“The purpose of encryption is to prevent third parties from recovering the original information” ~wikipedia
Last night, an email from Acixs Hosting was posted on Twitter by Minalien (saved version). The conversation that followed upset me, both as a person and as an IT professional. The email was just a jumping-off point, but I want to address a couple of things, some very nit-picky, some not so much, before I move on.
The email was kinda confrontational, and had some questionable-at-best information. Examples of this are statements like “information is infact secure from outside sources other than your self” and “the only plausible way for your information to be compromised is if you leave you machine unattended“. I’d like to remind Acixs that just in 2014 alone, over 20 major companies were hacked in some form or another. Giants like Sony, AT&T, Ebay, UPS, Target, and Yahoo! have all fallen to a variety of attack styles, and the assertion that the only possible vector for unauthorized information access is via the customer’s computer is egotism, pure and simple. Even if Acixs’s encryption is completely 100% uncrackable, this doesn’t change the fact that a huge hacking attack vector has nothing to do with technology…it’s the people themselves. A quick Google search for “social engineering attack vectors” returns thousands of entries.
On a slightly more nit-picky note…suggestion for you, Alexander Dietrich: proofread your emails before sending. If that’s too much effort, then let customer support or your legal team handle emails to customers. You’re really quick to shoot the messenger, too…statements like “given the amount of drama you’ve created” (when addressing Minalien) or “your concerns are a facade” don’t give people warm fuzzies about the services you provide. Learn to be diplomatic. It’s completely possible to tell the customer “no, that’s incorrect, here’s why” without being antagonistic or a jerk.
As a sidenote…I don’t know what all was said privately before this point. It’s completely possible that there was much heated conversation, and this email was taken out of context. That said, as the CEO of a company, you need to be constantly aware that anything you say as an official of the company, especially in a permanent form, could be displayed to the public. Being classy is never a bad thing.
Enough about the email. There was also a set of statements made on Twitter by Matthew Wisniewski, the (former) Acixs CTO/Software Engineer. First he says “only time you’ll see your PW is when you create it“, but then less than 2 hours later, in the very same conversation, he says “you can see your password but its not stored in plain text its encrypted in our DB” (links to both tweets, screenshot of both with timestamps). Coming from the ex-CTO, this is…worrying, to say the least. The person who (should have) designed the entire architecture, the person who (until a month ago) had the biggest pull as to what tech goes into their stack…doesn’t even know if the password is displayed or not. I’d encourage you to look to Matthew Salsamendi for an example of what understanding some tech looks like (original thread).
Matt goes on to make more assertions, saying that the data is encrypted, it’s sent over HTTPS, it’s not in plaintext, and that even if someone could access the data, it’s secure. These statements are…possibly correct. I haven’t attempted to poke Acixs’ web services with a logic probe. But I’m going to echo what LexManos said…”Reversible encryption is no security“, and add “especially when we’re talking passwords“. When storing passwords, there’s no excuse for storing them in a retrievable format. Hash them using whatever the current industry standard is (I’d encourage Acixs to give crackstation’s password hashing write-up a thorough read). When data MUST be encrypted/decrypted, do it client-side, and require the password.
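To make the “hash, don’t encrypt” point concrete, here is an added example (mine, not anything from Acixs, WHMCS or Multicraft) of the non-retrievable storage scheme recommended above: a per-password random salt, a deliberately slow PBKDF2-HMAC-SHA256 digest, constant-time verification, and a check that lets old records be upgraded at login. The iteration count is an assumption for illustration; the record format is my own.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for this example; tune to current guidance when deploying.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Store only a one-way, salted, slow digest. Nothing here can give the
    password back: there is no decrypt step, only recomputation on login."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # unique per record, so equal passwords differ
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record: algorithm$iterations$salt_hex$digest_hex
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iterations, then compare in
    constant time so timing does not leak how many bytes matched."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(record: str) -> bool:
    """True when a record was made with a weaker work factor than we now use;
    call after a successful login to re-store it with hash_password()."""
    algorithm, iterations, _, _ = record.split("$")
    return algorithm != ALGORITHM or int(iterations) < PBKDF2_ITERATIONS
```

Because the database holds only salt and digest, a leaked table cannot be “decrypted”; it can only be guessed against, and the work factor makes each guess expensive.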
There’s more to the conversation thread, but I want to get to my final point. Acixs, you’ve gotten yourself into a mess, but it’s completely fixable. Here’s what I, as an IT professional, would recommend:
- First and most importantly, apologize to Minalien for being jerkish. Even if you’re technically 100% correct (newsflash, you weren’t), it’s the nice thing to do. Being nice goes a long way towards keeping customers, and can de-escalate a tense situation.
- Get a security consultant. Have them do a full audit of your technology stack with an emphasis on data security.
- Actually listen to said security consultant’s recommendations, and then come up with a plan to secure your data. I’m not talking about using HTTPS, I’m talking about if necessary completely rewriting your database layer and encryption implementation.
- Listen to your customers. Many of us are quite technically competent, and trying to bullshit away legitimate concerns (screenshot) is never acceptable.
It’s completely possible that this post will draw anger, recriminations, and more finger-pointing from Acixs and friends. This is absolutely the wrong way to handle the situation, and shows that Acixs doesn’t actually care about their customers…only about how things look.
Take a breath, Acixs. Let HR do some damage control. And then fix your damn systems.
UPDATE: There’s been more discussion of this topic on Twitter, with Matt forging ahead with his assertion that Acixs is completely secure (comment thread, screencap), that it’s the customer’s responsibility to secure their email, and, on top of that, blaming WHMCS and Multicraft: it’s totally not Acixs’ fault for deploying that specific software.
There are a couple of things wrong with this, Matt. First off, “it hasn’t happened to me (yet)” is a horrible, stupid, inane reason not to consider securing your tech. I can’t emphasize this enough. As a tech company, if someone brings a security concern, you address it, period. Secondly, if you didn’t send the password in cleartext via email, you’d eliminate that specific possibility. Finally, regardless of the language software is written in, it’s always best to do everything possible to improve security. At the end of the day, the only secure computer is one behind about 8 feet of lead shielding, inside a locked vault, guarded by armed professionals, and most importantly, switched off. The trick is using enough security that the cost of breaching it is higher than the potential gain.
UPDATE2: At the time of writing this, Matthew Wisniewski was listed on Acixs’ homepage as the CTO. Matt tweeted that this is no longer the case, so I’ve updated the post to reflect that. Protip, Matt: lead with this info next time, don’t put it 5 tweets down after saying that “the biggest concern would be that its written in PHP at the end of the day” (link, screencap).
UPDATE3: I’d like to take a moment to thank Matthew Salsamendi. His comments (link, screencap) on the issue show that he really gets what is at stake here, in a way that Matthew Wisniewski and Acixs clearly don’t. Gems include “WHMCS doesn’t usually hash passwords by default”, because apparently “There is *NO* encryption of panel passwords at all. I repeat, NONE…This is so that the module can then send the password to Multicraft itself, which then MD5+salts it.”.
UPDATE4: Less than 3 days after I posted this, Acixs got hacked, and badly. I don’t know (and don’t want to know) the details of how they handled it, but I do know that if they’d listened to the warnings of people like Minalien, dariusc93, and others, they might have prevented the hack from ever happening.
UPDATE5: Looks like Acixs is officially going down. They’re terminating everyone’s services a week earlier than they originally said (after making an effort to migrate them to Creeperhost/Nitrous/etc), and I doubt they’ll be around for much longer.
(as a sidenote, had a convo with a Matt about whether or not Acixs was actually hacked. Draw your own conclusions…)