AnimeSuki Forums

AnimeSuki Forum > Support > Forum & Site Feedback
Old 2014-05-13, 12:04   Link #141
BTDK
Himawari no Shoujo
*IT Support
 
 
Join Date: Jun 2012
Location: Viet Nam
Age: 37
Quote:
Originally Posted by SeijiSensei View Post
For the vast majority of people connected to the Internet behind routers, only the routers will see those attacks, regardless of whether they have a static or dynamic IP address.

Scanning addresses from the outside is a very unproductive method for attack. It's much more effective to get a person behind the firewall to install a piece of malicious software that phones home.
The point is they know your IP address but not mine.

That's what we know, but the majority of internet users aren't aware of that. In short, I've just been making a simple warning of the risk they could face.

@Busaiku: It's the best method.
__________________
Old 2014-05-13, 12:10   Link #142
SaintessHeart
NYAAAAHAAANNNNN~
 
 
Join Date: Nov 2007
Age: 35
Quote:
Originally Posted by Cosmic Eagle View Post
Fortunately our side is all dynamic for some reason...
Not for fibre users. Our telcos are damn confidence tricksters - they didn't tell the consumers they would only get a 10Mbps increase in international connections, share bandwidth with their neighbours and have a static IP, which I think increases security risk.

Tor could be a workaround, but it makes you look like a Darknet child-porn peddler or a Silkroad hashish dealer. CIDCCD will be on your ass sooner than you can say loli/shota.
__________________

When three puppygirls named after pastries are on top of each other, it is called Eclair a'la menthe et Biscotti aux fraises avec beaucoup de Ricotta sur le dessus.
Most of all, you have to be disciplined and you have to save, even if you hate our current financial system. Because if you don't save, then you're guaranteed to end up with nothing.
Old 2014-05-13, 12:11   Link #143
Dr. Casey
Senior Member
 
 
Join Date: Nov 2007
Location: Tennessee
Age: 36
Quote:
Originally Posted by Paradoxe View Post
I have a problem here. It has been a long time since I was active on the AnimeSuki forum, which leads to the fact that I forgot the password originally used for this account. Now that everything is reset and I have to use a new one, I'm kind of scared, because I don't know if the password used on this account originally was used on any other websites... Sorry for the bad explanation but I have no idea what to do next :/
The only idea that comes to mind would be to check the email address you registered with, do a search for 'AnimeSuki,' and see if the confirmation email from whenever you first registered contains your old password. Otherwise, I'm not sure what you could do; I don't think even an administrator could help in your case, since typically admins can only change passwords, not see what your password actually is.
Old 2014-05-13, 12:12   Link #144
Cosmic Eagle
Tonight my Kotetsu thirsts for blood
 
 
Join Date: Jan 2009
Quote:
Originally Posted by SaintessHeart View Post
Not for fibre users. Our telcos are damn confidence tricksters - they didn't tell the consumers they would only get a 10Mbps increase in international connections, share bandwidth with their neighbours and have a static IP, which I think increases security risk.

Tor could be a workaround, but it makes you look like a Darknet child-porn peddler or a Silkroad hashish dealer. CIDCCD will be on your ass sooner than you can say loli/shota.
Or just use a VPN by default... (still trying to find one that doesn't require money...)

And why is fiber static when my more crappy traditional line isn't?
__________________
Old 2014-05-13, 12:13   Link #145
Pellissier
♪~ Daydreaming ~♪
*Graphic Designer
*Administrator
 
 
Join Date: Dec 2005
Location: Italy
Quote:
Originally Posted by Busaiku View Post
I always generate my passwords randomly, is that good?
Yes, also make sure to use both letters (capital and not) and numbers. In addition, have the password be at least double-digit in length.
__________________
Old 2014-05-13, 12:16   Link #146
Tiberium Wolf
Senior Member
 
 
Join Date: Dec 2004
Location: Portugal
Age: 44
So is the forum safer now?
__________________
Old 2014-05-13, 12:18   Link #147
SaintessHeart
NYAAAAHAAANNNNN~
 
 
Join Date: Nov 2007
Age: 35
Quote:
Originally Posted by Cosmic Eagle View Post
Or just use a VPN by default... (still trying to find one that doesn't require money...)
That is why: use Tor. It is free. Why bother with a VPN when you connect to the internet through the browser most of the time?

Quote:
Originally Posted by SeijiSensei View Post
Scanning addresses from the outside is a very unproductive method for attack. It's much more effective to get a person behind the firewall to install a piece of malicious software that phones home. On firewalls I manage, the inbound traffic rules have been pretty static over the past couple of years. However we've been adding rules to filter outbound traffic in case a machine in the office somehow gets exploited.
Over here we would convince senior management to bar the turd from using any computers until the issue has been resolved. Then we punish her accordingly with black marks on the appraisal.

Meanwhile, I think we should just monitor our emails and just delete/block anything suspicious. Not much GHD can do on his side now other than work on security, which I think can be rather cost-inefficient considering this is only a forum.

Quote:
Originally Posted by Tiberium Wolf View Post
So is the forum safer now?
Yes and no. We know what the hacker used to exploit us so we can fix it, though some issues might be very difficult to fix.

Quote:
Originally Posted by Cosmic Eagle View Post
Or just use a VPN by default... (still trying to find one that doesn't require money...)

And why is fiber static when my more crappy traditional line isn't?
Future sales issues. APNIC has been rationing the remaining addresses since 2011 because we, in AsiaPac, have exhausted our supply of addresses. What makes it worse is that the companies are not very keen on IPv6, and they can keep as many customers as they have IPv4.

The initial uptake due to marketing campaigns means that many people will take up fiber and end up sharing bandwidth. So the stone meant to kill 2 birds (boost the local image as a tech hub with fiber and make money out of it) ended up missing them both.
__________________

When three puppygirls named after pastries are on top of each other, it is called Eclair a'la menthe et Biscotti aux fraises avec beaucoup de Ricotta sur le dessus.
Most of all, you have to be disciplined and you have to save, even if you hate our current financial system. Because if you don't save, then you're guaranteed to end up with nothing.
Old 2014-05-13, 12:19   Link #148
BTDK
Himawari no Shoujo
*IT Support
 
 
Join Date: Jun 2012
Location: Viet Nam
Age: 37
Quote:
Originally Posted by Tiberium Wolf View Post
So is the forum safer now?
Well, there's no announcement of what the hacker did and what the forum administrators have done to solve the problems.

I'm afraid we have to defend ourselves.
__________________
Old 2014-05-13, 12:19   Link #149
Dist
Senior Member
 
 
Join Date: Oct 2008
Location: Finland
Age: 33
Are you kidding me? You were hacked almost two weeks ago and it took you this long to announce our passwords were far from protected, and likely compromised. Even if it took you time to "gather facts" you could've made the announcement regardless to inform people and have them change their passwords just in case. I am extremely disappointed in the staff's decision to wait this long.

I personally used my password across multiple sites, some of which include games where I have invested heavily. The password is so complex that there is no way anyone could ever guess it, which is why I've used the same password - little did I expect AS would be hacked, let alone that you'd notify us two weeks later, when it's probably too late. Hell, I just realized I have the same email/password combo on my PayPal account, with all of my cards linked to it...

Off to check all those sites/accounts now -__-
__________________
The joys of a universe made and unmade, friends across time, shall be your ray of light
Old 2014-05-13, 12:21   Link #150
Velsy
Senior Member
 
 
Join Date: Dec 2008
Since my password for my email and here was different, does that mean I have averted the main problem? Fortunately I don't use Velsy as a username all that often, or hardly at all anymore. I can't really remember what password it was since I have a few passwords I rotate with, so I just try them all until one works. I use the "remember me" option, so I don't log in all that much to remember what it was.
__________________

Donated by Om Nerabdator

Last edited by Velsy; 2014-05-13 at 12:34.
Old 2014-05-13, 12:33   Link #151
milan kyuubi
Call me MK! :)
*Graphic Designer
 
 
Join Date: Oct 2009
Location: The top of the world.
Age: 34
Tried entering the site. I got this...
Quote:
502 Bad Gateway
nginx/1.1.19
I waited for about 5 seconds, refreshed the page, and I was able to access the forum.
__________________
My Twitter account! Thanks to Godlike1889 for the sig!
Old 2014-05-13, 12:38   Link #152
GHDpro
Administrator
*Administrator
 
 
Join Date: Jan 2001
Location: Netherlands
Age: 45
Quote:
Originally Posted by milan kyuubi View Post
Tried entering the site. I got this...

I waited for about 5 seconds, refreshed the page, and I was able to access the forum.
Yeah, I was doing something I thought was fairly simple but somehow put the server load up to 50.

I had to stop the webserver for a few seconds to let the load die down (by that time the command I was running had already completed as well).
Old 2014-05-13, 12:39   Link #153
-KarumA-
(。☉౪ ⊙。)
*Author
 
 
Join Date: Jul 2004
Location: In Maya world, where all is 3D and everything crashes
Age: 36
Quote:
Originally Posted by Dist View Post
Hell, I just realized I have the same email/password combo on my PayPal account, with all of my cards linked to it...

Off to check all those sites/accounts now -__-
You can't really blame Asuki for that. As much as I agree a mail to change passwords would be nice in time, even if there's a 50% certainty (Adobe did this a while back), using the exact same password for all websites because it is complex to remember is a little stupid. Hackers don't really sit behind a computer and guess; they have a file which just lists them all for them. Use a variation of the password, or perhaps parts of it combined with a sentence; just don't use the exact same one for your PayPal and such, and don't post here that you use the same password before changing them all.
Old 2014-05-13, 12:43   Link #154
Lilith
Your average fangirl
 
 
Join Date: Dec 2005
Location: U.A.E. - Dubai
Age: 37
This is quite funny, right when I got back into anime and decided to visit Animesuki for old time's sake. XD

Thanks for everyone's effort into restoring peace.
__________________
I realized I have too many interests/ideas/emotions to convey in one sig.
Old 2014-05-13, 12:44   Link #155
SaintessHeart
NYAAAAHAAANNNNN~
 
 
Join Date: Nov 2007
Age: 35
I would like to tell all the readers here who are grumbling about the mods: never expect the forum mods to give you top notch security because the mods are largely limited by the forum service providers, who do not take into account security integrity simply because it is only a bloody message board, not a financial transactions system. It evolved from the olden days of BBSes, which were free-for-all, into a secret base for the passionate kid in everyone.

It is still a public message system. Same rules IRL apply with regards to dealing with public matters.

Quote:
Originally Posted by Velsy View Post
Since my password for my email and here was different, does that mean I have averted the problem? Fortunately I don't use Velsy as a username all that often, or hardly at all anymore. I can't really remember what password it was since I have a few passwords I rotate with. I use the "remember me" option, so I don't log in all that much.
Just watch out for spam mail. You could be phished - ascertain links before opening, block the sender and report to your mail service provider.

Quote:
Originally Posted by GHDpro View Post
Yeah, I was doing something I thought was fairly simple but somehow put the server load up to 50.

I had to stop the webserver for a few seconds to let the load die down (by that time the command I was running had already completed as well).
You are the one who sent out the mass email! Now they are all coming back to change their passwords!

I better go watch my lolis before some lolicon steals them away.
__________________

When three puppygirls named after pastries are on top of each other, it is called Eclair a'la menthe et Biscotti aux fraises avec beaucoup de Ricotta sur le dessus.
Most of all, you have to be disciplined and you have to save, even if you hate our current financial system. Because if you don't save, then you're guaranteed to end up with nothing.
Old 2014-05-13, 12:45   Link #156
GHDpro
Administrator
*Administrator
 
 
Join Date: Jan 2001
Location: Netherlands
Age: 45
Quote:
Originally Posted by Dist View Post
Are you kidding me? You were hacked almost two weeks ago and it took you this long to announce our passwords were far from protected, and likely compromised. Even if it took you time to "gather facts" you could've made the announcement regardless to inform people and have them change their passwords just in case. I am extremely disappointed in the staff's decision to wait this long.
It's not like we've known since May 2~4, we only now know that is when the attack happened. As the attackers weren't out to destroy the forum but rather steal account details, it took a few days to figure out what the weird "anomalies" were that people noticed (such as the back-button problem and a weird announcement).

And I suppose you could blame me for not visiting the forum everyday anymore and not checking my @animesuki.com email account basically... never. Other admins had tried to warn me a few days ago but it wasn't until Nightwish actually took the forum offline for a few minutes that I got a notification from my server monitoring service.
Old 2014-05-13, 12:54   Link #157
Alistair
Software engineer
 
 
Join Date: May 2014
Quote:
Originally Posted by GHDpro View Post
I think whatever the change would be, it would make maintaining the forum even harder than it is now. Granted there are few patches for vBulletin 3 these days, but nonetheless the most recent was just a few months ago.

An easier solution would be to add a notice to the register & change password pages explaining the weakness of vBulletin password hashing algorithm and that reusing passwords used on vBulletin forums is a really bad idea.
I find it insulting, and I think other users would too, that you would neglect actually taking real steps to secure the data you store about your users in favor of presenting a message saying "Sorry, we don't care enough about your security to actually protect you, whatever decisions you make in creating passwords, so please just try to protect yourself."
Making the appropriate changes to the sort of hashing algorithm you use, as well as purchasing and applying an SSL cert to protect your users might take you all of a day if you're slow, and then you never have to do it again. We're talking about making programmatic changes to the forum and the server once, not adding to the list of tasks you need to carry out manually.

Quote:
Originally Posted by KanbeKotori View Post
But I question one thing: Why doesn't AS go for the bare minimum of securing data by using HTTPS? I mean one could be adventurous and aim for either the OTP - the best cipher in history or even BATON - one of the best block cipher encryption out there. I think it's time for AS to transit to using HTTPS at least after this attack. I hope more could be done to prevent such attacks again.
They absolutely should be using HTTPS at the bare minimum.

Quote:
Originally Posted by SaintessHeart View Post
Tor could be a workaround, but it makes you look like a Darknet child-porn peddler or a Silkroad hashish dealer. CIDCCD will be on your ass sooner than you can say loli/shota.
Tor is used by all kinds of different people all over the world, including political dissidents and activists, as well as regular families that just want to communicate securely. Awareness of this fact is spreading even in America, where technical illiteracy is probably higher than just about anywhere else I can think of in the Western world, particularly as a result of increased awareness following the Snowden documents' publication.
Using Tor would provide AS users with anonymity, though I don't think that's really helpful to an average anime forum user. Also, until AS supports HTTPS, Tor exit nodes would be able to see everything an AS user does, as well as read their passwords and such, which I outlined previously.

Quote:
Originally Posted by Cosmic Eagle View Post
Or just use a VPN by default... (still trying to find one that doesn't require money...)
You shouldn't trust a free VPN. The people running VPN services need to make money, and the ones that offer their service for free do it the same way Google does: by selling information they collect about you as you use their services. You can get a perfectly good VPN for as little as $3/month, which would at least help to protect your privacy online.

Quote:
Originally Posted by Tiberium Wolf View Post
So is the forum safer now?
I would argue that it's probably not, based on what I've seen in this thread so far.

Quote:
Originally Posted by Dist View Post
Are you kidding me? You were hacked almost two weeks ago and it took you this long to announce our passwords were far from protected, and likely compromised. Even if it took you time to "gather facts" you could've made the announcement regardless to inform people and have them change their passwords just in case. I am extremely disappointed in the staff's decision to wait this long.
This is exactly the kind of outrage the admins need to be taking steps to quell. You're perfectly right for being upset about not having your information secured, or being notified about it sooner. It certainly is your own blunder that you used the same passwords so often, but AS is still responsible for the data you provided them. Even though you used the same passwords, if AS had updated the hashing algorithm used to secure said passwords, you would have far less to worry about.

Quote:
Originally Posted by SaintessHeart View Post
I would like to tell all the readers here who are grumbling about the mods: never expect the forum mods to give you top notch security because the mods are largely limited by the forum service providers, who do not take into account security integrity simply because it is only a bloody message board, not a financial transactions system. It evolved from the olden days of BBSes, which were free-for-all, into a secret base for the passionate kid in everyone.
There is absolutely NO reason any user should not expect to have the most BASIC protections in place to secure their data. It is not the responsibility of users to ensure that the data stored by the forum's servers adequately protect their information, as they cannot have such control. It is instead the responsibility of the moderators. This goes for ANY website that stores any potentially sensitive information about users.

Quote:
Originally Posted by SaintessHeart View Post
It is still a public message system. Same rules IRL apply with regards to dealing with public matters.
I don't know about you, but I don't know a single person who goes about their public matters with their passwords and personal information tagged on their back in such a way that you (metaphorically) only need to squint a little to read.
__________________
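Alistair's point about changing the hashing algorithm, as an added example that is not code from this forum or from vBulletin: vBulletin 3 stored passwords as md5(md5(password) + salt) with a short salt (a known fact about vB3, not stated in the thread), and the sketch below checks such a row and then rehashes the password with PBKDF2-HMAC-SHA256 on the first successful login, when the cleartext is briefly available. The user record layout, its field names and the 3-character salt are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import string

# Legacy scheme as vBulletin 3 stored it: md5(md5(password) + salt) with a short
# salt. Kept only so existing rows can be checked once and then replaced.
def legacy_vb3_hash(password: str, salt: str) -> str:
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()

# Hardened scheme: PBKDF2-HMAC-SHA256, 16-byte random salt, high iteration count,
# stored as one string "pbkdf2$<iterations>$<salt hex>$<digest hex>".
PBKDF2_ITERATIONS = 600_000

def pbkdf2_hash(password: str, salt: bytes = b"", iterations: int = PBKDF2_ITERATIONS) -> str:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"

def verify_pbkdf2(password: str, stored: str) -> bool:
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so the check does not leak digest bytes by timing.
    return hmac.compare_digest(digest.hex(), digest_hex)

# Hypothetical user record: {"username", "scheme", "salt", "hash"}.
# "vb3" rows carry the legacy 3-character salt; "pbkdf2" rows carry the encoded string.
def make_legacy_user(username: str, password: str) -> dict:
    salt = "".join(secrets.choice(string.ascii_letters) for _ in range(3))  # constructed, vB3-style
    return {"username": username, "scheme": "vb3", "salt": salt,
            "hash": legacy_vb3_hash(password, salt)}

def login(user: dict, password: str) -> bool:
    """Check the password; on success, migrate a legacy row to PBKDF2 in place."""
    if user["scheme"] == "vb3":
        candidate = legacy_vb3_hash(password, user["salt"])
        if not hmac.compare_digest(candidate, user["hash"]):
            return False
        # The cleartext is only available at this moment, so rehash it now.
        user["scheme"], user["salt"], user["hash"] = "pbkdf2", "", pbkdf2_hash(password)
        return True
    if user["scheme"] == "pbkdf2":
        return verify_pbkdf2(password, user["hash"])
    return False  # unknown scheme: refuse rather than guess

def migrated(user: dict) -> bool:
    return user["scheme"] == "pbkdf2"

if __name__ == "__main__":
    u = make_legacy_user("alice", "correct horse battery staple")  # constructed sample
    print(login(u, "wrong"), migrated(u))                         # False False
    print(login(u, "correct horse battery staple"), migrated(u))  # True True
```

Rows belonging to users who never log in again stay on the weak hash, so this upgrade-on-login path is a complement to, not a substitute for, forcing a reset of every account after a breach.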
Old 2014-05-13, 13:00   Link #158
SeijiSensei
AS Oji-kun
 
 
Join Date: Nov 2006
Age: 74
Quote:
Originally Posted by BTDK View Post
That's what we know, but the majority of internet users aren't aware of that. In short, I've just been making a simple warning of the risk they could face.
No, you're spreading FUD. Knowing someone's IP address offers little or nothing to a hacker. I have servers that get scanned all the time by automated processes. They didn't get chosen because someone knew my address. The process was simply generating IP addresses using some algorithm and running port scans against each address.

As I say, if you connect to the Internet through a router, only the router is publicly visible. I just ran an nmap scan against my ISP-provided router (an Actiontec from Verizon) from another computer on the Internet. The scan ran for over five minutes as nmap tried all sorts of tricks to break into the router. Not one of the 1680 ports it examined was open to the outside.

If you connect your computer directly to the Internet, then yes, you should be running firewall software on that machine. Of course, that's always been true. The AS breach does nothing to change that fact.
Old 2014-05-13, 13:01   Link #159
kache
Asobo~
*IT Support
 
 
Join Date: Jul 2007
Location: Italy
Age: 33
So, considering that the staff fucked up badly now and has quite a few debts with the users, are you gonna pay a little of it by adding Tapatalk support, which was requested for years and never implemented?
__________________
Ipsa scientia potestas est.

Watching at the moment: click on the image.


Last edited by kache; 2014-05-13 at 13:35.
Old 2014-05-13, 13:10   Link #160
mrSh4dy
Member
 
 
Join Date: May 2014
Location: NL
Quote:
Originally Posted by Dist View Post
Are you kidding me? You were hacked almost two weeks ago and it took you this long to announce our passwords were far from protected, and likely compromised. Even if it took you time to "gather facts" you could've made the announcement regardless to inform people and have them change their passwords just in case. I am extremely disappointed in the staff's decision to wait this long.

I personally used my password across multiple sites, some of which include games where I have invested heavily. The password is so complex that there is no way anyone could ever guess it, which is why I've used the same password - little did I expect AS would be hacked, let alone that you'd notify us two weeks later, when it's probably too late. Hell, I just realized I have the same email/password combo on my PayPal account, with all of my cards linked to it...

Off to check all those sites/accounts now -__-
While I agree the announcement is a bit too late, you can't really blame them for your own stupidity in using the same password/e-mail combo on your PayPal account. Either you're way too naive or just a newbie on how the internet works.

I personally use a unique password and a different e-mail account (not used for mails or sign-ups, with a different password) for my PayPal account. I won't claim it to be hack proof but at least I take some measure of precaution.

As a general note: a smart thing to do is to make a specific set of passwords for different uses: one for forums, one for online shops, one for online gaming, etc., and use unique passwords to safeguard the more important accounts and stuff. This way you don't have to remember too many passwords and can easily change just that specific set when necessary.
Also change those unique passwords once a year, don't save them on your PC (write them down and keep them safe if you have to), and clear your cookies and cache once a month; all this helps in keeping your shit a little bit more safe.
Powered by vBulletin® Version 3.8.11