Gmail was hacked, was this site hacked?

Status
Not open for further replies.

Damname

Full Member
ECF Veteran
Nov 2, 2009
30
0
Southern Ohio
Hello all

I have reason to believe that ECF may have been hacked for passwords and email addresses. I will explain.

I tried to log into Gmail about an hour ago and was denied due to suspicious activity. I was forced to change my password before I was allowed access to Gmail. I changed it and noticed 10 delivery failures to contacts in my inbox. The spammer that hacked me sent this link http://powersoftware.com.br/mas5.html to only 10 of my contacts. Luckily, all the messages he sent failed to be delivered.

I called my brother to see if he had gotten the spam since he was the first on the list of spam sent. He said he didn't get any, but last week his Gmail was also hacked in the same way with the same link being sent. We compared notes and decided we both were virus clean and we don't give out our Gmail passwords.

I read about how these spammers get our Gmail passwords: phishing, viruses/trojans and stealing the database of legit websites. I called my brother back to see what websites we both have accounts at and the only one is ECF. Since we were both hacked in a week's time on Gmail and we really only have 1 website in common, and we both made the mistake of using a master password for most of the accounts we create, it might be a good possibility that ECF was hacked.

Obviously I don't know that ECF was hacked for a fact, but seeing as we both have accounts here and used our Gmail passwords here and this is the only website we both have accounts at other than Gmail... it might be worth looking into. The hacker originated from Romania from this IP 79.117.144.59. Does this IP show up in any of ECF's logs anywhere?

I'm not upset or anything and I know this kind of thing happens from time to time, but if someone did hack this site... I want to make it known. For anyone else who uses the same password for a lot of sites... change your Gmail password and don't reuse your Gmail password. Don't use master passwords no matter how secure you think they are.
 

Elendil

Assclown Exterminator
Supporting Member
ECF Veteran
Verified Member
Mar 28, 2009
10,413
678
IL USA
I am unclear on how someone getting your Gmail password would lead you to believe that ECF was hacked. I will let our more technically knowledgeable staff members speak about specific security issues. I will say that it is entirely possible (and more likely) that the leak is on your end. Unless you can say with absolute certainty that your computer is 100% locked down, I would be careful making offhand comments without any supporting evidence. All you have is coincidence at this point.
 

Damname

Full Member
ECF Veteran
Nov 2, 2009
30
0
Southern Ohio
Yeah, I know it's not wise; I learned that lesson. I simply wanted to let y'all know just in case it was here, that's all. Make sure ya let your more technically minded staff know, would ya? I didn't post this to get belittled or ribbed on my technical ability. If for some reason it was ECF, wouldn't it be a good thing to know? We drew a connection and I mentioned it for prosperity, nothing more or less. Do with it what you will.
 

Damname

Full Member
ECF Veteran
Nov 2, 2009
30
0
Southern Ohio
"I will let our more technically knowledgeable staff members speak about specific security issues"

On second thought: if I mention a possible security problem here and I get a reply like this from an admin/mod... I have no more business here whatsoever. Doesn't matter if it was here or not. The mere fact that I brought up a possible security issue should prompt someone to look into it instead of insulting one's technical abilities. That's very fail.
 

LynGBH

Super Member
ECF Veteran
Jul 20, 2010
389
15
Not here.
My Gmail account was hacked several months ago, before I became an ECF member. I thought it was related to Facebook apps having access to my info.

You might want to consider checking your auto-reply setting on your gmail account. Mine had a spam message sending crap to people who were emailing me. It wasn't extremely harmful or invasive, but it was really annoying.
 

HzG8rGrl

Trippy Tip Hoarder
ECF Veteran
Verified Member
Nov 11, 2009
8,057
10,227
*The Swamp*
> "I will let our more technically knowledgeable staff members speak about specific security issues"
>
> On second thought: if I mention a possible security problem here and I get a reply like this from an admin/mod... I have no more business here whatsoever. Doesn't matter if it was here or not. The mere fact that I brought up a possible security issue should prompt someone to look into it instead of insulting one's technical abilities. That's very fail.

He was actually speaking of himself and not you - at least that is how I read his response.
 

Elendil

Assclown Exterminator
Supporting Member
ECF Veteran
Verified Member
Mar 28, 2009
10,413
678
IL USA
> He was actually speaking of himself and not you - at least that is how I read his response.

> I agree. He was minimizing himself. It's okay, although I do see how you could feel like your concerns were brushed off.

I was indeed minimizing my technical expertise in the area. I'm not sure how you feel anyone was brushed off. Many times our more technically advanced staff members are around less on the weekends. They will be made aware of your concern.

I do stand by what I said in the first place, all I see is a coincidence and no definite connection.
 

Whistle_Pig

Ultra Member
ECF Veteran
Apr 11, 2010
1,147
62
Littleton, CO, U.S.
Fools rush in where angels fear to tread.
Well, here I am.

> I am unclear on how someone getting your Gmail password would lead you to believe that ECF was hacked. I will let our more technically knowledgeable staff members speak about specific security issues. I will say that it is entirely possible (and more likely) that the leak is on your end.

Damname used the same password here as for Gmail. If she (he?) assumes that passwords are being transmitted and/or stored in cleartext, then it follows that if someone was able to crack ECF, or some piece of network hardware at the hosting site, passwords could be discovered. However, tying those to things such as Gmail accounts would require either getting a copy of the database, or a lot of effort put into something like screen-scraping.

Of course, vBulletin doesn't store passwords as clear text. (No, I don't know that at the 100% level, as I haven't examined the code, but I still feel comfortable declaring it a certainty.) However, people who aren't trained or self-educated on security issues won't necessarily know this. (IIRC, there have been issues in the past with certain BBS packages in this regard, hence damname's statement about stealing data from legit websites.) The other attack vector we might think about is that the connection to ECF doesn't use SSL. This can lead people to think that the password could be stolen by sniffing network traffic. However, I did my own local packet sniffing and discovered that the password is not being transmitted as plaintext. (As an aside, this indicates that Javascript is being used, or an HTML forms feature which I'm unfamiliar with.)

What does the above tell us? That it's extremely close to certainty that nobody can uncover a password by cracking or by some other method obtaining a copy of the ECF database, or by sniffing traffic. However, nothing is perfect. Yes, there's some chance that the cryptographic methods employed by the vBulletin software have some ..... that can be exploited. This is a very, very remote possibility, as long as the developers have been following established good practices.

Crackers are constantly attacking Gmail. Gmail is a huge target. Google is also a technically very savvy company. I can draw no conclusions here.

At the end-user level, there are a lot of possibilities. Cross-site scripting attacks, other browser-based vulnerabilities, and viruses. I hope that all Windows users are using some sort of anti-virus software. None of those packages are 100%. For one thing, they have to wait for viruses to hit before guarding against them -- they are, by nature, reactionary. So there's always a window of opportunity when a new virus is released before your anti-virus software updates to protect from it. (I'm somewhat oversimplifying here.) There are reports you can look for which will talk about things such as "of the known viruses in the wild, X anti-virus package protects against 93% of them", and similar evaluations. There is no 100% certainty of being free of virus infection, other than having a computer that is never connected to the network, and never exchanges data with another computer that is (there's a bit more to it, actually, but it would get tedious to discuss it).

Recent buzz in the security business is that a lot of account hijacks are due to simple password problems, i.e. a lot of people are using bad passwords. This news item goes around on the internet periodically, but, as others have noted, it's worth repeating. Top 500 most common passwords. Due to people using passwords like these, password guessing attacks are both common and successful. This is far and away the most likely attack vector, though I must add that the OP could well have used a strong password, and some other attack vector was used.

This is all likely more than needs to be said, but I do that sometimes. And it never hurts to reiterate that using good passwords is a must.
 

Timtam

Ultra Member
ECF Veteran
Verified Member
Sep 30, 2009
1,557
95
Australia

I like this reply!

vB stores passwords as an MD5 hash. It would take a long time to crack an MD5 hash on your own; however, with the addition of rainbow tables and the like, if someone does manage to get the hash and you are using a simple password, they can get the password by comparing the hash to other hashes.

I'd be willing to bet that ECF has not been hacked. I know the person who does all of our web stuff for a couple of years now (Alex) and I can tell you, some of the security measures he takes are some of the best, and would be extremely hard to exploit. If someone has the knowledge to crack Alex's work, they would have the knowledge to crack Gmail themselves.

By the sounds of things, the OP is using their Gmail account to sign-up to other things, so it could be that it was taken from a site which has poor security measures, or was a phishing site itself, and that is where it was stolen. It could even be that the user was sent to a simple site which has a Java script which downloads and executes files without the end user knowing.

Rest assured, we do take security very seriously here, and we are always making sure that our servers are air-tight to protect us, but more importantly to protect you.
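
Added example, not part of Timtam's post and not vBulletin's or ECF's code: a defender-side audit showing why a fast unsalted hash exposes every account that uses a listed password at once, next to a per-user salt with a slow KDF. The plain unsalted MD5 follows the post's description; the users, the wordlist and the PBKDF2 work factor are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a "most common passwords" list.
COMMON = ["123456", "password", "qwerty", "letmein", "dragon"]
# Constructed accounts; bob uses the long random example quoted in this thread.
USERS = {"alice": "letmein", "bob": "w7fBH486jSc8ujQ3489b7K4", "carol": "letmein"}
PBKDF2_ROUNDS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def md5_hex(password):
    return hashlib.md5(password.encode()).hexdigest()


def audit_unsalted(stored, wordlist):
    """Flag accounts whose unsalted MD5 equals the hash of a listed password.

    The table is built once and then matches every account for free,
    which is why a fast unsalted hash gives weak passwords no protection.
    """
    table = {md5_hex(w): w for w in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


def hash_salted(password, salt=None):
    """Return (salt, digest) using a per-user random salt and a slow KDF."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_salted(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_salted(password, salt)
    return hmac.compare_digest(candidate, digest)


def demo():
    unsalted = {u: md5_hex(p) for u, p in USERS.items()}
    salted = {u: hash_salted(p) for u, p in USERS.items()}
    return {
        # Accounts a leaked unsalted table would give away immediately.
        "exposed": audit_unsalted(unsalted, COMMON),
        # Identical passwords collide without a salt, and do not with one.
        "same_unsalted": unsalted["alice"] == unsalted["carol"],
        "same_salted": salted["alice"][1] == salted["carol"][1],
        "login_ok": verify_salted("letmein", *salted["alice"]),
        "login_bad": verify_salted("letmein", *salted["bob"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

With the salted records a precomputed table is useless: each guess has to be recomputed per account at the full work factor.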
 

rolygate

Vaping Master
Supporting Member
ECF Veteran
Verified Member
Sep 24, 2009
8,354
12,402
ECF Towers
Thanks Tim and WhistlePig.

Just to add a couple of points: as Tim says, vB stores passwords as an MD5 hash (encrypted code), and they are sent over the network encrypted, so it's unlikely to be an exploit here. In addition we would have heard a lot more about it, since getting someone's Gmail p/w is not really going to be the primary aim of someone exploiting ECF.

Like every big site we get a ton of attacks, probably over 100 a day, and they are all blocked except for extremely rare occasions when the vB code has a new and unpatched exploit. We did have one a while back, before we upgraded to the latest version, and it was soon patched.

You should probably go to vB central and take a look round their sites (vbulletin.com and .org). This is a big commercial web server application with a lot of work being done on it, plus a huge community also helping with code. They are pretty good on security. Forum software is intrinsically more vulnerable than any other type of server software, but they do a good job. vB has never had the same sort of security problems that phpBB and IPB have had, for example.

The main target of attackers is to get their code onto the site and infect visitors' PCs in order to get them into botnets, which are a big commercial enterprise now with substantial payoffs for the botnet controllers. A botnet is a group of slave machines which can be used for PPC fraud and DDOS attack blackmail etc. The best way you can stop your site being infected by botnet malware is (a) don't use Internet Explorer, and (b) use a real firewall and antivirus. A 'real' firewall by the way works in both directions and has a HIPS component - unlike Windows 'firewall' which only blocks incoming attacks and allows resident malware to phone home. This is effectively useless because half of the job is to stop it getting in, the other half of the job is to stop it dialling out. Good firewalls, that actually work, include Comodo, Online Armor and Agnitum Outpost. If you google for 'matousec tests' and 'best free firewall gizmos' you can find more resources with tests etc but the names I just gave will do the job. Disable ftp.exe in your firewall options/program control, by the way (rootkits use it to dial out). Instead, if you use ftp, use a 3rd-party app like CoreFTP (which for the purpose under discussion is a better option than FileZilla since Core stores passwords encrypted but FileZilla stores p/w's as plain text - which many people don't know).

Use OpenDNS or similar because that will stop you going to known attack sites.

In my experience (from disinfecting many PCs including all the family's kids' PCs, which are basically malware farms due to using IE, Windows Messenger, and clicking on every flashing twinkling thing out there), the difficult stuff now are the rootkits, and that's increasingly what the successful exploits are using. Standard antivirus and antispyware apps CANNOT fix rootkits. These are expertly coded parasites that dig in deep and camouflage themselves. They don't do anything bad themselves, but they generate executables (the mini-apps that do the data gathering, keylogging, net controlling and phone-home work) and they themselves stay hidden. Your a/v and a/s find the executables occasionally but they can't find the rootkits. You need rootkit removers for this, see:
Best Free Rootkit Scanner/Remover

Another point is that the OP seems to hint that they used the same password for several sites/applications. This is a massive security fail and it points out very clearly that the person doing it has no appreciation whatsoever of any security issues. (Just saying that to make the point clear that somebody doing that cannot comment on any aspect of security/software/etc.)

My opinion is that a person who does not use a password manager such as Roboform or Keepass cannot possibly be using passwords correctly. This is because:

- you MUST use a different p/w for EVERY single site or application.
- a real password looks like this: w7fBH486jSc8ujQ3489b7K4 -- and you CANNOT POSSIBLY remember it. You certainly can't remember 50 of them.

You don't need symbols/punctuation in a p/w, you just make it longer to get the necessary bit strength (some applications don't accept symbols and the thing crashes).

Keepass has a useful feature where it tells you the bit-strength of the p/w. You need a minimum of 50 bits before it's actually a 'password', anything less is just a joke. Go here to get a free password manager:
Best Free Web Form Filler / Password Manager

LastPass is probably the best all-round free one though Keepass has some useful features. Roboform is the best if you can pay.

Due to these various issues I would guess the OP's problem is caused by poor password security. Either an insecure site had traffic intercepted; or the p/w was used for an insecure application; or malware on the PC grabbed it and phoned home; or it was not a real password and was either based on a word in the dictionary or one of the 500 most common passwords - both of which are easily and quickly cracked.

Get a password manager. Get an antivirus like Avast that can run a boot-time scan - this runs before Windows starts up, after Windows is live a scan is not as efficient as some malware can protect itself when live. Get a rootkit scanner or two and run them after the a/v boot-time scan has been done. A-Squared is the best-performing anti-spyware in my tests but the problem now is more likely to be rootkits. Prevx is a good security solution though it can slow the PC down and it can't find many rootkits. Try it free for a couple of weeks and see what it finds on your PC.

A Mac is a good solution, just as Linux is of course. This is simply because 99.99% of attacks are for Windows since they have the most machines out there, plus Linux users (and some Mac users*) are likely to be more security conscious than most Windows users. It's said that 20% of PCs are controlled by a botnet - that's one in five. Does that mean that 1 in 5 of people reading this have slave machines? Probably not. But somebody reading this will have, for sure.

* I have found in my commercial work that a percentage of Mac users are all-round the most incompetent and least-knowledgeable of any computer users anywhere; just in case anyone thinks Mac users are 'better'.
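
Added example, not from rolygate's post and not KeePass's estimator: the bit-strength arithmetic behind the 50-bit minimum and the "no symbols, just make it longer" advice, with a check showing how a character-count estimate overrates a dictionary word with swapped characters. It assumes the uniform-random entropy formula (length × log2 of alphabet size); the wordlist and the swap table are constructed.

```python
import math
import secrets
import string

ALNUM = string.ascii_letters + string.digits   # 62 symbols, no punctuation
FULL = ALNUM + string.punctuation              # 94 symbols
# Constructed stand-in for a "most common passwords" list.
COMMON = ["123456", "password", "qwerty", "letmein", "dragon"]
# Constructed table of character swaps that cracking wordlists routinely undo.
SWAPS = str.maketrans({"@": "a", "4": "a", "1": "i", "0": "o", "3": "e", "$": "s"})


def random_bits(length, alphabet_size):
    """Entropy of a password whose characters are chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def min_length(target_bits, alphabet_size):
    """Shortest random password over this alphabet reaching target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate(target_bits, alphabet=ALNUM):
    """Random password of at least target_bits, drawn with the OS CSPRNG."""
    length = min_length(target_bits, len(alphabet))
    return "".join(secrets.choice(alphabet) for _ in range(length))


def alphabet_size(password):
    """Size of the character classes the password draws from."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation + " "]
    return sum(len(c) for c in classes if any(ch in c for ch in password))


def estimate_bits(password, wordlist=COMMON):
    """Upper bound on strength: a listed word, even with swaps, is worth only
    the size of the list; anything else is credited as if fully random."""
    if not password:
        return 0.0
    lowered = password.lower()
    if lowered in wordlist or lowered.translate(SWAPS) in wordlist:
        return math.log2(len(wordlist))
    return random_bits(len(password), alphabet_size(password))


if __name__ == "__main__":
    for bits in (50, 128):
        print(bits, "bits:", min_length(bits, len(ALNUM)), "alphanumeric chars,",
              min_length(bits, len(FULL)), "with symbols")
    for pw in ("P@ssw0rd", "w7fBH486jSc8ujQ3489b7K4", generate(50)):
        naive = random_bits(len(pw), alphabet_size(pw))
        print(f"{pw!r}: naive {naive:.1f} bits, estimate {estimate_bits(pw):.1f} bits")
```

The estimate is only an upper bound: it is exact for randomly generated passwords and too generous for anything a person made up that is not in the list.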
 

SlimXero

Super Member
ECF Veteran
Sep 7, 2009
313
70
36
Seffner, Florida
Another thing you could try for a more secure password is using a random string of numbers, letters and special characters, then keeping a physical copy of this password in a safe place that is unusual (i.e. not under your keyboard, on a sticky note on the screen, etc. I use this method for a very few websites and I have a copy of it saved in my voicemail). I change this password every thirty days like clockwork, and I also change my hiding spot (I'll hide it in plain sight oftentimes, such as the bookshelf in my house, which has a find-a-word style puzzle book that is never used. I'll go through it and circle random letters and add numbers at the end of the rows. No one would think to look there).

Another thing to remember is don't allow Firefox/Opera/IE to remember your password. Yes, nearly any password is crackable if enough time is spent, but most people aren't going to spend an extreme amount of time to crack a password for something as unimportant (don't jump me sports fans) as ECF. So usually just having a hard-to-guess/crack password is security in and of itself. If your password can be cracked in a few minutes, why not? If it takes many hours, is it truly worth it?

Hope it's helpful.
 

rolygate

Vaping Master
Supporting Member
ECF Veteran
Verified Member
Sep 24, 2009
8,354
12,402
ECF Towers
A couple more points on passwords:

- You don't need to "store passwords on the computer" or "write them down somewhere". That's what a password manager does, it stores them in encrypted form. You can use a portable version on a USB stick so that you can use it on other PCs if you have to, such as work and home.
- Real passwords for frequent web users are not possible to write and hide. You would have dozens of them, of over 20 characters length. The only practical solution is a password manager.
- OK, you don't need strong passwords for unimportant sites. Fido3 is probably OK for a blog comment or something.
 

iamjn

Unregistered Supplier
ECF Veteran
May 1, 2010
161
0
West Michigan
> Another thing to remember is don't allow Firefox/Opera/IE to remember your password.

Another interesting note on this: Firefox, which is so much better than IE in most aspects, is actually less secure on this. IE encrypts the stored password (although it is quite easily decrypted - at least it pretends to make an effort at it). Firefox stores the passwords in plaintext. Best advice: don't do it with any browser.

Interesting and quick read on this can be found here: Firefox & IE Prompt You To Remember Passwords – Do You Say Yes ?
 

tornado9015

Senior Member
ECF Veteran
Sep 28, 2010
184
2
34
Braintree
> Number one rule of passwords.....never use anything based on dictionary words. Even the common replacements for letters, like @ for a and 1 for I, are easily done by password software.
> Use spaces in conjunction with special characters. For example: 3-cig R0ck$!
> Good Luck!
> :)

Dictionary, and brute force attacks, never work. They take incredible amounts of time, they are almost never successful, they simply aren't practical unless there is a specific high value target that cannot be cracked another way. Most "hacking" these days, is phishing, tricking people into willingly giving out their passwords, I'll let xkcd explain.

xkcd: Password Reuse
 