Alright, let me vent about the VerticalScope data breach statement for a minute. In the "What the hell are we even doing" section, the page states:
We are in the process of implementing additional safeguards to detect, alert and mitigate any future brute force attempts...
... indicating that the vulnerability exploited during the breach was a brute force attack. Is that how you guys read it as well?
If I were administering a large database of account info and it were brute forced, I could either:
A. implement account lockouts after n1 failed attempts to log in within n2 minutes, having the account lockout time out after n3 duration
B. after n4 lockouts with no successful login in the interim, disable the account and re-enable only after 2-factor auth
C. secure the database so that a compromised user doesn't have rights to pull the entire database
D. parameterized queries to prevent SQL injection attacks
E. secure the database server box with Fail2Ban and PPK authentication
F. A through E
or
G. increase user password complexity and expiration policies for every user, activating a level of intrusiveness not seen even with banks or hospitals, putting undue burden on the users with requirements that possibly wouldn't have stopped the February breach in the first place.
Yeah, let's go with G. Seems legit.
If I were admin on any forum using VerticalScope, I believe I'd be shopping for a different solution right about now. If I were VerticalScope, I believe I'd be shopping for a different admin right about now.
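As an added example (not code from the post above, and not VerticalScope's software), here is what the lockout scheme in options A and B looks like when written out, with the post's n1..n4 as policy knobs: n1 failures within an n2-second window locks the account for n3 seconds, and n4 consecutive lockouts with no successful login in between disables it until a second factor re-enables it. Every database access uses parameterized queries, as option D asks for. The table layout, the class and function names, and the injectable clock are assumptions made for the example; the password hashing is PBKDF2 from the standard library rather than anything the statement describes.

```python
"""Account lockout policy (options A and B from the post), backed by SQLite.

All names here (LockoutPolicy, AuthStore, the table layout) are made up for
this example; they do not come from the breach statement or from VerticalScope.
"""
import hashlib
import hmac
import os
import sqlite3
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    n1_failures: int = 5          # failed logins that trigger a lockout ...
    n2_window_s: int = 10 * 60    # ... when they fall inside this many seconds
    n3_lockout_s: int = 15 * 60   # how long a lockout lasts
    n4_lockouts: int = 3          # lockouts (no success in between) before disabling


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class AuthStore:
    """In-memory user store; `clock` is injectable so the policy can be tested."""

    def __init__(self, policy: LockoutPolicy, clock=time.time):
        self.policy = policy
        self.clock = clock
        self.db = sqlite3.connect(":memory:")
        self.db.executescript("""
            CREATE TABLE users (
                username     TEXT PRIMARY KEY,
                salt         BLOB NOT NULL,
                pw_hash      BLOB NOT NULL,
                locked_until REAL NOT NULL DEFAULT 0,
                lockouts     INTEGER NOT NULL DEFAULT 0,
                disabled     INTEGER NOT NULL DEFAULT 0);
            CREATE TABLE failures (username TEXT NOT NULL, at REAL NOT NULL);
        """)

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        # Parameterized query (option D): user input never reaches the SQL text.
        self.db.execute("INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
                        (username, salt, _hash_password(password, salt)))

    def login(self, username: str, password: str) -> str:
        """Returns one of: 'ok', 'denied', 'locked', 'disabled'."""
        now = self.clock()
        row = self.db.execute(
            "SELECT salt, pw_hash, locked_until, lockouts, disabled FROM users WHERE username = ?",
            (username,)).fetchone()
        if row is None:
            return "denied"  # same answer as a wrong password
        salt, pw_hash, locked_until, lockouts, disabled = row
        if disabled:
            return "disabled"
        if now < locked_until:
            return "locked"  # attempts during a lockout are refused, not counted
        if hmac.compare_digest(pw_hash, _hash_password(password, salt)):
            # A successful login clears the failure window and the lockout counter (B).
            self.db.execute("DELETE FROM failures WHERE username = ?", (username,))
            self.db.execute("UPDATE users SET lockouts = 0 WHERE username = ?", (username,))
            return "ok"
        # Record the failure and count only those inside the n2 window (A).
        self.db.execute("INSERT INTO failures (username, at) VALUES (?, ?)", (username, now))
        self.db.execute("DELETE FROM failures WHERE username = ? AND at < ?",
                        (username, now - self.policy.n2_window_s))
        (recent,) = self.db.execute(
            "SELECT COUNT(*) FROM failures WHERE username = ?", (username,)).fetchone()
        if recent < self.policy.n1_failures:
            return "denied"
        # Threshold reached: start a fresh window and escalate.
        lockouts += 1
        self.db.execute("DELETE FROM failures WHERE username = ?", (username,))
        if lockouts >= self.policy.n4_lockouts:
            self.db.execute("UPDATE users SET disabled = 1, lockouts = ? WHERE username = ?",
                            (lockouts, username))
            return "disabled"
        self.db.execute("UPDATE users SET locked_until = ?, lockouts = ? WHERE username = ?",
                        (now + self.policy.n3_lockout_s, lockouts, username))
        return "locked"

    def reenable_after_2fa(self, username: str, second_factor_ok: bool) -> bool:
        """Option B: a disabled account comes back only after a verified second factor."""
        if not second_factor_ok:
            return False
        self.db.execute(
            "UPDATE users SET disabled = 0, lockouts = 0, locked_until = 0 WHERE username = ?",
            (username,))
        return True


class FakeClock:
    """Controllable clock so the demo does not have to sleep."""
    def __init__(self, t: float = 0.0):
        self.t = t

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> list:
    """Constructed scenario: n1=3, n2=10 min, n3=15 min, n4=2; returns each outcome."""
    clock = FakeClock()
    store = AuthStore(LockoutPolicy(n1_failures=3, n2_window_s=600,
                                    n3_lockout_s=900, n4_lockouts=2), clock)
    store.add_user("alice", "correct horse battery staple")
    out = [store.login("alice", "wrong") for _ in range(3)]   # denied, denied, locked
    out.append(store.login("alice", "correct horse battery staple"))  # still locked
    clock.advance(900)                                          # lockout expires
    out += [store.login("alice", "wrong") for _ in range(3)]   # denied, denied, disabled
    out.append(store.login("alice", "correct horse battery staple"))  # disabled
    store.reenable_after_2fa("alice", second_factor_ok=True)
    out.append(store.login("alice", "correct horse battery staple"))  # ok
    return out


if __name__ == "__main__":
    print(demo())
```

Note that the second lockout in the demo disables the account because the correct password was never accepted in between; a successful login at any point resets the lockout counter, which is the "no successful login in the interim" condition from option B.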