IMPORTANT: Community security breach

Started by LiroyvH, July 23, 2013, 12:45:08 PM


Tony Reid

It's easy, just turn the browser developer tools on, view source and then change the input box from type="password" to type="text" and it instantly reveals the password on the page. Of course, this requires access to the machine.

Hackers are more likely going to try and grab your logged on session though - rather than installing software, because it's less obtrusive and therefore less likely to be picked up by security software.

Tony Reid

Burke ♞ Knight

Another thing to look for.
People saying they are from certain places, asking for username and passwords, saying it's for tech support issues.

Tiny Clanger

Quote from: butch2k on August 01, 2013, 06:49:05 AM
yes it could be done, and it was probably done at some point by trojan.

Like Trojan-PWS-Nslog

a10

Regarding browser stored PW's, basically, I get it that the encryption is not very strong (or not strong enough).

Quote: Hackers are more likely going to try and grab your logged on session though - rather than installing software, because it's less obtrusive and therefore less likely to be picked up by security software.
Good point as well.

Thanks for all the info > reading through this whole topic and one will be quite educated/updated in the whole PW and security dept.
2.0.18, ssl, php 7.4.23, 10.3.30-MariaDB
Mods: Contact Page, Like Posts, Responsive Curve, Search Focus Dropdown, Add Join Date to Post.

FrizzleFried

August 01, 2013, 10:55:04 AM #484 Last Edit: August 01, 2013, 11:01:35 AM by Kindred
Quote from: Tiny Clanger on August 01, 2013, 04:26:58 AM
Quote from: CoreISP on July 31, 2013, 12:34:01 PM
[...]

I know you have reason to feel vulnerable and defensive at the moment, but your efforts to cover your shaky grasp of the subject in hand with verbal smoke and flame do neither you nor anyone else any favours. You are not inspiring confidence. Please control yourself and your language.

See guys... what I said about "low post" losers... er... users.

Hey man,  you're disrespectful  Go away.

PS: Mods... Yes,  I broke a rule,  please do what is necessary... just had to be said.


-note by kindred- edited for content... :(

LiroyvH

Quote from: Tiny Clanger on August 01, 2013, 04:26:58 AM
I know you have reason to feel vulnerable and defensive at the moment, but your efforts to cover your shaky grasp of the subject in hand with verbal smoke and flame do neither you nor anyone else any favours. You are not inspiring confidence. Please control yourself and your language.

Cute. Still not reading, and then blaming me for having a "shaky grasp of the subject". :)
And this is the second time you're throwing a futile attempt trying to belittle or offend me, not sure which one of the two it is you're trying to achieve, without any reason and I'm not sure why I even tolerate it.
That and ignoring my request to stick to what has been posted, rather than what you posted and putting words in my mouth. You're actually talking yourself down.

For the last time: stop this offtopic nonsense or begone from this thread.
I'm much more interested in answering questions from people who actually have any questions and/or concerns about their safety and I fear that such questions are at risk of being drowned in between this useless back and forth chatter.

Thanks.
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

CandC

I got my email on 7/23 and took the time to read the first 5 pages and the last 10 pages of this thread which is now on pg. 25.   

I hate the community and members are having to deal with this, but I've got to admit it was the final kick in the pants I needed to make my internet practices more secure.  I've always had a pretty strong password and figured since it was quite complicated it was OK to use it across almost all the sites I use. I've known it wasn't the best practice, but couldn't fathom having to create & remember a unique password for each site. Yeah, feel free to roll your eyes at me, I deserve it.

This incident ended my procrastination and I've now spent 2 days going to each and every site I'm registered and changed my password to one that's unique to each site and a formula I can remember.  I don't recall who it was, but early in the thread someone posted a link to an article that helped me craft my new password... thank you for that whoever you are :)

Link: http://www.pcworld.com/article/227023/how_to_build_a_better_password.html


As far as the browser remembering passwords discussion - I have always made it a practice to log out of every site I'm on before moving to another and/or closing my browser window. 


Finally, a sincere Thank-You to all the support team members here who have been patient with the questions and calming the nerves of the members who got the notice.

kat

Nicely put, Cand. :)

Thanks for your kindness, towards us, too.

TssCman123

I have changed my password as well.  I would encourage members to keep an eye on their e-mail accounts, as the hackers have those as well.  You might also be spammed.  Please view this article about dealing with spam.

I use different passwords for all of my accounts.  My SMF password is currently 272 bit encryption with 50 characters.

Thank you, SMF, for letting us know about this, and not trying to keep this a secret.  I appreciate it.

We should also look out for new websites that will try to imitate this one.

I would recommend employing the anti spam system for all members (before posting) until time passes.  The hacker could login through a member's account, and have a script spam this place up.

Kindred

no, we will not do that. The staff here is pretty vigilant and if we notice any spamming accounts, they will be dealt with.
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

Tiny Clanger

Quote from: FrizzleFried on August 01, 2013, 10:55:04 AM
Go away.

Flamed by FrizzleFried. I shall wear that as a badge of honour. (You'll be glad to know I saw the unexpurgated version before Kindred got to it and edited for obscenity.)

Tiny Clanger

Quote from: CandC on August 01, 2013, 01:56:05 PM
I don't recall who it was, but early in the thread someone posted a link to an article that helped me craft my new password... thank you for that whoever you are :)

Link: http://www.pcworld.com/article/227023/how_to_build_a_better_password.html

Mnemonics are a good idea, but ideally you wouldn't repeat obvious patterns across accounts. Leet is particularly ineffective and has been built into popular cracking software for decades. So, in the example given, Ch!cken and @dob0 are effectively dictionary words. Adding a couple of extra letters to identify your site looks like a good idea, but crackers use automated rules to try patterns like **wordword (where * is any letter/number/symbol and word is any cracker's-dictionary word), word**word, wordword**, and so on. So, although it won't fall alongside 123456, l3tm31n, and qwerty, it will fall soon thereafter. If you reuse Ch!cken**@dob0 across accounts, the pattern is easy to guess, and your other accounts are only protected by combinations of **, which is few enough to go knocking on-line.

I wouldn't "cast the first stone" at the author of that article, because we've all done things like that at one time or another.
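The point made above, that leet substitutions and word-plus-symbol patterns are undone by cracking rule sets, can be turned into a registration-time password check. The following is an added example, not code from the thread or from SMF: it undoes common leet substitutions, segments the result into dictionary words, and reports the "shape" an attacker's rule would see (word**word) together with the few characters that are left to guess. The tiny DICTIONARY, the LEET table and the WEAK_RESIDUAL threshold are assumptions for illustration; a real deployment would load a large leaked-password wordlist.

```python
import re
from functools import lru_cache
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the wordlists cracking tools ship with
# (assumption: a real check would load a large leaked-password corpus).
DICTIONARY = frozenset({
    "chicken", "adobo", "password", "letmein", "qwerty", "monkey",
    "dragon", "123456", "welcome", "admin",
})

# Leet substitutions that cracking rule sets undo automatically (assumed subset).
LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i", "|": "l", "+": "t",
})

MIN_WORD = 3        # shortest run we treat as a candidate dictionary word
WEAK_RESIDUAL = 4   # assumption: fewer free characters than this is "weak"


def deleet(text: str) -> str:
    """Lower-case and undo leet, e.g. 'Ch!cken**@dob0' -> 'chicken**adobo'."""
    return text.lower().translate(LEET)


@lru_cache(maxsize=None)
def segment(run: str) -> Optional[Tuple[str, ...]]:
    """Split an alphanumeric run entirely into dictionary words, or return None.
    Handles concatenations such as 'chickenadobo' -> ('chicken', 'adobo')."""
    if run in DICTIONARY:
        return (run,)
    for i in range(MIN_WORD, len(run) - MIN_WORD + 1):
        head, tail = run[:i], run[i:]
        if head in DICTIONARY:
            rest = segment(tail)
            if rest is not None:
                return (head,) + rest
    return None


def _analyze_form(form: str, original: str) -> Dict[str, object]:
    """Locate dictionary words in one view of the password (as typed or de-leeted).
    Both views are the same length as the original, so indices line up."""
    hits: List[Tuple[int, int, str]] = []
    for m in re.finditer(r"[a-z0-9]+", form):
        parts = segment(m.group())
        if parts is None:
            continue
        pos = m.start()
        for word in parts:
            hits.append((pos, pos + len(word), word))
            pos += len(word)

    # Rebuild the shape a cracking rule would see: each dictionary word collapses
    # to the token 'word'; everything else stays literal and is what remains to guess.
    pattern: List[str] = []
    residual: List[str] = []
    k = h = 0
    while k < len(form):
        if h < len(hits) and hits[h][0] == k:
            pattern.append("word")
            k = hits[h][1]
            h += 1
        else:
            pattern.append(original[k])
            residual.append(original[k])
            k += 1
    return {
        "words": [w for _, _, w in hits],
        "pattern": "".join(pattern),
        "residual": "".join(residual),
    }


def analyze(password: str) -> Dict[str, object]:
    """Try the password as typed and with leet undone, as rule-based crackers do,
    and keep whichever view leaves the attacker the least to guess."""
    views = (password.lower(), deleet(password))
    best = min((_analyze_form(v, password) for v in views),
               key=lambda r: len(r["residual"]))
    best["weak"] = len(best["residual"]) < WEAK_RESIDUAL
    return best


if __name__ == "__main__":
    for candidate in ("Ch!cken**@dob0", "l3tm31n", "chickenadobo", "Tq8#vL2!mz"):
        print(candidate, analyze(candidate))
```

Used as a policy check, the useful output is the pattern and the residual: "word**word" with a residual of "**" tells the user that the site-specific suffix, not the leet spelling, is all that distinguishes this password from a dictionary entry.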

Peregrinus

August 02, 2013, 05:01:32 AM #492 Last Edit: August 02, 2013, 11:41:26 AM by CoreISP
-edit-
User has been banned for this post.

Antes

Quote from: Peregrinus on August 02, 2013, 05:01:32 AM
I'm getting pissed off with 'CoreISP'. He is shamelessly promoting his website here and talking ******. Are you Dutch CoreISP? I've heard enough, get lost with your drivel. Are you a mod here or are you just spamming?

Please watch what you're writing, you can't attack people.

CoreISP is President of Simple Machines Organization. Besides your nonsense talk I never saw him spamming and you are accusing some top level person in this project/organization with unsupported *ideas* (aka bull******s).

Tiny Clanger

 Please note, I have no idea who Peregrinus is, and in general, can we please cut down on the number of asterisks? We can discuss this without getting heated.

Peregrinus

I alerted 'Coreisp' to the fact that IPs would be available to the hacker. He dismissed it. Funny hey?

margarett

This discussion is going nowhere now.

All the relevant technical discussion is now buried in some of those 25 pages that no-one seems to have patience to read, so we are repeating the same stuff over and over.
Quote from: Peregrinus on August 02, 2013, 06:04:44 AM
I alerted 'Coreisp' to the fact that IPs would be available to the hacker.
Because:
1 - it was stated more than once in those 25 pages. You should try to read them
2 - CoreISP is aware of that, more than you or me, for what matters. If you read the 25 pages you will discover that the general opinion is that "it's not relevant": most of the users use dynamic IP addresses, and having your IP is pointless, unless someone is targeting YOU specifically. This attack is a "large scale password gathering" thing.

I fail to understand the "dick-measuring-contest" with CoreISP that some users are trying to set here... Ego massage maybe?

For a real discussion:
Quote from: Tiny Clanger on August 02, 2013, 05:00:42 AM
Mnemonics are a good idea, but ideally you wouldn't repeat obvious patterns across accounts. Leet is particularly ineffective and has been built into popular cracking software for decades...
Another link provided in this thread
http://password-checker.online-domain-tools.com/
allows to confirm that. Even that some l33t writing builds a so-called "strong" password, it's pointless regarding dictionary attack.
If you're going to drive, don't drink. If you're going to drink... CALL ME!!!! :D

Quote: Over 90% of all computer problems can be traced back to the interface between the keyboard and the chair

Peregrinus

Quote from: margarett on August 02, 2013, 06:48:24 AM
This discussion is going nowhere now.

All the relevant technical discussion is now buried in some of those 25 pages that no-one seems to have patience to read, so we are repeating the same stuff over and over.
Quote from: Peregrinus on August 02, 2013, 06:04:44 AM
I alerted 'Coreisp' to the fact that IPs would be available to the hacker.
Because:
1 - it was stated more than once in those 25 pages. You should try to read them
2 - CoreISP is aware of that, more than you or me, for what matters. If you read the 25 pages you will discover that the general opinion is that "it's not relevant": most of the users use dynamic IP addresses, and having your IP is pointless, unless someone is targeting YOU specifically. This attack is a "large scale password gathering" thing.

I fail to understand the "dick-measuring-contest" with CoreISP that some users are trying to set here... Ego massage maybe?

For a real discussion:
Quote from: Tiny Clanger on August 02, 2013, 05:00:42 AM
Mnemonics are a good idea, but ideally you wouldn't repeat obvious patterns across accounts. Leet is particularly ineffective and has been built into popular cracking software for decades...
Another link provided in this thread
http://password-checker.online-domain-tools.com/
allows to confirm that. Even that some l33t writing builds a so-called "strong" password, it's pointless regarding dictionary attack.

I've read the lot...to say that most people have 'dynamic IPs' is just bollox. Most people have a cable or DSL connection so their IPs are the same for months...stop talking shi! Who's on dial up now? lol

kat

Keep it friendly, Peregrinus, please.

Peregrinus

Quote from: K@ on August 02, 2013, 06:57:15 AM
Keep it friendly, Peregrinus, please.

I will, I just don't like denial :)
