Topic: About the recent server compromise - page 4. (Read 15325 times)

Quote from: Gisado on May 26, 2015, 07:21:59 PM

On May 22 at 00:56 UTC, an attacker gained root access to the forum's server. He then proceeded to try to acquire a dump of the forum's database before I noticed this at around 1:08 and shut down the server. In the intervening time, it seems that he was able to collect some or all of the "members" table. You should assume that the following information about your account was leaked:

Does this mean that only people with the member rank were effected, or all forum members? Changing my password anyways, just curious.

Also, I found this interesting article: https://www.cryptocoinsnews.com/bitcoin-mining-figure-joshua-zipkin-responsible-bitcointalk-hack/

Opinions?

shavers

sr. member

Activity: 439

Merit: 288

Good job on getting this up again lads! Hope next time you'll be ready and fully armed! Wink

This downtime looked like an eternity, lot of us missed you.

Welsh

staff

Activity: 3248

Merit: 4110

Compromise notification email said reset question was less brute-force resistant, so I wanted to remove it. Is blanking QnA form (and save) enough to disable it?

You can always test it yourself by going to the "forgotten password" and selecting "Ask me my security question". It will tell you if it's not enabled on your account. That's if you want to double check.

theymos_away

member

Activity: 82

Merit: 26

Quote from: Gisado on May 26, 2015, 07:21:59 PM

Compromise notification email said reset question was less brute-force resistant, so I wanted to remove it. Is blanking QnA form (and save) enough to disable it?

Yes, make the secret question field empty.

Gisado

full member

Activity: 168

Merit: 100

Yoohoo

Compromise notification email said reset question was less brute-force resistant, so I wanted to remove it. Is blanking QnA form (and save) enough to disable it?

readysalted89

sr. member

Activity: 327

Merit: 250

Quote from: favdesu on May 26, 2015, 05:27:56 PM

Quote from: Scamalert on May 26, 2015, 05:23:58 PM

Quote from: favdesu on May 26, 2015, 05:27:56 PM

Passwords are hashed with 7500 rounds of sha256crypt. This is pretty good, but certainly not beyond attack. Note that even though SHA-256 is used here, sha256crypt is different enough from Bitcoin's SHA-256d PoW algorithm that Bitcoin mining ASICs almost certainly cannot be modified to crack forum passwords.

How much does the password need to be changed, whould it be enough to change a letter or two.
Or would it be better to make a brand new long and complicated password.
Reason I ask is that it take some time to memories a long complicated password,
if only added or removing something will the learning time for the new password decrease.

no, make a fresh, and new password.

if you have issues remembering all passwords - check out KeePass 2 - it's a open source password vault. you only need one master password

Are the passwords it generates by using mouse movements for additional entropy completely random? Does it only generate pseudo random passwords without using mouse movements or anything else to collect additional entropy?

Scamalert

hero member

Activity: 490

Merit: 500

Captain

Quote from: Scamalert on May 26, 2015, 05:23:58 PM

Quote from: Scamalert on May 26, 2015, 05:23:58 PM

Passwords are hashed with 7500 rounds of sha256crypt. This is pretty good, but certainly not beyond attack. Note that even though SHA-256 is used here, sha256crypt is different enough from Bitcoin's SHA-256d PoW algorithm that Bitcoin mining ASICs almost certainly cannot be modified to crack forum passwords.

How much does the password need to be changed, whould it be enough to change a letter or two.
Or would it be better to make a brand new long and complicated password.
Reason I ask is that it take some time to memories a long complicated password,
if only added or removing something will the learning time for the new password decrease.

no, make a fresh, and new password.

if you have issues remembering all passwords - check out KeePass 2 - it's a open source password vault. you only need one master password

Yes, you are proberly right....... I need a brand new one, adding 8 letters is not good enough.
I look at that KeePass 2, it looks pretty good, just not sure I can trust it.....
But thank you anyways

favdesu

legendary

Activity: 1764

Merit: 1000

Passwords are hashed with 7500 rounds of sha256crypt. This is pretty good, but certainly not beyond attack. Note that even though SHA-256 is used here, sha256crypt is different enough from Bitcoin's SHA-256d PoW algorithm that Bitcoin mining ASICs almost certainly cannot be modified to crack forum passwords.

How much does the password need to be changed, whould it be enough to change a letter or two.
Or would it be better to make a brand new long and complicated password.
Reason I ask is that it take some time to memories a long complicated password,
if only added or removing something will the learning time for the new password decrease.

no, make a fresh, and new password.

if you have issues remembering all passwords - check out KeePass 2 - it's a open source password vault. you only need one master password

Scamalert

hero member

Activity: 490

Merit: 500

Captain

Quote from: MakingMoneyHoney on May 25, 2015, 11:30:54 AM

Passwords are hashed with 7500 rounds of sha256crypt. This is pretty good, but certainly not beyond attack. Note that even though SHA-256 is used here, sha256crypt is different enough from Bitcoin's SHA-256d PoW algorithm that Bitcoin mining ASICs almost certainly cannot be modified to crack forum passwords.

How much does the password need to be changed, whould it be enough to change a letter or two.
Or would it be better to make a brand new long and complicated password.
Reason I ask is that it take some time to memories a long complicated password,
if only added or removing something will the learning time for the new password decrease.

teddy5145

hero member

Activity: 714

Merit: 528

Quote from: teddy5145 on May 25, 2015, 11:24:36 AM

Thank you for keeping this site safe

Maybe you could invest in some kind better security in the future? just in case something like this happening again
and im still trying to figure out what's the motive of the attacker to attack this site Undecided

If they get an email/password combo figured out, they could have passed them self off as a well respected member and done deals where they get money and run. Or, just use the email/password to log into a bank account, or exchange account and withdraw the money. One of the main things is to use a unique password for each site. Lastpass.com is good for that, if anyone hasn't heard of them.

Luckily my btctalk password is different from my bank and paypal account.
When creating my password i used text randomizer and then save it onto my notepad and backed it up on gdrive
Very safe i must say Cheesy

redsn0w

legendary

Activity: 1778

Merit: 1042

#Free market

Quote from: favdesu on May 26, 2015, 04:35:43 PM

Quote from: AGD on May 26, 2015, 04:04:44 PM

Quote from: MakingMoneyHoney on May 26, 2015, 01:24:59 PM

Quote from: AGD on May 26, 2015, 04:04:44 PM

It wasn't the forum's fault but the hosting.

Theymos claims it was the hosting. That's what you meant to say.
He openly states, in this very thread, that before any of the alleged social engineering took place,
"... The attacker was able to acquire KVM access credentials for the server. The investigation into how this was possible is still ongoing, so I don't know everything ..."

Not sure why everyone is acting like lax DC security is the issue,

The hoster denied beeing attacked with SE. It is still not clear how attacker gained access and why.

Where did you see this? People here are still under the impression it was Social Engineering....

I don't remember where it was. It was one of the crypto news sites. They wrote, they have called NFOrce about the incident and they denied beeing attacked with SE.

of course they would deny it. Social engineering is the worst PR for them, no one would trust them anymore

Exactly, I have started to think ....that with a simple thing you can ruin all the security that you have created. A soc. eng. attack is a simple concept but it is not simple to do, it brought me back to my mind the story of 'kevin mitnick".

favdesu

legendary

Activity: 1764

Merit: 1000

Quote from: MakingMoneyHoney on May 26, 2015, 01:24:59 PM

Quote from: MakingMoneyHoney on May 26, 2015, 01:24:59 PM

It wasn't the forum's fault but the hosting.

Theymos claims it was the hosting. That's what you meant to say.
He openly states, in this very thread, that before any of the alleged social engineering took place,
"... The attacker was able to acquire KVM access credentials for the server. The investigation into how this was possible is still ongoing, so I don't know everything ..."

Not sure why everyone is acting like lax DC security is the issue,

The hoster denied beeing attacked with SE. It is still not clear how attacker gained access and why.

Where did you see this? People here are still under the impression it was Social Engineering....

I don't remember where it was. It was one of the crypto news sites. They wrote, they have called NFOrce about the incident and they denied beeing attacked with SE.

of course they would deny it. Social engineering is the worst PR for them, no one would trust them anymore

AGD

legendary

Activity: 2069

Merit: 1164

Keeper of the Private Key

It wasn't the forum's fault but the hosting.

Theymos claims it was the hosting. That's what you meant to say.
He openly states, in this very thread, that before any of the alleged social engineering took place,
"... The attacker was able to acquire KVM access credentials for the server. The investigation into how this was possible is still ongoing, so I don't know everything ..."

Not sure why everyone is acting like lax DC security is the issue,

The hoster denied beeing attacked with SE. It is still not clear how attacker gained access and why.

Where did you see this? People here are still under the impression it was Social Engineering....

I don't remember where it was. It was one of the crypto news sites. They wrote, they have called NFOrce about the incident and they denied beeing attacked with SE.

MakingMoneyHoney

hero member

Activity: 504

Merit: 500