AnimeSuki Forums
Old 2014-05-13, 13:10   Link #161
SaintessHeart
NYAAAAHAAANNNNN~
 
 
Join Date: Nov 2007
Age: 35
Quote:
Originally Posted by Alistair View Post
I find it insulting, and I think other users would too, that you would neglect actually taking real steps to secure the data you store about your users in favor of presenting a message saying "Sorry, we don't care enough about your security to actually protect you, whatever decisions you make in creating passwords, so please just try to protect yourself."
Making the appropriate changes to the sort of hashing algorithm you use, as well as purchasing and applying an SSL cert to protect your users might take you all of a day if you're slow, and then you never have to do it again. We're talking about making programmatic changes to the forum and the server once, not adding to the list of tasks you need to carry out manually.
That is grudge mentality. Insisting that something someone started as a hobby owes you a service is plain obnoxious. I don't think GHD and Nightwish expected this forum to become one of the top 100,000 sites on the Internet.

Also, the mods are human beings too. The amount of attention they can spend here is limited by what they have going on in real life. Using HTTPS could be a start; however, taking into account the time required for implementation and their living needs, it is best that we users protect ourselves first.

Quote:
I don't know about you, but I don't know a single person who goes about their public matters with their passwords and personal information tagged on their back in such a way that you (metaphorically) only need to squint a little to read.
Also, like I said, this is a public system, like Facebook. Use it with some caution - compartmentalise what you can afford to lose and what you can't. Spending my younger days as a script kiddie taught me that it is unwise to put all your eggs in a single basket. I know it is a lot of work, however practice makes perfect - and that practice comes from frequency of use.

Everything can be hacked and exploited. It is only a matter of time and the hackers' passion.
__________________

When three puppygirls named after pastries are on top of each other, it is called Eclair a'la menthe et Biscotti aux fraises avec beaucoup de Ricotta sur le dessus.
Most of all, you have to be disciplined and you have to save, even if you hate our current financial system. Because if you don't save, then you're guaranteed to end up with nothing.
SaintessHeart is offline   Reply With Quote
Old 2014-05-13, 13:12   Link #162
milan kyuubi
Call me MK! :)
Graphic Designer
 
 
Join Date: Oct 2009
Location: The top of the world.
Age: 34
Quote:
Originally Posted by SeijiSensei View Post
Knowing someone's IP address offers little or nothing to a hacker.
This is true. Otherwise all of those who edit wikis are in big trouble!
__________________
My Twitter account! Thanks to Godlike1889 for the sig!
milan kyuubi is offline   Reply With Quote
Old 2014-05-13, 13:13   Link #163
Kakurin
大佐
 
 
Join Date: Jun 2013
Quote:
Originally Posted by Alistair View Post
I don't know about you, but I don't know a single person who goes about their public matters with their passwords and personal information tagged on their back in such a way that you (metaphorically) only need to squint a little to read.
You won't believe how carelessly many people (especially those who are inexperienced or naive) handle their passwords. For example, using very simplistic passwords that are easy to crack, or being naive to a degree that it doesn't take much coercion to get them to reveal their passwords.
__________________
Kakurin is offline   Reply With Quote
Old 2014-05-13, 13:17   Link #164
WiliamZ0
Senior Member
 
 
Join Date: Jan 2011
That's quite a serious breach. I hope we all learned from this and try to prevent it from happening again. It's also wise to make sure you have a different password and username at different sites.
WiliamZ0 is offline   Reply With Quote
Old 2014-05-13, 13:20   Link #165
GHDpro
Administrator
Administrator
 
 
Join Date: Jan 2001
Location: Netherlands
Age: 45
Quote:
Originally Posted by Alistair View Post
Making the appropriate changes to the sort of hashing algorithm you use, as well as purchasing and applying an SSL cert to protect your users might take you all of a day if you're slow, and then you never have to do it again. We're talking about making programmatic changes to the forum and the server once, not adding to the list of tasks you need to carry out manually.
People once again expect forum admins to write their own forum software and have absolute utter expert knowledge of how everything works under the hood.

IT SIMPLY ISN'T THAT EASY

I haven't really found a ready-made easy-to-implement solution to implement stronger hashing in vBulletin, a complex piece of PHP software that I didn't invent.

The link you mentioned earlier gives some hints, but I'm pretty sure if I simply copied & pasted those lines I'd hose the forum. Even if the code works, existing passwords are still MD5, and it doesn't look like the code on that page has any provisions for handling "old" passwords (I could be wrong, I didn't stare at the code too long). An existing vB 4.x mod I found openly admitted having that same issue (not supporting old passwords). The result would be that absolutely everyone would have to change their passwords again immediately, and people will get sick of that, for sure.

Added to that, once again this is a custom modification of the source. There are not many official patches for vB 3.x these days, but with every patch I'd have to be careful not to overwrite the wrong file and/or to apply my own modifications again, which is a pain. Rather, I'd like to see the custom modifications to the forum reduced to absolute zero, making upgrades painless.

SSL, as I've said before, is something I'm very much willing to implement, but I've currently still got some other issues to resolve first.
GHDpro is offline   Reply With Quote
Old 2014-05-13, 13:22   Link #166
serenade_beta
そのおっぱいで13才
 
 
Join Date: Dec 2006
Otsukaresama~ Mods and staff. ヽ(´∀`)ノ
The email and password I used were so old, I had to randomly put in lines to even get back into my email account. So no worries for me, I guess. I don't use that email, so it doesn't matter if the hacker spams it.

(So that "Test" post was the hacker?)
__________________

-Blog --> http://tdnshumi.blogspot.com/ (Mainly about video games)
-R.I.P. Hiroshi Yamauchi, Gaming wouldn't have been the same without you (9/19/13)
serenade_beta is offline   Reply With Quote
Old 2014-05-13, 13:23   Link #167
psicomenace
Member
 
 
Join Date: Nov 2008
Location: Mexico City
Quote:
Originally Posted by Guardian Enzo View Post
Damn, it's midnight here, I have to be out early tomorrow and I'm wracking my brain trying to figure out every place that I could possibly have used a similar password. What a royal pain in the ass.
Totally agree.
psicomenace is offline   Reply With Quote
Old 2014-05-13, 13:28   Link #168
AnimeRat
Wannabe Tsundare
 
 
Join Date: Aug 2012
Location: BucketheadLand
Can I see my old password somewhere? It would be nice to know which password the hackers got.
__________________

Proud Member of Whitebeard Pirates
AnimeRat is offline   Reply With Quote
Old 2014-05-13, 13:36   Link #169
mrSh4dy
Member
 
 
Join Date: May 2014
Location: NL
Quote:
Originally Posted by AnimeRat View Post
Can I see my old password somewhere? It would be nice to know which password the hackers got.
If you use Firefox and auto-fill passwords, you can find the passwords under the Security tab.

For IE use credential manager.
mrSh4dy is offline   Reply With Quote
Old 2014-05-13, 13:48   Link #170
Nvis
Where are the good animes
 
 
Join Date: Dec 2003
Wow, it took you guys this f**king long to find out?

Who is taking responsibility for this?

I'll let the hacker know I'm using the same password.

AS FTL. Absolutely terrible. First Heart Bleed, now this s**t?
Nvis is offline   Reply With Quote
Old 2014-05-13, 14:07   Link #171
Emballage
Member
 
Join Date: Jul 2013
I don't visit this forum that often, so it's kind of lucky for me to have read the news now, instead of say, a few weeks down the road.

While (for now) I've used this account name and email address only for AnimeSuki, before this I'd used basically only one username and two or three passwords for everything I did, including on sites I haven't visited in years and have possibly forgotten about. I wonder how many of THOSE have suffered something similar to this.
Emballage is offline   Reply With Quote
Old 2014-05-13, 14:09   Link #172
Hazou
Immortal Flames
 
 
Join Date: Apr 2014
Well, this was quite a shocking surprise. The e-mail I use is an e-mail that is quite active, so I changed the password to something else. Although tbh, if the hackers did get into my email, all they will be doing is getting a pizza on me.

I don't put any credit info or cellphone info on my e-mail. The mandatory number I did put in belongs to a Domino's pizza, which is rofl, because a lot of good that does. The address is to a Subway.
__________________

Burn strongly and freely, my immortal flames.
Hazou is offline   Reply With Quote
Old 2014-05-13, 14:16   Link #173
Hiroi Sekai
ゴリゴリ!
Graphic Designer
 
 
Join Date: Jan 2009
Location: Vancouver, British Columbia
Age: 32
Perhaps this is a sign that everyone should grab LastPass and just generate your passwords with special characters. If even I don't know my own passwords, cracking this one has no effect on me, aside from a few private messages they can look at.

I also hope the staff will come up with a better hashing and salting algorithm for the passwords this time. MD5 alone is just not enough, no matter the site. If you're allowing input of personal data in accounts, it should be well protected, no matter how much one can play the "at-your-own-disclosure" card. Add secret tags to the algorithm; they're super quick to add but just keep adding steps for hackers to try and push through. By then, hopefully you can discover that someone's snooping around in your code. Sanitization and adding top-tier levels of code moderation away from the new mods/admins is helpful too.

Kudos to you guys for getting the site back up and running, but I hope you'll take the steps necessary to investigate what to do for those who may now have their other accounts compromised as a result, and to improve security so it doesn't happen again. I think it's the least you can do for us all.

tl;dr: GET LASTPASS, GENERATE NEW PASSWORDS FOR EACH SITE. NEVER REUSE PASSWORDS WHEN YOU DON'T HAVE TO.
__________________
Hiroi Sekai is offline   Reply With Quote
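GHDpro's post above describes the practical blocker: the forum's stored hashes are MD5, and the upgrade code he found has no provision for "old" passwords, so everyone would be forced to reset. Hiroi Sekai's post asks for proper salting plus a "secret tag". Both can be handled with one well-known migration pattern: wrap every existing MD5 hash inside a slow, salted, peppered hash in a single offline batch (no plaintext needed, so no forced reset), then rehash each account to the final scheme the next time its owner logs in successfully. The following is an added example in Python; it is not vBulletin or AnimeSuki code. It assumes the legacy store holds md5(md5(password) + salt) hex digests with a per-user salt (the form vBulletin 3.x used); the record layout, the pepper value, the scheme names and the iteration count are this example's own choices.

```python
"""Migrating a legacy salted-MD5 password store to PBKDF2 without a forced reset.

Added example, not vBulletin code. Assumed legacy scheme: md5(md5(password) + salt)
hex digests with a per-user salt. Record layout, pepper and work factor are this
example's own choices.
"""
import hashlib
import hmac
import secrets

# Server-side secret kept outside the database (the "secret tag"): a constructed
# value for this example; in practice load it from config or a key store.
PEPPER = b"example-pepper-not-a-real-secret"
ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor


def legacy_md5(password: str, salt: str) -> str:
    """Assumed legacy scheme: md5(md5(password) + salt), hex encoded."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def slow_hash(secret: bytes, salt: bytes) -> bytes:
    """Apply the pepper with HMAC, then stretch with PBKDF2 and a per-user salt."""
    peppered = hmac.new(PEPPER, secret, hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", peppered, salt, ITERATIONS)


def new_record(password: str) -> dict:
    """Record for a password held in plaintext (registration or a fresh login)."""
    salt = secrets.token_bytes(16)
    return {"scheme": "pbkdf2", "salt": salt,
            "hash": slow_hash(password.encode("utf-8"), salt)}


def wrap_legacy_record(rec: dict) -> dict:
    """Upgrade a legacy row offline, with no plaintext: slow-hash the MD5 digest
    itself, so a database dump no longer exposes bare MD5 values."""
    if rec["scheme"] != "legacy_md5":
        raise ValueError("only legacy_md5 records can be wrapped")
    salt = secrets.token_bytes(16)
    return {
        "scheme": "wrapped_md5",
        "legacy_salt": rec["salt"],  # still needed to recompute the inner MD5
        "salt": salt,
        "hash": slow_hash(rec["hash"].encode("ascii"), salt),
    }


def verify(rec: dict, password: str) -> bool:
    """Check a password against whichever scheme the record is currently in."""
    scheme = rec["scheme"]
    if scheme == "legacy_md5":
        return hmac.compare_digest(legacy_md5(password, rec["salt"]), rec["hash"])
    if scheme == "wrapped_md5":
        inner = legacy_md5(password, rec["legacy_salt"]).encode("ascii")
        return hmac.compare_digest(slow_hash(inner, rec["salt"]), rec["hash"])
    if scheme == "pbkdf2":
        candidate = slow_hash(password.encode("utf-8"), rec["salt"])
        return hmac.compare_digest(candidate, rec["hash"])
    raise ValueError(f"unknown scheme {scheme!r}")


def login(rec: dict, password: str) -> tuple:
    """Return (ok, record_to_store). A successful login through a legacy or
    wrapped record is the one moment the plaintext is available, so the
    record is rehashed to the final scheme right there."""
    if not verify(rec, password):
        return False, rec
    if rec["scheme"] != "pbkdf2":
        return True, new_record(password)
    return True, rec


if __name__ == "__main__":
    # Constructed sample row, as the legacy store would hold it.
    row = {"scheme": "legacy_md5", "salt": "Qx9",
           "hash": legacy_md5("correct horse", "Qx9")}
    row = wrap_legacy_record(row)          # batch step, no user action needed
    ok, row = login(row, "correct horse")  # first login after the migration
    print(ok, row["scheme"])               # prints: True pbkdf2
```

The wrapping step is what removes the forced-reset problem GHDpro describes: it runs once over the whole table, and from then on a leaked dump contains only peppered PBKDF2 outputs, even for accounts that never log in again. The pepper lives in configuration rather than the database, so a SQL-level dump alone is not enough to start cracking. `hmac.compare_digest` is used for every comparison so that verification time does not leak how many leading bytes matched.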
Old 2014-05-13, 14:27   Link #174
haseo0408
Senior Member
 
 
Join Date: May 2012
Well, I'm just glad they fixed the problem. Stuff like this happens sometimes.
haseo0408 is offline   Reply With Quote
Old 2014-05-13, 14:32   Link #175
Dextro
He Without a Title
 
 
Join Date: Feb 2008
Location: The land of tempura
Guys, seriously, stop blaming the forum admins for this. They did what they could, considering this is a completely free service without a single advertisement in sight that they are providing. For me this was only a minor annoyance: open up KeePass and change the forum password, no big deal. In this day and age people should already be using something like KeePass/LastPass/1Password to manage different, relatively strong passwords for each site they visit.

While I am saddened to see MD5 still being used, I'm not at all surprised, since this forum isn't really something that warrants high levels of technical maintenance, luckily. This stuff happens; not even the most secure system in the world is immune to being broken into.
__________________
Dextro is offline   Reply With Quote
Old 2014-05-13, 14:37   Link #176
Eisdrache
Part-time misanthrope
 
 
Join Date: Mar 2007
Quote:
Originally Posted by Nvis View Post
Wow, it took you guys this f**king long to find out?

Who is taking responsibility for this?

I'll let the hacker know I'm using the same password.

AS FTL. Absolutely terrible. First Heart Bleed, now this s**t?
While I don't really have technical knowledge about this topic, it seems that the invaders knew exactly what they were doing and were quite skilled as well. This could have happened to a lot, if not most, large(r) online community sites in one way or another, so we shouldn't look for 'someone to take responsibility' but instead for ways to prevent this and more from happening again.
Eisdrache is offline   Reply With Quote
Old 2014-05-13, 14:42   Link #177
Nvis
Where are the good animes
 
 
Join Date: Dec 2003
Never heard of Lastpass/whatever. Enlighten this old and very grumpy guy.
Nvis is offline   Reply With Quote
Old 2014-05-13, 14:45   Link #178
DarkWarrior
Anaheim Electronics
 
 
Join Date: Aug 2004
Disappointing news of course, but I'm glad I was using an old password that I don't use anywhere else (I think). Honestly this isn't the first time AS had an "incident" like this though, so people shouldn't be too surprised.

And I really hope this serves as a wake up call to some people. Big corporations with far more security and oversight are getting hacked left and right, so a smaller forum getting compromised is far less of a big deal. Not to mention the whole Heartbleed debacle. If you're using the same exact password for an anime forum that you are using for sensitive sites like your bank, you seriously need to re-examine your priorities.
DarkWarrior is offline   Reply With Quote
Old 2014-05-13, 14:47   Link #179
Kakurin
大佐
 
 
Join Date: Jun 2013
Quote:
Originally Posted by Nvis View Post
Never heard of Lastpass/whatever. Enlighten this old and very grumpy guy.
I don't use it, but from what I get it is a program that keeps track of passwords, allowing you to use different and very complicated passwords for different websites. What you need to memorise is solely the master password for Lastpass itself.
__________________
Kakurin is offline   Reply With Quote
Old 2014-05-13, 14:48   Link #180
Hiroi Sekai
ゴリゴリ!
Graphic Designer
 
 
Join Date: Jan 2009
Location: Vancouver, British Columbia
Age: 32
Quote:
Originally Posted by Nvis View Post
Never heard of Lastpass/whatever. Enlighten this old guy.
LastPass is a secure vault for all of your passwords. You sign up for an account, remember that one password and use it to access all of your other randomly generated passwords. Literally, you can have LastPass generate the strangest babble as a password, and it'll lock it in your vault. If lots of people are touchy with your computer, you can leave it fully locked. If you work alone and want quick access, you can have LastPass auto-login as soon as you hit login pages - you literally touch nothing and it does it for you.

The site has a strong sense of monitoring security, so if anything suspicious occurs as they do their multiple daily checks, they instantly lock everything and notify you to take action. Quite simply, I don't know any of my other passwords, aside from my LastPass one. Once I log into that, I can access my other ones. Your LastPass password is securely hashed as well, of course. It even has useful plugins for most popular browsers like Chrome and even Safari, allowing you to access it from the browser itself.
__________________
Hiroi Sekai is offline   Reply With Quote
All times are GMT -5. The time now is 07:37.
Powered by vBulletin® Version 3.8.11