The Student Room – security breach
Re: So TSR has been compromised!
(Original post by TheSownRose)
^ This.
Using a different username and password for everything doesn't look so silly now.

It almost seems like catch-22 though. I do have different usernames and passwords for different sites, but then I need a list of all these; it isn't possible to remember:
Banks
Forums
Bills
Uni/Work
Other Misc accounts
which could result in maybe 50 different username/password combinations. It is rather stupid to rely upon memory, so then people create lists, and when a list gets stolen electronically or physically, you're ****ed. -
Re: So TSR has been compromised!
(Original post by iSMark)
which could result in maybe 50 different username/password combinations. It is rather stupid to rely upon memory, so then people create lists, and when a list gets stolen electronically or physically, you're ****ed.

Password-protect the list.
-
Re: So TSR has been compromised!
(Original post by iSMark)
There is nothing more idiotic than creating/viewing/storing the list on the computer you use. Poor advice by a TSR moderator themselves; not surprising they got hacked.

Moderators do not develop the site technically.
-
Re: The Student Room – security breach
(Original post by sugar-n-spice)
What was taken?

Numerous essays from coursework.info were accessed for free. -
Re: The Student Room – security breach
(Original post by iSMark)
They are chosen by those who do....

Still not true, really; development and moderation are two different areas with different people responsible for them. -
Re: The Student Room – security breach
(Original post by politics_student)
Is it necessary to change UCAS details? (I'm hopefully starting in Sept. this year)

If you used the same email and password as on TSR then it's probably best to change your password to be safe.
-
Re: The Student Room – security breach
(Original post by rmhumphries)
Two of the links exploit a bug in the default search system - where TSR uses Sol, a non-default search system - so that bug won't work, and one applies to an outdated version of vBulletin (3.6.1) when the site uses version 4.
Just because there are security bugs which exist (and I assume they have now been fixed, as vBulletin is at version 4.2 and the search bug was only said to work up to version 4.1) doesn't mean they are likely to affect TSR. Even if TSR doesn't upgrade every time an update comes out with the vBulletin upgrade path, it is still able to manually apply security patches.
Nearly all software - vBulletin, Windows, Mac OS X, etc. - will have security holes in it, and will then patch said holes when someone finds them.

That's a minute of searching to find those, and as I said they may or may not have been used; it could have been a straightforward exploit on the server to get the database. I did see others that stated they work on any version of vBulletin. One thing will be for sure is that now one exploit has been successful here it will be all around the hacking forums and others will be having a go. I know about software and patching and updates, and given TSR has been exploited then probably they didn't, since vBulletin keeps an FAQ on known exploits. -
Re: The Student Room – security breach
(Original post by Mad Vlad)
http://www.thestudentroom.co.uk/show...67&postcount=3
You need to chill out - the vein in your forehead is about to burst - at your time of life, you need to be careful about these things.

So you have access to a web cam to check my veins? LOL, better get yourself a job as a doctor.

But then no one has said the admin passwords were not either null or default, so your own assumption is *******s, but you do like to be a shield.
False. Nowhere has it been stated that the administrative passwords were either null or default.

Already said that is at least one saving grace, that they were smart enough to realise they did not have the knowledge to be storing payment details.
Seeing as the payment details are all held with PayPal and have not been included in the damage assessment, it's reasonable to suggest that these have not been affected.

It's not me going around calling people who have every justification to be annoyed 'Dicks', is it?
No, I don't know the detail - I know what I've been told. But then again, neither do you - not exactly a tenable standpoint from which to launch a first strike, is it?

The site was attacked on the 14th and the announcement given to users on the 22nd; if that's how often they check their logs, or how quickly they manage to figure these things out, they need to employ better monitoring. As for holding their hands up, if any usable information was gathered it would already have been used. If they hadn't held their hands up they would have been liable to punishment from the ICO, so that's a bit like saying an individual would never try to reduce their taxes when they have only ever been PAYE with their employer deducting it.
No, I don't see the site's owners passing that responsibility. They've held their hands up and apologised for what has happened.

That's another small saving for them, as you would think anyone they actually did put up would have better customer skills than to be going around insulting anyone that's not in agreement that TSR was a poor victim.
TSR isn't standing me up to defend them - I do not represent TSR. I'm just a regular user that works in infosec for a living and takes an interest in the site.

Back with the old insults; shows the maturity in your personality. Guess it supports the idea you're the only person working in the IT industry, LOL. -
Re: The Student Room – security breach
How do you delete your account? This isn't fair; important stuff could have been taken and we can't even get off this site!!! I am so worried right now; what can they even access? Somebody that works on this site should tell us right now, because these people could do so much with that information, and it's terrible service if you can't tell us what's even going on, instead of all these scary warnings and no way to get away from you. What is going on here?
-
Re: The Student Room – security breach
(Original post by westhamkirk)
How do you delete your account? This isn't fair; important stuff could have been taken and we can't even get off this site!!! I am so worried right now; what can they even access? Somebody that works on this site should tell us right now, because these people could do so much with that information, and it's terrible service if you can't tell us what's even going on, instead of all these scary warnings and no way to get away from you. What is going on here?

Hello,
We're sorry to have scared you and for the inconvenience this is causing. I would suggest you first read this blog post, which explains what happened, what we're doing about it and how to protect yourself. However, the quickest way to protect your data is simply to 1) change your password and 2) if you use the same password elsewhere, change it on other sites too. Once you do these two things, your data will be safe. We collect very little personal data on the site, so in most cases the only important information this person is likely to have stolen will be emails and passwords - we don't even ask for people's names.
To close your account, please post a request in the Ask A Moderator forum. We have overhauled our security system, though, to further protect from this happening, and we'd obviously be sorry to see you go!
Jack
TSR Community Team -
Re: The Student Room – security breach
(Original post by GenerationX)
But then no one has said the admin passwords were not either null or default, so your own assumption is *******s, but you do like to be a shield.
Already said that is at least one saving grace, that they were smart enough to realise they did not have the knowledge to be storing payment details.
The site was attacked on the 14th and the announcement given to users on the 22nd; if that's how often they check their logs, or how quickly they manage to figure these things out, they need to employ better monitoring. As for holding their hands up, if any usable information was gathered it would already have been used. If they hadn't held their hands up they would have been liable to punishment from the ICO, so that's a bit like saying an individual would never try to reduce their taxes when they have only ever been PAYE with their employer deducting it.

I think it can be assumed that any account which has privileges does not have an 'easy' password, as this is the first time anything like this has happened in ~10 years. Also, afaik vBulletin doesn't allow empty passwords, and there is no 'default' password - you enter the base admin password during initial install, and then for any account you enter a password when it is created.
Incorrect - they don't have the additional security that would be warranted if they stored payment details (and they don't have justification to get the resources needed to process payments themselves). Regardless of how strong/weak the default password storage system was, I believe it is acceptable to assume that it was fit for purpose, as I said before. Dev time for them is limited, and so they work on adding new features / fixing bugs in their own code, instead of checking through code they have bought (which should be tested by the provider). If they were doing something not supported by the base code, so they wrote their own code for it, then they would consider other parts affected, and upgrade them as needed, such as data storage.
It depends on how clever the person who stole the data was. Unless you are suggesting that every single action taken by every privileged user should be checked, then sometimes things will take time to spot. Not to mention that the hacker may have taken steps to hide what they were doing, and so it only became clear when there was a number of 'normal' actions which when put together were not normal. I don't think we can comment on their monitoring systems without knowing more about what they do, and I at least do not assume that everything is worst-case without reason to.

(Original post by westhamkirk)
How do you delete your account? This isn't fair; important stuff could have been taken and we can't even get off this site!!! I am so worried right now; what can they even access? Somebody that works on this site should tell us right now, because these people could do so much with that information, and it's terrible service if you can't tell us what's even going on, instead of all these scary warnings and no way to get away from you. What is going on here?

If you use the internet, 'important stuff' might be taken. Much, much bigger companies than TSR have been attacked, so if you are worried you had better close your internet banking, close PayPal, close any e-mail accounts, and so on.
If you decide you only want to leave TSR, you can change your e-mail address and password to something that isn't related to you, and then ask in Ask a Moderator to be permanently banned. Then if anything like this happened again, nothing related to you would be disclosed.
Last edited by rmhumphries; 23-06-2012 at 18:07. -
Re: The Student Room – security breach
(Original post by Mr Dangermouse)
13 characters, small case letters and numbers?

Of the order of 20 million years using a single half-decent GPU. You should be fine.

(Original post by iSMark)
There is nothing more idiotic than creating/viewing/storing the list on the computer you use. Poor advice by a TSR moderator themselves; not surprising they got hacked.

There are plenty of things more idiotic. Writing passwords on a post-it note stuck to your monitor screen is one of them.
There are advantages and disadvantages to using password managers. Try and have a balanced perspective - http://security.stackexchange.com/questions/3458/password-manager-vs-remembering-passwords

(Original post by GenerationX)
OK, so in a few minutes' Google search for 'how to hack vbulletin username passwords' I got over 1.5 million results. Here's a small selection:
http://www.youtube.com/watch?v=htGClYoBN9k
http://www.nextgenupdate.com/forums/...x-4-1-3-a.html
http://www.youtube.com/watch?v=pPEOfndtLLY
I can't say whether any of these were used, as I have no association with TSR, or whether it was an exploit direct on the server, but do you still feel comfortable that all was done to prevent being hacked, or do you think TSR was at best complacent by not keeping up to date via at least simple searches on Google to check if new exploits had been published?
Web applications get hacked; the more popular they are, the more people want to hack them. When Talkback, a guestbook app, was hacked, the simple tell in the server logs was searches looking for 'Powered by Talkback'. With the vBulletin hacks, like Talkback, you need to confirm the site is running the software, so the server logs should be showing searches for sites running vBulletin, and if your logs show searches for the application you are running it's pretty obvious you have piqued the interest of people hacking at that application, maybe even just as practice for a more important target. Mind you, have to love the name of the parent company that owns this site, 'Acumen Professional Intelligence Ltd' LOL. IMHO not much of any of the keywords in the name has been displayed for this to have happened.
I do like the hacks though, some good reading, and I have a site in mind that I might have a go at.
(Spoilered to reduce length)

You are the second person who seems to be saying that TSR needs to have a security audit and a dedicated security team. This is absurd. -
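The "20 million years" figure quoted above for a 13-character lowercase-and-digit password is a function of three things: the size of the alphabet, the length, and the rate at which a cracker can test guesses, and that last number depends on how the site hashed passwords. The block below is an added illustration written for this page, not code from the thread, from TSR or from vBulletin, that works the arithmetic for hashcat-style masks such as ?l?l?d and for mixed alphabets. The rate of 10^9 guesses per second is an arbitrary placeholder, not a benchmark of any GPU, the per-scheme guess costs are assumed round numbers, and the estimate is for exhausting the whole keyspace; dictionary and rule attacks recover most real passwords far sooner than that.

```python
# Added example: brute-force keyspace arithmetic for a mask-style password policy.
# Not code from the original thread; the hash rate and the per-scheme guess
# costs below are assumptions chosen for illustration.

# Character-class sizes, following the hashcat mask convention (?l ?u ?d ?s).
CLASSES = {
    "l": 26,  # a-z
    "u": 26,  # A-Z
    "d": 10,  # 0-9
    "s": 33,  # printable ASCII punctuation and symbols
}

SECONDS_PER_YEAR = 365.25 * 24 * 60 * 60

# Assumed cost of one guess in units of "one fast hash", so that a single
# fast-hash rate can be compared across storage schemes. Round numbers, not
# measurements. vBulletin 3/4 stored md5(md5(password) + salt): two MD5s.
GUESS_COST = {
    "single md5": 1,
    "md5(md5(p) + salt)": 2,
    "pbkdf2 (assumed 100k iterations)": 100_000,
    "bcrypt (assumed cost 12, ~16 hashes/round)": 4096 * 16,
}


def keyspace(mask):
    """Number of candidates for a mask like '?l?l?d', one '?x' token per position."""
    tokens = mask.split("?")
    if tokens[0] != "" or any(t not in CLASSES for t in tokens[1:]):
        raise ValueError("mask must be a sequence of ?l/?u/?d/?s tokens")
    n = 1
    for t in tokens[1:]:
        n *= CLASSES[t]
    return n


def mixed_keyspace(length, classes):
    """Candidates when every one of `length` positions may hold any character
    from the union of the given classes (e.g. classes='ld' gives 36 symbols)."""
    alphabet = sum(CLASSES[c] for c in classes)
    return alphabet ** length


def years_to_exhaust(candidates, guesses_per_second, guess_cost=1):
    """Worst-case time to try every candidate, in years. `guess_cost` scales the
    effective rate down for slow storage schemes (see GUESS_COST)."""
    return candidates * guess_cost / guesses_per_second / SECONDS_PER_YEAR


def compare(length, classes, fast_hashes_per_second):
    """Years to exhaust the keyspace under each storage scheme in GUESS_COST."""
    n = mixed_keyspace(length, classes)
    return {scheme: years_to_exhaust(n, fast_hashes_per_second, cost)
            for scheme, cost in GUESS_COST.items()}


if __name__ == "__main__":
    rate = 1e9  # ASSUMPTION: placeholder fast-hash rate, not a measured figure
    for length, classes in [(8, "ld"), (13, "ld"), (13, "luds")]:
        n = mixed_keyspace(length, classes)
        print(f"{length} chars from classes {classes!r}: {n:.3e} candidates")
        for scheme, years in compare(length, classes, rate).items():
            print(f"  {scheme:<45} {years:.3e} years")
```

The point of the per-scheme column is that password length and a slow key-derivation function multiply: the same 13-character password takes orders of magnitude longer to exhaust under a deliberately slow hash, which is why the storage scheme, not just the password policy, decides what a stolen database is worth.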
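The "tell in the server logs" described above, search-engine referers carrying the platform's "Powered by" footer text, is something a log review can flag automatically. The block below is an added example written for this page, not code from the thread or from TSR, that parses web-server access logs in the common Apache/nginx "combined" format, pulls the search terms out of a search-engine referer, and reports requests whose search was for the platform fingerprint or for vBulletin exploits. The log lines are constructed for the example (documentation IP ranges and example.com hostnames, not TSR's logs), and the parameter names, fingerprint phrases and intent words are assumptions to tune for a real deployment.

```python
# Added example: flag search-engine referers that look like reconnaissance
# against the forum software. Sample log lines are constructed, not real.
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Query-string parameter names that carry the search terms on common engines
# (assumed list; extend it for the engines seen in your own logs).
SEARCH_PARAMS = ("q", "p", "query", "text")

# The footer text attackers search for to enumerate installs of the platform,
# and words that signal exploit-hunting rather than ordinary browsing.
FINGERPRINTS = ("powered by vbulletin", "powered by talkback")
INTENT_WORDS = ("exploit", "0day", "sql injection", "hack", "vulnerab")

# Constructed sample log (documentation IP ranges and example.com hostnames).
SAMPLE_LOG = """\
203.0.113.5 - - [14/Jun/2012:02:13:07 +0100] "GET /forumdisplay.php?f=12 HTTP/1.1" 200 18432 "http://www.google.com/search?q=%22Powered+by+vBulletin%22+inurl%3Aforum" "Mozilla/5.0"
198.51.100.7 - - [14/Jun/2012:02:13:09 +0100] "GET /search.php HTTP/1.1" 200 5120 "http://www.google.com/search?q=vbulletin+4.1+exploit" "Mozilla/5.0"
192.0.2.44 - - [14/Jun/2012:02:14:01 +0100] "GET /showthread.php?t=1 HTTP/1.1" 200 9001 "http://www.bing.com/search?q=exam+revision+tips" "Mozilla/5.0"
192.0.2.45 - - [14/Jun/2012:02:14:30 +0100] "GET /index.php HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
203.0.113.5 - - [14/Jun/2012:02:15:12 +0100] "GET /misc.php?do=page HTTP/1.1" 404 512 "http://forum.example.com/forumdisplay.php?f=12" "Mozilla/5.0"
this line is not in combined format and is skipped
"""


def search_terms(referer):
    """Return the search terms from a search-engine referer, or None if the
    referer is absent, not a results page, or carries no recognised parameter."""
    if not referer or referer == "-":
        return None
    parts = urlsplit(referer)
    if "search" not in parts.path.lower():
        return None
    params = parse_qs(parts.query)
    for name in SEARCH_PARAMS:
        if name in params:
            return params[name][0]
    return None


def classify(terms):
    """Reasons a search looks like recon; an empty list means benign."""
    t = terms.lower()
    reasons = []
    if any(f in t for f in FINGERPRINTS):
        reasons.append("fingerprint")
    if "vbulletin" in t and any(w in t for w in INTENT_WORDS):
        reasons.append("exploit-intent")
    return reasons


def find_recon(lines):
    """Parse combined-format lines and return the suspicious ones, in order."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or differently formatted line
        terms = search_terms(m.group("referer"))
        if terms is None:
            continue
        reasons = classify(terms)
        if reasons:
            hits.append({"ip": m.group("ip"), "time": m.group("time"),
                         "request": m.group("request"), "terms": terms,
                         "reasons": reasons})
    return hits


def by_ip(hits):
    """Count of suspicious arrivals per source address."""
    return dict(Counter(h["ip"] for h in hits))


if __name__ == "__main__":
    found = find_recon(SAMPLE_LOG.splitlines())
    for h in found:
        print(f'{h["time"]} {h["ip"]} {",".join(h["reasons"])}: {h["terms"]!r}')
    print(by_ip(found))
```

Run over a real access log, the useful output is the per-IP count: one fingerprint search followed by requests to admin or upload paths from the same address is worth a closer look, while the benign "exam revision tips" arrival is ignored. Search engines have since stopped sending the query in the referer for most traffic, so on current logs the same idea applies better to the request line itself (probes for known file paths) than to the referer.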
Re: The Student Room – security breach
I'm sorry, but what is up with all the brown-noses on here?
The fact is people's passwords have been given away. A casual apology really isn't good enough.
More annoying is the arrogant attitude of people on here saying 'if you use the internet then expect your data to be breached'. Sort your act out, you silly geeks; not everybody has ten computers and military-grade encryption for their passwords! RIDICULOUS -
Re: The Student Room – security breach
I've changed the passwords of about fifteen websites since I found out about this (I keep remembering them randomly at different times)
I've learned my lesson about using the same password for different things.
But TSR, why did you have to be the one to teach me it?
-
Re: The Student Room – security breach
(Original post by chriswalker)
The fact is people's passwords have been given away. A casual apology really isn't good enough.

They've apologised for what happened and not tried to cover it up or play it down, they've emailed everyone saying they should change their passwords, and they've taken steps to ensure the same thing can't happen again. What exactly would be "good enough" if that isn't?

But TSR, why did you have to be the one to teach me it?