Tuesday, November 05, 2002

Security Update.

For those still wondering about the hacker incident from a week-1/2 ago, our investigation has uncovered new information, all of it reassuring. Immediately after the attack, we patched some potential vulnerabilities we discovered in our network and made some tweaks to our application that would make a similar attack extremely unlikely, if not impossible. And based on the evidence we had at the time, we thought it unlikely that the assailant did more than update information in the database—e.g., gained access to information, such as passwords, ftp logins, credit cards, etc. However, that was a best-guess at the time and we hadn't yet done a full-scale investigation. Based on our newest discoveries about how the attack was perpetrated, we can much more assuredly rule out the possibility that sensitive information was gathered.

There was the window, of course, during when the site was still up and the passwords were changed (about 7-9 am), during which, if someone was aware of this, and wanted to target you directly, and knew your username, they could have logged in as you. This is bad, of course, but still highly unlikely for almost all users (that no one targeted me, with probably an extremely easy-to-guess username and access to the Blogger home page, among other things, is a strong indication of that).

I don't want to trivialize it. We take all security threats, let alone incidents, extremely seriously. But the real damage of this attack, despite the attention it got, was pretty minimal. And, of course, it has resulted in us being even more security-aware. We have tightened up our code and configurations to further limit the chances of a more serious attack in the future.

Thank you for your understanding.