This page was created to address as many as possible of the questions submitted about the 2014 cyber-security incident.
A little background
The BAMONA website is built and maintained by the Butterfly and Moth Information Network (BAMIN) using a website content management system called Drupal. BAMIN operates several Drupal websites that all reside on a single server.
On October 15, 2014, the Drupal security team announced a very significant security vulnerability and recommended that all sites running Drupal version 7 be updated or patched. Two weeks after the original security advisory, the Drupal team followed up with a public service announcement (PSA). In the PSA, the team advised that hackers had launched systematic attacks on Drupal sites within hours of the original advisory. They recommended that all sites that were not patched within seven hours of the security advisory should be considered to have been hacked. This is very fast! It is not uncommon for websites to be on a weekly or monthly update schedule. By simultaneously announcing the vulnerability to Drupal users and to the public at large, hundreds of thousands of websites were placed at risk, and the vast majority of websites were not patched within that seven-hour window.
Is BAMONA affected?
Yes. While BAMONA utilizes an older version of Drupal that was not vulnerable, the other BAMIN-operated websites were vulnerable. While these other sites were patched quickly, they were not patched within seven hours. Because of the nature of the security vulnerability, any sites operated on the BAMIN server (including BAMONA) may have been compromised by hackers who took advantage of the known vulnerability.
So, was BAMONA hacked?
Maybe. There is no way to know. All BAMIN-operated sites have been examined for evidence of a compromise, and there is no indication that any site has been attacked. However, this type of security vulnerability allows advanced hackers to create a "backdoor" or hidden access to the server hosting the website. An infected site could run normally for months or years until hackers decide to take control of the server for malicious purposes. There may be no trace of an attack because these hidden "backdoors" cannot be detected. As a result, there is no one who can review BAMONA or other BAMIN-hosted sites and say that they have definitely NOT been hacked.
What are you going to do?
We know that an attack can leave no trace, and there is no way to be sure of the security of the server, now or in the future. As a result, we have decided to follow the best practices outlined by the Drupal team: assume that we have been hacked, assume that the content of the sites (including usernames and passwords, data, and files) has been stolen, take the server offline, build a new server, restore the websites from backups taken prior to October 15, patch the restored sites, and then re-launch them. This is the most conservative approach, and it is the only way we can be sure that there are no backdoors on the server as a result of this security vulnerability. As part of this process, we will reset all user passwords, and the BAMONA website will be reverted to the September 30th backup.
What does this mean for me?
First, you should assume that your combination of email address and password was compromised. If you use your BAMONA password anywhere else on the web, go to that website and change your password, just to be safe. Second, if you submitted or reviewed any sightings on BAMONA between September 30 and November 12, those actions will be lost. You can check your My BAMONA page to see whether any of your sightings are missing. Coordinators can check their Pending Sightings page for the status of sightings assigned to them.
Why can't you just restore the sighting data I submitted? Don't you have a backup?
We do have all of the data backed up. However, the data (sighting details and images) are an integral part of the website, not separate from it. Because of the kind of security vulnerability involved, it is possible that malicious code was injected anywhere into any Drupal website, and that includes our sighting data and images. Downloading the data from the database and re-uploading it into the restored site is not without risk, because we could unknowingly be placing malicious code onto the new server. If you submitted sightings between September 30 and November 12, we cannot restore those submissions. Please consider re-submitting those sightings; when appropriate, include the verified identification in the "suggested identification" field.
I am a coordinator. I reviewed a lot of sightings, and those sightings are now back on my Pending Sightings list. Is there any way that my verified IDs of those sightings can be restored?
Maybe. We are currently trying to answer this question.
Finally, we want to thank you for your patience. It has not been an easy decision to revert the BAMONA website to the copy from September 30, especially knowing how many hundreds of hours of all of our work will be lost. Many sleepless nights and difficult conversations have been had, and we have lost hours of work as well. However, we believe that restoring the server is in the best interest of our users' ongoing safety in interacting with the site, and it is the right thing to do. We greatly appreciate your hard work and ongoing contributions to the project, and we will be doing our best to answer questions and make clarifications as quickly as possible.
Kelly and Thomas
For users who are interested in a more detailed explanation of the security vulnerability, please see the additional resources listed below.