When I originally started this blog, it was entitled "Adventures in Networking" and it dealt primarily with networking and, more specifically, Cisco network security. Since then I've written about everything from hurricanes to hacking a Western Digital NAS device and giving a $50 Linksys router the power of a $500 Cisco box. Lately, I've been posting how-to's for all kinds of stuff, and it's time to take a step back and talk about security for a little bit.
A web hosting client of mine got his site hacked in the past couple of days. About a year ago, I installed phpBB3 for him and set up his domain on my server. After that, I acted as admin on the forums and stuff like that. Well, phpBB3 got neglected and hadn't been updated in a while. It was running version 3.0.6 while the latest version was 3.0.7-PL1. Four versions have been released since the last update. When the site got exploited, he looked at me like it was my fault. In fact, he told me something along the lines of "I paid you to build a site that was secure and you didn't do that". Well, I did build him a secure site a year ago, but in the past year there have been enough holes found in phpBB3 to kill a horse.
I'm sure that any freelancer or businessman out there has had to deal with clients who don't understand exactly what it is you do. This happens a lot to me because of the range of things that I do. But in this instance, the client was under the illusion that I was going to maintain the website and keep it up to date for him. The original invoice that I sent for the site was simply 8 hours of work to get everything installed and set up properly, plus a year of hosting. Since that first invoice, I have fixed little errors here and there for him without invoicing him, because they're little things that only take a few minutes to take care of. Plus, the guy is a real good friend of mine and has been my friend since before we started doing business together. I do freebies for a lot of my customers from time to time. Maybe I messed up by doing these repairs without charging him for them, and by doing that I led him to believe that I was doing it all for free.
I logged into the site this morning to find that it had been defaced. Some hacker managed to get in and screw around with the AdminCP. Language packs were messed with, 300+ accounts were created and a bunch of spam had been posted. I went ahead and fixed everything that had happened and went through the process of upgrading phpBB3 to the latest version. It took me about 2½ hours to get it all cleaned up and upgraded. Once I was done, I submitted a service ticket for the work. Here's another place I screwed up. I should have asked him if he wanted me to fix it first, because we don't have a service agreement between the two companies.
Well, the site got upgraded to the latest version of phpBB3 and it was working fine.... for about 3 hours. That's when our little hacker managed to get back in and lock me out completely. My best guess is that there's a zero-day exploit for phpBB 3.0.7-PL1 that will also work on all previous versions. In that case, there's not a whole lot I can do about it other than block the proxies he used to get to the site, or just shut the site down. Well, I shut it down.
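Two of the things described above (hundreds of accounts registered in a short time, and somebody poking around the AdminCP from an address that isn't mine) leave a footprint in the web server's access log. The following is an added example, not code from the original post: a small Python script that reads Apache combined-format log lines, flags any IP that bursts registrations through phpBB 3.0's `ucp.php?mode=register` endpoint, and lists IPs that hit the `adm/` admin panel but aren't on a trusted list. The log lines are constructed for the example, the forum is assumed to live under `/forum/`, and the window and threshold are assumptions to tune for a real site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (Apache combined format); not taken from a real server.
# 203.0.113.7 hammers the registration form, 198.51.100.23 registers once and then
# opens the admin panel, 192.0.2.10 is the (assumed) legitimate admin's address.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2010:03:14:01 -0500] "POST /forum/ucp.php?mode=register HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2010:03:14:09 -0500] "POST /forum/ucp.php?mode=register HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2010:03:14:20 -0500] "POST /forum/ucp.php?mode=register HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2010:03:14:33 -0500] "POST /forum/ucp.php?mode=register HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2010:03:14:41 -0500] "POST /forum/ucp.php?mode=register HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [12/May/2010:03:20:02 -0500] "POST /forum/ucp.php?mode=register HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [12/May/2010:03:25:17 -0500] "GET /forum/adm/index.php?sid=abc HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.10 - - [12/May/2010:08:00:00 -0500] "GET /forum/adm/index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Apache combined log: ip ident user [timestamp] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def is_registration(path):
    # phpBB 3.0 registration form lives at ucp.php?mode=register
    return "ucp.php" in path and "mode=register" in path


def is_admin_panel(path):
    # phpBB 3.0 AdminCP lives under adm/ (assumed forum prefix /forum/ is irrelevant here)
    return "/adm/" in path


def registration_bursts(log_text, window_minutes=10, threshold=5):
    """Map each IP to the max number of registration POSTs it made within any window.
    Only IPs at or above the threshold are returned."""
    times = defaultdict(list)
    for rec in (parse_line(l) for l in log_text.splitlines()):
        if rec and rec["method"] == "POST" and is_registration(rec["path"]):
            times[rec["ip"]].append(rec["ts"])
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for ip, ts in times.items():
        ts.sort()
        start, best = 0, 0
        for end in range(len(ts)):          # sliding window over sorted timestamps
            while ts[end] - ts[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def untrusted_admin_hits(log_text, trusted_ips):
    """Return sorted IPs that reached the admin panel and are not in trusted_ips."""
    hits = set()
    for rec in (parse_line(l) for l in log_text.splitlines()):
        if rec and is_admin_panel(rec["path"]) and rec["ip"] not in trusted_ips:
            hits.add(rec["ip"])
    return sorted(hits)


def block_list(log_text, trusted_ips):
    """Union of burst registrars and untrusted admin-panel visitors: candidates to block."""
    return sorted(set(registration_bursts(log_text)) | set(untrusted_admin_hits(log_text, trusted_ips)))


if __name__ == "__main__":
    trusted = {"192.0.2.10"}
    print("registration bursts:", registration_bursts(SAMPLE_LOG))
    print("admin panel from untrusted IPs:", untrusted_admin_hits(SAMPLE_LOG, trusted))
    print("block candidates:", block_list(SAMPLE_LOG, trusted))
```

Run it against the real access log by replacing `SAMPLE_LOG` with the file contents; the block candidates can be fed straight into a firewall or `.htaccess` deny list. The caveat is the one the post already hints at: an attacker who comes through several proxies shows up as several low-volume IPs, so the admin-panel check from an untrusted address is the more reliable of the two signals.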
Here's where the main problem starts. The customer assumed that it was my responsibility to update the software for him. I don't go to HP and bitch at them because there are holes in Windows. Once I install the software, it's up to the client to keep that software up to date. All of my other web clients know this, and they keep their CMS software up to date. If we had set up a service contract in which I said I would maintain the security of his site, then it's no problem: it's my responsibility to fix the security issues that come up. But there's no agreement there.
Also, the client wants 100% security. We all know that 100% security does not exist and never will exist. He didn't like the fact that I used open-source software for the site because people can read the source code. Well, the open-source stuff is free, so that's why it was used. But even closed-source software has security holes in it.
To wrap up this rant, I wish people could understand that the only secure computer is one that's powered down and unplugged from the internet. A friend once told me that if you installed a fresh copy of Windows XP (no service packs) on a computer and plugged it directly into the internet, it would be rooted within 12 seconds. 12 seconds! There is no security, only the illusion of it.