During the last week we had two major failed attempts to hack ocPortal.com.
The first was a bot attack using many different hack patterns, with multiple attempts per second sustained over roughly an hour. The hack-attack detection system flagged up these attacks well and correctly banned the offending machines.
The second was a "script kiddie" attack that successfully defaced the demo system, but nothing beyond that. It was caused by an error in the restrictions of our demo system, in an area that we had not considered. This has now been corrected on a number of levels. The attack was intentional and sustained, and to be quite frank caused serious concern for us and consumed significant staff time.
A warning to would-be hackers: we do reserve the right to pursue legal action against anyone involved in attacks against us. We welcome knowledge of how we can improve our security, but the correct thing to do is to work with us, not attack us. We will give credit to people who point out mistakes we have made (and we do make them and learn from them!), so long as it is done in a courteous and professional manner.
In both cases we had to carefully check to ensure there were no hidden breaches, for example placed backdoors or cracked passwords.
These kinds of events do prompt thought. What if ocPortal.com had been breached? If we had made bigger mistakes, or come across a better hacker, it is conceivable we could be, and we have to think how we could better prepare for that.
We have therefore put a number of measures in place to mitigate the effect of such a possibility, should it ever happen.
- We have written new intrusion-detection systems for ocPortal.com, to detect things such as backdoors that could have been placed. The main thing we want to do here is quickly and automatically detect if a hacker has ever put a virus into our downloadable code.
- We will now try to automatically garble passwords posted in support tickets or private topics after 60 days. Our written policy has always been that users should only grant temporary access, but often high-level permanent access is provided to us instead. We will therefore now automatically garble this as far as we can. Our algorithm isn't perfect: there will be cases where it garbles things that are not passwords, or misses some passwords, but it is fairly accurate.
- Various internal policy changes have been enacted to better protect our off-server password records and lock down account access, in case any of our non-website systems were breached.
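The first measure above (detecting tampering with downloadable code) is essentially file-integrity monitoring: record a baseline of cryptographic hashes for every file offered for download, then periodically re-hash the live directory and raise an alarm on anything added, removed or modified. The following is an added illustration of that idea, not ocPortal's own intrusion-detection code; the directory layout and file contents are constructed for the demonstration, and the baseline is assumed to be stored somewhere the web server cannot write to.

```python
"""Added example: file-integrity check for a directory of downloadable files.

Not ocPortal's code. Assumes the baseline manifest is kept off-server (or
otherwise out of reach of a web-facing account), since a tampered baseline
would hide tampered files.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=65536):
    """Return the hex SHA-256 digest of a file, streamed in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under `root` (relative POSIX-style path) to its digest."""
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare_manifests(baseline, current):
    """Return files that appeared, vanished or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in baseline if p in current and baseline[p] != current[p]
        ),
    }


def demo():
    """Constructed scenario: baseline a release tree, alter it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sources"))
        with open(os.path.join(root, "sources", "index.php"), "w") as fh:
            fh.write("<?php echo 'hello'; ?>\n")
        with open(os.path.join(root, "README.txt"), "w") as fh:
            fh.write("release notes\n")
        baseline = build_manifest(root)  # would normally be saved off-server

        # Constructed changes: one shipped file altered, one unexpected file added.
        with open(os.path.join(root, "sources", "index.php"), "a") as fh:
            fh.write("// extra line\n")
        with open(os.path.join(root, "sources", "extra.php"), "w") as fh:
            fh.write("<?php ?>\n")

        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    # Expected: extra.php reported as added, index.php as modified.
    print(demo())
```

In practice the baseline would be regenerated only as part of a trusted release step, and the comparison run from a cron job or a separate host; any non-empty `added`, `removed` or `modified` list is the alert condition, and the hashes of the download files can also be published so users can verify what they fetched.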
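The second measure (garbling passwords posted in support tickets once they are 60 days old) can be approximated with a pattern-based redaction keyed on an age threshold. This is an added example, not ocPortal's actual garbling algorithm; the label list, the fixed `[garbled]` mask and the sample ticket text are all constructed here, and, as the post itself notes for its own algorithm, a pattern like this will have both false positives and misses.

```python
"""Added example: age-gated redaction of password-like values in ticket text.

Not ocPortal's code. The label list is a constructed guess at how people
write credentials in support tickets; tune it to the real corpus.
"""
import re
from datetime import datetime, timedelta, timezone

# Words that commonly precede a credential in support text (constructed list).
_LABELS = r"(?:password|passwd|pass|pwd|db_password|ftp pass(?:word)?)"

# label, separator (":", "=" or the word "is"), then the secret: a quoted
# string or a run of non-whitespace characters.
_CRED_RE = re.compile(
    rf"(?P<label>\b{_LABELS}\b\s*(?:[:=]|\bis\b)\s*)"
    r"(?P<secret>\"[^\"]*\"|'[^']*'|\S+)",
    re.IGNORECASE,
)

RETENTION = timedelta(days=60)  # the 60-day window from the post
MASK = "[garbled]"  # fixed length, so the original length is not leaked


def garble_credentials(text):
    """Replace every value following a password-like label with MASK.

    Returns (new_text, number_of_replacements).
    """
    return _CRED_RE.subn(lambda m: m.group("label") + MASK, text)


def garble_if_stale(text, posted_at, now=None, retention=RETENTION):
    """Garble credentials only once the post is at least `retention` old.

    `posted_at` and `now` are timezone-aware datetimes.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    if now - posted_at < retention:
        return text, 0  # still within the window: leave the text alone
    return garble_credentials(text)


if __name__ == "__main__":
    # Constructed ticket text, not a real credential.
    sample = "Admin user: webmaster\npassword: Tr0ub4dor&3\nftp pass = hunter2\n"
    posted = datetime(2011, 1, 1, tzinfo=timezone.utc)
    print(garble_if_stale(sample, posted, now=posted + timedelta(days=61)))
```

The age gate matters as much as the pattern: running the redaction on every save would break the support workflow the post describes (staff genuinely need the credential while the ticket is live), so the job runs over old posts only, and the masked value is stored back in place of the original rather than merely hidden in the display layer.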
This news post is intentionally vague because we don't want to create a roadmap for potential hackers. However, I felt it necessary to do a proper disclosure on all this. We cannot perfectly protect against hackers, but we can put in place policies and systems to reduce the chance of getting hacked and reduce the cost should it happen.
Another warning to hackers: this announcement is not an advertisement inviting hackers to try to find new weaknesses in our systems. We welcome hackers who act professionally to bring issues to us, but we don't welcome our own internal systems being probed deeply without advance notice and permission. Don't mistake our advertisement of the kind of security features we build into ocPortal as any kind of arrogance on our part, or as a contest for you: it is a sincere attempt to make things as secure as we can for our users with the resources that we and they have. You will never see us make the mistake of advertising ocPortal as 100% secure, because no system ever is.