| Pages:
1
2
3
4
..
7 |
Texium
Administrator
Posts: 4508
Registered: 11-1-2014
Location: Salt Lake City
Member Is Offline
Mood: PhD candidate!
|
|
I'm not sure who was first, but maybe Polverone will find out since he's been looking through the archives and stuff.
|
|
|
Zyklon-A
International Hazard
Posts: 1547
Registered: 26-11-2013
Member Is Offline
Mood: Fluorine radical
|
|
I noticed, all of the accounts that have been compromised (in the top ten pages of members, by post count) do not have real words for usernames -
especially with numbers and strange letter sequences.
Manifest is an exception, but I'm pretty sure he put /root/ as his location himself.
|
|
|
Texium
Administrator
Posts: 4508
Registered: 11-1-2014
Location: Salt Lake City
Member Is Offline
Mood: PhD candidate!
|
|
I think that that's probably a coincidence. And I don't think that Manifest faked it. His was already like that before we knew what was going on. I
had reason to believe that B&F did, because it happened later and right after he posted something about how we might be dealing with an
experienced hacker, and then the same thing happened to his Töilet Plünger account when he posted to say that Brain&Force was compromised. It
looked a bit sketchy to me, but it seems like he was being serious.
|
|
|
arkoma
Redneck Overlord
Posts: 1761
Registered: 3-2-2014
Location: On a Big Blue Marble hurtling through space
Member Is Offline
Mood: украї́нська
|
|
Well I may owe Mr_Magnesium an apology if that wasn't really him. Only he knows.
I DID just CHANGE my password.
@Polverone---thank you AGAIN for your tireless, mostly thankless, time consuming effort in keeping Sciencemadness.org the PREMIER home science spot on
the web.
"We believe the knowledge and cultural heritage of mankind should be accessible to all people around the world, regardless of their wealth, social
status, nationality, citizenship, etc" z-lib
|
|
|
S.C. Wack
bibliomaster
Posts: 2419
Registered: 7-5-2004
Location: Cornworld, Central USA
Member Is Offline
Mood: Enhanced
|
|
> What do the members on this list have in common?
Presumably past usage of a common exit node, not necessarily a scanning one at all.
|
|
|
Loptr
International Hazard
Posts: 1347
Registered: 20-5-2014
Location: USA
Member Is Offline
Mood: Grateful
|
|
I would say that it is time that the SM forum required SSL to access it, instead of giving the option for either HTTP or HTTPS.
Everyone uses the HTTPS address, right? 
You might want to because of this very reason.
|
|
|
Zyklon-A
International Hazard
Posts: 1547
Registered: 26-11-2013
Member Is Offline
Mood: Fluorine radical
|
|
All compromised members registered in between 2011 and 2014.
Also they all were active on 11-8-14.
None of this is new information though.
|
|
|
Texium
Administrator
Posts: 4508
Registered: 11-1-2014
Location: Salt Lake City
Member Is Offline
Mood: PhD candidate!
|
|
Quote: Originally posted by Zyklon-A  | All compromised members registered in between 2011 and 2014.
Also they all were active on 11-8-14.
None of this is new information though. |
If you look at my list, yes, but if you look at Polverone's list
there were plenty of members who registered before 2011 who were compromised.
What I'm curious about is why DJF90's location says /dev/null. That happened more recently than the others.
[Edited on 8-12-2014 by zts16]
|
|
|
Polverone
Now celebrating 21 years of madness
Posts: 3186
Registered: 19-5-2002
Location: The Sunny Pacific Northwest
Member Is Offline
Mood: Waiting for spring
|
|
Here is my updated list of assumed-compromised users, whose accounts have been frozen:
| Code: |
+----------------------+
| username |
+----------------------+
| acetone |
| bamboula |
| BMN_1 |
| bobm4360 |
| Brain&Force |
| Ddan |
| DJF90 |
| DubaiAmateurRocketry |
| elementcollector1 |
| freedompyro |
| gdflp |
| GreyCatFin |
| HeYBrO |
| Manifest |
| Mr_Magnesium |
| numos |
| Oscilllator |
| plante1999 |
| SweetHomeSunscreen |
| Tdep |
| TheChemiKid |
| Töilet Plünger |
| zebilol |
+----------------------+
|
I have reactivated careysub's account with a strong password, since I was already in email contact with him at the time of the breech. His account did
have a weak password. It will take me some time to work on reactivating other accounts because I have to attend to my day job for a few hours.
PGP Key and corresponding e-mail address
|
|
|
DrAldehyde
Hazard to Self
Posts: 82
Registered: 12-1-2014
Member Is Offline
Mood: No Mood
|
|
| Quote: Originally posted by Loptr | I would say that it is time that the SM forum required SSL to access it, instead of giving the option for either HTTP or HTTPS.
Everyone uses the HTTPS address, right?
You might want to because of this very reason. |
Actually, I don't use the HTTPS site, I have always gotten a site security certificate error loading the https site.
|
|
|
arkoma
Redneck Overlord
Posts: 1761
Registered: 3-2-2014
Location: On a Big Blue Marble hurtling through space
Member Is Offline
Mood: украї́нська
|
|
speaking of HTTPS, I always get an "invalid security certificate" message. Use the HTTPS anyway, but do any y'all know how to tell chromium to accept
it?
I run Mint17 Qiana
"We believe the knowledge and cultural heritage of mankind should be accessible to all people around the world, regardless of their wealth, social
status, nationality, citizenship, etc" z-lib
|
|
|
prof_genius
Hazard to Others
Posts: 147
Registered: 15-5-2013
Member Is Offline
Mood: No Mood
|
|
Happens to me too, but I have now started using HTTPS.
[Edited on 12-8-2014 by prof_genius]
|
|
|
gdflp2
Harmless
Posts: 5
Registered: 12-8-2014
Location: /tree/
Member Is Offline
Mood: No Mood
|
|
Polverone, just out of curiosity, how are you planning to contact the people who have had their accounts hacked? Thanks for all you do for this
forum, it wouldn't be the same without you.
|
|
|
gdflp2
Harmless
Posts: 5
Registered: 12-8-2014
Location: /tree/
Member Is Offline
Mood: No Mood
|
|
Hmmm it seems that all of the hacked accounts have had their signatures erased as well.
|
|
|
Texium
Administrator
Posts: 4508
Registered: 11-1-2014
Location: Salt Lake City
Member Is Offline
Mood: PhD candidate!
|
|
Yeah, I noticed that
too. And I also got a security error the first time I went to the HTTPS site, but I ignored it and told Firefox to trust it, and it's never given me
any problems.
|
|
|
quantime
Harmless
Posts: 18
Registered: 26-6-2014
Location: divergent
Member Is Offline
Mood: purple
|
|
use the https site - ignore the message
That message is just a stupid message that says the certificate is not tied back to an authority. In reality all certificates on the net that are tied
back to an authority are immediately insecure. That is what a certificate authority is. A certificate authority is suppose to lend credibility to a
certificate. A certificate authority is suppose to tell your browser that a certificate is safe. In reality the certificate authority gives away the
encryption keys to whatever agency wants it. In our case the browser warning deceives you into making the wrong choice. When setting up a system like
this one, the best choice for security is to encrypt with a certificate, and not register the certificate. It looks weird to users, but we should be
smarter than that. Whomever setup this site did it right. I assume Polverone.
[Edited on 12-8-2014 by quantime]
[Edited on 12-8-2014 by quantime]
|
|
|
Loptr
International Hazard
Posts: 1347
Registered: 20-5-2014
Location: USA
Member Is Offline
Mood: Grateful
|
|
| Quote: Originally posted by quantime | That message is just a stupid message that says the certificate is not tied back to an authority. In reality all certificates on the net that are tied
back to an authority are immediately insecure. That is what a certificate authority is. A certificate authority is suppose to lend credibility to a
certificate. A certificate authority is suppose to tell your browser that a certificate is safe. In reality the certificate authority gives away the
encryption keys to whatever agency wants it. In our case the browser warning deceives you into making the wrong choice. When setting up a system like
this one, the best choice for security is to encrypt with a certificate, and not register the certificate. It looks weird to users, but we should be
smarter than that. Whomever setup this site did it right. I assume Polverone.
[Edited on 12-8-2014 by quantime]
[Edited on 12-8-2014 by quantime] |
Yeah, it's a self-signed certificate. You can add the certificate to your local certificate authority, also possible to add it to the browsers list,
and it will accept the certificate from that point on.
|
|
|
APO
National Hazard
Posts: 627
Registered: 28-12-2012
Location: China Lake
Member Is Offline
Mood: Refluxing
|
|
I think you missed kentkams, who has been compromised.
"Damn it George! I told you not to drop me!"
|
|
|
Texium
Administrator
Posts: 4508
Registered: 11-1-2014
Location: Salt Lake City
Member Is Offline
Mood: PhD candidate!
|
|
Um, I don't think so. His account looks normal. At first I thought he was, because he was right below the /root/ people on the member list and I
misread, but then later I noticed he wasn't.
|
|
|
S.C. Wack
bibliomaster
Posts: 2419
Registered: 7-5-2004
Location: Cornworld, Central USA
Member Is Offline
Mood: Enhanced
|
|
It's weird that there are 10 people common to both lists, and not more or less. It would be interesting to know if anyone now locked had a strong
password, or is it on the short list or "short" list of passwords. My password is on a higher level, but I log in https with tor anyways.
|
|
|
Polverone
Now celebrating 21 years of madness
Posts: 3186
Registered: 19-5-2002
Location: The Sunny Pacific Northwest
Member Is Offline
Mood: Waiting for spring
|
|
Some "attacker" actions came from woelen's IP address. As far as we can tell his actual account was never taken over. It is possible that the attacker
embedded a script or a script-loading iframe sandbox in a U2U or post that hijacked the browser in the background. One thing such a script could do is
steal authentication cookies, because the XMB software was not setting the HttpOnly flag on cookies. Once the attacker has your xmbpw cookie he could
run a dictionary attack against it to recover the actual account password.
I have now patched our XMB software so that cookies are set to HttpOnly, meaning they cannot be captured by a rogue script even if one is running: https://www.owasp.org/index.php/HttpOnly
I suggest that everyone log out and log in again so as to get the more secure HttpOnly cookies stored by their browser.
PGP Key and corresponding e-mail address
|
|
|
Texium
Administrator
Posts: 4508
Registered: 11-1-2014
Location: Salt Lake City
Member Is Offline
Mood: PhD candidate!
|
|
Alright, will do. Thanks Polverone.
|
|
|
forgotpassword
Harmless
Posts: 47
Registered: 12-8-2014
Member Is Offline
Mood: No Mood
|
|
Okay Polverone, how are you going to contact us though to get our accounts back?
I hope it stops now that you've set cookies to HttpOnly.
|
|
|
Polverone
Now celebrating 21 years of madness
Posts: 3186
Registered: 19-5-2002
Location: The Sunny Pacific Northwest
Member Is Offline
Mood: Waiting for spring
|
|
You might recognize the jerk who hijacked accounts: help identify him
I am working toward frozen account restoration soon. I will reset passwords manually and send them to the original email address associated with the
frozen account. Unfortunately, a cat knocked my external hard drive to the floor while I was trying to retrieve the most recent forum DB backup. That
drive is dead now. I have to go back to a backup from 2012 to find non-tainted email addresses for members, and not all affected members had yet
registered at that time. I'll probably need to do a web-of-trust thing where members who have been in contact with a frozen-account member can vouch
for the correct email address that should be associated with the account.
Some measures have been taken to improve security, which I won't describe in public yet so as to delay someone intent on circumventing them.
I think the attacker is a current or recent-past student of the Lumen Christi Catholic grammar school in Derry, Northern Ireland. I think he has an
interest in pyrotechnics and may be known by members here or on other chemistry/pyrotechnics forums due to his interests.
I have uploaded the most interesting material that I mirrored from the attacker's web server:
http://www.sciencemadness.org/evidence/
For the story so far read this:
http://www.sciencemadness.org/evidence/READTHIS.html
There are videos including voice tracks and recorded phone calls that I grabbed from his server. It's unlikely that anyone would know him in person,
but someone who understands the regional accents better than I do and/or has more time to listen to phone calls might find some interesting material
among the recordings.
I hope that someone might be able to tease out clues to the attacker's identity that I have missed so far.
The most maddening thing is that I still have not figured out how compromised members' browsers were tricked into loading a file from the attacker's
server. I have searched forum U2Us and posts here in various ways looking for weird iframes, scripts, or links, but no luck so far. If there is not a
deeply disguised poison post somewhere here on sciencemadness, then the attack was initiated from a third party site. My best guess at current would
be sciencemadness.wikia.com. The site loads such a multitude of scripts and third party content that it could take a very long time to inspect
everything thoroughly for suspicious scripts, frames, or links.
PGP Key and corresponding e-mail address
|
|
|
APO
National Hazard
Posts: 627
Registered: 28-12-2012
Location: China Lake
Member Is Offline
Mood: Refluxing
|
|
I'll have to break out the steganography on this one. Shall I call up dateline?
"Damn it George! I told you not to drop me!"
|
|
|
| Pages:
1
2
3
4
..
7 |
![[*]](images/xpblue/default_icon.gif){kind=icon}
