SWAMP User Password Reset

Dear SWAMP users,

This is an important notification regarding your SWAMP account. We will require you to reset your SWAMP password the next time you sign in to https://www.mir-swamp.org/ as described below. We apologize for the inconvenience.

Last month, the SWAMP’s informational website (https://www.continuousassurance.org/) was successfully attacked and was down briefly while we restored the site. For more details on that incident, please see: https://continuousassurance.org/blog/2015/10/21/swamp-security-notification/.

We strive very hard in the SWAMP to keep our web assets isolated to minimize the impact of such attacks. Unfortunately, as we were doing forensics on the site, we determined some private cryptographic (SSL) keys for other SWAMP servers, including the main https://www.mir-swamp.org/ website, were on the informational website due to earlier plans in the project to use the websites as hot spares for each other.

While we have no evidence the cryptographic keys were detected or misappropriated by the attacker, it’s impossible to rule out that they were. Such theft, in conjunction with other attacks, could have given the attackers access to encrypted user traffic going to and from the SWAMP. As a security-oriented project, we have decided to take a conservative approach and address this possibility. We have already replaced all the cryptographic keys, revoked our old certificates, and changed all administrative passwords across our infrastructure.

To address the possibility that user passwords may have been compromised, you will be required to reset the password on your account the next time you sign in. When you do so, SWAMP will send an email to the address you registered with your SWAMP account that provides you with a link to reset your password. When prompted, please choose a new, unique password for your SWAMP account. Also, if you reused your previous SWAMP password at any other sites, we recommend that you set new, unique passwords at those other sites.

We apologize for this inconvenience but feel it is necessary to protect the confidentiality of your data. We have already taken steps to reduce the chance and consequences of a recurrence.

If you have any questions, please don’t hesitate to contact me or SWAMP support.

Von Welch
SWAMP CISO
vwelch@iu.edu

SWAMP Support:
https://continuousassurance.org/support/
Phone: (317) 274-3942
Email: support@continuousassurance.org
