Hacking attempt on the forum
#21
(01-12-2011, 11:02 PM)Rosarium Wrote:
(01-12-2011, 09:10 PM)QuisUtDeus Wrote:
(01-12-2011, 09:01 PM)devotedknuckles Wrote: Can u determine who was targeted and if the target has been penetrated?

It's walking through the entire member list, including spammers.

No, I can't easily tell if they got in to a particular account.

Make an account with the password "password" and see what they are trying to do.

Eh.  Probably won't tell me anything.  They'll just collect the password.  Unless they get the admin account, there's nothing they can do they can't do by joining.

I went over to the SMF forum and it seems other people are experiencing the same issue.  I read through some of the solutions, and I took different steps than others did to protect their forums, but I think mine are better.  With his current tactics, he won't get in here.  If he changes tactics, I'll have to do something else.
Reply
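The pattern described in the post above (an attacker walking the whole member list, spammers included, with login attempts) has a simple detection signature: one source address failing against many distinct usernames in a short window, which looks nothing like a legitimate user mistyping their own password. The following is an added example, not code from the forum or from SMF; the log line format and the sample lines are constructed for illustration, and the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumption: a generic "<ts> login <OK|FAIL> user=<name> ip=<addr>"
# format; this is not SMF's real log format). The first address cycles through accounts,
# the second is one user who gets their own password right on the third try.
SAMPLE_LOG = """\
2011-01-12 20:58:01 login FAIL user=admin ip=203.0.113.7
2011-01-12 20:58:02 login FAIL user=alice ip=203.0.113.7
2011-01-12 20:58:03 login FAIL user=bob ip=203.0.113.7
2011-01-12 20:58:04 login FAIL user=carol ip=203.0.113.7
2011-01-12 20:58:05 login FAIL user=spambot42 ip=203.0.113.7
2011-01-12 20:58:06 login FAIL user=dave ip=203.0.113.7
2011-01-12 21:01:10 login FAIL user=erin ip=198.51.100.9
2011-01-12 21:01:20 login FAIL user=erin ip=198.51.100.9
2011-01-12 21:01:35 login OK user=erin ip=198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) login (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse(log_text):
    """Turn the raw log into a list of event dicts; lines that don't match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "result": m["result"],
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def find_enumeration(events, window=timedelta(minutes=5), min_users=5):
    """Return {ip: sorted list of usernames} for every source address that failed
    against at least `min_users` distinct accounts inside any `window`-long span.

    Keying on distinct usernames (not raw failure count) is what separates a
    member-list walk from a single user hammering their own account."""
    fails_by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails_by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, fails in fails_by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it fits inside `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users_in_window = {e["user"] for e in fails[start:end + 1]}
            if len(users_in_window) >= min_users:
                # Report every account this address tried, not just the first window.
                flagged[ip] = sorted({e["user"] for e in fails})
                break
    return flagged


if __name__ == "__main__":
    for ip, users in find_enumeration(parse(SAMPLE_LOG)).items():
        print(f"{ip}: {len(users)} distinct accounts tried -> {users}")
```

Run on the sample, the function flags only 203.0.113.7; the erin failures from 198.51.100.9 are one account and never cross the distinct-user threshold. The natural mitigation that hangs off this is a per-address lockout or rate limit, rather than a per-account lockout that the attacker could use to lock legitimate members out.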
#22
(01-13-2011, 01:42 AM)QuisUtDeus Wrote: Eh.  Probably won't tell me anything.  They'll just collect the password.  Unless they get the admin account, there's nothing they can do they can't do by joining.

It would show potential intentions.

They can't access other people's accounts by joining ;)
Reply
#23
I already changed my password.

before it was "icecreamjunky"

pretty easy to crack  ;D
Reply
#24
(01-15-2011, 05:59 PM)icecream Wrote: I already changed my password.

pretty easy to crack  ;D
That password better be unique to this forum...

If you use that, or variations of it, on any account (email, etc), change them now.
Reply
#25
Here's a real-world example of that, and also giving too much info.

BTW, it's also imprudent to take and send nude pix of oneself.  I'm just sayin'....

http://www.msnbc.msn.com/id/41082627/ns/...-security/

Sometimes social networking makes social engineering very easy.

A California man faces six years in prison for using personal information found on women's Facebook profiles to take over their e-mail accounts, steal nude pictures of them and sometimes even blackmail them. One victim likened it to "virtual rape."

George Samuel Bronk pleaded guilty in Sacramento Superior Court Thursday to seven felony charges, including computer intrusion, impersonation and possession of child pornography.

The charges stem from a nine-month period ending in September, during which Bronk hijacked the e-mail accounts of hundreds of women across 17 states and in England, the Sacramento Bee reported.

A press release from the office of Kamala Harris, California’s attorney general, says Bronk targeted his victims by searching Facebook for women who posted both their e-mail addresses and also personal information such as their favorite foods, their father’s middle names, their high-school mascots and their favorite colors.
Such details are routinely used in "identity challenges" when changes are made to online personal accounts. "Social engineering" scams, such as phishing scams, are designed to trick the victim into revealing this sort of information — but Bronk found it all right there on Facebook.

With it, Bronk could pose as a legitimate e-mail user, hit the "Forgot your password?" button, pass the identity challenge, change the password to one of his own and take over the e-mail account, locking out the victim.

And then the problems would begin.

Bronk, 23, searched hundreds of “sent mail” folders for any nude photographs or videos. If he found any, he'd often send the most scandalous or pornographic pictures to the women’s contacts lists, or would contact the victims directly and threaten to make the pictures public unless they sent him even more revealing ones.
In some cases, he'd go back for seconds. After he'd taken over an e-mail account, he'd e-mail Facebook from it and tell the company he'd forgotten the victim's Facebook password -- and then take over the woman's Facebook account as well.

In October, when police confiscated Bronk’s computer and arrested him, they found more than 170 files of explicit photographs stolen from e-mail accounts he had hijacked.
The Attorney General’s office and the California Highway Patrol used location-tagging information to help identify victims, and e-mailed 3,200 questionnaires to women who may have been targeted. Forty-six women replied that they had been victimized.

Bronk has been held on $500,000 bail since October, and will return in March for his sentencing.

This security breach highlights the problems websites face in trying to authenticate their users.  Thanks to social-networking sites, it's now easy to find out someone's mother's maiden name or the street he or she lived on as a child, yet that's exactly what hackers would need to know to pass an identity challenge.
Security experts say the solution is simple, if a bit confusing: Use fake information to fill in the answers to identity-challenge questions when setting up or changing an online account.  If you grew up on Elm Street, say instead that you grew up on "55a55afra55."  Your mother's maiden name could be the same thing. Just don't put your real password in there.

And as always, people are advised to limit the amount of personal information they post online.
Reply
#26
LOL
Curious how they caught him
Reply
#27
(01-15-2011, 08:09 PM)QuisUtDeus Wrote: George Samuel Bronk pleaded guilty in Sacramento Superior Court Thursday to seven felony charges, including computer intrusion, impersonation and possession of child pornography.
Should be "pled".

Quote:Bronk, 23, searched hundreds of “sent mail” folders for any nude photographs or videos.  If he found any, he'd often sending the most scandalous or pornographic pictures to the women’s contacts lists, or would contact the victims directly and threaten to make the pictures public unless they sent him even more revealing ones.
Verb had sense no making.

Quote:And as always, people are advised to limit the amount of personal information they post online.
I would say be aware of how that personal information can be used. Revealing personal information is not necessarily bad (one does not see RMS in trouble for being completely open about his identity online).

The weak link is of course humans. The average person will always be...average. The key is surpassing everyone else to a degree which makes you safe from the most profitable schemes. My security measures are not foolproof, but it would take an inordinate amount of effort to cause me any sort of inconvenience I would regret.

My forum passwords are deliberately rather weak compared to my "real" passwords. That way, forums do not have access to my higher security practices. They are rather strong compared to most passwords though.  Forums usually do not have secure networks, so I always keep that in mind. It may be secure on the server, and on my computer, but the connection? Not so much.
Reply
#28
(01-15-2011, 08:37 PM)devotedknuckles Wrote: LOL
Curious how they caught him

How so?  It seems like some woman who was a victim just went to the cops.
Reply
#29
(01-15-2011, 08:39 PM)QuisUtDeus Wrote:
(01-15-2011, 08:37 PM)devotedknuckles Wrote: LOL
Curious how they caught him

How so?  It seems like some woman who was a victim just went to the cops.

Yeah, I read the article again to find out how and it seems rather ordinary.

I was hoping that I happened to miss a Naked Gun tactic.
Reply
#30
(01-15-2011, 08:38 PM)Rosarium Wrote: Forums usually do not have secure networks, so I always keep that in mind. It may be secure on the server, and on my computer, but the connection? Not so much.

Well, I could make an SSL login or even make it all SSL after one is logged in, but it's not worth it for here as long as people have a relatively unique forum password.  And if they don't, they should.

Another problem is since the forum is hosted, the hosting company has access to the databases and such.  The passwords are one-way encrypted, so they won't get the passwords that easily, but all the PMs are in the database, so they could get those.  Same with any hacker (sorry, Rosarium) that sucked down the database.

Which brings up another point people should be aware of if they aren't.  E-mail, PMs, etc. aren't private in the sense that:  I have the database, and if I wanted to, I could read everyone's PMs.  Same is true with Yahoo Mail, gmail, or any other forum.

For the record:  I don't read people's PMs.  I'm just pointing out that we often have a false sense of security.  My rule is: if you put it on the internet, even privately, it has become, in some sense, public.  Either encrypt it yourself or use another method to communicate these things if it is a concern.

Also, it is prudent in general to copy PMs to your computer and delete them. If for no other reason: if the forum closes tomorrow, you'll lose them.
Reply
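Two points in this thread come down to the same mechanism: the post above says the forum's passwords are "one-way encrypted" so that whoever sucks down the database does not get them outright, and the quoted article advises answering identity-challenge questions with made-up, unguessable strings instead of facts that are findable on Facebook. The example below is added here and is not the forum's or SMF's code; it shows salted PBKDF2 hashing and constant-time verification (a swapped-in choice, the page does not say which hash the forum uses), and treats the challenge answer as a second password: generated randomly and stored only as a hash. The record layout and iteration count are assumptions.

```python
import hashlib
import hmac
import secrets

# Work factor is an assumption for this example; raise it as hardware allows.
ITERATIONS = 100_000
SCHEME = "pbkdf2_sha256"


def hash_secret(secret: str, iterations: int = ITERATIONS) -> str:
    """One-way hash with a fresh random salt. The stored string carries everything
    needed to verify later, but not the secret itself: a dumped database yields
    only salt + digest, and the same password produces a different digest per account."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_secret(secret: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time,
    so timing does not leak how many leading bytes matched."""
    try:
        scheme, iters, salt_hex, digest_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False  # malformed or truncated record
    if scheme != SCHEME:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def generate_challenge_answer(nbytes: int = 12) -> str:
    """The article's '55a55afra55' advice, done properly: a random answer nobody can
    look up on a social-network profile. The user keeps it wherever they keep passwords."""
    return secrets.token_urlsafe(nbytes)


def make_account_record(username: str, password: str, challenge_answer: str) -> dict:
    """Hypothetical account row: both secrets go in hashed, never in the clear."""
    return {
        "username": username,
        "password_hash": hash_secret(password),
        "challenge_hash": hash_secret(challenge_answer),
    }


def check_login(record: dict, password: str) -> bool:
    return verify_secret(password, record["password_hash"])


def check_reset_challenge(record: dict, answer: str) -> bool:
    """Gate for the 'Forgot your password?' path; with a random answer on file,
    knowing the victim's high-school mascot gets an attacker nowhere."""
    return verify_secret(answer, record["challenge_hash"])


if __name__ == "__main__":
    answer = generate_challenge_answer()
    rec = make_account_record("alice", "example-pass-1", answer)  # constructed values
    print("stored row:", rec)
    print("login ok:", check_login(rec, "example-pass-1"))
    print("reset with real-life fact:", check_reset_challenge(rec, "Elm Street"))
    print("reset with random answer:", check_reset_challenge(rec, answer))
```

Two things are worth noticing when you run it: hashing the same password twice gives two different rows, so a dumped table cannot be matched across accounts or against a precomputed list without doing the PBKDF2 work per row; and the only thing protecting the reset path is the entropy of the answer, which is why a guessable fact is no better there than a guessable password.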