BreachExchange mailing list archives

Forbes hack throws cold water on its platform dreams


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 25 Feb 2014 19:24:12 -0700

http://digiday.com/publishers/forbes-hack-undermines-platform-ambitions/

Forbes wants to be a tech company, and hackers are treating it like one.

On Saturday, Forbes confirmed that the Syrian Electronic Army (SEA) had
compromised its content management system, nabbing the login details for
over a million Forbes users -- including reporters, editors and network
contributors.

"The email address for anyone registered with Forbes.com has been exposed.
Please be wary of emails that purport to come from Forbes, as the list of
email addresses may be used in phishing attacks," Forbes wrote in a notice
posted to its homepage.

After making off with the data, the SEA then released it online, exposing
usernames and encrypted passwords to the entire Web.

While hacks like this one are common these days -- the SEA also recently
took down The New York Times -- the latest hack at Forbes raises some big
questions about whether Forbes can actually follow through on its ambition
to not only build out its contributor platform but also license its
underlying CMS to other companies.

The hack also exposed one of the biggest issues with how Forbes is
approaching its platform technology. Like many publisher sites today,
Forbes built its CMS on top of WordPress. While this gives Forbes a lot of
customization options, it also exposes the site to countless security
holes, especially from third-party plugins and themes.

Forbes did not comment to Digiday about the hack. But Forbes chief product
officer Lewis DVorkin wrote in a post on Tuesday that the attack was one of
the "challenges and risks associated with a platform that supports a
distributed workforce using a distributed set of tools in a social news
environment."

In other words, Forbes has realized what many tech companies intuitively
understand from the start: The more users and third-party features you
plug into your system, the more vulnerabilities you expose yourself to.

What's especially bad for Forbes is that the hack also disrupted the
ability for contributors to post autonomously. Instead, contributors who
want to get posts up on the site first have to email them to the Forbes
editors in charge of publishing. ("Our loyal contributors eagerly
participated in the makeshift process," DVorkin wrote.)

Considering that Forbes's business model is centered around posting as many
articles as possible and selling ads off of them, a lower number of posts
is clearly bad news.

All of this is actually worse if you believe security researcher Graham
Cluley, who said that the attack that hit Forbes wasn't particularly
sophisticated.

"There's no doubt that if Forbes had had tougher security in place (for
instance, two-factor authentication), they could have helped prevent the
hackers from gaining access to their systems and stealing the user
information," he said by email.

Cluley went on: "There have been so many media organisations hacked by the
SEA in recent months that there really is no excuse for such firms not to
have better trained their staff to be on the lookout for the kinds of
social engineering and phishing attacks that the SEA typically employ."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com