Simple Auctions Hacked Again

[sbfinley]

Quote:

Originally Posted by BRoberts

How has Bob Freedman never made a public post on this board regarding whether the thousands of people registered with the auction websites on his platform had their personal information compromised by the first "hackers" weeks ago? He finds time to post his memorabilia pickups but can't address this issue?

Stolen data briefing laws are almost universal now in all 50 states. I would venture to guess anyone who would have had personal data breached will be notified. Yeah it sucks not knowing (I’m probably registered at 20 SSA affiliated sites) but:

A) Most data breach notifications go out months after the initial attack, when the full scope of data stolen is accounted for.

B) If any data was stolen, by law the effected parties will be alerted.

C) They were probably advised not to discuss it until the above notices are posted.

[Exhibitman]

I hear they will be up and running again on Monday...

[mantlefan]

How many times does this have to happen until Auction houses start using another company? (Create Auctions) SA should have implemented security patches after the last attack.

[bnorth]

Quote:

Originally Posted by mantlefan

How many times does this have to happen until Auction houses start using another company? SA should have done a better job of protecting their data.

As long as customers keep bidding and the AHs make $ it will never change. We as collectors seem to turn a blind eye to a LOT of stuff.

[Peter_Spaeth]

Quote:

Originally Posted by mantlefan

How many times does this have to happen until Auction houses start using another company? (Create Auctions) SA should have implemented security patches after the last attack.

Has any auction changed companies since SA started having these problems or are they all just staying the course despite all the issues?

[prewarsports]

We switched about four years ago from SA to Create.

[Shoeless Moe]

Day 3


and still nothing.


getting annoying.

[bobbyw8469]

Seriously...this is ridiculous.

[Mark17]

Hopefully, after the ransom was paid and the hackers helped the sites come back up, there was a thorough analysis of all the code to be sure the hackers didn't leave any back doors, or redirect links.

I had won an auction with VSA and there was no way I was going to pay through their website - I went down and paid in person. Had they been too far away, I would've mailed a check. Even opening an invoice in .pdf format would make me nervous.

I think it is false security to assume that payment info is safe because it isn't collected or stored by the various AH. IF the hackers left spyware on the servers - and I'm not saying they did, but since they had control of the servers for several days (including that weekend they supposedly weren't working,) unless and until a full forensic analysis is performed and results made public, we don't really know what's going on.

[BRoberts]

Quote:

Originally Posted by sbfinley

Stolen data briefing laws are almost universal now in all 50 states. I would venture to guess anyone who would have had personal data breached will be notified. Yeah it sucks not knowing (I’m probably registered at 20 SSA affiliated sites) but:

A) Most data breach notifications go out months after the initial attack, when the full scope of data stolen is accounted for.

B) If any data was stolen, by law the effected parties will be alerted.

C) They were probably advised not to discuss it until the above notices are posted.

Let's hope Bob Freedman knows the laws.

[autograf]

My nonsports auction is with SSA. I have done three auctions a year for the last two years. 2021 is the third year. I'll do Feb, Jun and October this year. The hack hasn't caused me many problems other than I had to push my Jan auction back to Feb. It sounds easy to just hop over to another software but it is not quite that easy. All the historical data would have to be ported over somehow and you'd have to learn a completely new software for running your auctions. It may come to that at some point and I'm sure other SSA users are considering jumping ship, but, for now, I'm staying put. As for information gathered, other than address and phone number which is important, my site doesn't collect any payment info--only paid through the PayPal API or via check/money order. And passwords are not visible to me through the software. I hope that's the case as, like most of you all, I'm registered with a number of SSA sites too. Last word I got was that the sites would be back up this afternoon.

[MCyganik]

I'm curious how these things work behind the scenes because for the layman like myself it sounds like a bad movie.

Auction Server gets taken hostage. Hacker claims responsibility, supposedly doesn't want info from the hostage, just wants money to release the hostage.

Server CEO has long-time IT experience, hires firm that specializes in internet hostage situations. "Never negotiate with terrorists!" customers say. They begin negotiating with the hackers.

Server CEO and hostage firm negotiate a settlement to release the hostage. "It's okay," they say, "in most situations the hacker just wants a lump sum and they'll go away".

The hacker releases the hostage. The Auction Server needs time to recuperate from the trauma but otherwise is intact and well-functioning. After a few days, life moves on.

3 Weeks Later

Auction Server is missing. Who is to blame?

[SWinn]

Quote:

Originally Posted by MCyganik

I'm curious how these things work behind the scenes because for the layman like myself it sounds like a bad movie.

Auction Server gets taken hostage. Hacker claims responsibility, supposedly doesn't want info from the hostage, just wants money to release the hostage.

Server CEO has long-time IT experience, hires firm that specializes in internet hostage situations. "Never negotiate with terrorists!" customers say. They begin negotiating with the hackers.

Server CEO and hostage firm negotiate a settlement to release the hostage. "It's okay," they say, "in most situations the hacker just wants a lump sum and they'll go away".

The hacker releases the hostage. The Auction Server needs time to recuperate from the trauma but otherwise is intact and well-functioning. After a few days, life moves on.

3 Weeks Later

Auction Server is missing. Who is to blame?

In my experience, it boils down to more common sense than IT experience. I know guys who have been in the industry for years but everything always, and I mean always, seems to fall apart (for some strange reason lol). If you're routinely getting attacked by ransomware I would be running like crazy in the other direction (as a customer).

There are many auction platforms out there. I come across them all the time in my own work. Many people opt for fully managed solutions because they don't want the IT headache on top of the logistics, understandably. It's a lot to manage.

But sometimes the best route is DIY for reasons like this. Hopefully the light is seen and all works out well.

[bobfreedman]

Board members, we were hacked once again however after the first hack, SpearTip was hired and prevented a second attempted attack Sunday Morning. A decision was made to take the servers offline and do a through check to determine how they were able to penetrate our servers (although no encryption nor data loss occurred). We have estimated that there was a Trojan Horse installed on the first hack. We decided to take everything offline and rebuild our environment and harden the security even more.

The decision was also made to install redundant security measures to prevent future attacks. This is why the servers of all our clients utilizing our software have been down. These additional layers of security have now been implemented, the servers are being tested and should be ready to be back online tonight.

We have gone through great expense to prevent the this again and we are being very proactive in hiring additional staff and hiring SpearTip on a full time basis. This has been a very trying time as you can imagine and I appreciate our customers loyalty and hope that we can once again provide you the level service you are accustomed too. Thank you

Also, from the first hack, a complete forensic analysis was done and determined that no data loss occurred

Bob Freedman

[RedsFan1941]

Quote:

Originally Posted by bobfreedman

We have estimated that there was a Trojan Horse installed on the first hack.

Also, from the first hack, a complete forensic analysis was done and determined that no data loss occurred

Bob Freedman

your people did a forensic analysis after the first hack and determined no data loss but somehow during this analysis a trojan horse was missed?

[UKCardGuy]

Quote:

Originally Posted by bobfreedman

Also, from the first hack, a complete forensic analysis was done and determined that no data loss occurred

No data loss occurred isn't the same as a secure environment. To me, "No data loss occurred" means that all the data was unencrypted and the records were restored.. Was the forensic analysis performed on just the data integrity or the entire environment?

Based on the fact that a trojan horse had been left, I'm guessing it was the former. That's extremely disappointing. I'd have expected the full security implications to have been considered after the first hack. At best, the approach seems very naive.

If someone takes over my house, changes the locks and demands a ransom for the new keys - I wouldn't simply trust that they didn't make copies of the keys or sabatoge other entrances.