AnimeSuki Forums

Old 2014-05-13, 16:13   Link #201
demonix
Senior Member
 
 
Join Date: Jul 2006
Location: Hayes, Middx UK
Age: 45
It's a good thing I changed the password for the email address used to register here a while ago (after it was compromised) otherwise this pile of scum would have had access to other sites and services that use the same password, and the registered IP address is a moot point as well since if it was where I think it was, then I no longer use it (and they have the AS forum on their block list) and I'm now going through the process of disabling Java at browser level (it's set to always ask on the browser I use so even though I viewed the malicious announcement, it's unlikely that I was affected).
demonix is offline   Reply With Quote
Old 2014-05-13, 16:14   Link #202
KanbeKotori
Excuse me, I stuttered
 
 
Join Date: Jul 2013
Quote:
Originally Posted by Hiroi Sekai View Post
Hey man, if you are tech-savvy enough to superform your passwords, then power to you, you could definitely make better passwords than the LastPass generator could. However, with the general public, most of us don't have the formulaic dexterity to compose 20-30+ passwords and remember them all on the fly. In no way is the LastPass generator weak either, as you can combine numerics, capital/lowercase and special characters, plus it's encrypted with several LastPass secret PHP codes and proper SHA1 encryption. When it comes down to it, not even LastPass knows your password after it's encrypted. Not discarding your method, but I think the everyday man would feel a lot safer with an encryption service supporting them.

P.S. "Laziness" is no longer an appropriately usable term in today's technological workflow. We have the ability to complete basic tasks much more efficiently and effectively, so we take on more as a result. We simply don't have the time to burn doing everything manually when a computer can achieve similar results for you in a fraction of the time. It's not being lazy, it's being efficient and saving the time for other tasks.
Thing is, full dependency on technology is bad. It's something that isn't stable enough. While relying on technology is okay, over-relying is bad.

I think you know that SHA1 isn't even good. It's slightly better than MD5. I'll use LastPass ONLY if the security is provided by the NSA. There is no way I'm leaving vulnerable information to some technology that has a chance to fail (no technology is fail-proof). Sure, for the people who can't understand these things much, getting them to use LastPass may be good but I fear the over-dependency of it. I'd have liked it if it used the BATON system but I'm prolly asking too much for something that is almost remotely free. With these systems, one could say it's doing more harm than good. People get complacent and rely on it far too much. When the day comes and these things aren't available anymore, you'll see vulnerable information being much more easily exploited due to the fact that people don't know how to create passwords without using technology anymore. Just like the saying goes, "Give a man a fish and you feed him for a day, teach a man how to fish and you feed him for a lifetime".

Quote:
Originally Posted by Anh_Minh View Post
- Password entropy isn't a solution if you reuse passwords. All it takes is someone getting your password (from something like what happened here, for example).
- If your "shitass long passwords" are existing words with common l33t alterations... well, if everyone starts adopting that strategy, "not-so-brute force" approaches will start taking that into account, and you'll realize the strength for that isn't that big. (Fortunately, many people still use "password".) I mean, how many words does the average user know? A few thousand in English, maybe a few thousand more in another language.
What makes you think I reuse them? I don't just create my own passwords, I protect my passwords too. How? I'm not gonna mention. Ain't pretty in this field.

You must have sorely mistaken me for the simplistic lazy kind. I'm sorry to disappoint you then. Thing is, the general BASIC rule of creating passwords doesn't tell anyone to adopt a style to follow. It's merely just guidelines. I do run tests for my passwords and I can fairly say I'm confident in their strength. Besides, there is a beauty in cryptography, something which many people fail to appreciate.
__________________
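"I don't have any friends. People betray you right away, and school is just a gathering of idiots who can't get by without making someone their target. They assign roles like they're playing house, pretend to get along, and then act like they don't know you when it becomes inconvenient. I have no desire whatsoever to be friends with people like that."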
KanbeKotori is offline   Reply With Quote
Old 2014-05-13, 16:22   Link #203
GHDpro
Administrator
*Administrator
 
 
Join Date: Jan 2001
Location: Netherlands
Age: 45
Quote:
Originally Posted by Miraluka View Post
I'm interested to know when the avatar system is going to be fixed since the only way to update it is through uploading the files and linking is impossible.
I'm not sure what you mean. Is there something broken?

I just tried deleting & re-uploading my avatar and that seems to work fine.
GHDpro is offline   Reply With Quote
Old 2014-05-13, 16:58   Link #204
Tabris
Senior Member
 
Join Date: Dec 2005
Age: 35
It's unfortunate that this has happened, but I'm not too fussed. Security is quite a big issue these days though, so I'd have expected more than to have an inactive staff account left laying about to be abused.

That said, in my case, it was an out of date password attached to an old and dusted email account that I don't use any more with a diff pass anyway. My forum username is a common one that is used around the Internet by many others, so that isn't a big deal either unless someone cares enough to try every single "Tabris" they can find, of which there are many and only one that is me, here.
Tabris is offline   Reply With Quote
Old 2014-05-13, 17:03   Link #205
Ultimateninjax
Junior Member
 
Join Date: Jun 2012
can someone send me my password that was actually hacked since i have no clue which one it was
Ultimateninjax is offline   Reply With Quote
Old 2014-05-13, 17:10   Link #206
GHDpro
Administrator
*Administrator
 
 
Join Date: Jan 2001
Location: Netherlands
Age: 45
Quote:
Originally Posted by Ultimateninjax View Post
can someone send me my password that was actually hacked since i have no clue which one it was
For those not specialized in cracking an MD5 hashed salted password that is not easy. While everyone agrees such a password is `easy` to crack, `easy` in this case is relative to those familiar with password cracking.

So, no, I'm afraid I can't help you.
GHDpro is offline   Reply With Quote
Old 2014-05-13, 17:18   Link #207
KoiYuki
Senior Member
 
 
Join Date: Sep 2007
Location: USA
Age: 32
So I know the password here was changed, but since my email wasn't updated on this account until today (it was on some other email), what are the odds that it could've affected other sites I use? I'm asking because my tumblr password suddenly stopped working (and I was suddenly logged out too), but that email wasn't the same as this one, at least until literally just now.
KoiYuki is offline   Reply With Quote
Old 2014-05-13, 17:22   Link #208
Anh_Minh
I disagree with you all.
 
 
Join Date: Dec 2005
Quote:
Originally Posted by GHDpro View Post
For those not specialized in cracking an MD5 hashed salted password that is not easy. While everyone agrees such a password is `easy` to crack, `easy` in this case is relative to those familiar with password cracking.

So, no, I'm afraid I can't help you.
I have no practical knowledge, but from what I've heard, what's easy is finding "a" password that works for a given md5, rather than the password that was actually given.

Though I suppose you could give him his md5, the salt, and let him sort it out.
Anh_Minh is offline   Reply With Quote
Old 2014-05-13, 18:00   Link #209
chikorita157
Shut-in Idol
*IT Support
 
 
Join Date: Feb 2009
Location: Pennsylvania , United States
Age: 34
Quote:
Originally Posted by Hiroi Sekai View Post
tl;dr: GET LASTPASS, GENERATE NEW PASSWORDS FOR EACH SITE. NEVER REUSE PASSWORDS WHEN YOU DON'T HAVE TO.
Sure, everyone can use password managers (I personally use 1Password and now generate random passwords and have the program fill it in) and some operating systems, especially Apple's operating systems like OS X Mavericks and iOS 7, have this functionality built in (it also encrypts the login information in AES-256). Of course, if you want to log in on a public computer like in the computer lab, it becomes inconvenient.

If you can't remember a complex password, I suggest making a password based on patterns (as long as it's not a common one like qwerty) or make one based on a few random words and then substitute it with numbers, caps and symbols. Do not add numbers to existing passwords because one is too lazy to memorize another one.

In addition, I suggest turning on two-factor authentication if the service provides it. In multi-factor authentication, there are three: what you know (passwords, PIN number), what you have (smartphone or a smart card) and what you are (biometrics). Nowadays, sites like Google, Twitter, Facebook, etc. have the ability to send a code via SMS or use an application to provide a code before you can log in (and it's hard to crack considering that these codes are only valid for a period of time before they expire).

But aside from that, I feel that passwords are a necessary evil since it's not practical to have certificate authentication or use RSA keys (typically used in SSH authentication, which is public key cryptography). I do agree with this particular blog post, as passwords are becoming archaic as faster GPUs and ASICs make it easier to crack these passwords… I think it's a good idea to add a two-factor authentication option with either Google Authenticator or Authy so the attacker will have a harder time hacking unless they steal the user's phone or device.
__________________
chikorita157 is offline   Reply With Quote
Old 2014-05-13, 18:01   Link #210
Nvis
Where are the good animes
 
 
Join Date: Dec 2003
Quote:
Originally Posted by RRW View Post
Well, we certainly appreciate the staff's effort in dealing with this. But clearly the entire AnimeSuki staff is heavily understaffed.

I mean, both GHD and nightwish are hardly regular right now and other staff these days are busy with IRL stuff. This means this forum is lacking staff to watch the technical side of the forum regularly.

So how do you guys deal with this? Hire more staff or promote some mod into staff?

Note I am not talking about mod as I think we have enough of that for now.
Too many spoiler-hunting mods. This is far more serious than some spoilers.
Nvis is offline   Reply With Quote
Old 2014-05-13, 18:30   Link #211
Irenicus
The fool, that's me
 
 
Join Date: Dec 2007
Location: Las Vegas, NV, USA
Age: 34
Looks like I've got to investigate what random old accounts I've made over the years.

Meh, good excuse to start implementing serious security measures anyway. Maybe I could try LastPass out. I may have the sense to at least segregate my bank account and email passwords, but still.

But I hope you guys wake up and start accelerating forum upgrades and/or security upgrade plans going forward. Bring in more staff if you have to. A target once is a repeated target.

A question, however: if a user has previously, before the May 2-4 incident, changed passwords, do you keep any old password data, and if so, are the old ones compromised?
Irenicus is offline   Reply With Quote
Old 2014-05-13, 18:53   Link #212
00-Raiser
Burst Mode
*Author
 
 
Join Date: Oct 2009
Location: Windsor, Ontario
Age: 37
Well, this situation is unfortunate. I have a bit of a problem, though. I don't remember what password I used for this site since I just set it to auto log in. I have a handful of passwords I use for most sites so is it possible for an admin or some one to tell me what my old password was? Just need to know which I need to change.
__________________
00-Raiser is offline   Reply With Quote
Old 2014-05-13, 19:01   Link #213
AC-Phoenix
Detective
 
 
Join Date: Aug 2010
Age: 36
Would be good to know which IP address I actually registered with now... I know I moved in here in Aug 2010 which is approximately when I joined the forums... Question is just whether I registered from my old home or from here already...

I think the bigger issue is that I use a (TV) Cable modem, rather than a router though... So yeah let the ping wars with the hacker begin...

Can anyone btw please explain how they get the name behind the IP address? That's actually information only your provider should have access to...
__________________
Those who forget about the past are condemned to repeat it - Santayana

Sidenote: I'm seemingly too dumb for my current keyboard, so if you see the same character twice in a row, when it doesn't belong there just ignore it.
AC-Phoenix is offline   Reply With Quote
Old 2014-05-13, 19:07   Link #214
Reckoner
Bittersweet Distractor
 
 
Join Date: Nov 2007
Age: 32
Fortunately none of my really important accounts shared info with this website.

Quote:
Originally Posted by Irenicus View Post
A target once is a repeated target.
I believe the forum was also hacked in the 2004ish period, so once a decade event for this site?
Reckoner is offline   Reply With Quote
Old 2014-05-13, 19:07   Link #215
Ithekro
Gamilas Falls
 
 
Join Date: Feb 2008
Location: Republic of California
Age: 46
Hopefully nothing of value is lost due to this.

Quote:
Originally Posted by Reckoner View Post
I believe the forum was also hacked in the 2004ish period, so once a decade event for this site?

I guess it takes that long to go once around the Internet.
__________________
Dessler Soto, Banzai!
Ithekro is offline   Reply With Quote
Old 2014-05-13, 19:12   Link #216
Ledgem
Love Yourself
 
 
Join Date: Mar 2003
Location: Northeast USA
Age: 38
Quote:
Originally Posted by chikorita157 View Post
Sure, everyone can use password managers (I personally use 1Password and now generate random passwords and have the program fill it in) and some operating systems, especially Apple's operating systems like OS X Mavericks and iOS 7, have this functionality built in (it also encrypts the login information in AES-256). Of course, if you want to log in on a public computer like in the computer lab, it becomes inconvenient.
I use 1Password as well. The nice thing about it is that it has versions for phones, as well, and you can sync your database between your computer and phone. The benefit is that you always have your passwords with you. I agree that it's inconvenient to enter a 50-character password by hand, but it's a solution for those who are worried about only being able to access accounts on their main computer.

The same (or similar) hack occurred on the larger MacRumors forums a few months ago. There was a similar time delay between the hack and when the administration sent out a notice; compared with the AnimeSuki crowd, there was more outrage, for whatever reason. Maybe anime fans are just more mellow.

To anyone who is upset, I'd say that you should feel lucky. The vast majority of people using the internet without better security precautions are in for a rude awakening. If having a password stolen on an anime forum was the kick you needed to get a password manager and take security seriously, you had a very mild wake-up compared to what others go through.
__________________
Ledgem is offline   Reply With Quote
Old 2014-05-13, 19:38   Link #217
Sackett
Cross Game - I need more
 
 
Join Date: Apr 2009
Location: I've moved around the American West. I've lived in Oregon, Washington, Utah, and Oklahoma
Age: 44
Quote:
Originally Posted by Nvis View Post
Sounds like something that when hacked they can use the "program" to steal all your passwords and sites that use them.........

Maybe better if I just write it on a piece of paper.
Actually, discussing this with a security expert, he said that is probably one of the safest options now:

Get a password generator to generate random 35 character passwords with numbers, symbols, and different capitalization. Then write it on a slip of paper and carry it in your wallet, preferably without clearly identifying what password goes to what. If your wallet gets stolen/lost then you need to go reset your passwords for everything.

The other safe option he identified is something like Last Pass, but to have it on an actual hard drive and not anywhere else. Then you just need to defend access to your hardware. The most secure option being to have a second computer (something old and obsolete) that is not hooked up to the internet- generate and store all your passwords there and protect it behind a really strong password.

It really depends on how paranoid you want to be.
__________________

Cross Game - A Story of Love, Life, Death - and Baseball. What more could you want?
Sackett is offline   Reply With Quote
Old 2014-05-13, 20:11   Link #218
SquirrelLuvsPnut
Kill on sight
 
 
Join Date: Apr 2007
Not gonna say this was a good thing, but this was finally the kick in the teeth I needed to update all of my passwords!
SquirrelLuvsPnut is offline   Reply With Quote
Old 2014-05-13, 20:15   Link #219
Kimidori
The Opened Ultimate Gate
 
 
Join Date: Dec 2011
Age: 30
Quote:
Originally Posted by AC-Phoenix View Post
Would be good to know which IP address I actually registered with now... I know I moved in here in Aug 2010 which is approximately when I joined the forums... Question is just whether I registered from my old home or from here already...

I think the bigger issue is that I use a (TV) Cable modem, rather than a router though... So yeah let the ping wars with the hacker begin...

Can anyone btw please explain how they get the name behind the IP address? That's actually information only your provider should have access to...
unless they specially target you there is nothing to worry about, IP address is one of the most easily exposed information on the internet, if they want to dox you it should only tell your general location to give them some clue, but it's not worth the effort to go further for a random guy on the internet.

if they could and want to hack random guy on the internet based on their IP they could just pick a random Wikipedia editor since their IP are always logged for everyone to see.
__________________
Kimidori is offline   Reply With Quote
Old 2014-05-13, 20:42   Link #220
AC-Phoenix
Detective
 
 
Join Date: Aug 2010
Age: 36
Quote:
Originally Posted by Kimidori View Post
unless they specially target you there is nothing to worry about, IP address is one of the most easily exposed information on the internet, if they want to dox you it should only tell your general location to give them some clue, but it's not worth the effort to go further for a random guy on the internet.

if they could and want to hack random guy on the internet based on their IP they could just pick a random Wikipedia editor since their IP are always logged for everyone to see.
Yeah I read Name and my mind completely ignored that the computer is named too lol.
Just wondering if this incident is worth getting a new static IP address...(before I continue to annoy my /ipconfig/all netstat - ano lol).

I hope this incident got reported to the authorities - might make getting a new IP easier for people with static IPs since ISPs usually don't change your IP without you giving them a very good reason...
__________________
Those who forget about the past are condemned to repeat it - Santayana

Sidenote: I'm seemingly too dumb for my current keyboard, so if you see the same character twice in a row, when it doesn't belong there just ignore it.
AC-Phoenix is offline   Reply With Quote