Dispute over cyber attack prompted questions over third-party software
Simple Machines is now working with Avast to analyse the recent cyber attack that compromised the details of 400,000 forum users, following a public dispute between the two companies over the nature of the breach.
Details of the attack emerged haphazardly, leading to questions over how up-to-date security firm Avast’s installation of Simple Machines Forum (SMF) was, whether the software was vulnerable and how the hack had taken place.
Liroy van Hoewijk, chief executive of Simple Machines, said: "What bothers us the most are the claims that we would have patched a 2.0.6 security hole in our 2.0.7 release without notifying the community that such a security issue existed. That is a false statement.
"Simple Machines Forum is known for its high security and stability, and we refuse to allow our project to be thrown in front of the bus without any evidence to support Avast’s claims."
Avast were alerted to the cyber attack when the company forum was brought offline, leading to the loss of usernames, hashed passwords and email addresses. Financial information contained on a separate system was unaffected, according to Avast.
Citing a site image taken just before the attack, Simple Machines said that the copyright of their software dated back to 2012, indicating Avast may have been running software several version out-of-date. The forum developer added that it knew Avast had made modifications to their installation.
Responding to claims of a vulnerability allowing remote code execution, Simple Machines dismissed the report as "yet another attempt to pass the blame with no actual evidence or support".
"The ‘exploit’ would never work unless the server or site was already compromised and someone could modify the PHP code in the SSI [server side includes] file," van Hoewijk said.
"If someone is already able to change source code of PHP files: why would they bother doing this hack? With such access, much more damage can be done, more directly."
Vince Steckler, chief executive of Avast, said that forum would be moved to a new software platform, and advised users to change passwords if they had reused them on other websites.
Peter Martini, chief operations officer at iboss Network Security, said: "It is not uncommon for companies to rely on third-party ERP [enterprise resource planning] systems to manage inventory, assets and customer orders.
"However, even if the company has strong internal security practices in place, if the third party software has a security flaw in it, it makes the company susceptible to a breach."
Concern over the use of open-source software has been heightened since the Heartbleed OpenSSL bug in April left the likes of Facebook, Yahoo and Google vulnerable to hackers, in what Hugh Thompson of security firm Blue Coat termed a "call to action for open-source committees".
"Ultimately, this should serve as a reminder for all companies to continually run security stress test against all systems including third-party software integrated into the organisation," Martini said.