
CHANGE YOUR PASSWORD!!!

Moderators: kerble, Electrical-Staff


Postby russ on Tue Oct 01, 2013 5:01 pm

Sometime this morning, several files on the forum were maliciously changed causing errors when loading pages.

After I was made aware of the issue, I googled the errors and saw that they could be from a compromise to the forum files. Sure enough, that was the case.

I followed the steps recommended by the forum software's support, necessitating that the forum be shut down today while I made backups, changed server passwords, removed the changes to the files and checked for further issues.

Unfortunately, it looks like one of the checks that I ran restored the original style configuration, and I've managed to get the style back so it fits within the site, but it will take a bit more work to get things looking like they used to. I'll continue to work on that, but my main concern is ensuring that the forum software is updated and doesn't get compromised again.

UNFORTUNATELY this means that if the site files were able to be changed, they were also readable, including the file that contains the forum's database password. With access to the database, the attacker has access to all forum members' email addresses and encrypted copies of passwords. Since we all know that encrypted data can eventually be unencrypted, I would STRONGLY URGE you to change your forum password IMMEDIATELY. You can change it under "Edit Account Settings" in the User Control Panel > Profile.

More importantly, if you were using the same password anywhere else with the same e-mail/details then you should also change it there.

Please let me know if you have questions and I'll try to answer them to the best of my ability.
russ
suspicious flashlight
 
Posts: 1359
Joined: Tue Nov 12, 2002 12:23 pm
Location: Oakland Twp, MI

Re: CHANGE YOUR PASSWORD!!!

Postby BlahBlah on Tue Oct 01, 2013 5:05 pm

More importantly, if you were using the same password anywhere else with the same e-mail/details then you should also change it there.
BlahBlah
bert
 
Posts: 275
Joined: Wed Nov 26, 2008 4:58 pm
Location: Scotland

Re: CHANGE YOUR PASSWORD!!!

Postby russ on Tue Oct 01, 2013 5:11 pm

True. Thanks. I've added that bit to the original post.
russ
suspicious flashlight
 
Posts: 1359
Joined: Tue Nov 12, 2002 12:23 pm
Location: Oakland Twp, MI

Re: CHANGE YOUR PASSWORD!!!

Postby ::: on Tue Oct 01, 2013 5:11 pm

Wow, that sucks. Thanks for your efforts. Do you know who did this?
:::
man forced to eat beard
 
Posts: 1890
Joined: Tue Mar 20, 2012 12:37 am

Re: CHANGE YOUR PASSWORD!!!

Postby Major on Tue Oct 01, 2013 5:14 pm

If they hacked into my PMs Kerble's dick is gonna be all over Reddit soon.
Major
Heaven-Sent Hero
 
Posts: 6390
Joined: Sun Oct 30, 2005 11:19 am
Location: 29.7604° N, 95.3698° W

Re: CHANGE YOUR PASSWORD!!!

Postby russ on Tue Oct 01, 2013 5:14 pm

I don't know at this point who did it. Probably just some script kiddie.
russ
suspicious flashlight
 
Posts: 1359
Joined: Tue Nov 12, 2002 12:23 pm
Location: Oakland Twp, MI

Re: CHANGE YOUR PASSWORD!!!

Postby ::: on Tue Oct 01, 2013 5:14 pm

Major wrote:If they hacked into my PMs Kerble's mom is gonna be all over Reddit soon.

kmyp
:::
man forced to eat beard
 
Posts: 1890
Joined: Tue Mar 20, 2012 12:37 am

Re: CHANGE YOUR PASSWORD!!!

Postby Major on Tue Oct 01, 2013 5:18 pm

Oh there's been an r/kerblesmom for years
Major
Heaven-Sent Hero
 
Posts: 6390
Joined: Sun Oct 30, 2005 11:19 am
Location: 29.7604° N, 95.3698° W

Re: CHANGE YOUR PASSWORD!!!

Postby squarewave on Tue Oct 01, 2013 5:29 pm

Done.

Thanks for your work on the forum.
rocker654 wrote:(regarding jail) I can't recommend it. The toast is too rubbery, and the bellboys have too much snotty attitude.

steve wrote:I haven't heard your band, and you might not want me to.
squarewave
Saint Who Rules w/ Extensive Magnanimity
 
Posts: 2155
Joined: Wed Jan 26, 2005 12:19 am
Location: Severe Distortion

Re: CHANGE YOUR PASSWORD!!!

Postby Rémy on Tue Oct 01, 2013 6:31 pm

Thank you Russ for the info.
Rémy
freelance gynaecologist
 
Posts: 953
Joined: Fri Jan 06, 2012 6:05 am

Re: CHANGE YOUR PASSWORD!!!

Postby fredrock on Tue Oct 01, 2013 6:38 pm

:smt023
Nice work Russ
U is the buss
When it comes to a fixin'
The internet muss

(extreme poetic license imposed)
Life is just what happens to you while you're busy making other plans.
-John Lennon
fredrock
Perfect Picture of Wisdom and Boldness
 
Posts: 3217
Joined: Mon Mar 16, 2009 3:30 pm
Location: 6/10ths along toward a century in Chicago IL

Re: CHANGE YOUR PASSWORD!!!

Postby Jodi S. on Tue Oct 01, 2013 6:42 pm

I have a question about passwords in general.

If you use elements of, say, your Electrical PW in another PW (but not the exact PW) are those at risk also?

This might just be the incident that has me kill off my old email address for good.
Jodi S.
Influential Poster
 
Posts: 21119
Joined: Fri Jul 11, 2003 3:47 pm
Location: I am sitting in a room, different from the one you are in.

Re: CHANGE YOUR PASSWORD!!!

Postby Adam Sr on Tue Oct 01, 2013 6:56 pm

Thanks for the advice, but I'm sticking with 'ah84ghwaklhd'.
Adam Sr
Lode Star of the Twenty-First Century
 
Posts: 2450
Joined: Sat Nov 12, 2011 1:55 pm

Re: CHANGE YOUR PASSWORD!!!

Postby Frank Decent on Tue Oct 01, 2013 7:05 pm

Done. Thank you.
Redline wrote:The dead bodies on your mattress and the rubber sheets in your wardrobe should dampen the early reflections.
Frank Decent
Man with Encyclopedic Knowledge
 
Posts: 5108
Joined: Thu Jun 05, 2008 7:04 pm
Location: Canaduh

Re: CHANGE YOUR PASSWORD!!!

Postby BlahBlah on Tue Oct 01, 2013 7:10 pm

Jodi S. wrote:I have a question about passwords in general.

If you use elements of, say, your Electrical PW in another PW (but not the exact PW) are those at risk also?

This might just be the incident that has me kill off my old email address for good.


No. Password storage generally works by storing a hashed version of the password, i.e. one that has been run through some cryptographic hash function. There are a bunch of factors that go into the creation/decision of these algorithms but one of them is that similar input shouldn't map to similar output, so JodiPassword1 and JodiPassword2 will be stored in the database with completely different values and it should be impossible to relate the two by looking at the hashes.

Attacks on the encrypted passwords are usually carried out using a very large pre-computed table of the hashes of various passwords. Each of these values can then be searched in the DB and then for matching users their password is known. So actually if there is an extremely dedicated attacker who wants to access your accounts on other sites and knows matching details then they *may* be able to get your Electrical PW and manually guess the other parts but if your other passwords aren't as simple as <PRFPassword>1 then this is extremely unlikely. It's all just going to be automated scripts trying out these things anyway.

Also, thanks Russ!

(and, yes, to pedantic people: salts to prevent rainbow table attacks, etc, and there's so much more to talk about. I imagine this site doesn't store salted+hashed passwords since I think phpBB2 didn't do that. Some interesting things to discuss in the comp sci thread maybe!)
BlahBlah
bert
 
Posts: 275
Joined: Wed Nov 26, 2008 4:58 pm
Location: Scotland

Re: CHANGE YOUR PASSWORD!!!

Postby Bro Shark on Tue Oct 01, 2013 7:39 pm

Thanks, I changed it to "Password123".
Bro Shark
bear
 
Posts: 801
Joined: Thu Dec 13, 2007 5:41 pm
Location: SF

Re: CHANGE YOUR PASSWORD!!!

Postby lemur68 on Tue Oct 01, 2013 8:08 pm

fredrock wrote::smt023
Nice work Russ
U is the buss
When it comes to a fixin'
The internet muss


BURMA SHAVE
big_dave wrote:This is just about finding a dorky selfie on his blogspot?

Jesus, this is the Space Ace by Don Bluth of internet intrigue.
lemur68
King Shit of Fuck Mountain
 
Posts: 18283
Joined: Fri Sep 15, 2006 12:52 am
Location: Columbus, OH

Re: CHANGE YOUR PASSWORD!!!

Postby Colonel Panic on Tue Oct 01, 2013 8:19 pm

Jodi S. wrote:I have a question about passwords in general.

If you use elements of, say, your Electrical PW in another PW (but not the exact PW) are those at risk also?

This might just be the incident that has me kill off my old email address for good.

It's unlikely, but theoretically, yes. It depends largely on how much similarity exists between your other password and your EA Forums one. The more similarity exists, the more the uniqueness and integrity of your password is compromised. That's why they say you should never use the same word in passwords for multiple sites in recognizable patterns such as "googleswordfish," "yahooswordfish" and "electricalswordfish." There are password cracking algorithms that use "dictionary attacks" coupled together with the "rainbow tables" technique mentioned by BlahBlah above that do actually automate the process of brute-forcing passwords. Add to that the fact that (as BlahBlah also mentioned) PHPBB doesn't salt hashed passwords by default, plus the distinct possibility of the attacker sharing our forum's ~/etc/password list file for all his friends to have a crack at.

If I were you, I'd play it safe and change any passwords for other sites that share similar words or long character sequences with your EA password.
All that glitters is not aluminum.
Colonel Panic
King Shit of Fuck Mountain
 
Posts: 17039
Joined: Thu Apr 19, 2007 8:12 am
Location: The Internet
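
Editor's added example (not part of any post in this thread, and not the forum software's code): it works through the points BlahBlah and Colonel Panic raise above, namely that similar passwords give unrelated hashes, that one precomputed table exposes every account stored with an unsalted hash, and that a per-user salt with a slow KDF removes that shortcut. Unsalted MD5 as the legacy scheme, the user names, the wordlist and the round count are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

def legacy_hash(password: str) -> str:
    """Unsalted MD5 hex digest (assumed stand-in for the old forum scheme)."""
    return hashlib.md5(password.encode()).hexdigest()

def differing_bits(hex_a: str, hex_b: str) -> int:
    """Count the bits that differ between two equal-length hex digests."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")

def precompute(wordlist):
    """One hash -> password table, reusable against any unsalted dump."""
    return {legacy_hash(w): w for w in wordlist}

def exposed_accounts(user_hashes, table):
    """Users whose stored unsalted hash appears in the precomputed table."""
    return {u: table[h] for u, h in user_hashes.items() if h in table}

ROUNDS = 100_000  # illustrative work factor, not a tuned recommendation

def salted_hash(password: str, salt: bytes = b"") -> tuple:
    """PBKDF2-HMAC-SHA256; a fresh random 16-byte salt unless one is given."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)

def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the user's own salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt)[1], stored)

# Constructed sample data: two users share a password, one uses a random one.
PASSWORDS = {"alice": "electricalswordfish", "bob": "t7#Vq2m!x9Lp",
             "carol": "electricalswordfish"}
WORDLIST = ["Password123", "swordfish", "electricalswordfish"]

if __name__ == "__main__":
    # Similar inputs, unrelated digests: roughly half of the 128 bits differ.
    print(differing_bits(legacy_hash("JodiPassword1"),
                         legacy_hash("JodiPassword2")))
    old_db = {u: legacy_hash(p) for u, p in PASSWORDS.items()}
    print(exposed_accounts(old_db, precompute(WORDLIST)))  # alice and carol
    new_db = {u: salted_hash(p) for u, p in PASSWORDS.items()}
    print(new_db["alice"][1] == new_db["carol"][1])  # same password, different salts
    print(verify("electricalswordfish", *new_db["alice"]))
```

Salting removes the shared-table shortcut and hides which users share a password; it does not make a guessable password strong, since each salted hash can still be tested against a wordlist one user at a time.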

Re: CHANGE YOUR PASSWORD!!!

Postby ::: on Tue Oct 01, 2013 9:58 pm

Colonel Panic wrote:
Jodi S. wrote:I have a question about passwords in general.

If you use elements of, say, your Electrical PW in another PW (but not the exact PW) are those at risk also?

This might just be the incident that has me kill off my old email address for good.

It's unlikely, but theoretically, yes. It depends largely on how much similarity exists between your other password and your EA Forums one. The more similarity exists, the more the uniqueness and integrity of your password is compromised. That's why they say you should never use the same word in passwords for multiple sites in recognizable patterns such as "googleswordfish," "yahooswordfish" and "electricalswordfish." There are password cracking algorithms that use "dictionary attacks" coupled together with the "rainbow tables" technique mentioned by BlahBlah above that do actually automate the process of brute-forcing passwords. Add to that the fact that (as BlahBlah also mentioned) PHPBB doesn't salt hashed passwords by default, plus the distinct possibility of the attacker sharing our forum's ~/etc/password list file for all his friends to have a crack at.

If I were you, I'd play it safe and change any passwords for other sites that share similar words or long character sequences with your EA password.

Good to know. I've now also changed the password for the email account with which I registered to post here.
:::
man forced to eat beard
 
Posts: 1890
Joined: Tue Mar 20, 2012 12:37 am

Re: CHANGE YOUR PASSWORD!!!

Postby SecondEdition on Tue Oct 01, 2013 10:36 pm

Thanks. Changed the email address (which was dead) and the password.
Life...life...I know it's got its ups and downs.

In the someday, what's that sound.


CS. PC. MM.
SecondEdition
King Shit of Fuck Mountain
 
Posts: 22412
Joined: Wed May 03, 2006 8:32 am
Location: Midwest, USA
