Date: 28-10-25  Time: 23:00 pm

Author Topic: foc-u, hacking and your data (a warning)  (Read 6556 times)

Farjo

  • GP Hero
  • ******
  • Posts: 14,645
foc-u, hacking and your data (a warning)
« on: 29 August 2013, 11:26:51 pm »
As far as I know, foc-u has not been hacked and no data has been stolen. This post is just a warning, a heads-up.

** Forum hacking has become more and more common. **

There's nothing bad about foc-u's security and we are probably not big enough to be a target. However we should have it in mind.

Therefore:
  • Don't have the same password for foc-u as your banks (etc).
  • Don't send personal information via PM. If you have done so then delete those PMs.

Please note that this is not related to getting spam postings, which you should continue to report using the 'Report to moderator' link.

ChristoT

  • GP Hero
  • ******
  • Posts: 5,207
Re: foc-u, hacking and your data (a warning)
« Reply #1 on: 29 August 2013, 11:33:47 pm »
Personally, I never post anything to the internet I have any intention of keeping private. I think the most personal stuff I've sent by PM has been my number and email. And my email's been hacked before now anyway....  :rolleyes

Chris

  • Naughty Corner
  • GP Hero
  • ******
  • Posts: 1,982
Re: foc-u, hacking and your data (a warning)
« Reply #2 on: 30 August 2013, 12:22:04 am »
Just to confirm for anyone who took part in the Silicone hose group buy that I have deleted all your personal info from my PMs a long time ago. ;)
 
Chris

noggythenog

  • Naughty Corner
  • GP Hero
  • ******
  • Posts: 4,991
Re: foc-u, hacking and your data (a warning)
« Reply #3 on: 30 August 2013, 09:20:21 am »
Thanks Farjo, deadeye was chatting to me about this sort of thing yesterday as he's a crook ;) , I mean an IT guru! :D

I've now gone through all of my messages & deleted any sensitive data. Surprising how much was there.

Actually I've also gone way back to my introduction & deleted it too as I told my life story on there.

Once deleted is there pretty much no way of hacking the info? Well, unless you were GCHQ, but I take it you have like a bulk delete of deleted info or something?

We should prob keep this thread bumped & see if most of the forum can do some spring cleaning.

mickvp

  • Global Moderator
  • GP Hero
  • *****
  • Posts: 2,246
Re: foc-u, hacking and your data (a warning)
« Reply #4 on: 30 August 2013, 09:58:10 am »
Once it's deleted mate it's gone. Well, that's how it works on the bulletin database anyway, smf may be slightly different.

noggythenog

  • Naughty Corner
  • GP Hero
  • ******
  • Posts: 4,991
Re: foc-u, hacking and your data (a warning)
« Reply #5 on: 30 August 2013, 10:00:52 am »
> Once it's deleted mate it's gone. Well, that's how it works on the bulletin database anyway, smf may be slightly different.

Cheers Mick

simonm

  • Naughty Corner
  • GP Hero
  • ******
  • Posts: 1,457
Re: foc-u, hacking and your data (a warning)
« Reply #6 on: 30 August 2013, 12:57:52 pm »
I use LastPass to create and manage random passwords. I can highly recommend it.

As for your bank logon, mine is about 15 stages and requires blood and urine samples to get into. So anyone that wants those has to have a screw loose.

I'd also recommend giving credit card details (verbally if possible) as the credit card company will reimburse you against fraudulent use.

dBfazer600

  • WSB Pack Hound
  • *****
  • Posts: 575
Re: foc-u, hacking and your data (a warning)
« Reply #7 on: 30 August 2013, 01:27:27 pm »
Deleted all PMs that I have sent and received to keep people's minds at rest. I always delete messages with personal details immediately.

Daz

simonm

  • Naughty Corner
  • GP Hero
  • ******
  • Posts: 1,457
Re: foc-u, hacking and your data (a warning)
« Reply #8 on: 30 August 2013, 01:53:24 pm »

dBfazer600

  • WSB Pack Hound
  • *****
  • Posts: 575
Re: foc-u, hacking and your data (a warning)
« Reply #9 on: 30 August 2013, 02:05:09 pm »
:rollin :rollin :rollin That man is priceless and a foc-u from his friendly fan who had to prove him a knob jockey on this occasion :lol

Daz

His Dudeness

  • Naughty Corner
  • GP Hero
  • ******
  • Posts: 2,801
Re: foc-u, hacking and your data (a warning)
« Reply #10 on: 31 August 2013, 02:41:17 pm »
Would it be possible to put an expiration date on messages? So say after two months they automatically get deleted.

Farjo

  • GP Hero
  • ******
  • Posts: 14,645
Re: foc-u, hacking and your data (a warning)
« Reply #11 on: 31 August 2013, 05:24:19 pm »
Nice suggestion, however it would upset many people who keep useful information in their PMs.

Dead Eye

  • Naughty Corner
  • GP Hero
  • ******
  • Posts: 3,753
Re: foc-u, hacking and your data (a warning)
« Reply #12 on: 31 August 2013, 05:31:42 pm »
I think he means an optional expiry date which you as the user can set on messages that you send. In any case, there is nothing to guarantee that the end user won't copy that data to some other place. The only guaranteed security is to not send sensitive information that could be compromising and let's not even talk about man-in-the-middle attacks...

goldfazer

  • Naughty Corner
  • GP Hero
  • ******
  • Posts: 20,349
Re: foc-u, hacking and your data (a warning)
« Reply #13 on: 01 September 2013, 07:16:19 pm »
Can the login passwords not be encrypted?

That's web security for dummies stuff!!

simonm

  • Naughty Corner
  • GP Hero
  • ******
  • Posts: 1,457
Re: foc-u, hacking and your data (a warning)
« Reply #14 on: 01 September 2013, 07:29:54 pm »
> Can the login passwords not be encrypted?
>
> That's web security for dummies stuff!!

This kinda stuff :-) http://stackoverflow.com/questions/5482437/md5-hashing-using-password-as-salt

Dead Eye

  • Naughty Corner
  • GP Hero
  • ******
  • Posts: 3,753
Re: foc-u, hacking and your data (a warning)
« Reply #15 on: 01 September 2013, 07:40:55 pm »
I'd be horrifically surprised if SMF didn't use MD5 as a minimum on the passwords. These days though, MD5 is beginning to show a weakness against the sheer processing power available in modern machines coupled with the use of Rainbow Tables (too large a topic to cover)

On most systems I work with I use SHA-1 as a minimum but am often using SHA-256 now.

Hedgetrimmer

  • GP Hero
  • ******
  • Posts: 5,711
Re: foc-u, hacking and your data (a warning)
« Reply #16 on: 01 September 2013, 08:07:19 pm »
I just whisper very quietly... :pc

simonm

  • Naughty Corner
  • GP Hero
  • ******
  • Posts: 1,457
Re: foc-u, hacking and your data (a warning)
« Reply #17 on: 01 September 2013, 08:10:55 pm »
Apparently bcrypt is the way forward but who knows.... I'm guessing security and mathematics experts.  I.e. not me.

http://codahale.com/how-to-safely-store-a-password/

Farjo

  • GP Hero
  • ******
  • Posts: 14,645
Re: foc-u, hacking and your data (a warning)
« Reply #18 on: 03 September 2013, 07:30:56 pm »
> Can the login passwords not be encrypted?
>
> That's web security for dummies stuff!!

Yes they're encrypted, however this is what I've read elsewhere:
"Yes, they are encrypted. Unfortunately it's possible to brute force with about 3 billion, or more, attempts *per second*.
A very interesting article about that, if you care, is located here:
http://www.zdnet.com/blog/hardware/cheap-gpus-are-rendering-strong-passwords-useless/13125"

mickvp

  • Global Moderator
  • GP Hero
  • *****
  • Posts: 2,246
Re: foc-u, hacking and your data (a warning)
« Reply #19 on: 03 September 2013, 07:33:42 pm »
I'm not sure if you have implemented this or not, but if not, you could add something that times users out after xx minutes if they make xx number of failed logins. It still doesn't solve the problem, but it's a deterrent.

simonm

  • Naughty Corner
  • GP Hero
  • ******
  • Posts: 1,457
Re: foc-u, hacking and your data (a warning)
« Reply #20 on: 03 September 2013, 07:43:41 pm »
> > Can the login passwords not be encrypted?
> >
> > That's web security for dummies stuff!!
>
> Yes they're encrypted, however this is what I've read elsewhere:
> "Yes, they are encrypted. Unfortunately it's possible to brute force with about 3 billion, or more, attempts *per second*.
> A very interesting article about that, if you care, is located here:
> http://www.zdnet.com/blog/hardware/cheap-gpus-are-rendering-strong-passwords-useless/13125"

MD5 and SHA are designed to be processed quickly. That's why they're not good for storing passwords as brute force attacks get a quick response. The way around it is to make the processing slow because passwords don't need to be decrypted quickly. That's where Bcrypt comes in.

https://en.wikipedia.org/wiki/Bcrypt

Farjo

  • GP Hero
  • ******
  • Posts: 14,645
Re: foc-u, hacking and your data (a warning)
« Reply #21 on: 03 September 2013, 07:46:06 pm »
The danger is that someone who has stolen the database can then use brute force to obtain the user passwords, rather than attempt it on the live site which would swamp the log files.

simonm

  • Naughty Corner
  • GP Hero
  • ******
  • Posts: 1,457
Re: foc-u, hacking and your data (a warning)
« Reply #22 on: 03 September 2013, 08:12:28 pm »
> The danger is that someone who has stolen the database can then use brute force to obtain the user passwords, rather than attempt it on the live site which would swamp the log files.

If someone stole the database and it was encrypted with Bcrypt then they could get a password in 12 years or so depending on configuration.

"So we’re talking about 5 or so orders of magnitude. Instead of cracking a password every 40 seconds, I’d be cracking them every 12 years or so"
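
The fast-hash versus slow-hash point made in Replies #20 to #22, as an added example that is not part of the thread and is not SMF's code. It assumes PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt; the iteration count, the sample passwords and the 8-character keyspace are constructed, and the guess rate is the "3 billion attempts per second" figure quoted above.

```python
import hashlib
import hmac
import os

# Assumption: PBKDF2 stands in for bcrypt; both are salted and deliberately slow.
ITERATIONS = 200_000  # constructed work factor for this example


def fast_md5(password: str) -> str:
    """Unsalted single-pass MD5: equal passwords always give equal hashes."""
    return hashlib.md5(password.encode()).hexdigest()


def slow_hash(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$iterations$salt$digest' using a fresh random salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, expected)


def years_to_search(keyspace: int, fast_rate: float, cost: int = 1) -> float:
    """Worst-case years to try every candidate offline against a stolen database.
    Simplification: one guess against the slow hash costs `cost` fast hashes."""
    return keyspace * cost / fast_rate / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample: two users who chose the same password.
    a, b = slow_hash("correct horse"), slow_hash("correct horse")
    print("salted records differ:", a != b, "| verifies:", verify("correct horse", a))
    keyspace = 62 ** 8  # 8 characters from a-z, A-Z, 0-9
    print(f"fast hash: {years_to_search(keyspace, 3e9):.4f} years")
    print(f"slow hash: {years_to_search(keyspace, 3e9, ITERATIONS):.0f} years")
```

The stored record carries its own salt and iteration count, so the work factor can be raised later for new hashes without invalidating existing ones.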

Farjo

  • GP Hero
  • ******
  • Posts: 14,645
Re: foc-u, hacking and your data (a warning)
« Reply #23 on: 03 September 2013, 08:47:42 pm »
Search the SMF site for bcrypt - you may understand what you find!