AnimeSuki Forums

Old 2014-05-12, 12:16   Link #61
GHDpro
Administrator
*Administrator
 
 
Join Date: Jan 2001
Location: Netherlands
Age: 45
Quote:
Originally Posted by Scorpiopt View Post
If vBulletin is shitty (which it is), I suggest you guys move to XenForo; it's way better in terms of security and faster
I haven't looked at XenForo recently but one of the key problems I noticed when I tried to look into whether it would be a good replacement is that you'd basically have to say goodbye to the Social Groups and Pictures & Albums options, which will make a LOT of users unhappy. Yes I know these two features have XenForo equivalents, but afaik there is no easy way to convert them, so you'd have to start over from scratch.

Also the lawsuit dealt a serious blow to the future of XenForo. I know the lawsuit is now over and updates are continuing again, but it still makes me a bit wary.
GHDpro is offline   Reply With Quote
Old 2014-05-12, 12:17   Link #62
ellifeedn
Thinker
 
Join Date: Dec 2006
Location: New York
Is it possible to lock up accounts that are inactive after a long enough time?
ellifeedn is offline   Reply With Quote
Old 2014-05-12, 12:19   Link #63
GHDpro
Administrator
*Administrator
 
 
Join Date: Jan 2001
Location: Netherlands
Age: 45
Quote:
Originally Posted by ellifeedn View Post
Is it possible to lock up accounts that are inactive after a long enough time?
Yes but that wouldn't be really necessary. What we should have done is remove accounts that weren't really active from usergroups with elevated privileges. In other words the compromised admin account that made this possible should have been demoted to a regular user account ages ago.

Needless to say we did remove any inactive admins & mods now.
GHDpro is offline   Reply With Quote
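
The check described in post #63 (taking inactive accounts out of usergroups with elevated privileges) can be run as a periodic audit. This is an added example, not part of the thread or of the forum's own code; the field names, group ids and sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Assumed group ids and labels for this example; map them to your forum's groups.
PRIVILEGED_GROUPS = {5: "Super Moderator", 6: "Administrator", 7: "Moderator"}

def privileged_memberships(user):
    """Privileged group ids held via the primary OR any secondary group."""
    ids = {user["primary_group"]}
    ids.update(int(g) for g in user.get("secondary_groups", "").split(",") if g.strip())
    return sorted(ids & set(PRIVILEGED_GROUPS))

def audit_dormant_staff(users, now, max_idle_days=90):
    """Return privileged accounts idle longer than max_idle_days, worst first."""
    cutoff = now - timedelta(days=max_idle_days)
    findings = []
    for user in users:
        groups = privileged_memberships(user)
        if not groups:
            continue  # ordinary member: dormancy alone is not the risk here
        last = user.get("last_activity")  # None means the account never logged in
        if last is None or last < cutoff:
            findings.append({
                "username": user["username"],
                "groups": [PRIVILEGED_GROUPS[g] for g in groups],
                "idle_days": None if last is None else (now - last).days,
            })
    # Never-used privileged accounts first, then longest idle.
    return sorted(findings, key=lambda f: (f["idle_days"] is not None, -(f["idle_days"] or 0)))

def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample records (not real accounts).
NOW = _utc(2014, 5, 12)
SAMPLE_USERS = [
    {"username": "alice_admin", "primary_group": 6, "secondary_groups": "", "last_activity": _utc(2014, 5, 10)},
    {"username": "old_mod", "primary_group": 2, "secondary_groups": "7", "last_activity": _utc(2012, 1, 15)},
    {"username": "ghost_admin", "primary_group": 6, "secondary_groups": "", "last_activity": None},
    {"username": "regular", "primary_group": 2, "secondary_groups": "", "last_activity": _utc(2010, 3, 1)},
    {"username": "recent_mod", "primary_group": 7, "secondary_groups": "2", "last_activity": _utc(2014, 4, 1)},
]

if __name__ == "__main__":
    for f in audit_dormant_staff(SAMPLE_USERS, NOW):
        idle = "never logged in" if f["idle_days"] is None else f"idle {f['idle_days']} days"
        print(f"{f['username']}: {', '.join(f['groups'])} ({idle})")
```

Secondary group memberships are checked as well as the primary group, since a dormant account that looks like a regular user can still hold moderator rights through one.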
Old 2014-05-12, 12:23   Link #64
Hooves
~Official Slacker~
*Author
 
 
Join Date: Aug 2010
Location: Xanadu
Age: 29
Well that's good to hear. Still strange that this issue came up so randomly. I myself even thought I got banned for unknown reasons. So basically only active admins & mods are still around now?
__________________
Freyja Wion from Macross Delta!
Signature from: TheEroKing
Hooves is offline   Reply With Quote
Old 2014-05-12, 12:24   Link #65
KholdStare
ISML Technical Staff
*Graphic Designer
 
 
Join Date: Dec 2006
Location: Phoenix, AZ
Age: 35
Quote:
Originally Posted by GHDpro View Post
I haven't looked at XenForo recently but one of the key problems I noticed when I tried to look into whether it would be a good replacement is that you'd basically have to say goodbye to the Social Groups and Pictures & Albums options, which will make a LOT of users unhappy. Yes I know these two features have XenForo equivalents, but afaik there is no easy way to convert them, so you'd have to start over from scratch.

Also the lawsuit dealt a serious blow to the future of XenForo. I know the lawsuit is now over and updates are continuing again, but it still makes me a bit wary.
Maybe it's just me, but at this point I think forum members will understand some inconvenience in exchange for more security when visiting the forums. If you give notice ahead of time, people will at least have time to save their albums. I highly doubt many people use AS as their only means of storing pictures. Regarding social groups, I would even be willing to say that we will get more interest in them if members have to create them again.
KholdStare is offline   Reply With Quote
Old 2014-05-12, 12:27   Link #66
Scorpiopt
Senior Member
 
 
Join Date: Nov 2010
Quote:
Originally Posted by KholdStare View Post
Maybe it's just me, but at this point I think forum members will understand some inconvenience in exchange for more security when visiting the forums. If you give notice ahead of time, people will at least have time to save their albums. I highly doubt many people use AS as their only means of storing pictures. Regarding social groups, I would even be willing to say that we will get more interest in them if members have to create them again.
I agree with this
Scorpiopt is offline   Reply With Quote
Old 2014-05-12, 12:31   Link #67
Hooves
~Official Slacker~
*Author
 
 
Join Date: Aug 2010
Location: Xanadu
Age: 29
I also agree, depending on others' responses who are more invested in social albums and such.
__________________
Freyja Wion from Macross Delta!
Signature from: TheEroKing
Hooves is offline   Reply With Quote
Old 2014-05-12, 12:32   Link #68
DragoMuseveni
True Dragon
 
 
Join Date: Nov 2013
Location: Riding on Great Red head
Age: 28
It's very hard to handle with XenForo; I'd suggest to remain on vBulletin cuz, from my searches, almost all forums use MD5 hash, except phpBB3 and IP.Board, if I recall correctly.
DragoMuseveni is offline   Reply With Quote
Old 2014-05-13, 07:53   Link #69
Auxilism
For the yuri (╹◡╹)
 
 
Join Date: Apr 2012
Location: I do not remember
Were recent avatars, profile pictures (maybe?) and signatures wiped/reverted after the downtime intentionally? Should we reupload/re-edit them or wait for more news?
Auxilism is offline   Reply With Quote
Old 2014-05-13, 07:58   Link #70
milan kyuubi
Call me MK! :)
*Graphic Designer
 
 
Join Date: Oct 2009
Location: The top of the world.
Age: 34
^ It seems only some users were affected by that...

Question to the mods/admins: Is everything ok with forum now?
__________________
My Twitter account! Thanks to Godlike1889 for the sig!
milan kyuubi is offline   Reply With Quote
Old 2014-05-13, 08:02   Link #71
GHDpro
Administrator
*Administrator
 
 
Join Date: Jan 2001
Location: Netherlands
Age: 45
I suppose I should have made a post at the end of the thread too, rather than just updating the first one.

Quote:
Update May 13 - Forum Server Rebuild Complete (by GHDpro)
Due to this security issue we felt it necessary to completely wipe & rebuild the forum server and restore from backups. The backup that was restored is about two weeks old. However three tables were kept from before the rebuild: users, posts and threads. This means all user accounts (including password changes you may have already done) and posts and threads should have been preserved.

However, anything else posted, changed or uploaded in that time may have been lost, including visitor messages, PMs and any changes to pictures and albums, just to name a few. If you changed your avatar in the past two weeks you might also have to upload it again.

Due to the server rebuild (which took much longer than expected, sorry about that) and the way we restored the forum some things may be broken or not working correctly. Please notify us about this by posting in this thread, thank you.
GHDpro is offline   Reply With Quote
Old 2014-05-13, 08:03   Link #72
Kakurin
大佐
 
 
Join Date: Jun 2013
I think it depends on when you updated your avatar / signature. The backup of messages etc. seems to be slightly older. The newest PM left in my inbox is from 4/27. I guess this should be the same for avatars etc.
Kakurin is offline   Reply With Quote
Old 2014-05-13, 08:08   Link #73
FlyingCow65
Senior Member
 
 
Join Date: May 2014
Location: Here and there
Great, made an account for the first time in a forum and this happens T.T If I made an account last week, not the day of the attack, am I safe? Just a question.
FlyingCow65 is offline   Reply With Quote
Old 2014-05-13, 08:12   Link #74
GHDpro
Administrator
*Administrator
 
 
Join Date: Jan 2001
Location: Netherlands
Age: 45
Quote:
Originally Posted by FlyingCow65 View Post
Great, made an account for the first time in a forum and this happens T.T If I made an account last week, not the day of the attack, am I safe? Just a question.
From what information I can gather (Nightwish and relentlessflame did most of the investigation work) the user database was downloaded on May 6 at around 18:00 UTC (GMT).

I cannot guarantee that if you registered after that you are safe as I'm not sure if Nightwish/relentlessflame found multiple downloads or just the one.

In any case you probably were asked to update your password already. And I sincerely hope nobody reused their password on other sites (use a password manager!).

It may be worth mentioning that you may receive phishing attempts on the email account you used to register. Be careful & suspicious of any mail you receive!
GHDpro is offline   Reply With Quote
Old 2014-05-13, 08:15   Link #75
milan kyuubi
Call me MK! :)
*Graphic Designer
 
 
Join Date: Oct 2009
Location: The top of the world.
Age: 34
Maybe a silly question, since these things happen very often on the internet. But were some higher forces (police etc etc) informed of this? Is it possible to discover/find the culprit behind this?
__________________
My Twitter account! Thanks to Godlike1889 for the sig!
milan kyuubi is offline   Reply With Quote
Old 2014-05-13, 08:16   Link #76
Solace
(ノಠ益ಠ)ノ彡┻━┻
*Moderator
 
 
Join Date: Mar 2006
Quote:
Originally Posted by KholdStare View Post
Maybe it's just me, but at this point I think forum members will understand some inconvenience in exchange for more security when visiting the forums. If you give notice ahead of time, people will at least have time to save their albums. I highly doubt many people use AS as their only means of storing pictures. Regarding social groups, I would even be willing to say that we will get more interest in them if members have to create them again.
Well, beyond things like social groups and albums, the forum is also customized with many features and tweaks we've created over the years. For example, the ability to block particular signatures/avatars, custom tags, groups, etc.

It's highly unlikely we would be able to migrate these features into a newer version of VB (or at least, not without a tremendous amount of work), and even less likely for other forum software. Basically, we haven't found the right balance between ease of migration for everyone, yet.

We're still deep in discussion about how to best move the site/forum forward, but we don't want to make such a huge change without being sure it's something that is absolutely worth it for everyone even if there are some downsides. Forum migration/upgrades done wrong could decimate the community.
Solace is offline   Reply With Quote
Old 2014-05-13, 08:20   Link #77
Liddo-kun
is this so?
 
 
Join Date: Mar 2007
Location: Gradius Home World
Quote:
Originally Posted by NightWish View Post
Attack Details
We do not yet know how the initial account break happened, except to say that a somewhat dormant staff account was used to create an announcement that injected a malicious script in each forum-viewing page, which in turn compromised the forum for each user (and resulted in private messages being downloaded). It is possible your own browser will have a record of this happening, as it was noticed as a back-button problem by some. If you block JavaScript by default you may have been protected.
This gave me the shivers a bit.. feels like deja vu. A dormant mod account being used by an attacker is what caused the downfall of another forum that I was active in years ago.. Glad that the staff here managed to stop it in time.

I've changed my email and password. Does that help?
Liddo-kun is offline   Reply With Quote
Old 2014-05-13, 08:21   Link #78
Fireminer
Lumine Passio
*Author
 
 
Join Date: Jul 2013
Location: Hanoi, Vietnam
Age: 18
I just don't understand: Why the heck does anybody want to hack Animesuki? The only worthy thing around here are the torrents.
Fireminer is offline   Reply With Quote
Old 2014-05-13, 08:28   Link #79
milan kyuubi
Call me MK! :)
*Graphic Designer
 
 
Join Date: Oct 2009
Location: The top of the world.
Age: 34
Quote:
Originally Posted by Fireminer View Post
I just don't understand: Why the heck does anybody want to hack Animesuki? The only worthy thing around here are the torrents.
Some of the users here may have used the same passwords etc for some money-related sites. Using info gathered here the hacker could crack accounts on those sites, and really mess things up.

Or it could be simply for fun!
__________________
My Twitter account! Thanks to Godlike1889 for the sig!
milan kyuubi is offline   Reply With Quote
Old 2014-05-13, 08:30   Link #80
LKK
Senior Member
 
 
Join Date: Nov 2006
Location: Virginia, USA
Age: 62
Quote:
Originally Posted by Fireminer View Post
I just don't understand: Why the heck does anybody want to hack Animesuki? The only worthy thing around here are the torrents.
It's not Animesuki per se that they wanted to get into, it's the user account information they were looking for: the login names, the email addresses, and the passwords. With your login name, your email address, and your password, they might be able to get into far more important places around the net that you access (such as online retailers, credit card companies, bank accounts, etc.) IF you used the same information on those sites that you used here at AS. That's why we are advising everyone to change your other sites' account information if you used the same login information there that you used here.

In other words, Animesuki's value to the ones who broke in is in finding key information that will help them get into other more valuable sites you access.

Edit: milan kyuubi types faster than me.
__________________

Avatar: Hazuki of Natsuyuki Rendezvous / Signature: flowers from Natsuyuki Rendezvous
LKK is offline   Reply With Quote
All times are GMT -5.


Powered by vBulletin® Version 3.8.11