News Flash: phpBB Massive Hack
ComputerWorld is running an article from Paul Ferguson of TrendMicro claiming that there is a massive hack going on as you read this - via the phpBB bulletin-board software. Truth be told, phpBB has been known to be bug-ridden over the years (simply Google "phpBB vulnerability" and you'll get more than you wanted), but I believe that these have come to a boiling point now. If it's actually true that the number of sites hacked stands at ~500,000, it would point to a massive problem within phpBB's code which likely hasn't been disclosed yet.
What worries me is not that these sites are being hacked (because this is a "normal" occurrence these days) but that the attacks are increasingly effective. While a half-million web sites being broken into isn't something to sound the alarm over - and this is truly a sad commentary on the state of web security today - the precision and effectiveness of these types of attacks are scary. Furthermore, the "drive-by" installations of malware, trojans and other unwanted stuff on your computer are the stuff that security managers worry about at night. Just think of the amount of data that a half-million key loggers can pull. Think of the potential fallout of having to re-load (because cleaning isn't possible most of the time) every machine at your office... the possibility boggles the mind.
What comes out in incidents like this, and what people sadly still do not understand, is that an insecure web application/site does more than just possibly damage the host. A vulnerable site leaves its visitors vulnerable, which sets off a chain reaction that resonates back into the CISO's office at any company that allows its users to browse the Internet. More on this in a future post.
While I know it's rather uncommon to have a public-facing PHP application like this in an enterprise - it's definitely not impossible, so I felt like I needed to notify and warn you readers. More as information comes in... if it comes in.