Recommend password changes



Off Camber
11-07-16, 02:18 AM
There was a vulnerability in the ForumRunner add-on for vBulletin which could enable attackers to expose information such as encrypted passwords and email addresses. Unfortunately we didn't patch for this because we incorrectly believed that the plugin had to be added and activated to be vulnerable. Today we found log activity that suggests that the vulnerability has been attacked and may have been used to expose this information.

While the password information is encrypted, once it's obtained brute force cracking techniques may make your password vulnerable. We recommend that you change your password on Off Camber and anywhere else where you may be using the same password.

Beware of any emails claiming to be from Off Camber (or anywhere, really) requesting account or personal information. We will never email you asking for such information. If you receive an email from Off Camber which asks for such information please PM nrc.

Also beware of email claiming to be from other OC users sharing links or attached files. Always verify the sender of such emails before following links or opening attachments. Email addresses are not public on the forum so emails from anyone you haven't provided your email address to yourself should be viewed with suspicion.

We have blocked access to the vulnerable scripts until the appropriate patches can be applied. Our apologies for this error and any inconvenience it may cause.

Insomniac
11-07-16, 09:51 AM
Firstly, thank you for the heads up. I'd suggest that an e-mail be sent to all members as well.

Do you have a time frame for the attack? I recently changed my password, and while I am not reusing either the old or new one, others may be in a similar situation and may need to know which/both were exposed in case of reuse. Also, out of curiosity, when you say encrypted, do you mean encrypted and the vulnerability exposed keys as well, or was that a more generic term for passwords were not in plain text?

Also, for others, you can find the page to change your password here: http://www.offcamber.net/forums/profile.php?do=editpassword

Or to navigate there:

In the menu near the top (under the logo), choose "General Settings" under the Forum Actions item. Then on the left menu choose "Edit Email & Password" under My Account (which is under My Settings) on the left side.

dando
11-07-16, 02:02 PM
Crap. Now I have to change abc123? :gomer: ;)

SteveH
11-07-16, 04:17 PM
The password I use here is unique to this site. I'm considering not changing it just because. There's very little value in logging in as me, the only thing of value (and that is minimal at best) is my email address on my profile. And if this site was hacked they probably took that too. Does anyone know? I doubt if the user database has much value other than some of the passwords might be valid on other sites that do contain more personal data for some users. But that is a lot of work for someone to go through for minimal return.

nrc
11-07-16, 04:58 PM
Firstly, thank you for the heads up. I'd suggest that an e-mail be sent to all members as well.

Do you have a time frame for the attack? I recently changed my password, and while I am not reusing either the old or new one, others may be in a similar situation and may need to know which/both were exposed in case of reuse. Also, out of curiosity, when you say encrypted, do you mean encrypted and the vulnerability exposed keys as well, or was that a more generic term for passwords were not in plain text?

Also, for others, you can find the page to change your password here: http://www.offcamber.net/forums/profile.php?do=editpassword

Or to navigate there:

In the menu near the top (under the logo), choose "General Settings" under the Forum Actions item. Then on the left menu choose "Edit Email & Password" under My Account (which is under My Settings) on the left side.

Our logs only go back through October. There were a few access attempts on the vulnerable URL during that time but we can't determine whether there was any information exposed. To be safe, you should assume that the information may have been exposed as early as July when the vulnerability was first made public.

vBulletin stores a cryptographic hash of your password, specifically an MD5 hash with a random string for what they call "salt". This is a one way conversion to a string of characters unique to your password. Essentially your password is the "key" to this hash. The only way to crack it is to test passwords through this conversion until you get one that creates the same string of characters.

Unfortunately if they get access to the list of hashes from the database they can spend as much time as they want on this kind of brute force attack. This is why a good password is important. A trivial password can be matched almost instantly. If your password is eight characters with upper and lower case and digits and not a dictionary word then it will take long enough to be more trouble than it's worth for most hackers - unless it's your bank account.

Yes, we'll send out an email notice as well.

Napoleon
11-07-16, 05:16 PM
. . . as early as July

Likely not related, but, long story short, on August 18th I had someone, somehow, place an order through my Amazon account (I forget what my password was, and I changed it in my password database, and the old version of that database, at least on my work computer, went bye-bye a week ago). AMAZINGLY, even though the Amazon people in a long phone call confirmed to me that they had then cleared my card information from my account and also, allegedly, cleared my log in password and sent me an email to reset it, which I intentionally did not do, somehow that happened a second time just weeks later. The second time I had them close the account ASAP.

nrc
11-07-16, 05:16 PM
The password I use here is unique to this site. I'm considering not changing it just because. There's very little value in logging in as me, the only thing of value (and that is minimal at best) is my email address on my profile. And if this site was hacked they probably took that too. Does anyone know? I doubt if the user database has much value other than some of the passwords might be valid on other sites that do contain more personal data for some users. But that is a lot of work for someone to go through for minimal return.

The vulnerability allows them to run arbitrary queries against the database so email addresses could be exposed. Basically, anything you see in your profile.

The main value of these attacks is harvesting email addresses for phishing attacks, harvesting password hashes that they can link with an account or email address, crack, and then try on other sites, and specifically trying to crack vBulletin administrative accounts, probably as an interim step to trying to get full system access. Access to a normal user account on a forum doesn't do them much good.

It's a good rule of thumb not to use the same password on any public web site that you use for email, banking, or really anything that could cause you real damage if it were compromised.

Napoleon
11-07-16, 05:21 PM
PS, the email account I used for that Amazon account (which is how you log in) is what I use for this account.

nrc
11-07-16, 05:38 PM
PS, the email account I used for that Amazon account (which is how you log in) is what I use for this account.


Amazon definitely falls into the category of things I wouldn't use the same password for as any public forum. Based on those Amazon events I would be concerned that someone had access to your email account. Hopefully you've changed that password since then.

Off Camber
11-07-16, 06:58 PM
Sorry, I couldn't login on the admin console so I shut the forum off for a moment to make sure something wasn't going on. Nothing other than my big fat fingers hitting the wrong keys, as it turns out. :irked:

cameraman
11-07-16, 07:49 PM
My password for this place was unique (at least unique to me) to here but it was so old and ridiculously insecure that I changed it anyway now that I was forced to think about how silly it was. :laugh:

Tifosi24
11-07-16, 09:09 PM
My password for this place was unique (at least unique to me) to here but it was so old and ridiculously insecure that I changed it anyway now that I was forced to think about how silly it was. :laugh:

My password was also remarkably old and insecure but it was unique to here. I was also shocked by what email address was on file. Thanks again for the heads up so I could update my account.

nissan gtp
11-07-16, 10:03 PM
darn it, "toneysucks" was so easy to remember

Napoleon
11-07-16, 10:42 PM
Amazon definitely falls into the category of things I wouldn't use the same password for as any public forum. Based on those Amazon events I would be concerned that someone had access to your email account. Hopefully you've changed that password since then.

OK, on my laptop at home I have an archive that predates by about a month the loss of my credit cards and other stuff in NYC and the one month later Amazon incident, and my Amazon password was different from here (for that matter my email I use for here as well). So the breach here does not explain what happened here.

By the way, Amazon is outrageous. First they use your email address as your "name" instead of something that could be unique to it. Then on top of it they automatically keep your credit card info (you would have to clear the info after every order), although accessing it after logging in does not give you the actual numbers, but you can still charge to them.

dando
11-07-16, 10:50 PM
My password for this place was unique (at least unique to me) to here but it was so old and ridiculously insecure that I changed it anyway now that I was forced to think about how silly it was. :laugh:

BYUfan has been changed? :gomer: :D

Insomniac
11-08-16, 11:36 AM
Our logs only go back through October. There were a few access attempts on the vulnerable URL during that time but we can't determine whether there was any information exposed. To be safe, you should assume that the information may have been exposed as early as July when the vulnerability was first made public.

vBulletin stores a cryptographic hash of your password, specifically an MD5 hash with a random string for what they call "salt". This is a one way conversion to a string of characters unique to your password. Essentially your password is the "key" to this hash. The only way to crack it is to test passwords through this conversion until you get one that creates the same string of characters.

Unfortunately if they get access to the list of hashes from the database they can spend as much time as they want on this kind of brute force attack. This is why a good password is important. A trivial password can be matched almost instantly. If your password is eight characters with upper and lower case and digits and not a dictionary word then it will take long enough to be more trouble than it's worth for most hackers - unless it's your bank account.

Yes, we'll send out an email notice as well.

Ahh good, salted hash. Renders the rainbow table methods basically useless.

cameraman
11-08-16, 03:52 PM
BYUfan has been changed? :gomer: :D

:flaming:

:tony:

TravelGal
11-08-16, 06:49 PM
OKAAAAY. Eventually I'll change my password. It's unique to here as is the email address, making a unique combination. Back near the dawn of recorded history (1999), I set up one email for "hobbies." A few have come and gone since then but only this group and open wheel abide.

SteveH
11-26-16, 09:52 PM
Check to see if your email address has been pwned https://haveibeenpwned.com

You can subscribe by email address to alert you if your email address ever appears in a dump.

The two I use show three known breaches. So I feel pretty good as I've addressed each; Dropbox, Adobe and LinkedIn.

TravelGal
11-27-16, 07:37 PM
Check to see if your email address has been pwned https://haveibeenpwned.com

You can subscribe by email address to alert you if your email address ever appears in a dump.

The two I use show three known breaches. So I feel pretty good as I've addressed each; Dropbox, Adobe and LinkedIn.

GREAT info. I'm putting it in my December agent newsletter. I knew something was up with one email address and, sure enough, it showed a breach. I think it's telling it was probably from the Adobe breach in 2013. Odd that it just happened this week. But then, TravelGuy doesn't change his passwords very often.

nissan gtp
11-27-16, 10:21 PM
one. Adobe. not surprised. :thumbdown:

SteveH
12-01-16, 12:42 PM
related....

A beginner’s guide to beefing up your privacy and security online (http://arstechnica.com/security/2016/12/a-beginners-guide-to-beefing-up-your-privacy-and-security-online/)