IMPORTANT: Community security breach

Started by LiroyvH, July 23, 2013, 12:45:08 PM

Previous topic - Next topic

LiroyvH

Quotesuggests a confusion between brute-force and dictionary attacks, and the explanatory assertion

No, it does not... I already explained.

Quote
confirms the confusion. The alternative explanation:

Um, no... Absolutely not. Do you even read what I said?

Quote
I think salting has already been discussed,

Indeed it has been, but it looks like you missed a relevant part of that discussion in this very topic.



I'm kinda done discussing this with you as you keep putting everything I say in to a self made-up context pulled from thin air nor do you read well, I'm not going to play that game...
Have a good day and good luck. :)
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

Tiny Clanger

Quote from: CoreISP on July 30, 2013, 11:29:07 AM
Do you even read what I said?

I have read what you wrote, as others will, and if they know what they are talking about they will conclude that you do not. Perhaps, when you have gained a little more experience, you will arrive at the same conclusion. I am not playing a game with you, just trying to cut through the specious bluster.

Tony Reid

Kind of relevant - this in detail is how the they did the same to ubuntu - however it appears an XSS in Vbulletin was to blame from the start...

http://blog.canonical.com/2013/07/30/ubuntu-forums-are-back-up-and-a-post-mortem/
Tony Reid

Tiny Clanger

Quote from: Tony Reid on July 31, 2013, 03:48:13 AM
how the they did the same to ubuntu

A lot of learning going on - shame the various vulnerabilities weren't picked up by ethical hacking.

LiroyvH

Quote
I have read what you wrote, as others will, and if they know what they are talking about they will conclude that you do not. Perhaps, when you have gained a little more experience, you will arrive at the same conclusion. I am not playing a game with you, just trying to cut through the specious bluster.

Oh by all means please do get off your high horse... You can get back up on it when you have learned how to read and stop making things up that I never claimed nor said.
Either stick to what actually has been said without altering it's meaning based on assumptions that solely exist in your mind, or please simply don't say anything at all...
As for experience, I won't even be tempted to go down that road as I'm really not interested in a d*** measuring contest, pardon the French.


Thanks in advance.
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

a10

What's the view on passwords stored in browsers, how safe are they? (not thinking about theft of pc or keylogger etc, but hacking)
2.0.19, php 8.0.23, MariaDB 10.5.15. Mods: Contact Page, Like Posts, Responsive Curve, Search Focus Dropdown, Add Join Date to Post.

NanoSector

Quote from: a10gf on July 31, 2013, 12:44:48 PM
What's the view on passwords stored in browsers, how safe are they? (not thinking about theft of pc or keylogger etc, but hacking)
Your computer is not affected, but you might want to tell your browser to update your password.
My Mods / Mod Builder - A tool to easily create mods / Blog
"I've heard from a reliable source that the Answer is 42. But, still no word on what the question is."

Kindred

I think he was asking for our opinion on the security protocol --   should he be storing password in his browser?

and the answer to that is: Store what you fele comfrotable storing - with the understanding that - if your computer itself is ever hacked or you accidentally install a trojan, all of your data will eb available to that hacker.
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

a10

Quoteour opinion on the security protocol
Yes. I suppose most here have at least some of their personal forum related PW's stored (login, ftp, sql etc) in the browser, and feel secure doing so. Anyone ever heard of, or read about, any browser stored passwords ever being exploited ? (have never seen this mentioned anywhere so far, but I'd guess the hackers must be working on it).
2.0.19, php 8.0.23, MariaDB 10.5.15. Mods: Contact Page, Like Posts, Responsive Curve, Search Focus Dropdown, Add Join Date to Post.

Kindred

Quote from: Kindred on July 31, 2013, 01:54:57 PM
if your computer itself is ever hacked or you accidentally install a trojan, all of your data will be available to that hacker.


Of course hackers have done this for ages...   it was one of the first goals of trojans, even before keyloggers.
Since the data is stored on your computer, anyone with access to your computer can get to it.
Слaва
Украинi

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

LiroyvH

Browsers storing passwords is not very secure.
It's still not 100% secure of course, but storing your passwords in a encrypted container, like KeePass, reduces the risk of the passwords being stolen.
((U + C + I)x(10 − S)) / 20xAx1 / (1 − sin(F / 10))
President/CEO of Simple Machines - Server Manager
Please do not PM for support - anything else is usually OK.

Burke ♞ Knight

Using RoboForm is very good idea.
It stores the passwords in your documents folder and is cross browser.
Even integrates with Windows.

http://www.roboform.com/

NanoSector

Quote from: BurkeKnight on July 31, 2013, 07:36:55 PM
Using RoboForm is very good idea.
It stores the passwords in your documents folder and is cross browser.
Even integrates with Windows.

http://www.roboform.com/
To be honest with you, I'd never trust password managers which are not open source. You don't know if they send data back to roboform or so.
My Mods / Mod Builder - A tool to easily create mods / Blog
"I've heard from a reliable source that the Answer is 42. But, still no word on what the question is."

Burke ♞ Knight

RoboForm does not send any personal info.
If you pay for the desktop instead of just getting the free, you get more features.
You also can set up a master password to further protect your passwords.

NanoSector

Quote from: BurkeKnight on July 31, 2013, 08:07:11 PM
RoboForm does not send any personal info.
If you pay for the desktop instead of just getting the free, you get more features.
You also can set up a master password to further protect your passwords.
Point still applies,  how do you know for sure that it does not send any data or passwords to the company?
My Mods / Mod Builder - A tool to easily create mods / Blog
"I've heard from a reliable source that the Answer is 42. But, still no word on what the question is."

Tiny Clanger

Quote from: CoreISP on July 31, 2013, 12:34:01 PM
[...]

I know you have reason to feel vulnerable and defensive at the moment, but your efforts to cover your shaky grasp of the subject in hand with verbal smoke and flame do neither you nor anyone else any favours. You are not inspiring confidence. Please control yourself and your language.

Tiny Clanger

Quote from: a10gf on July 31, 2013, 12:44:48 PM
passwords stored in browsers, how safe are they? (not thinking about theft of pc or keylogger etc, but hacking)

Banking sites tend not to let your browser save your password, with good reason. A number of respected authorities and crime-prevention agencies have suggested that if you can't remember your strong passwords then write them down on on old-fashioned paper (or encrypted on an unconnected device) and rely on adequate physical security, and in many cases that may be the least-worst option - the remaining weakest link, as you suggest, is between your keyboard and the secure connection.

Burke ♞ Knight

Tiny Clanger,

The only person here that has no idea what they are talking about, is YOU!

This is a simple case of one person making mistake of using the same password at more than one site. Something that is very frowned about everywhere. It does not matter one iota where the password was stored. Browser, brain, it's all the same in this case.

As for CoreISP, he's been very patient with people, and he's usually the cool headed one here.
I'm the hot headed one, want to argue and be rude with me?
Take your best shot, and I do say good luck.

Everything CoreISP and the other staff has said is the way it is. If you think they are full of it, then by all means, do read their posts.
If you think anything in the software could have prevented this attack, why don't you explain how, Mr. Genius?

Tiny Clanger

Quote from: BurkeKnight on August 01, 2013, 04:34:20 AM
It does not matter one iota where the password was stored. Browser, brain, it's all the same in this case.

Er, I was answering a question put by a10gf, which does not relate to the cause of this incident, but to password security in general. Others have commented on the same question.

None of my comments have related to the cause of this incident but to how one reacts to the aftermath. I do not suspect and have no reason to suggest that the cause had anything to do with the forum software. I could not comment on the general security of your systems and procedures because I do not have access to them - they may be as good as could be expected or may have identifiable deficiencies, but in any case I have no reason to suspect that they contributed to this incident.

I am reluctant to comment on the cause of the incident itself. In other cases where forums have fallen in short order, we know that it was because users with elevated privileges had picked up the same dodgy download which had been targeted at users of one of the sites. Where daisy-chaining has occurred, it has tended to be by following the email addresses home or by knocking lists on large or high value sites (like Twitter - remember the Acai berries). However, I assume that you have evidence either that your admin's login could be readily cross-referenced to this site or that the login came while lists were being knocked on it. (If it was a distributed, knock-once-and-run-away attack then they got awfully lucky.) In any event, the failure was human, and we're all human.

With regard to CoreISP, I wish him no ill will, but confident bluffing is no substitute for understanding, and I find it disappointing that he should persist in the manner he has (and the descent into body references was poor behaviour).

butch2k

Quote from: a10gf on July 31, 2013, 03:54:11 PM
Quoteour opinion on the security protocol
Yes. I suppose most here have at least some of their personal forum related PW's stored (login, ftp, sql etc) in the browser, and feel secure doing so. Anyone ever heard of, or read about, any browser stored passwords ever being exploited ? (have never seen this mentioned anywhere so far, but I'd guess the hackers must be working on it).

As an ex-security auditor, i do not put much faith into browser password security...
There are various tools available which are able to read passwords from Chrome, FF and al.
AFAIR the tools did not even require elevated privileges to run, so yes it could be done, and it was probably done at some point by trojan.

Advertisement: