerings.
NOD32 - which, besides being very good, doesn't brick your machine every now and then and is NOT full of bloat or other stuff that makes the device sluggish - can be had for about £10 per year. It is certainly better than Avast, AVG, MSE, etc. Avira - there's another free one that used to be very good, then switched to being nagware. Or rather, nagware you couldn't turn off anymore.
I had a long spell of being bombarded by their self advertising too, and I'm a paying customer.
Which is why when the license expired on my home machine (after a month of "URGENT!! You must renew RIGHT NOW!!!" warnings) I got rid and went with a competitor. If all goes well that competitor will be our AV at work too.
As a long-time user of the avast! Free product and as a lecturer on computer security, this points out that it can happen to anyone. The only true defense is a good offense. If you don't have a good backup strategy, you can pretty much kiss your personal information goodbye.
I'm also sure that Avast has the forum backed up and will transfer the information to a more secure platform. By now, I've gotten the "change your password" routine down to a science.
I guess most of us have after the recent Heartbleed fiasco.
Stay safe, be free!
They were not using their own platform, they were using the free and open source package SMF. Exactly what version of it is not entirely clear, and it's been modified beyond pure aesthetic changes from the stock distribution. The extent of modification is not entirely clear.
The method used by the SMF 2.0.x series (which is what they're using) is SHA1(lowercase(username) + password), which is what SMF has always used, and the developers are upgrading that in coming releases. I could try and defend the reasons for staying with this, but most of them amount to 'OMG we have to keep compatibility with hosts', which is why it wasn't until this week that the 2.1 series actually bumped its minimum PHP version to 5.3+ instead of 5.1+ (and the 2.0 series will work on PHP 4.4.x).
There are no known vulnerabilities in the 2.0.6 or 2.0.7 releases (the 2.0.7 release strictly addressed minor bug fixes and PHP 5.5 compatibility after the preg_replace function deprecated use of /e, both of which are therefore considered 'secure' releases by the developers).
I still wonder, though, whether this was the fault of the software or someone with a bad password. It's certainly not unheard of for admin passwords to have been brute-forced - and all kinds of things happen afterwards. Unfortunately there is a persistent stubbornness from the SMF team about allowing their package manager to do what it does (find/replace on raw code, which of course requires it to be writable!), and anyone who brute-forces or otherwise acquires an admin account can subsequently upload any code they like to the server, and most admins leave it insecure.
My understanding is that the developers have reached out to Avast to find out what happened, though details are apparently not especially forthcoming.
Disclaimer: I am one of the people who, in the past, has contributed to SMF. I am not trying to defend my contributions; all I worked on were minor bug fixes and new stuff for the current in-development version, as well as providing support.
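The two technical threads above (the earlier question about whether the hashes were salted, and the SHA1(lowercase(username) + password) scheme described in the post) can be made concrete in code. The block below is an added example written for this page; it is not SMF's code or Avast's. It reproduces the legacy scheme as described, puts a salted PBKDF2 record next to it, and shows the login-time migration pattern a forum operator would use to move accounts over without a forced reset. The record format, the function names, and the PBKDF2 iteration count are my own assumptions, and the accounts are constructed sample data.

```python
import hashlib
import hmac
import os

# Assumed work factor for the replacement scheme; tune upward as hardware allows.
PBKDF2_ITERATIONS = 600_000


def smf20_hash(username, password):
    """Legacy scheme as described in the post: SHA-1 over lowercase(username) + password.

    The username acts as the only 'salt'. It is public and predictable, so it stops a
    single site-wide rainbow table but not a table built for a known username, and the
    same username/password pair produces the same hash on every SMF 2.0 forum.
    """
    return hashlib.sha1((username.lower() + password).encode("utf-8")).hexdigest()


def pbkdf2_record(password, salt=None):
    """Hardened replacement (assumed format, not SMF's): random per-user salt + PBKDF2-HMAC-SHA256."""
    if salt is None:
        salt = os.urandom(16)  # unpredictable per-record salt: identical passwords hash differently
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(PBKDF2_ITERATIONS, salt.hex(), dk.hex())


def is_legacy_record(stored):
    """A bare 40-hex-char string is a legacy SHA-1 record; anything else is the new format."""
    return not stored.startswith("pbkdf2_sha256$")


def pbkdf2_verify(password, record):
    """Recompute the derived key from the stored salt/iterations and compare in constant time."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def verify_and_upgrade(username, password, stored):
    """Login check that migrates legacy records opportunistically.

    Returns (ok, record_to_store). On a successful login against a legacy SHA-1 record the
    plaintext is available for that one request, so the account is rehashed into the salted
    scheme; the caller persists the returned record. Failed logins never change the record.
    """
    if not is_legacy_record(stored):
        return pbkdf2_verify(password, stored), stored
    if hmac.compare_digest(smf20_hash(username, password), stored):
        return True, pbkdf2_record(password)
    return False, stored


if __name__ == "__main__":
    # Constructed sample account table in the legacy format (not real breach data).
    users = {"Alice": smf20_hash("Alice", "correct horse battery staple")}

    ok, new_record = verify_and_upgrade("Alice", "correct horse battery staple", users["Alice"])
    print("login ok:", ok, "| record migrated:", not is_legacy_record(new_record))
    users["Alice"] = new_record

    # Second login now verifies against the salted record and leaves it unchanged.
    ok, same_record = verify_and_upgrade("Alice", "correct horse battery staple", users["Alice"])
    print("second login ok:", ok, "| record unchanged:", same_record == new_record)
```

Two things the code makes visible that the thread only gestures at: `smf20_hash` gives identical output for the same username and password on every site using the scheme, which is exactly the cross-site reuse risk the earlier comment asks about, while two calls to `pbkdf2_record` with the same password never match because the salt is random. The migration wrapper is the usual way to get from one to the other without knowing any user's password in advance.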