SWAMP User Password Reset
Dear SWAMP users,
This is an important notification regarding your SWAMP account. We will require you to reset your SWAMP password the next time you sign in to https://www.mir-swamp.org/ as described below. We apologize for the inconvenience.
Last month, the SWAMP’s informational website (https://www.continuousassurance.org/) was successfully attacked and was down briefly while we restored the site. For more details on that incident, please see: https://continuousassurance.org/blog/2015/10/21/swamp-security-notification/.
We strive very hard in the SWAMP to keep our web assets isolated to minimize the impact of such attacks. Unfortunately, as we were doing forensics on the site, we determined some private cryptographic (SSL) keys for other SWAMP servers, including the main https://www.mir-swamp.org/ website, were on the informational website due to earlier plans in the project to use the websites as hot spares for each other.
While we have no evidence the cryptographic keys were detected or misappropriated by the attacker, it’s impossible to rule out that they were. Such theft, in conjunction with other attacks, could have given the attackers access to encrypted user traffic going to and from the SWAMP. As a security-oriented project, we have decided to take a conservative approach and address this possibility. We have already replaced all the cryptographic keys, revoked our old certificates, and changed all administrative passwords across our infrastructure.
To address the possibility that user passwords may have been compromised, you will be required to reset the password on your account the next time you sign in. When you do so, SWAMP will send an email to the address you registered with your SWAMP account that provides you with a link to reset your password. When prompted, please choose a new, unique password for your SWAMP account. Also, if you reused your previous SWAMP password at any other sites, we recommend that you set new, unique passwords at those other sites.
We apologize for this inconvenience but feel it is necessary to protect the confidentiality of your data. We have already taken steps to reduce the chance and consequences of a recurrence.
If you have any questions, please don’t hesitate to contact me or SWAMP support.