btw: Mac Users can get a program called "1Password" it can generate passwords for you and you only ever have to remember just one to get at all your passwords for everything, it also works in your web browsers to…
Last edited by unwanted on Fri Nov 08, 2013 11:08 am; edited 1 time in total
Joined: 11/07/2002 14:36:40 Posts: 23848 Location: Hampshire, UK
Posted: Fri Nov 08, 2013 11:32 am Post subject:
unwanted wrote:
btw: Mac Users can get a program called "1Password" it can generate passwords for you and you only ever have to remember just one to get at all your passwords for everything, it also works in your web browsers to…
And for PC users, there are solutions such as LastPass _________________ Darren Griffin
Joined: 11/07/2002 14:36:40 Posts: 23848 Location: Hampshire, UK
Posted: Fri Nov 08, 2013 2:14 pm Post subject:
PaulMoore2013 wrote:
I highly recommend 1Password. It's great for both PC and Mac use.
That's a very interesting article, thank you. I'm a 1Password user, and I've spent some time over the past few months going through all the old accounts I have and upgrading their passwords using the random password generator. _________________ Darren Griffin
Dropbox is pretty good, but it's not foolproof. It can be and has been hacked in the past with surprising simplicity.
The config database (containing the encryption keys etc) can be copied to another device and Dropbox restores all the data without requiring a username or password. The argument (from Dropbox and advocates of it) is
"ah, but they need access to the PC to do it... so you're already compromised!"
True enough, but how many people think to check for "linked Dropbox PCs" after clearing the malware/viruses that caused it? Once those encryption keys are stolen, you're screwed. The only way to protect yourself is to revoke the PC (and thus the encryption key) and start again.
As your 1Password keychain is encrypted, the risk (even if Dropbox is hacked) is fairly minimal. The only risk is keychain tampering (not possible with v4 on a Mac) - which I mentioned in the article. Even then, there's a very specific set of circumstances in which that exploit will work. AgileBits are already working to resolve it too.
Before that article went live, I spent many hours literally tearing these password storage apps apart... and 1Password, despite a few glitches, won hands down.
Joined: Aug 31, 2005 Posts: 15356 Location: Bradford, West Yorkshire
Posted: Fri Nov 08, 2013 2:35 pm Post subject: Re: Badly handled ?
molerat wrote:
I am appalled with the lax way you have handled this serious breach of your security. Why have you not informed ALL of your subscribers with a personal e-mail. Many will not receive or read the news letter or go to the main page. Why do you not have a bold banner on all of the forums and the download pages so there is a chance that ALL of your subscribers stand a chance of receiving this information. 1/10 for your handling of this serious situation I am afraid.
I wonder how many smaller companies (like ours) simply wouldn't have told anyone and, worse still, not taken steps to improve matters?
Would that then get 10/10 because you'd not even be aware of the breach?
This is a bit belated as I've already posted, but for the sake of brevity...
I'm Paul Moore. I'm the Director at the Cresona Corporation. For the past few days, I've been working with the team at PGPSW to secure the site, assess the risk and make recommendations.
Password storage:
Passwords are hashed using the MD5 algorithm. This was not a design decision; rather a restriction of the PHPNuke platform on which PGPSW is based.
There are modifications for PHPNuke which improve password security by moving to the SHA-1 algorithm. In terms of actual, tangible strength however, SHA-1 offers only slightly more resistance to attack than MD5. Furthermore, it's written by a 3rd-party, so there's no guarantee the modification itself is safe to use in a production environment.
PGPSW does not collect or store any financial or personally identifiable information.
Investigations into the breach are ongoing - with many security enhancements already applied.
@molerat
PGPSW responded within minutes of the report on Twitter. They posted a news report available on the homepage, forum and Twitter. They have been open & honest about the situation and have taken steps to resolve it straight away. To describe the response as "lax" is neither accurate nor fair. _________________ 1
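The post above explains that PGPSW stores unsalted MD5 password hashes because of a PHPNuke platform restriction, and that swapping MD5 for SHA-1 gains little. The added example below (written for this thread, not PHPNuke's own code or schema, with a constructed in-memory user table standing in for the users database) shows what a real fix looks like in practice: verify legacy MD5 hashes on login, then immediately re-hash the password with a per-user random salt and a slow key-derivation function (PBKDF2-HMAC-SHA256 from the standard library; bcrypt or scrypt would serve the same purpose). It also shows why an unsalted fast hash is weak: two users with the same password get the same stored value, so one cracked hash exposes every account sharing it, whereas salted hashes differ.

```python
import hashlib
import hmac
import os

# Hypothetical user store standing in for a PHPNuke-style users table.
# The "md5" scheme holds an unsalted MD5 hex digest, as the thread describes.
USERS = {
    "alice": {"scheme": "md5", "hash": hashlib.md5(b"correct horse").hexdigest()},
}

PBKDF2_ITERATIONS = 200_000  # tune so one verification costs tens of milliseconds


def make_pbkdf2(password: str, salt: bytes = b"") -> dict:
    """Hash a password with a fresh random 16-byte salt and PBKDF2-HMAC-SHA256."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {
        "scheme": "pbkdf2",
        "salt": salt.hex(),
        "iterations": PBKDF2_ITERATIONS,
        "hash": digest.hex(),
    }


def verify(record: dict, password: str) -> bool:
    """Check a password against either the legacy MD5 record or a PBKDF2 record."""
    if record["scheme"] == "md5":
        candidate = hashlib.md5(password.encode()).hexdigest()
        return hmac.compare_digest(candidate, record["hash"])
    if record["scheme"] == "pbkdf2":
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(record["salt"]), record["iterations"]
        )
        return hmac.compare_digest(digest.hex(), record["hash"])
    return False  # unknown scheme: fail closed


def login(username: str, password: str) -> bool:
    """Authenticate, and opportunistically upgrade a legacy MD5 record on success.

    The cleartext password is only available at login time, so that is the
    only moment a legacy hash can be replaced without a forced reset.
    """
    record = USERS.get(username)
    if record is None or not verify(record, password):
        return False
    if record["scheme"] == "md5":
        USERS[username] = make_pbkdf2(password)
    return True


def unsalted_collision_demo() -> tuple:
    """Return (md5_equal, pbkdf2_equal) for two users sharing one password."""
    a = hashlib.md5(b"summer2013").hexdigest()
    b = hashlib.md5(b"summer2013").hexdigest()
    c = make_pbkdf2("summer2013")["hash"]
    d = make_pbkdf2("summer2013")["hash"]
    return a == b, c == d


if __name__ == "__main__":
    print("before:", USERS["alice"]["scheme"])
    print("login ok:", login("alice", "correct horse"))
    print("after:", USERS["alice"]["scheme"])
    print("same md5 / same pbkdf2:", unsalted_collision_demo())
```

Accounts that never log in keep their MD5 hash, so a migration like this is normally paired with a deadline after which remaining legacy records are invalidated and those users are asked to reset.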
Joined: Jul 06, 2007 Posts: 203 Location: Very North of the Border
Posted: Sat Nov 09, 2013 5:24 pm Post subject:
The breach was on Tuesday, I found out on Friday because this week I happened to read the newsletter, I do not always read it. What would have been easier than posting an urgent e-mail to everyone on that list, probably the easiest and quickest way to reach the majority of those possibly affected. "Responded on Twitter within minutes", FYI not everybody uses Twitter or other social media. It is not, as techies seem to believe, the answer to all the world's problems. There are probably many out there that are still uninformed because they have not actively logged into the correct area of the site, I only go directly to the area of the site that interests me and there is no mention of it there. Yes, fixing the breach seems to have been handled well, but I still believe that informing those possibly affected has been handled badly. _________________ Garmin Drive 51LMT-S EU
(TT One V3 512MB + RDS TMC UK&RoI v1005 now retired, dead due to withdrawal of manufacturer support)
Joined: 11/07/2002 14:36:40 Posts: 23848 Location: Hampshire, UK
Posted: Sat Nov 09, 2013 5:36 pm Post subject:
In an ideal world we would have happily sent out an email to everyone, but we have over 570,000 users and it's far from as simple as you seem to think.
Sending out a bulk email to more than half a million recipients is not a simple process. Had we done so, the email would have instantly been flagged as spam, our mail server would be flagged or blocked and then we'd have had an even bigger issue on our hands.
As it was, our priority was to secure the server and provide as much warning as we could.
Adobe took nearly 10 days before they alerted their customers to a far more serious security breach, one which also saw payment information stolen. _________________ Darren Griffin
FYI not everybody uses Twitter or other social media. It is not, as techies seem to believe, the answer to all the world's problems.
I wasn't suggesting it was. It is however, another venue to quickly and reliably contact members who want to keep themselves informed. Crucially, it's a method of communication separate from a system which they suspected was compromised. The decision not to immediately mass-mail everyone was a wise one. As Darren has said, it would have taken a fair amount of admin time to write and send (time better spent elsewhere), placed the server under considerable load and could have led to further issues.
molerat wrote:
I only go directly to the area of the site that interests me and there is no mention of it there.
Short of posting the same sticky repeatedly throughout the forums, there's not a great deal the admins can do. There is a global sticky / global announcements facility in later versions, but back-porting to a heavily modified earlier version could be tricky and time consuming. _________________ 1
Posted: Tue Nov 12, 2013 5:04 am Post subject: I have some experience in this...
As one of the people who raised the alarm (I started a thread over in the subscriber area forum as soon as I'd seen what had happened), I'm in two minds about whether to lay blame here. In full disclosure, I'm an IT pro myself, with many years' experience of running internet connected systems. I don't know the pgpsw system, but I've had experience of this kind of breach before. I suspect I'll be teaching grannies to suck eggs, but this is my take on it. (Apologies for the length.)
Firstly, I've watched firewall logs in real time, seeing hackers actively and repeatedly probing websites and servers looking for an entry point. It's a real education. Running live systems securely isn't easy, and it only takes a moment's slippage - or a missed security patch to open up a hole. Jumping on the pocketgps guys may not be warranted. As my first boss told me when I'd dropped a by rushing through a code change that went pear shaped in live, "it's only those who do work that make mistakes". Given the fact that this hack hasn't previously occurred in the several years that I've been registered, I'm inclined to believe that the systems are run and maintained professionally - and maybe an accidentally missed php or nuke patch, or even a zero day exploit has opened up a hole here. I've personally seen a junior member of staff in my own organization connect a ghosted but non-hardened windows server to a public ip without thinking, only to see it hacked and being used as a bulk email server sending out millions of spam messages to China. From making it live, to being fully pwned by the hacker and acting as a live relay - took just twelve minutes. The bad guys take no prisoners, and they are extremely aggressive at trying to exploit php/nuke/vbulletin or windows type servers in particular. If you run these servers, you really need to be on your game. (Personally I hate them, as they're so widely used, and are therefore such a juicy target for hack attempts. I can see why you run the site with it, and moving an established site to an alternative tool is extremely difficult - but the php nuke derivatives are a favourite hacker magnet...)
Secondly I've also been responsible for running intrusion detection systems, and running penetration tests against supposedly hardened applications. There are some great open source tools available to help in this (you don't need expensive commercial alternatives) - but I have two golden procedure rules that can't be broken. Firstly, nothing goes live (not a patch, not an app change nor a hardware upgrade) without being pen-tested. Secondly, you don't test something once, and then tick the box marked "it's safe". You have to repeat the tests on an ongoing basis, keeping the probe tools updated with the latest exploits. I'd never want to be told about a hack by a member of the public. I'd want my tools and monitors to pick up any holes first, and the serious hack attempts second, so I could patch and firewall the hell out of my site. I'm sure the admins will learn from this. If they don't, and it happens again - then it'll be valid grounds for trouble.
As I mentioned on my original post, I worked out that something had gone amiss by virtue of the fact that I use my own domain and a custom return address for each email contact. It makes it easier to manage the fallout of this kind of event. I'll now change my pgpsw address, and bin emails to the original one. And before people have a go at the pgpsw admins in particular, I've already had to nuke return addresses from ebay, amazon and travelodge - to name but three much bigger organizations, with far greater resources available. They had also lost their customer contact databases (due to either hackers, or dodgy employees selling them) - and I started receiving spam to their unique addresses. If you give your single email address to the world and wife, you're never going to find out where the leak originated.
So my advice for the admins (who probably need advice like a hole in the head, and I know will be seriously p****d off and embarrassed that this has happened, and will be also as busy as hell trying to fix it) would be to go through the site code to ensure that the hack isn't more than a simple data theft (i.e. the bad guys haven't left any trojans around), tighten the security patching regime, and put in place some proactive testing processes and monitoring software to ensure that no doors are left open again. And those of us whose email addresses have been misappropriated, I'm afraid we'll just have to expect an increase in spam levels - and we'll have to deal with it. That's life. You can't put the genie back in the bottle, unfortunately.
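Chris's point about giving every service its own address on a domain you control is the thing in this thread most people can act on, because it turns "I'm getting more spam" into "this specific database was leaked". The following is an added example written for this thread, not code from the poster or from PGPSW. It assumes a small register of per-service aliases (constructed here, using reserved `.example` domains) and reads constructed mail log lines in a simple `from=<addr> to=<addr>` format; it flags any alias receiving mail from a domain the service was never expected to send from, counts such messages per service, and retires the aliases of services that look leaked so later mail to them can be binned, as the post describes.

```python
import re

# Hypothetical alias register: one unique address per service, plus the
# sender domains that service is legitimately expected to use.
ALIASES = {
    "shop-a@mydomain.example": {"service": "shop-a", "expected_domains": {"shop-a.example"}},
    "forum-b@mydomain.example": {"service": "forum-b", "expected_domains": {"forum-b.example"}},
    "hotel-c@mydomain.example": {"service": "hotel-c", "expected_domains": {"hotel-c.example"}},
}

# Constructed sample log; not real traffic. A personal address that is not a
# per-service alias is included to show it is ignored.
MAIL_LOG = """\
2013-11-05 08:12:01 from=newsletter@forum-b.example to=forum-b@mydomain.example subject="Weekly newsletter"
2013-11-06 13:40:22 from=promo@cheap-pills.example to=forum-b@mydomain.example subject="Limited offer"
2013-11-06 13:41:03 from=lottery@winner.example to=Forum-B@mydomain.example subject="You won"
2013-11-06 21:02:17 from=orders@shop-a.example to=shop-a@mydomain.example subject="Your order"
2013-11-07 02:15:44 from=deals@bargainz.example to=hotel-c@mydomain.example subject="Book now"
2013-11-07 09:30:00 from=friend@somewhere.example to=chris@mydomain.example subject="Lunch?"
this line is not a mail log entry and must be skipped
"""

LINE_RE = re.compile(r"from=(?P<sender>\S+)\s+to=(?P<rcpt>\S+)")
RETIRED = set()  # aliases we have decided to stop accepting mail for


def sender_domain(addr: str) -> str:
    """Return the lower-cased domain part of an address."""
    return addr.rsplit("@", 1)[-1].lower()


def unexpected_senders(log_text: str) -> dict:
    """Map service name -> list of senders that should never have had its alias."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a mail entry
        entry = ALIASES.get(m["rcpt"].lower())
        if entry is None:
            continue  # personal address, not a per-service alias
        if sender_domain(m["sender"]) in entry["expected_domains"]:
            continue  # the service itself writing to its own alias
        hits.setdefault(entry["service"], []).append(m["sender"])
    return hits


def leak_report(log_text: str, threshold: int = 2) -> dict:
    """Classify each service with stray mail; a single message may be a typo,
    repeated unrelated senders on one alias mean that service's list leaked."""
    return {
        service: ("likely leaked" if len(senders) >= threshold else "single stray message")
        for service, senders in unexpected_senders(log_text).items()
    }


def retire_leaked(log_text: str, threshold: int = 2) -> set:
    """Add the aliases of services judged leaked to RETIRED and return them."""
    leaked = {s for s, verdict in leak_report(log_text, threshold).items() if verdict == "likely leaked"}
    for alias, entry in ALIASES.items():
        if entry["service"] in leaked:
            RETIRED.add(alias)
    return {a for a, e in ALIASES.items() if e["service"] in leaked}


def should_drop(rcpt: str) -> bool:
    """Filter hook: bin mail addressed to a retired alias."""
    return rcpt.lower() in RETIRED


if __name__ == "__main__":
    print(leak_report(MAIL_LOG))
    print("retired:", retire_leaked(MAIL_LOG))
```

The threshold is deliberately low here because an alias that only one organisation ever received has no legitimate reason to see mail from anyone else; in practice the first stray message is usually the signal, and the count just ranks which service to chase first.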
I couldn't have put it better myself. These are really useful insights... if only more people would heed the advice.
PHPNuke is an awful application... even beyond the obvious security risks it introduces. I'm yet to find anyone with what I'd consider to be a sufficiently-hardened instance.
I would say however... I firmly believe the sole use of open source/free "pen testing" apps actually damages the industry as a whole. It's not because they're not effective (some are very good), but people tend to revert to a DIY approach; treating them as some sort of silver bullet.
As you know Chris, security is hard to get right and all too easy to get wrong. A quick search for "pen testing" on Google reveals a plethora of seemingly savvy, professional firms. In truth, many are just kids sporting the latest BackTrack VMware file... with absolutely no idea of how to interpret the results correctly.
You're right too regarding eBay and others. My latest article still hasn't been resolved, despite being published around the world. BBC, Anonymous, Softpedia, CERT (http://cert.at/warnings/all/20130916.html), HackerNews et al have all picked it up... eBay believe it has been resolved. It hasn't. I notified them in July.
Absolute security is knowing security isn't an absolute. _________________ 1