Q&A for announcement about forum database intrusion

  • Administrator

You can read the announcement here: http://www.tngunowners.com/forums/topic/47498-tgo-forum-database-partially-compromised-email-addresses-swiped/

You can use this thread to ask any questions that you might have and I will do my best to answer them.

First and foremost let me say that I -- like many of you, I suspect -- am extremely aggravated that this happened. It's a complete pain in the ass for a forum administrator to deal with and due to the nature of the way it happened, it is also one of those really annoying things that we are completely at the mercy of others to prevent. We didn't write the software. Neither did Invision Power in this particular instance. The loophole that was used came from a third party add-on contributed by a member of the IPB community.

Second, it appears that the only damage so far is that several of our members have been spammed with anti-political junk email.

Third, and most importantly perhaps, it is crucial that if you use the same password here as you use somewhere else, that you change your password in both places to something unique. And by unique I mean not shared between any other sites. This is perhaps the biggest pain in the ass of all because most of us tend to use the same or similar passwords on the different sites we visit. It's an inherently unsafe practice but it is also inherently human.

Anyway, ask away. Like I said, I'll do my best to answer.


  • Administrator

Allow me to make one preemptive remark before someone makes the conclusion that this would have never happened on vBulletin software: The problem stemmed from the fact that we used Google-hosted code for certain UI elements. vBulletin sites have been hit by this same thing.

https://www.vbulletin.com/forum/showthread.php/398334-Emails-from-quot-Anonymous-quot-All-appear-to-be-from-sites-running-vBulletin?highlight=anonymous

https://www.vbulletin.com/forum/showthread.php/380561-vBulletin-3-x-and-4-x-Redirect-Security-Exploit?highlight=anonymous

Not sure if you guys can read those links or not but basically they're talking about the same emails some of you guys got.

Again, it's a total pain in the ass and has caused me to revert back to hosting all of our UI code and not relying on Google (or Yahoo) for their public libraries any longer. It will definitely cause a performance hit on the site but it's worth it.
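Self-hosting is one answer to the risk described above; a later browser feature, Subresource Integrity (SRI), is the other: the page pins a hash of the library it expects, and the browser refuses to run a copy that differs. This is an added example, not part of the original post; the script body below is constructed and stands in for a hosted UI library.

```python
import base64
import hashlib
import hmac

# Digest algorithms that browsers accept in an integrity attribute
SRI_ALGOS = ("sha256", "sha384", "sha512")

def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return the value for a <script integrity="..."> attribute:
    '<algo>-' followed by the base64 of the digest of the exact bytes served."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"

def verify_sri(content: bytes, integrity: str) -> bool:
    """Mimic the browser's check: recompute the digest of what was fetched and
    compare it with the pinned value; any changed byte makes the check fail."""
    algo, _, _ = integrity.partition("-")
    if algo not in SRI_ALGOS:
        return False
    return hmac.compare_digest(sri_hash(content, algo), integrity)

def script_tag(src: str, content: bytes) -> str:
    """Build the tag to paste into the page, pinned to the reviewed copy of the
    library. crossorigin is required for SRI on cross-origin hosts."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            'crossorigin="anonymous"></script>')

# Constructed sample: the library as reviewed, and a copy with an extra line
PINNED_SCRIPT = b"window.ui = { version: '1.0' };\n"
PINNED_INTEGRITY = sri_hash(PINNED_SCRIPT)
TAMPERED_SCRIPT = PINNED_SCRIPT + b"// added after the pin was taken\n"

if __name__ == "__main__":
    print(script_tag("https://cdn.example.invalid/ui.js", PINNED_SCRIPT))
    print("pinned copy passes:", verify_sri(PINNED_SCRIPT, PINNED_INTEGRITY))
    print("modified copy passes:", verify_sri(TAMPERED_SCRIPT, PINNED_INTEGRITY))
```

The pinned hash must be recomputed whenever the library is deliberately upgraded, which is the point: a change on the host side no longer reaches visitors silently.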

No question, just an observation. If I were going to hack a website and steal users' personal information I would NOT pick a forum full of gun owners. I think I would pick a Toyota Prius Forum, but that's just me.

  • Administrator

Without starting a speculation brushfire, is there a possible motive beyond the typical sociopathic hacker mentality?

No question, just an observation. If I were going to hack a website and steal users' personal information I would NOT pick a forum full of gun owners. I think I would pick a Toyota Prius Forum, but that's just me.

Going to answer these two together. This was not a targeted attack. Rather, this was an exploit of dozens (maybe hundreds) of forums across the Internet running IPB and vBulletin, perhaps other software as well, all of which were leveraging third party user interface (UI) code hosted by Google and Yahoo. We were just one of the unfortunate communities using this code which allowed this group to lift portions of our member list for use in a mass emailing.

So no, I don't think there was any further motive than just spamming a million or so email addresses with anti-political rhetoric.


If you are looking for a good password manager check out LastPass. It keeps all of your passwords secured with one master password and the client is available for multiple platforms, Steve Gibson of GRC did a whole Security Now show and gave it high praises. Here is a link to the show if you are interested in hearing it. http://twit.tv/sn256

I have no ties or affiliations to anything above other than having a lot of respect for Steve and being a happy LastPass customer.

By using something like this you avoid having to remember different passwords for all of your sites plus you can have crazy and long passwords but only have to remember one.


A lot of folks recommend a base password + site specific.

For example, if your password for this site were

xy#$,>

you might use things like

xy#$,>tngn //tn guns

xy#$,>fcbk //facebook

xy#$,>yho //yahoo

or the like.

That way you really only remember 1 password, if you can be disciplined enough to have a pattern to how you make the site name portion. This fails if someone targets YOU but it works if someone stole a database and is just feeding name/password combos to various sites to get a hit, which is the most common issue.

Edited by Jonnin

A lot of folks recommend a base password + site specific.

For example, if your password for this site were

xy#$,>

you might use things like

xy#$,>tngn //tn guns

xy#$,>fcbk //facebook

xy#$,>yho //yahoo

or the like.

That way you really only remember 1 password, if you can be disciplined enough to have a pattern to how you make the site name portion. This fails if someone targets YOU but it works if someone stole a database and is just feeding name/password combos to various sites to get a hit, which is the most common issue.

I like that idea... I don't want to thread steal here, but it IS related... are there any cons to this method?

I like that idea... I don't want to thread steal here, but it IS related... are there any cons to this method?

Just the one I listed. If a hacker is going after YOU specifically, and sees the pattern, he can now guess your passwords on various sites easily. It is uncommon for a regular person to be the target of a serious hacker --- you either need an enemy, or be rich/famous/infamous/political/etc or have some other reason to be a target.

  • Administrator

I like that idea... I don't want to thread steal here, but it IS related... are there any cons to this method?

Not unless you are specifically being targeted. We teach this method to our people at my place of employment. I personally don't use it but my system is somewhat similar, albeit based on a mathematical formula that uses a sequence of #s and variables pulled from the "root" of my passwords. Unfortunately it also means most of my passwords are about 12 characters long.
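The exchange above (Jonnin's base-plus-site scheme and the question of its cons) can be made concrete. The following is an added example, not code from any poster: it builds passwords both ways from the constructed root used in the thread, checks whether the root is visible in the result, and adds a small reuse audit of the kind the announcement asks members to do by hand. The HMAC derivation is a suggested alternative, not something the thread describes.

```python
import base64
import hashlib
import hmac

# Constructed sample values from the thread above, not anyone's real credentials
ROOT = "xy#$,>"
SITES = ["tngunowners.com", "facebook.com", "yahoo.com"]

def pattern_password(root: str, site_tag: str) -> str:
    """The scheme from the post: memorised base followed by a site-specific tag."""
    return root + site_tag

def derived_password(root: str, site: str, length: int = 20) -> str:
    """Keyed alternative: HMAC-SHA256(key=root, message=site), base64, truncated.
    The root never appears in any site password, so a leaked password does not
    expose the pattern (or the root) used for the others. Requires the same
    root and site string each time, and a site may still impose its own rules."""
    mac = hmac.new(root.encode(), site.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()[:length]

def root_visible_in(password: str, root: str) -> bool:
    """True if someone who sees this one password also sees the base in clear."""
    return root in password

def reused_passwords(creds: dict) -> dict:
    """Group sites by identical password; any group of two or more is exactly
    the situation the announcement warns about after a database leak."""
    groups = {}
    for site, password in creds.items():
        groups.setdefault(password, []).append(site)
    return {pw: sites for pw, sites in groups.items() if len(sites) > 1}

if __name__ == "__main__":
    for site, tag in zip(SITES, ["tngn", "fcbk", "yho"]):
        shown = pattern_password(ROOT, tag)
        print(f"{site:18} pattern={shown:14} root visible: {root_visible_in(shown, ROOT)}")
        hidden = derived_password(ROOT, site)
        print(f"{site:18} derived={hidden:14} root visible: {root_visible_in(hidden, ROOT)}")
    # Constructed audit input: two accounts share a password, one is unique
    print(reused_passwords({"forum": "p1", "email": "p1", "bank": "p2"}))
```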
