The anatomy of a security breach, and how to do good in a bad situation

Categorized under:

, ,
Photo of author
Written By Brian Krogsgard

9 thoughts on “The anatomy of a security breach, and how to do good in a bad situation”

  1. It’s important to hold companies like this accountable for their security. iThemes has many problems beyond their use of plain-text passwords (which is the worst).

    I tried to post a comment on their blog which I’m sure won’t be approved. Full details here:

    Basically, their use HTTPS is terribly incomplete and not done properly at all.

  2. I’m sorry…did you say something after you said “stored in plaintext”.

    Now I don’t know anything about security but I do know you never store passwords in plain text. How is it I know that and they don’t? Or maybe they do but decided to say “screw it”.

    Now here’s another thing. I’m an themes customer. I specifically paid for two plugins that I can us on all client sites. Backupbuddy and ithemes Secruity Pro. Now I’ve got to wonder if theme security pro actually does anything. How can I know?

  3. I’m all for the WordPress community supporting each other.. however..

    At the end of the day, iThemes have been negligent and breached their duty of care to customers.

    If someone built a site for a client with such a major fault, they’d be sued and likely bankrupted for their negligence.

    I agree with Scott. It’s pretty unbelievable that people are using words like “honesty” and “transparency” – 6 years is a long time to know about this.

    The extreme irony about them selling a professional security plugin is a bit too much.

    I will still use iThemes and hope this event both gives them the unpleasant reminder to get their act together, and for other companies who may have that legacy system floating around still to get it sorted NOW.

  4. Thanks for putting this in context, Brian. Incidentally, Gmail suddenly flagged this post in your newsletter as containing content that is usually considered suspicious — odd, eh?

    Miller did admit and accept a lot more blame than others in his position have in the past, so we’re spared the dance of denial, but what else could he do? He didn’t quite come out and say this was the result of a fully conscious choice to keep doing business so long with a system he knew was bad for customers and bad for his business. He didn’t say this bit of kicking the can down the road was rationalized through denial and “what they don’t know won’t hurt them,” or “we’ll get to it,” and “what are the chances?” The fact is they got comfortable with the unconscionable.

    We can’t count on others’ good sense or ethics; there needs to be vigilance, and a permanent record, and people calling a spade a spade to do the work of “afflicting the comfortable.”

  5. “Simply put, it’s inexcusable to put users into long term risk”
    – wow, you can say that again. But perhaps with the additional superlative ‘absolutely’ before the word ‘inexcusable’… I sincerely hope some of the other WP-related companies, should they have similar security holes festering, fix them RIGHT NOW!

  6. [cynical thoughts]
    Here’s what I’ve learned.

    Transparency (admittance of mistakes) and common decency (public disclosure) is all one needs to win back trust, even when you’ve been negligent (not doing anything about a big security concern you know exists). Better yet, control the narrative by reporting before anyone does, because that would look a whole lot worse.
    [/cynical thoughts]

    • Its a bit more complicated then just “negligence”, I think. A key piece of iTheme’s business infrastructure, which they were planning on migrating/updating from if I understand their communications correctly, was vulnerable and attacked. It’s a real shame the passwords were stored in plain text but apparently that vulnerable business system used to only do plaintext passwords until 2011. So if you started a business in 2008 and you’re busy trying to make money and build up your company, its easy to see how these business systems get pushed to the back as far as time and resources go because they don’t directly make the money the business needs to survive and grow.

      I think what this episode really illustrates is to make sure your business infrastructure is easy to replace if needed and to make sure to invest a portion of your business time and resources in updating and maintaining your business infrastructure.

  7. That is the definition of negligence. Maybe the original decision to use aMember was made without due diligence, and iThemes didn’t realize the security problem. Later, once the security issue was known, the decision not to rectify it with reasonable haste looks willfully negligent, especially since they modified aMember so extensively they had no upgrade path, but these modifications did not include a method of storing passwords securely.

    I am surprised this record was laid out so clearly by Miller, because these are the facts and timeline that would make up the argument for anyone suing for damages. Openness is not usually rewarded after mistakes have blown up in your face. Where openness may have mattered most is in the original software. aMember is a proprietary application; I wonder how much that fact might have played into its prolonged insecurity.

  8. I agree with Brian. Accepting the mistake and having a courage to own it might not suddenly solve the issue, but at least it might create a soft corner of ithemes among customers.

    Shit happens. The only lesson I learned from this post is, Be Safe, Be Ready and Don’t be relaxed if nothing happened to you.

Comments are closed.

A2 Hosting