Sciencemadness Discussion Board
Not logged in [Login ]
Go To Bottom

Printable Version  
 Pages:  1  2    4  ..  7
Author: Subject: The Forum Has Been Hacked
Texium
Administrator
********




Posts: 4606
Registered: 11-1-2014
Location: Salt Lake City
Member Is Offline

Mood: PhD candidate!

[*] posted on 12-8-2014 at 10:23


I'm not sure who was first, but maybe Polverone will find out since he's been looking through the archives and stuff.



Come check out the Official Sciencemadness Wiki
They're not really active right now, but here's my YouTube channel and my blog.
View user's profile Visit user's homepage View All Posts By User
Zyklon-A
International Hazard
*****




Posts: 1547
Registered: 26-11-2013
Member Is Offline

Mood: Fluorine radical

[*] posted on 12-8-2014 at 10:33


I noticed, all of the accounts that have been compromised (in the top ten pages of members, by post count) do not have real words for usernames - especially with numbers and strange letter sequences.
Manifest is an exception, but I'm pretty sure he put /root/ as his location himself.




View user's profile View All Posts By User
Texium
Administrator
********




Posts: 4606
Registered: 11-1-2014
Location: Salt Lake City
Member Is Offline

Mood: PhD candidate!

[*] posted on 12-8-2014 at 10:37


I think that that's probably a coincidence. And I don't think that Manifest faked it. His was already like that before we knew what was going on. I had reason to believe that B&F did, because it happened later and right after he posted something about how we might be dealing with an experienced hacker, and then the same thing happened to his Töilet Plünger account when he posted to say that Brain&Force was compromised. It looked a bit sketchy to me, but it seems like he was being serious.



Come check out the Official Sciencemadness Wiki
They're not really active right now, but here's my YouTube channel and my blog.
View user's profile Visit user's homepage View All Posts By User
arkoma
Redneck Overlord
*******




Posts: 1763
Registered: 3-2-2014
Location: On a Big Blue Marble hurtling through space
Member Is Offline

Mood: украї́нська

[*] posted on 12-8-2014 at 11:04


Well I may owe Mr_Magnesium an apology if that wasn't really him. Only he knows.

I DID just CHANGE my password.

@Polverone---thank you AGAIN for your tireless, mostly thankless, time consuming effort in keeping Sciencemadness.org the PREMIER home science spot on the web.




"We believe the knowledge and cultural heritage of mankind should be accessible to all people around the world, regardless of their wealth, social status, nationality, citizenship, etc" z-lib

View user's profile View All Posts By User
S.C. Wack
bibliomaster
*****




Posts: 2419
Registered: 7-5-2004
Location: Cornworld, Central USA
Member Is Offline

Mood: Enhanced

[*] posted on 12-8-2014 at 11:16


> What do the members on this list have in common?

Presumably past usage of a common exit node, not necessarily a scanning one at all.




"You're going to be all right, kid...Everything's under control." Yossarian, to Snowden
View user's profile Visit user's homepage View All Posts By User
Loptr
International Hazard
*****




Posts: 1348
Registered: 20-5-2014
Location: USA
Member Is Offline

Mood: Grateful

[*] posted on 12-8-2014 at 11:17


I would say that it is time that the SM forum required SSL to access it, instead of giving the option for either HTTP or HTTPS.

Everyone uses the HTTPS address, right? :o

You might want to because of this very reason.
View user's profile View All Posts By User
Zyklon-A
International Hazard
*****




Posts: 1547
Registered: 26-11-2013
Member Is Offline

Mood: Fluorine radical

[*] posted on 12-8-2014 at 11:19


All compromised members registered in between 2011 and 2014.
Also they all were active on 11-8-14.
None of this is new information though.




View user's profile View All Posts By User
Texium
Administrator
********




Posts: 4606
Registered: 11-1-2014
Location: Salt Lake City
Member Is Offline

Mood: PhD candidate!

[*] posted on 12-8-2014 at 11:23


Quote: Originally posted by Zyklon-A  
All compromised members registered in between 2011 and 2014.
Also they all were active on 11-8-14.
None of this is new information though.
If you look at my list, yes, but if you look at Polverone's list there were plenty of members who registered before 2011 who were compromised.
What I'm curious about is why DJF90's location says /dev/null. That happened more recently than the others.

[Edited on 8-12-2014 by zts16]




Come check out the Official Sciencemadness Wiki
They're not really active right now, but here's my YouTube channel and my blog.
View user's profile Visit user's homepage View All Posts By User
Polverone
Now celebrating 21 years of madness
*********




Posts: 3186
Registered: 19-5-2002
Location: The Sunny Pacific Northwest
Member Is Offline

Mood: Waiting for spring

[*] posted on 12-8-2014 at 11:56


Here is my updated list of assumed-compromised users, whose accounts have been frozen:

Code:
+----------------------+ | username | +----------------------+ | acetone | | bamboula | | BMN_1 | | bobm4360 | | Brain&Force | | Ddan | | DJF90 | | DubaiAmateurRocketry | | elementcollector1 | | freedompyro | | gdflp | | GreyCatFin | | HeYBrO | | Manifest | | Mr_Magnesium | | numos | | Oscilllator | | plante1999 | | SweetHomeSunscreen | | Tdep | | TheChemiKid | | Töilet Plünger | | zebilol | +----------------------+


I have reactivated careysub's account with a strong password, since I was already in email contact with him at the time of the breech. His account did have a weak password. It will take me some time to work on reactivating other accounts because I have to attend to my day job for a few hours.




PGP Key and corresponding e-mail address
View user's profile Visit user's homepage View All Posts By User
DrAldehyde
Hazard to Self
**




Posts: 82
Registered: 12-1-2014
Member Is Offline

Mood: No Mood

[*] posted on 12-8-2014 at 12:00


Quote: Originally posted by Loptr  
I would say that it is time that the SM forum required SSL to access it, instead of giving the option for either HTTP or HTTPS.

Everyone uses the HTTPS address, right? :o

You might want to because of this very reason.



Actually, I don't use the HTTPS site, I have always gotten a site security certificate error loading the https site.



Screenshot_2014-08-12-13-00-05.png - 204kB
View user's profile View All Posts By User
arkoma
Redneck Overlord
*******




Posts: 1763
Registered: 3-2-2014
Location: On a Big Blue Marble hurtling through space
Member Is Offline

Mood: украї́нська

[*] posted on 12-8-2014 at 12:04


speaking of HTTPS, I always get an "invalid security certificate" message. Use the HTTPS anyway, but do any y'all know how to tell chromium to accept it?

I run Mint17 Qiana




"We believe the knowledge and cultural heritage of mankind should be accessible to all people around the world, regardless of their wealth, social status, nationality, citizenship, etc" z-lib

View user's profile View All Posts By User
prof_genius
Hazard to Others
***




Posts: 147
Registered: 15-5-2013
Member Is Offline

Mood: No Mood

[*] posted on 12-8-2014 at 12:06


Happens to me too, but I have now started using HTTPS.

[Edited on 12-8-2014 by prof_genius]
View user's profile View All Posts By User
gdflp2
Harmless
*




Posts: 5
Registered: 12-8-2014
Location: /tree/
Member Is Offline

Mood: No Mood

[*] posted on 12-8-2014 at 12:12


Polverone, just out of curiosity, how are you planning to contact the people who have had their accounts hacked? Thanks for all you do for this forum, it wouldn't be the same without you.
View user's profile View All Posts By User
gdflp2
Harmless
*




Posts: 5
Registered: 12-8-2014
Location: /tree/
Member Is Offline

Mood: No Mood

[*] posted on 12-8-2014 at 12:16


Hmmm it seems that all of the hacked accounts have had their signatures erased as well.
View user's profile View All Posts By User
Texium
Administrator
********




Posts: 4606
Registered: 11-1-2014
Location: Salt Lake City
Member Is Offline

Mood: PhD candidate!

[*] posted on 12-8-2014 at 12:40


Quote: Originally posted by gdflp2  
Hmmm it seems that all of the hacked accounts have had their signatures erased as well.
Yeah, I noticed that too. And I also got a security error the first time I went to the HTTPS site, but I ignored it and told Firefox to trust it, and it's never given me any problems.



Come check out the Official Sciencemadness Wiki
They're not really active right now, but here's my YouTube channel and my blog.
View user's profile Visit user's homepage View All Posts By User
quantime
Harmless
*




Posts: 18
Registered: 26-6-2014
Location: divergent
Member Is Offline

Mood: purple

[*] posted on 12-8-2014 at 12:56
use the https site - ignore the message


That message is just a stupid message that says the certificate is not tied back to an authority. In reality all certificates on the net that are tied back to an authority are immediately insecure. That is what a certificate authority is. A certificate authority is suppose to lend credibility to a certificate. A certificate authority is suppose to tell your browser that a certificate is safe. In reality the certificate authority gives away the encryption keys to whatever agency wants it. In our case the browser warning deceives you into making the wrong choice. When setting up a system like this one, the best choice for security is to encrypt with a certificate, and not register the certificate. It looks weird to users, but we should be smarter than that. Whomever setup this site did it right. I assume Polverone.

[Edited on 12-8-2014 by quantime]

[Edited on 12-8-2014 by quantime]
View user's profile Visit user's homepage View All Posts By User
Loptr
International Hazard
*****




Posts: 1348
Registered: 20-5-2014
Location: USA
Member Is Offline

Mood: Grateful

[*] posted on 12-8-2014 at 13:12


Quote: Originally posted by quantime  
That message is just a stupid message that says the certificate is not tied back to an authority. In reality all certificates on the net that are tied back to an authority are immediately insecure. That is what a certificate authority is. A certificate authority is suppose to lend credibility to a certificate. A certificate authority is suppose to tell your browser that a certificate is safe. In reality the certificate authority gives away the encryption keys to whatever agency wants it. In our case the browser warning deceives you into making the wrong choice. When setting up a system like this one, the best choice for security is to encrypt with a certificate, and not register the certificate. It looks weird to users, but we should be smarter than that. Whomever setup this site did it right. I assume Polverone.

[Edited on 12-8-2014 by quantime]

[Edited on 12-8-2014 by quantime]


Yeah, it's a self-signed certificate. You can add the certificate to your local certificate authority, also possible to add it to the browsers list, and it will accept the certificate from that point on.
View user's profile View All Posts By User
APO
National Hazard
****




Posts: 627
Registered: 28-12-2012
Location: China Lake
Member Is Offline

Mood: Refluxing

[*] posted on 12-8-2014 at 13:56


I think you missed kentkams, who has been compromised.



"Damn it George! I told you not to drop me!"
View user's profile View All Posts By User
Texium
Administrator
********




Posts: 4606
Registered: 11-1-2014
Location: Salt Lake City
Member Is Offline

Mood: PhD candidate!

[*] posted on 12-8-2014 at 14:04


Um, I don't think so. His account looks normal. At first I thought he was, because he was right below the /root/ people on the member list and I misread, but then later I noticed he wasn't.



Come check out the Official Sciencemadness Wiki
They're not really active right now, but here's my YouTube channel and my blog.
View user's profile Visit user's homepage View All Posts By User
S.C. Wack
bibliomaster
*****




Posts: 2419
Registered: 7-5-2004
Location: Cornworld, Central USA
Member Is Offline

Mood: Enhanced

[*] posted on 12-8-2014 at 14:06


It's weird that there are 10 people common to both lists, and not more or less. It would be interesting to know if anyone now locked had a strong password, or is it on the short list or "short" list of passwords. My password is on a higher level, but I log in https with tor anyways.



"You're going to be all right, kid...Everything's under control." Yossarian, to Snowden
View user's profile Visit user's homepage View All Posts By User
Polverone
Now celebrating 21 years of madness
*********




Posts: 3186
Registered: 19-5-2002
Location: The Sunny Pacific Northwest
Member Is Offline

Mood: Waiting for spring

[*] posted on 12-8-2014 at 14:25


Some "attacker" actions came from woelen's IP address. As far as we can tell his actual account was never taken over. It is possible that the attacker embedded a script or a script-loading iframe sandbox in a U2U or post that hijacked the browser in the background. One thing such a script could do is steal authentication cookies, because the XMB software was not setting the HttpOnly flag on cookies. Once the attacker has your xmbpw cookie he could run a dictionary attack against it to recover the actual account password.

I have now patched our XMB software so that cookies are set to HttpOnly, meaning they cannot be captured by a rogue script even if one is running: https://www.owasp.org/index.php/HttpOnly

I suggest that everyone log out and log in again so as to get the more secure HttpOnly cookies stored by their browser.




PGP Key and corresponding e-mail address
View user's profile Visit user's homepage View All Posts By User
Texium
Administrator
********




Posts: 4606
Registered: 11-1-2014
Location: Salt Lake City
Member Is Offline

Mood: PhD candidate!

[*] posted on 12-8-2014 at 14:29


Alright, will do. Thanks Polverone.



Come check out the Official Sciencemadness Wiki
They're not really active right now, but here's my YouTube channel and my blog.
View user's profile Visit user's homepage View All Posts By User
forgotpassword
Harmless
*




Posts: 47
Registered: 12-8-2014
Member Is Offline

Mood: No Mood

[*] posted on 12-8-2014 at 17:33


Okay Polverone, how are you going to contact us though to get our accounts back?
I hope it stops now that you've set cookies to HttpOnly.




View user's profile View All Posts By User
Polverone
Now celebrating 21 years of madness
*********




Posts: 3186
Registered: 19-5-2002
Location: The Sunny Pacific Northwest
Member Is Offline

Mood: Waiting for spring

mad.gif posted on 12-8-2014 at 22:35
You might recognize the jerk who hijacked accounts: help identify him


I am working toward frozen account restoration soon. I will reset passwords manually and send them to the original email address associated with the frozen account. Unfortunately, a cat knocked my external hard drive to the floor while I was trying to retrieve the most recent forum DB backup. That drive is dead now. I have to go back to a backup from 2012 to find non-tainted email addresses for members, and not all affected members had yet registered at that time. I'll probably need to do a web-of-trust thing where members who have been in contact with a frozen-account member can vouch for the correct email address that should be associated with the account.

Some measures have been taken to improve security, which I won't describe in public yet so as to delay someone intent on circumventing them.

I think the attacker is a current or recent-past student of the Lumen Christi Catholic grammar school in Derry, Northern Ireland. I think he has an interest in pyrotechnics and may be known by members here or on other chemistry/pyrotechnics forums due to his interests.

I have uploaded the most interesting material that I mirrored from the attacker's web server:
http://www.sciencemadness.org/evidence/

For the story so far read this:
http://www.sciencemadness.org/evidence/READTHIS.html

There are videos including voice tracks and recorded phone calls that I grabbed from his server. It's unlikely that anyone would know him in person, but someone who understands the regional accents better than I do and/or has more time to listen to phone calls might find some interesting material among the recordings.

I hope that someone might be able to tease out clues to the attacker's identity that I have missed so far.

The most maddening thing is that I still have not figured out how compromised members' browsers were tricked into loading a file from the attacker's server. I have searched forum U2Us and posts here in various ways looking for weird iframes, scripts, or links, but no luck so far. If there is not a deeply disguised poison post somewhere here on sciencemadness, then the attack was initiated from a third party site. My best guess at current would be sciencemadness.wikia.com. The site loads such a multitude of scripts and third party content that it could take a very long time to inspect everything thoroughly for suspicious scripts, frames, or links.




PGP Key and corresponding e-mail address
View user's profile Visit user's homepage View All Posts By User
APO
National Hazard
****




Posts: 627
Registered: 28-12-2012
Location: China Lake
Member Is Offline

Mood: Refluxing

[*] posted on 12-8-2014 at 23:01


I'll have to break out the steganography on this one. Shall I call up dateline?



"Damn it George! I told you not to drop me!"
View user's profile View All Posts By User
 Pages:  1  2    4  ..  7

  Go To Top