IMPORTANT: Community security breach

Started by LiroyvH, July 23, 2013, 12:45:08 PM


Peregrinus

At the end of the day, these hackers have EVERYONE'S IP addresses now. I think it appropriate to make that fact aware...and with a password what's to stop the hacker from accessing somebody's computer?

margarett

Not only did you not read the 25 pages, you also didn't read my post, only a part of a sentence of it.
Did you read this:
Quote from: margarett on August 02, 2013, 06:48:24 AM
...most of the users use dynamic IP addresses, and having your IP is pointless, unless someone is targeting YOU specifically. This attack is a "large scale password gathering" thing.
?
And regarding the IP addresses, a growing number of users are going mobile these days.
Of course you are right to be concerned about the "lost" user info. But:
- as it was stated clearly, the goal of this attack is to gather passwords and cross-check them on other sites
- unless someone is targeting YOU, the IP addresses are more or less irrelevant...
You should be worried about passwords and e-mail addresses.

And it seems you also missed the point where I said this:
Quote from: margarett on August 02, 2013, 06:48:24 AM
This discussion is going nowhere now.
Your harsh reply confirms that...

edit: denial != contradictory
If you're going to drive, don't drink. If you're going to drink... CALL ME!!!! :D

Quote: Over 90% of all computer problems can be traced back to the interface between the keyboard and the chair

Peregrinus

Quote from: margarett on August 02, 2013, 07:12:43 AM

- as it was stated clearly, the goal of this attack is to gather passwords and cross-check them on other sites

How the fook do you know that? You don't...

margarett

First post of this thread:
Quote
The method used by the hacker is that a database is downloaded from another hacked website, the passwords are attempted to be decrypted and if it is successful: they try to login to other websites using that username & password, or try to cross-reference by using password reset links.

Peregrinus

Quote all you like...A database of ip's and passwords and e-mails is fruit! I know how hackers work...you should alert everyone to the fact that even their computer could get hacked...

Kindred

Peregrinus

Please go away now.
We know what we are talking about. You know a little bit but assume that you know more.
I will say this one more time for clarity.
Yes, the hacker got the database. Yes, the hacker has the IPs.
The hacker is not interested in individual PCs (besides the fact that almost all PCs have firewalls, either on the PC or in the router)
We know what the hacker was doing and what he was after because this is part of a coordinated and escalating track on his part.

At this point, you are doing nothing but trolling and will henceforth be treated as such.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."


CandC

Quote from: Tiny Clanger on August 02, 2013, 05:00:42 AM
Quote from: CandC on August 01, 2013, 01:56:05 PM
I don't recall who it was, but early in the thread someone posted a link to an article that helped me craft my new password... thank you for that whoever you are :)

Link: http://www.pcworld.com/article/227023/how_to_build_a_better_password.html

Mnemonics are a good idea, but ideally you wouldn't repeat obvious patterns across accounts. Leet is particularly ineffective and has been built into popular cracking software for decades. So, in the example given, Ch!cken and @dob0 are effectively dictionary words. Adding a couple of extra letters to identify your site looks like a good idea, but crackers use automated rules to try patterns like **wordword (where * is any letter/number/symbol and word is any cracker's-dictionary word), word**word, wordword**, and so on. So, although it won't fall alongside 123456, l3tm31n, and qwerty, it will fall soon thereafter. If you reuse Ch!cken**@dob0 across accounts, the pattern is easy to guess, and your other accounts are only protected by combinations of **, which is few enough to go knocking on-line.

I wouldn't "cast the first stone" at the author of that article, because we've all done things like that at one time or another.

I won't deny your reply has merit and I would be more concerned IF I had used only the link's guidelines or your type of examples.  I used that and other links I found to craft a unique password that I feel is much better than the one I was using before and it's not repeated on more than one site now. 

I don't use a passphrase. I use letters (upper and lowercase), symbols and numbers to describe something I like (by a single letter or number used from each word) and then incorporate the unique web site detail I chose. It's not perfect, but it's a heckuva lot better than what I was using before.


It seems some are more interested in being combative and heard/seen more than anything. I'm subscribed to this thread and those who only have rudeness to offer should consider that before posting more crap for the rest of us to have to scroll through.
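Added example, not part of any post in this thread: a small password audit that applies the reasoning quoted above from Tiny Clanger, undoing leet substitutions and splitting the result into dictionary words plus leftover filler characters. The word list, `DICT_SIZE`, the function name `audit` and the sample password with the filler `Fb` are constructed for illustration.

```python
# Constructed stand-in for a cracking dictionary; real lists hold far more entries.
WORDS = {"chicken", "adobo", "letmein", "qwerty", "password"}
DICT_SIZE = 100_000   # assumed size of a realistic word list
CHARSET = 95          # printable ASCII characters

# Common leet substitutions, undone before the dictionary lookup.
LEET = str.maketrans("!1@403$57", "iiaaoesst")


def audit(password):
    """Split a password into dictionary words plus leftover filler characters."""
    norm = password.lower().translate(LEET)
    # best[i] = (filler_count, words) for the cheapest parse of norm[:i]
    best = [(0, [])]
    for i in range(1, len(norm) + 1):
        filler, words = best[i - 1]
        cand = (filler + 1, words)          # treat norm[i-1] as one filler char
        for w in WORDS:
            if norm.endswith(w, 0, i):      # a dictionary word ends at position i
                f, ws = best[i - len(w)]
                if f < cand[0]:
                    cand = (f, ws + [w])
        best.append(cand)
    filler, words = best[-1]
    return {
        "words": words,
        "filler": filler,
        # What a naive "length and character classes" meter would assume.
        "naive_guesses": CHARSET ** len(password),
        # Search space once the words-plus-filler pattern is modelled.
        "pattern_guesses": DICT_SIZE ** len(words) * CHARSET ** filler,
        # Search space on other sites if the same base is reused everywhere
        # and only the filler changes.
        "guesses_if_base_reused": CHARSET ** filler,
    }


if __name__ == "__main__":
    for pw in ("Ch!ckenFb@dob0", "l3tm31n", "zK#8vQ"):
        print(pw, audit(pw))
```

For the reused-base case the remaining space is 95 squared, which is the "few enough to go knocking on-line" point made in the quoted post.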

ARG01

Quote from: Peregrinus on August 02, 2013, 07:07:43 AM
At the end of the day, these hackers have EVERYONE'S IP addresses now. I think it appropriate to make that fact aware...and with a password what's to stop the hacker from accessing somebody's computer?

Password or not, these days hackers are the norm and will access one's computer at will. The vast majority have their computers hacked on a regular basis and without even knowing it.
No, I will not offer free downloads to Premium DzinerStudio themes. Please stop asking.

青山 素子

Quote from: Peregrinus on August 02, 2013, 07:07:43 AM
At the end of the day, these hackers have EVERYONE'S IP addresses now. I think it appropriate to make that fact aware...and with a password what's to stop the hacker from accessing somebody's computer?

Perhaps the fact that most end-user computers don't have any kind of remote access running? Well, that plus most residential connections are behind a NAT and a firewall, which makes things a bit more difficult. Your second sentence makes me think you really don't have any clue.

Users are much more likely to get an infection by accessing a compromised website than by a direct attack from someone.

By the way, my IP is currently 108.23.63.181.
Motoko-chan
Director, Simple Machines

Note: Unless otherwise stated, my posts are not representative of any official position or opinion of Simple Machines.


Joker™

This post is completely for knowledge base and I don't take any responsibility what you do after reading this.

Hmm, seeing the way this topic is going off topic, this is just an attempt to spread some knowledge around and get the topic back on track.

Haven't we accessed any free wifi in cafes etc at some point in our life? We went to friends home and used his network. Ohh above all that don't we use our workplace networks for personal usage from our workstations/phones etc?

We know all this can land us in trouble, but still we used all those sort of access points even after reading tons of warnings about them.

Meh Joker, went full retard? Nope.

One of the tools I used a few years ago in college to demonstrate to my juniors during a seminar why it is unhealthy to access such networks. With Wireshark I was able to show them nearly everything they were doing with their devices one by one using proper filters. When I started showing them exactly what they were doing, headers sent in traffic and responses received by them, there was complete silence (unlike this topic). Just think what all one can see in the traffic and how secure does it leave us with such connections.


Ok I don't have laptop/desktop what can I do. Lol I even have answer to that. Using my android based phone, if you & I are on the same network and you have anything shared, I can copy paste those files/folder in my device with the help of few tools. I can even see what exactly you are doing on network right now, and by right now I mean right now. Google 'fing'.

So question is why Joker blabbering all this right now?

My point is:
- When you are so insecure with the networks out there and people are still using them mindlessly, then why is there an outcry over here?
- Do you ask those network admins whether they are making use of such tools?
- Do you even know those network admins (I personally don't know my workplace network admin)?

So, you don't know who is seeing your info on network you are using? How much of your info has been already stolen over network?

But when someone comes forward, tell you that someone has stolen your info, one starts quibbling over it. Instead of using our knowledge and helping the admin to make the place more secure, we pick up hammers and start beating the admin with it.

Lol, on a side note, when I showed the power of these tools, my team always completed work before time (as they can't do FB :D), and we always went for parties on weekend easily :P.

"For the wise man looks into space and he knows there is no limited dimensions." - Laozi

All support seeking PM's get microwaved

LiroyvH

Ok I very slightly cleaned the topic up to force compliance with requests and even had to hand a ban, which is rather sad that such a measure was even required.

This topic is intended to warn people about the security compromise we encountered. I am glad to see this spawned a massive discussion on security and password management with many different points of view on how to achieve the best security possible. There are multiple ways to achieve security, one better than the other, one easier to use yet less secure. In my opinion, the best way is probably to find a middle ground. Too easy is a security issue, but overly secure making it difficult for people to work with may work adversely as people will try to patch it by making it easier for themselves: breaking security once more.

The most important thing is: people ARE all thinking about it now. A massive wake up call. From that point of view there's something good that came out of this compromise.
In the end, more people will think twice about their (password) security now and that's very good.
Still of course it would have been much more preferable people would think about that without our database being compromised, but that unfortunately happened.

Now, if you have a personal issue with me: that's fine. I guess it's inevitable when posting in this topic so much and the undeniable fact that trolls are everywhere.
Yet, if you wish to make it official: either watch your language or send me a PM. Not that I will accept personal level insults in PM, so keep in mind this is not an invitation to do that ;), but at least keep the topic clean if you feel the need to start a discussion with me on a personal level.

As for one concern raised, for the second time by the same user:

Quote from: Peregrinus on August 02, 2013, 06:04:44 AM
I alerted 'Coreisp' to the fact that ip's would be available to the hacker. He dismissed it. Funny hey?

He did indeed point that out in this topic.
I'm not sure if I have dismissed it, but I probably did and probably in the same way as Motoko (青山 素子) did in this post.

Keep in mind that there are *a lot* of IP's in the database. Some users even have multiple IP's associated with their account, impossible for whoever holds the database to figure out which IP is actually their active IP. And even IF that knowledge is available: it's still not a major security risk.
If anything, it's a mere inconvenience and I don't understand why this user appears to be more afraid that his IP was stolen than that his password used here is vulnerable...

IP's are quite trivial while passwords are very sensitive information, in combination with email addresses even more dangerous.
I guess we're not all set on the same priorities, though. :) Just I will probably never understand why a user feels an IP being leaked (even though you broadcast your IP to many many places.) is much more important information than a password. Yes, it's annoying they were stolen. No, I do not consider it a major security risk and by far not the most important information that was stolen from our database.

So I implore everyone once more:
Please stay strictly to the point, and if you feel the need to make a personal attack: don't do it, or at least don't do it in this topic. Keep it clean, keep it friendly.
All the nonsense posts make it harder to read the valuable information that this topic contains. And yes, there is VERY valuable information in this topic. :)

And last but not least: thank you for the kind words of multiple people. :) I do appreciate it!


Thanks!
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

Tiny Clanger

Quote from: CandC on August 02, 2013, 09:10:26 AM
I won't deny your reply has merit and I would be more concerned IF

I'm happy if you didn't fall into the errors of that article. I wouldn't want anyone else to do so, as it comes from a normally trustworthy source.

Tiny Clanger

Quote from: 青山 素子 on August 02, 2013, 10:42:25 AM
Perhaps the fact that most end-user computers don't have any kind of remote access running?

Or in other cases the password is known only to the ISP and access is limited by IP. If you want to check just how little the outside world can see you, try https://www.grc.com/shieldsup (If remote access is enabled on your router, it may be on 8080 rather than 80.)

青山 素子

Quote from: Tiny Clanger on August 02, 2013, 12:48:11 PM
Or in other cases the password is known only to the ISP and access is limited by IP.

What password is this? I'd hope my ISP doesn't know my various website account passwords. They certainly better not know my local computer account password.


Quote from: Tiny Clanger on August 02, 2013, 12:48:11 PM
If you want to check just how little the outside world can see you, try https://www.grc.com/shieldsup (If remote access is enabled on your router, it may be on 8080 rather than 80.)

Oh boy, Steve Gibson... That guy is a bit of a hack. His claim to fame was with Spinrite (which isn't as useful now since hdd tech has evolved so much from the old MFM/RLL days of the AT). His whole thing against UPnP was almost nothing but scaremongering. It was somewhat relevant back when it first came out but has become a lot less useful in the over ten years since. Security and configurations have improved a lot since Windows Me was released.

Tiny Clanger

Quote from: 青山 素子 on August 02, 2013, 05:05:11 PM
I'd hope my ISP doesn't know

No - just referring to ISPs shipping routers with remote access (to the router) enabled by default and locked to a support IP range. I'm agreeing with your point. Apologies for any ambiguity.

I'm not completely sanguine about UPnP in a wider sense, but would agree that it's not likely to be relevant to the current issue.

For an alternative to the grc thing, there's http://www.canyouseeme.org/. My reason for linking shieldsup is that for many it will give a reassuring sense of stealth - but the button to click is All Service Ports.

inter

ubuntuforums.org hack

yii forum hack

smf hack

idea 1 here
idea 2:
still it is necessary to disconnect editing of templates - after all there it is possible to insert any code and it will work
Sorry for my English

Deaks

inter, they never edited the template here; they uploaded a normal theme with a few extra files. When removing these extra files, the theme itself was as you would find it on the theme site.
~~~~
Former SMF Project Manager
Former SMF Customizer

"For as lang as hunner o us is in life, in nae wey
will we thole the Soothron tae owergang us. In truth it isna for glory, or wealth, or
honours that we fecht, but for freedom alane, that nae honest cheil gies up but wi life
itsel."

Kindred

And we have already indicated that the hacker did not use the SMF database backup function.

So, both your ideas are basically pointless.

Maxie2019

Hi All,

I'm new to this and have been hoyed in at the deep end but please bear with me. Our site was hacked over the weekend, which was only discovered after it crashed. The site is up and running now but the nice hacker has left behind buttons and links to the 'HugeDomains' website. Our usual Admin has other commitments and so it falls to me to get savvy with the inner workings of the site - pretty quickly. I can see the reference to the button by just viewing the source code but how do I get to the actual script page to remove the code?
