Improving Security For Our Community

  • 2/3/2013

As you are probably already aware, there has been a recent increase in sophisticated cyber security attacks worldwide. Within the last two weeks, the New York Times, Wall Street Journal and Twitter have all documented breaches of their online systems.

Unfortunately, we also recently discovered that DotNetNuke Corporation's network infrastructure was breached by an unknown third party. The third party was able to obtain low level access to our servers, which means that there was the potential for private information to have leaked.

After thorough analysis of our server logs, we were able to determine that the original point of entry was through an insecure configuration in our Demo website environment. This Demo environment has since been decommissioned; however, in the past it was set up in a custom manner which allowed an untrusted website visitor to create a new portal and become the Administrator of that portal. Once the untrusted user was an Administrator, they were able to exploit a vulnerability which allowed them to upload a script file that gave them additional privileges, including the ability to browse the file system and access website user accounts.

* It is important to note that the DotNetNuke CMS product is NOT susceptible to this type of exploit by default; the vulnerability was exposed by a custom configuration we had implemented specifically in our Demo environment.

Since we do not store credit cards or other types of sensitive personal information in our infrastructure, information disclosure was limited. That being said, there was the potential that some user accounts were compromised. The information leakage for these user accounts could have included information such as username, email address, some limited demographic information, and potentially a user's password.

As a result, for precautionary reasons, we are suggesting all users who have registered on website properties managed by DotNetNuke Corporation change their passwords. Some security best practices when it comes to choosing passwords are outlined below:

  • Use a strong password (i.e. something at least 9 characters long with random capitalization, numbers, and punctuation)
  • Use different passwords for different online services
  • Change your passwords regularly
  • If you find it difficult to remember different passwords for different sites, use a web browser utility such as LastPass.com

As I mentioned above, the Demo environment has since been replaced with a more robust Trial environment built on top of Microsoft Windows Azure which provides superior security through physical isolation between websites. We have also taken additional precautions to harden our network infrastructure to ensure that a breach of this nature cannot occur in the future. This included migration of our website from encrypted passwords to hashed passwords, as well as the installation of a more robust intrusion detection system.
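The password-storage migration mentioned above is the one concrete hardening step the post names, so here is an added illustration (not DNN Corporation's code) of why it limits what an attacker who copies the user table can learn, and of how a site can migrate records lazily at each successful login. The "legacy" reversible scheme below is a constructed XOR stand-in, not a real cipher; the hashed side uses salted PBKDF2-HMAC-SHA256 from the Python standard library.

```python
import base64
import hashlib
import hmac
import os

# Constructed stand-in for a legacy reversible (encrypted) password store.
# It is NOT a real cipher; it only models the property that matters here:
# anyone who obtains the server-side key can recover every stored password.
LEGACY_KEY = b"constructed-server-key"

def legacy_encrypt(password: str) -> str:
    data = password.encode()
    xored = bytes(b ^ LEGACY_KEY[i % len(LEGACY_KEY)] for i, b in enumerate(data))
    return base64.b64encode(xored).decode()

def legacy_decrypt(blob: str) -> str:
    data = base64.b64decode(blob)
    return bytes(b ^ LEGACY_KEY[i % len(LEGACY_KEY)] for i, b in enumerate(data)).decode()

# One-way storage: a per-user random salt plus a slow PBKDF2 digest.  A copy
# of the table yields only salts and digests, never the password itself.
PBKDF2_ITERATIONS = 200_000

def hash_password(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())

def verify_hashed(password: str, stored: str) -> bool:
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)

def login_and_migrate(store: dict, username: str, password: str) -> bool:
    """Verify a login; on success, rewrite a legacy encrypted record as a hash."""
    record = store.get(username)
    if record is None:
        return False
    if record.startswith("pbkdf2$"):
        return verify_hashed(password, record)
    # Legacy record: decrypt to compare, then replace it so the plaintext is
    # no longer recoverable from a copy of the user table.
    if not hmac.compare_digest(legacy_decrypt(record).encode(), password.encode()):
        return False
    store[username] = hash_password(password)
    return True

def migrated_count(store: dict) -> int:
    """How many records have already been converted to the hashed format."""
    return sum(1 for v in store.values() if v.startswith("pbkdf2$"))
```

Records of users who never log in stay recoverable with the legacy key, which is why a lazy migration is usually paired with a forced password change such as the one requested above.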

Our investigation into this matter is ongoing. We have taken comprehensive steps to prevent an incident like this from occurring again.

We apologize for the inconvenience.

Author:

Shaun Walker

Shaun Walker (MVP, ASPInsider) is Co-Founder and CTO of DotNetNuke Corporation. Shaun has 18 years professional experience in architecting and implementing large scale software solutions for private and public organizations. Shaun is the original creator of DotNetNuke, a Web Content Management System for ASP.NET which has spawned the largest and most successful Open Source community project native to the Microsoft platform. Based on his significant community contributions he has been recognized as a Microsoft Most Valuable Professional (MVP) since 2004 and an ASPInsider since 2005. He is a frequent speaker at User Groups and Conferences and is a contributing author to a number of books, including the Professional DotNetNuke 5 title from WROX Press. He also served as a founding Director for the Codeplex Foundation, a non-profit open source foundation created by Microsoft in 2009.
