# Security ex-perts get hacked :)



## toorski (Oct 2, 2019)

Cybersecurity giant Comodo can't even keep its own website secure
					

Comodo, which bills itself as a “global leader in cybersecurity solutions,” said its forum was hacked. The admission came in no less than a forum post, which confirmed a hacker exploited a recently disclosed vulnerability in vBulletin, a popular forum software used by Comodo. The flaw, which...




					techcrunch.com
				




"A hacker gained access to internal files and documents owned by security company and former SSL certificate issuer Comodo by using an email address and password mistakenly exposed on the internet. The credentials were found in a public GitHub repository owned by a Comodo software developer ....." 

The world is full of dumb-ass professional experts - LOL


----------



## Maelstorm (Oct 2, 2019)

We are all human and we all make mistakes.  All you can do is learn from them.  With a large code base, and multiple people working on a project, something like this happens more often that you might think.


----------



## SKull (Oct 2, 2019)

It's not 'hacking' if one finds the password. That's just called 'logging in'.


----------



## Deleted member 30996 (Oct 2, 2019)

SKull said:


> It's not 'hacking' if one finds the password. That's just called 'logging in'.



That's what I figured when a guy I used to know told me his email password.

He was bragging about how he used the number 1 after all his plain word passwords and must have thought I couldn't remember a 20 multi-character password of my own.


----------



## SKull (Oct 2, 2019)

Trihexagonal said:


> and must have thought I couldn't remember a 20 multi-character password of my own.



i can't remember faces, names, birthdays, appointments... but i still know passwords from jobs that I had years ago


----------



## 6502 (Oct 2, 2019)

This is pseudo sensation, typical for media and journalists. Comodo main business is not hacked, only a forum. And what is the achievement of the "hacker" - to read about forum exploit and use it. He is not the author of the exploit.


----------



## SKull (Oct 2, 2019)

6502 said:


> This is pseudo sensation, typical for media and journalists. Comodo main business is not hacked, only a forum. And what is the achievement of the "hacker" - to read about forum exploit and use it. He is not the author of the exploit.


That's the thing... he didn't use an exploit. He read the login credentials on github.


----------



## Crivens (Oct 2, 2019)

SKull said:


> i can't remember faces, names, birthdays, appointments... but i still know passwords from jobs that I had years ago


"Password"?


----------



## SKull (Oct 2, 2019)

Crivens said:


> "Password"?


No. The plural was intentional. 
But yeah, i also remember THE password of some of my former employers.


----------



## 6502 (Oct 2, 2019)

I think he talks about password: "Password" (like 123456)


----------



## SirDice (Oct 2, 2019)

toorski said:


> "A hacker gained access to internal files and documents owned by security company and former SSL certificate issuer Comodo by using an email address and password mistakenly exposed on the internet. The credentials were found in a public GitHub repository owned by a Comodo software developer ....."


That was the previous issue.








						Exposed password gave hacker access to Comodo internal files
					

A hacker gained access to internal files and documents owned by security company and former SSL certificate issuer Comodo by using an email address and password mistakenly exposed on the internet. The credentials were found in a public GitHub repository owned by a Comodo software developer. With...




					techcrunch.com
				




This would be a proper excerpt for the article you actually linked:


> The admission came in no less than a forum post, which confirmed a hacker exploited a recently disclosed vulnerability in vBulletin, a popular forum software used by Comodo. The flaw, which requires little skill to exploit, allows an attacker to remotely run malicious code on a vulnerable forum. In this case, the exploit was used to dump the entire user database.


----------



## CraigHB (Oct 2, 2019)

Surprising how many people still use still use weak passwords after all the press about it.  A relative or two comes to mind.  Some sites still let you use weak ones, but most now have stricter password requirements.  I used to be able to get away with going by memory for passwords, but I can't do that anymore due to strict password requirements on many sites.  I have to use a vault now which I think introduces a whole new set of security concerns.

Actually kind of miffs me now how strict passwords are on some sites.  Not that I want to use weak passwords all the time, but sometimes I don't want to use some crazy password I can't remember.  For some place that houses sensitive data I'll use the strongest one I can think of, but for some shopping site or forum who cares.

There's the argument that any weak password for any user provides an attack vector, but if an admin does not eliminate that as a threat I think they're not doing their job very well.  But I don't know, maybe that's a good thing to do, just makes it a pain for the users and probably for the admins with people forgetting their passwords more frequently.


----------



## Sevendogsbsd (Oct 2, 2019)

This particular "hack" was from someone posting their creds in a GitHub account, which I have no idea why someone would do. Thought it was somehow secret maybe? EDIT: I got the article wrong: the github password was a second article INSIDE the first. Sorry...

I don't even know what my passwords are, except for my internal network equipment and my password DB. I use long, random strings and have no clue what they are.

Agree, some sites are really bad about how they implement password controls. Some actually, unwittingly, enforce weak passwords. For example, the prime on the contract I am on has their timekeeping web site I have to enter time into. The site's password change page does not allow paste into the existing, new or repeat new password fields. So...this makes me enter the bare minimum password into the system when a change is due. Some genius thought that disallowing paste is somehow a security measure?


----------



## Deleted member 30996 (Oct 2, 2019)

I use a different complex password for each site and would never be able to remember them all so keep each one in an encrypted file. I have my usr and root passwords memorized but did forget them once after not using the computer for a while, lost all my password files and DutchDaemon was nice enough to let me back in.

That before I developed a good data backup strategy,


----------



## toorski (Oct 3, 2019)

toorski said:


> The world is full of dumb-ass professional experts - LOL


The point I was trying to make is that the Comodo's security experts are using vBulletin BBS system developed by another group of experts. Each case involved basic mistakes and security flaws , such as exposing login credential by one of Comdo's experts (I assume) And then, the Comodo's  security experts failed to detect vBulletin's flaw which requires little skill to exploit, and allows an attacker to remotely run malicious code on a vulnerable forum.  In this case, the exploit was used to dump the entire user database. 

In the real world dumb mistakes and/or errors in design can cost tons of money or even peoples lives. Tho, most software devs never think in those terms.


----------



## CraigHB (Oct 4, 2019)

Trihexagonal said:


> I use a different complex password for each site and would never be able to remember them all so keep each one in an encrypted file.



I do something similar.  Prefer to manage that manually, just don't know how much I trust an automated utility.  That way I only have to remember my login and the encryption password.

Anyway it is pretty amazing how so called professionals can overlook things like failing to change a default password or making passwords visible.  They don't always put people in positions based on competence.  I used to see that a lot when I worked for big corporations.  But even the most competent can make mistakes or overlook things.


----------



## sidetone (Oct 4, 2019)

Even if they are that foolish or stupid, I don't see the point in being happy about it.


----------

