JRR shop info etc

VST, AU, AAX, CLAP, etc. Plugin Virtual Instruments Discussion

Post

chk071 wrote: Sun Oct 04, 2020 6:11 pm
husker37 wrote: Sun Oct 04, 2020 5:33 pm
chk071 wrote: Sun Oct 04, 2020 5:28 pm Again, though, there's nothing you can do with a name, an address, and an email address.
This is where you are incorrect, but that is OK.
Basically, what you are saying is that all that's needed for identity theft is an email to someone.
No, please read my post above. Though email theft is the primary reason for the deluge of spam email in the world.

Seriously, not trying to argue (I don't really get into internet arguments - nothing is to be gained). I see you have a long posting history here, so you know quite a bit. I am the opposite here - I'm just a hobbyist, but information and IT security is my profession, and something that I am passionate about.

Post

Don't get me wrong, it's bad IF (and that's a big if, because, we don't know) such data was leaked from the site. I just don't see the "identity theft" though. Unless getting spam emails is already some kind of identity theft for you.

Identity theft for me is when someone snatches your login credentials, buys stuff with your Paypal account, stuff like that. All the data we are talking about here is available for anyone willing to put some more work into finding stuff out about you. That's just not comparable. (Hell... I know all these things about everyone I ever dealt with in the Sell & Buy forum here. I even have their Paypal addresses.)

Again, IF data has leaked. Which we don't know. So, everything we talk about here is purely speculative, and the fear about it is based on speculations as well.

Post

machinesworking wrote: Sun Oct 04, 2020 5:35 pm
Uncle E wrote: Sun Oct 04, 2020 12:26 pm Hi everyone, we are back now. We are still doing testing so please alert me if you see anything unusual.
Website still down. Seattle USA
Sorry, can you try clearing your cache and cookies? I appreciate any feedback you can provide to me.

Post

Working fine here since yesterday (Germany).
Intel® Core™ i9-9900K•Cubase 11•Presonus Eris E8 XT•Focusrite Scarlett 18i20 & Octopre•NI Kontrol S61 MK2•Stein­berg CC121•Synthesizers: Arturia Casio Korg Roland Yamaha

Post

husker37 wrote: Sun Oct 04, 2020 6:18 pm information and IT security is my profession, and something that I am passionate about.
Someone was able to modify our main web page and insert a small piece of code that redirected the users to the other site. They accessed the web page through Magento Connect, which is the extension downloader for Magento (our eCommerce platform), and did not have access to our server or database. Our checkout page was not modified at all and there is no evidence that they gained access to anyone's personal information, and the vulnerability that allowed them to gain that access has been closed. In addition, I had disabled our servers as soon as I found out about the issue, after which point there was no data available for them to access.

This was our only security breach in 22 years that I know of. A few weeks ago, we replaced our previous backup system with an RDS automatic backup and had to shut the site down for a few days. In July, the connection to our database got corrupted and it was not a security issue. In 2018, we lost some data when we were upgrading our servers. In 2012, we upgraded from OScommerce to Magento and were not able to import the old orders (we kept OScommerce accessible for about 3 years in case anyone needed their old orders and we still have them stored securely on a local server). In between these times, we have had instances of the site slowing down or becoming inaccessible due to high traffic.

Please let me know if there is anything else you would like me to address. Any criticism is completely fair and I appreciate you and everyone else for being so understanding about it. IT security is not my profession and I welcome all input.

Post

It's back up for me Eric.
Thanks
rsp
sound sculptist

Post

Uncle E wrote: Sun Oct 04, 2020 7:18 pm
machinesworking wrote: Sun Oct 04, 2020 5:35 pm
Uncle E wrote: Sun Oct 04, 2020 12:26 pm Hi everyone, we are back now. We are still doing testing so please alert me if you see anything unusual.
Website still down. Seattle USA
Sorry, can you try clearing your cache and cookies? I appreciate any feedback you can provide to me.
no dice, still failed to connect to server

Post

Uncle E wrote: Sun Oct 04, 2020 7:18 pm
machinesworking wrote: Sun Oct 04, 2020 5:35 pm
Uncle E wrote: Sun Oct 04, 2020 12:26 pm Hi everyone, we are back now. We are still doing testing so please alert me if you see anything unusual.
Website still down. Seattle USA
Sorry, can you try clearing your cache and cookies? I appreciate any feedback you can provide to me.
There has been an error processing your request
SQLSTATE[HY000]: General error: 1205 Lock wait timeout exceeded; try restarting transaction, query was: INSERT INTO `log_visitor` (`session_id`, `first_visit_at`, `last_visit_at`, `last_url_id`, `store_id`) VALUES (?, ?, ?, ?, ?)

Trace:
#0 /vhosts/com_jrrshop/httpdocs/lib/Varien/Db/Statement/Pdo/Mysql.php(110): Zend_Db_Statement_Pdo->_execute(Array)
#1 /vhosts/com_jrrshop/httpdocs/app/code/core/Zend/Db/Statement.php(291): Varien_Db_Statement_Pdo_Mysql->_execute(Array)
#2 /vhosts/com_jrrshop/httpdocs/lib/Zend/Db/Adapter/Abstract.php(480): Zend_Db_Statement->execute(Array)
#3 /vhosts/com_jrrshop/httpdocs/lib/Zend/Db/Adapter/Pdo/Abstract.php(238): Zend_Db_Adapter_Abstract->query('INSERT INTO `lo...', Array)
#4 /vhosts/com_jrrshop/httpdocs/lib/Varien/Db/Adapter/Pdo/Mysql.php(428): Zend_Db_Adapter_Pdo_Abstract->query('INSERT INTO `lo...', Array)
#5 /vhosts/com_jrrshop/httpdocs/lib/Zend/Db/Adapter/Abstract.php(576): Varien_Db_Adapter_Pdo_Mysql->query('INSERT INTO `lo...', Array)
#6 /vhosts/com_jrrshop/httpdocs/app/code/core/Mage/Core/Model/Resource/Db/Abstract.php(453): Zend_Db_Adapter_Abstract->insert('log_visitor', Array)
#7 /vhosts/com_jrrshop/httpdocs/app/code/core/Mage/Core/Model/Abstract.php(318): Mage_Core_Model_Resource_Db_Abstract->save(Object(Mage_Log_Model_Visitor))
#8 /vhosts/com_jrrshop/httpdocs/app/code/core/Mage/Log/Model/Visitor.php(168): Mage_Core_Model_Abstract->save()
#9 /vhosts/com_jrrshop/httpdocs/app/code/core/Mage/Core/Model/App.php(1339): Mage_Log_Model_Visitor->initByRequest(Object(Varien_Event_Observer))
#10 /vhosts/com_jrrshop/httpdocs/app/code/core/Mage/Core/Model/App.php(1318): Mage_Core_Model_App->_callObserverMethod(Object(Mage_Log_Model_Visitor), 'initByRequest', Object(Varien_Event_Observer))
#11 /vhosts/com_jrrshop/httpdocs/app/Mage.php(448): Mage_Core_Model_App->dispatchEvent('controller_acti...', Array)
#12 /vhosts/com_jrrshop/httpdocs/app/code/core/Mage/Core/Controller/Varien/Action.php(527): Mage::dispatchEvent('controller_acti...', Array)
#13 /vhosts/com_jrrshop/httpdocs/app/code/core/Mage/Core/Controller/Front/Action.php(69): Mage_Core_Controller_Varien_Action->preDispatch()
#14 /vhosts/com_jrrshop/httpdocs/app/code/core/Mage/Core/Controller/Varien/Action.php(407): Mage_Core_Controller_Front_Action->preDispatch()
#15 /vhosts/com_jrrshop/httpdocs/app/code/core/Mage/Core/Controller/Varien/Router/Standard.php(254): Mage_Core_Controller_Varien_Action->dispatch('index')
#16 /vhosts/com_jrrshop/httpdocs/app/code/core/Mage/Core/Controller/Varien/Front.php(172): Mage_Core_Controller_Varien_Router_Standard->match(Object(Mage_Core_Controller_Request_Http))
#17 /vhosts/com_jrrshop/httpdocs/app/code/core/Mage/Core/Model/App.php(354): Mage_Core_Controller_Varien_Front->dispatch()
#18 /vhosts/com_jrrshop/httpdocs/app/Mage.php(683): Mage_Core_Model_App->run(Array)
#19 /vhosts/com_jrrshop/httpdocs/index.php(105): Mage::run('base_jrr', 'website')
#20 {main}

Error log record number: 347606979891

Post

Thank you for telling me. Please try now:

www.jrrshop.com

Post

Working fine here in Tampa, FL, Eric. I was able to log in to my account quickly, and move around the site with no issues.

Steve
Here's some of my stuff: https://soundcloud.com/shadowsoflife. If you hear something you like, I'm looking for collaborators.

Post

Uncle E wrote: Sun Oct 04, 2020 8:10 pm
husker37 wrote: Sun Oct 04, 2020 6:18 pm information and IT security is my profession, and something that I am passionate about.
Someone was able to modify our main web page and insert a small piece of code that redirected the users to the other site. They accessed the web page through Magento Connect, which is the extension downloader for Magento (our eCommerce platform), and did not have access to our server or database. Our checkout page was not modified at all and there is no evidence that they gained access to anyone's personal information, and the vulnerability that allowed them to gain that access has been closed. In addition, I had disabled our servers as soon as I found out about the issue, after which point there was no data available for them to access.

This was our only security breach in 22 years that I know of. A few weeks ago, we replaced our previous backup system with an RDS automatic backup and had to shut the site down for a few days. In July, the connection to our database got corrupted and it was not a security issue. In 2018, we lost some data when we were upgrading our servers. In 2012, we upgraded from OScommerce to Magento and were not able to import the old orders (we kept OScommerce accessible for about 3 years in case anyone needed their old orders and we still have them stored securely on a local server). In between these times, we have had instances of the site slowing down or becoming inaccessible due to high traffic.

Please let me know if there is anything else you would like me to address. Any criticism is completely fair and I appreciate you and everyone else for being so understanding about it. IT security is not my profession and I welcome all input.
Uncle E wrote: Sat Jul 18, 2020 6:48 am
paterpeter wrote: Sat Jul 18, 2020 6:10 am It's just a security thing. Knowing the inner structure of a system makes most attacks much easier. As I am a customer with jrr, I want my data to be safe.
Yes, you are completely correct in being concerned and I have not properly addressed this. There was no security breach and the site was not hacked. It appears that an extension we were using stopped functioning in June and that our site was basically hanging on by a thread. Then on July 7, when our site was being bombarded by people looking for Studio One 5, it was too much traffic and the database crashed.

There were many, MANY things that myself and a few others on the JRR staff could have done better but this was not caused by anyone with malicious intent.
But this sounds like a security breach after all? Or do I understand it wrong?

Post

Uncle E - you might want to ask your web developer/s to switch off showing errors on your production website. A simple 'An error occurred' will suffice (or even a blank page at a pinch). Giving full stack traces, as it currently does, amounts to giving away internal info which is only of use to someone who wants to compromise your website. It should automatically be logging errors to the server's /logs folder anyway (for you and the web devs to check), regardless of whether it shows them to the website visitor too.

There's nothing worse than a temperamental website, I hope you get it fixed soon. Good luck!
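The split that post is asking for, full detail in a server-side log and only a generic message plus a record id for the visitor, looks like this in plain PHP. This is an added example, not code from JRR, the poster or Magento; the log path, the production flag and the function names are assumptions, and the final `throw` is a constructed failure standing in for the database error quoted in the thread.

```php
<?php
// Added example (not JRR's or Magento's code): a front-controller bootstrap that
// keeps full exception details in a server-side log and shows visitors only a
// generic message plus a correlation id. Paths and flag values are assumptions.
declare(strict_types=1);

const ERROR_LOG_PATH = '/var/log/shop/exception.log'; // assumed path, outside the web root
const IS_PRODUCTION  = true;                           // assumed deployment flag

// 1. Never let PHP itself print errors or traces into the response body.
ini_set('display_errors', IS_PRODUCTION ? '0' : '1');
ini_set('display_startup_errors', IS_PRODUCTION ? '0' : '1');
ini_set('log_errors', '1');
ini_set('error_log', ERROR_LOG_PATH);
error_reporting(E_ALL);

// 2. Turn PHP warnings/notices into exceptions so a single handler sees everything.
set_error_handler(function (int $severity, string $message, string $file, int $line): bool {
    if (!(error_reporting() & $severity)) {
        return false; // suppressed by the @ operator or error_reporting(); let PHP continue
    }
    throw new ErrorException($message, 0, $severity, $file, $line);
});

/**
 * Write the full exception (class, message, file, line, trace) to the server-side
 * log and return the short record id that is safe to show to the visitor.
 */
function logExceptionRecord(Throwable $e, string $logPath = ERROR_LOG_PATH): string
{
    $recordId = bin2hex(random_bytes(8));
    $record = sprintf(
        "[%s] id=%s %s: %s in %s:%d\n%s\n",
        date('c'),
        $recordId,
        get_class($e),
        $e->getMessage(),
        $e->getFile(),
        $e->getLine(),
        $e->getTraceAsString()
    );
    // FILE_APPEND | LOCK_EX: append without interleaving concurrent writers.
    file_put_contents($logPath, $record, FILE_APPEND | LOCK_EX);
    return $recordId;
}

/**
 * Build the body the visitor sees. In production only the record id is revealed;
 * SQL text, file paths and class names stay in the log where staff can look them up.
 */
function renderErrorPage(string $recordId, bool $production = IS_PRODUCTION, ?Throwable $e = null): string
{
    if ($production || $e === null) {
        return "<h1>There has been an error processing your request</h1>\n"
             . "<p>Error log record number: " . htmlspecialchars($recordId, ENT_QUOTES) . "</p>\n";
    }
    // Development only: the trace is HTML-escaped so it cannot inject markup.
    return "<pre>" . htmlspecialchars((string) $e, ENT_QUOTES) . "</pre>\n";
}

// 3. Last-resort handler for anything the application did not catch itself.
set_exception_handler(function (Throwable $e): void {
    $recordId = logExceptionRecord($e);
    if (!headers_sent()) {
        http_response_code(500);
        header('Content-Type: text/html; charset=utf-8');
    }
    echo renderErrorPage($recordId, IS_PRODUCTION, $e);
});

// Constructed failure for demonstration; no database is touched here.
throw new RuntimeException('SQLSTATE[HY000]: General error: 1205 Lock wait timeout exceeded');
```

Run with `php bootstrap.php` (any file name) and the terminal shows only the heading and the record number, while the matching line with the full trace lands in the log file; flipping `IS_PRODUCTION` to `false` restores the trace for a development box. The record id is the piece that lets a visitor report a problem without the page having to say anything about the database or the file layout.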

Post

SoundHunterrr wrote: Mon Oct 05, 2020 8:20 am
Uncle E wrote: Sun Oct 04, 2020 8:10 pm Someone was able to modify our main web page and insert a small piece of code that redirected the users to the other site. [...], and did not have access to our server or database.
[...]there is no evidence that they gained access to anyone's personal information, and the vulnerability that allowed them to gain that access has been closed. In addition, I had disabled our servers as soon as I found out about the issue, after which point there was no data available for them to access.

This was our only security breach in 22 years that I know of.
But this sounds like a security breach after all? Or do I understand it wrong?
No, you don't.
That's what Uncle E admits too but he draws some wrong conclusions.

Maybe there were more breaches. Noticing only this one doesn't mean that there weren't any others.
Not noticing that someone gained access to personal information doesn't say it didn't happen.
Disabling a server when you notice a breach is too late. The damage is already done.

Besides the problems in the summer, it's now a continuous crash-fest of problems with publicly shown errors. It would be better if one brought in a more experienced web developer and didn't discuss the errors and problems on a public forum. I suggest removing the posts with error messages.

Post

Uncle E wrote: Sun Oct 04, 2020 8:10 pm
husker37 wrote: Sun Oct 04, 2020 6:18 pm information and IT security is my profession, and something that I am passionate about.
Someone was able to modify our main web page and insert a small piece of code that redirected the users to the other site. They accessed the web page through Magento Connect, which is the extension downloader for Magento (our eCommerce platform), and did not have access to our server or database. Our checkout page was not modified at all and there is no evidence that they gained access to anyone's personal information, and the vulnerability that allowed them to gain that access has been closed. In addition, I had disabled our servers as soon as I found out about the issue, after which point there was no data available for them to access.

This was our only security breach in 22 years that I know of. A few weeks ago, we replaced our previous backup system with an RDS automatic backup and had to shut the site down for a few days. In July, the connection to our database got corrupted and it was not a security issue. In 2018, we lost some data when we were upgrading our servers. In 2012, we upgraded from OScommerce to Magento and were not able to import the old orders (we kept OScommerce accessible for about 3 years in case anyone needed their old orders and we still have them stored securely on a local server). In between these times, we have had instances of the site slowing down or becoming inaccessible due to high traffic.

Please let me know if there is anything else you would like me to address. Any criticism is completely fair and I appreciate you and everyone else for being so understanding about it. IT security is not my profession and I welcome all input.
Very good news!

Post

I assume the damage is already more expensive than the cost of professional web development and administration. On the other hand, it's hard to justify expenses for cyber security, which don't pay off immediately and cannot be measured easily. Everyone can tell you that the server is secure, but sadly, you will only notice if it's not true...
