F-Secure Forum Server Defaced
The point I want to get across with this post is not some veiled hypocrisy about a security company getting pwn3d. I actually want to point out that this is how you handle it when it happens.
Rather than try to brush the public incident under the rug, claim that the defacement only touched a small portion of a load-balanced server, or blame the web vendor, system admin, etc., F-Secure immediately posted a blog entry with a screen cap of the defacement.
And they admitted that yes, it was embarrassing. Then they publicized exactly what was vulnerable about the server, which in this case was the forum software the server was hosting. They even went so far as to explain that the exploit took advantage of a lesser-known extension of an IM feature of the forum software.
A lesson here is that "bad news does not improve with age." If a data breach happens, it's best to tell the people in charge about it immediately. Even if you don't know the details yet, getting the information out to the right people is key to controlling the public relations issues that surround a breach, both from an incident handler's perspective and for the company's public image.
Awesome. I now want to work for them. Incident handling (IH) at its finest. (I am not kidding.)