
Improving Security For Our Community

2/3/2013

As you are probably already aware, there has been a recent increase in sophisticated cyber security attacks worldwide. Within the last two weeks, the New York Times, Wall Street Journal and Twitter have all documented breaches of their online systems.

Unfortunately, we also recently discovered that DotNetNuke Corporation's network infrastructure was breached by an unknown third party. The third party was able to obtain low level access to our servers, which means that there was the potential for private information to have leaked.

After thorough analysis of our server logs, we were able to determine that the original point of entry was an insecure configuration in our Demo website environment. This Demo environment has since been decommissioned; however, in the past it was set up in a custom manner which allowed an untrusted website visitor to create a new portal and become the Administrator of that portal. Once the untrusted user was an Administrator, they were able to exploit a vulnerability which allowed them to upload a script file that gave them additional privileges, including the ability to browse the file system and access website user accounts.


* It is important to note that the DotNetNuke CMS product is NOT susceptible to this type of exploit by default; the vulnerability was exposed by a custom configuration we had implemented specifically in our Demo environment.

Since we do not store credit cards or other types of sensitive personal information in our infrastructure, information disclosure was limited. That being said, there was the potential that some user accounts were compromised. The information leakage for these user accounts could have included information such as username, email address, some limited demographic information, and potentially a user's password.

As a result, for precautionary reasons, we are suggesting all users who have registered on website properties managed by DotNetNuke Corporation change their passwords. Some security best practices when it comes to choosing passwords are outlined below:

  • Use a strong password (i.e. something at least 9 characters long with random capitalization, numbers, and punctuation)
  • Use different passwords for different online services
  • Change your passwords regularly
  • If you find it difficult to remember different passwords for different sites, use a web browser utility such as LastPass.com

As mentioned above, the Demo environment has since been decommissioned and replaced with a more robust Trial environment built on top of Microsoft Windows Azure, which provides superior security through physical isolation between websites. We have also taken additional precautions to harden our network infrastructure to ensure that a breach of this nature cannot occur in the future. This included migration of our website from reversibly encrypted passwords to one-way hashed passwords, as well as the installation of a more robust intrusion detection system.
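The move from encrypted to hashed passwords is the part of this post a practitioner is most likely to have to reproduce. The example below is an added illustration, not DNN's own code: a reversibly encrypted password store can be decrypted in bulk by anyone holding the server-side key, whereas a salted, slow one-way hash yields no plaintext even when the table is stolen. The PBKDF2 parameters, the record format and the keyed-XOR "legacy" routine (a constructed stand-in for whatever reversible scheme a site used, not DNN's real one) are all assumptions; the migration runs in one pass precisely because the old store was reversible, after which the legacy key can be destroyed.

```python
"""Salted one-way password storage plus a one-off migration from a
reversibly encrypted store.  Added example; not DNN Corp's code."""
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000      # assumed work factor; raise it as hardware gets faster
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Derive a per-user salted PBKDF2 hash and encode it self-descriptively.

    Record format: algorithm$iterations$salt_b64$hash_b64.  Storing the
    parameters beside the digest lets the work factor be raised later
    without invalidating existing records.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES
    )
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare in
    constant time; a malformed record and a wrong password both fail closed."""
    try:
        algorithm, iterations, salt_b64, hash_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False
    if algorithm != ALGORITHM or iterations < 1:
        return False
    actual = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    return hmac.compare_digest(actual, expected)


# --- Legacy reversible store (constructed stand-in, not DNN's real scheme) ---
# Whoever obtains the server-side key recovers every password in one pass,
# which is exactly why such a store must be migrated to one-way hashes.
LEGACY_KEY = b"constructed-demo-key-not-real"


def legacy_encrypt(password: str) -> str:
    """Stand-in reversible routine: keyed XOR, base64-encoded (assumption)."""
    raw = password.encode("utf-8")
    enc = bytes(b ^ LEGACY_KEY[i % len(LEGACY_KEY)] for i, b in enumerate(raw))
    return base64.b64encode(enc).decode("ascii")


def legacy_decrypt(ciphertext_b64: str) -> str:
    """Inverse of legacy_encrypt; XOR with the same key restores the plaintext."""
    raw = base64.b64decode(ciphertext_b64)
    plain = bytes(b ^ LEGACY_KEY[i % len(LEGACY_KEY)] for i, b in enumerate(raw))
    return plain.decode("utf-8")


def migrate_records(records: list[dict], decrypt=legacy_decrypt) -> list[dict]:
    """Convert each {"user", "password_enc"} row into a {"user", "password_hash"} row.

    Because the old scheme is reversible the migration needs no user
    interaction; the encrypted column is dropped from the output so no
    reversible copy survives once the legacy key is destroyed.
    """
    migrated = []
    for row in records:
        plaintext = decrypt(row["password_enc"])
        migrated.append({"user": row["user"], "password_hash": hash_password(plaintext)})
    return migrated


if __name__ == "__main__":
    # Constructed sample rows standing in for a legacy user table.
    legacy_rows = [
        {"user": "alice", "password_enc": legacy_encrypt("correct horse battery")},
        {"user": "bob", "password_enc": legacy_encrypt("hunter2")},
    ]
    new_rows = migrate_records(legacy_rows)
    for row in new_rows:
        print(row["user"], row["password_hash"][:40] + "...")
    print(verify_password(new_rows[0]["password_hash"], "correct horse battery"))  # True
    print(verify_password(new_rows[1]["password_hash"], "hunter3"))               # False
```

Two design points matter for a real migration: the salt is generated per record, so two users with the same password get different hashes and a stolen table cannot be attacked with one precomputed table; and the iteration count is stored in the record, so the work factor can be increased on the user's next login rather than by another bulk pass.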

Our investigation into this matter is ongoing. We have taken comprehensive steps to prevent an incident like this from occurring again.

We apologize for the inconvenience.

Author:

Shaun Walker

Shaun Walker is the former Co-Founder and CTO of DNN Corp. Shaun has 20 years professional experience in architecting and implementing large scale software solutions for private and public organizations. Shaun is the original creator of DNN, a Web Content Management System for ASP.NET which has spawned the largest and most successful Open Source community project native to the Microsoft platform. Based on his significant community contributions he has been recognized as a Microsoft Most Valuable Professional (MVP) since 2004 and an ASPInsider since 2005. He is a frequent speaker at User Groups and Conferences and is a contributing author to a number of books, including the Professional DotNetNuke 5 title from WROX Press. He also served as a founding Director for the Codeplex Foundation, a non-profit open source foundation created by Microsoft in 2009.
