Q&A for announcement about forum database intrusion

[TGO David]

You can read the announcement here: http://www.tngunowners.com/forums/topic/47498-tgo-forum-database-partially-compromised-email-addresses-swiped/

You can use this thread to ask any questions that you might have and I will do my best to answer them.

First and foremost let me say that I -- like many of you, I suspect -- am extremely aggravated that this happened. It's a complete pain in the ass for a forum administrator to deal with and due to the nature of the way it happened, it is also one of those really annoying things that we are completely at the mercy of others to prevent. We didn't write the software. Neither did Invision Power in this particular instance. The loophole that was used came from a third party add-on contributed by a member of the IPB community.

Second, it appears that the only damage so far is that several of our members have been spammed with anti-political junk email.

Third, and most importantly perhaps, it is crucial that if you use the same password here as you use somewhere else, that you change your password in both places to something unique. And by unique I mean not shared between any other sites. This is perhaps the biggest pain in the ass of all because most of us tend to use the same or similar passwords on the different sites we visit. It's an inherently unsafe practice but it is also inherently human.

Anyway, ask away. Like I said, I'll do my best to answer.

[TGO David]

Allow me to make one preemptive remark before someone makes the conclusion that this would have never happened on vBulletin software: The problem stemmed from the fact that we used Google-hosted code for certain UI elements. vBulletin sites have been hit by this same thing.

https://www.vbulletin.com/forum/showthread.php/398334-Emails-from-quot-Anonymous-quot-All-appear-to-be-from-sites-running-vBulletin?highlight=anonymous

https://www.vbulletin.com/forum/showthread.php/380561-vBulletin-3-x-and-4-x-Redirect-Security-Exploit?highlight=anonymous

Not sure if you guys can read those links or not but basically they're talking about the same emails some of you guys got.

Again, it's a total pain in the ass and has caused me to revert back to hosting all of our UI code and not relying on Google (or Yahoo) for their public libraries any longer. It will definitely cause a performance hit on the site but it's worth it.

[Caster]

Without starting a speculation brushfire, is there a possible motive beyond the typical sociopathic hacker mentality?

[Will H]

No question, just an observation. If I were going to hack a website and steal user's personal information I would NOT pick a forum full of gun owners. I think I would pick a Toyota Prius Forum, but that's just me.

[TGO David]

Without starting a speculation brushfire, is there a possible motive beyond the typical sociopathic hacker mentality?

No question, just an observation. If I were going to hack a website and steal user's personal information I would NOT pick a forum full of gun owners. I think I would pick a Toyota Prius Forum, but that's just me.

Going to answer these two together. This was not a targeted attack. Rather, this was an exploit of dozens (maybe hundreds) of forums across the Internet running IPB and vBulletin, perhaps other software as well, all of which were leveraging third party user interface (UI) code hosted by Google and Yahoo. We were just one of the unfortunate communities using this code which allowed this group to lift portions of our member list for use in a mass emailing.

So no, I don't think there was any further motive than just spamming a million or so email addresses with anti-political rhetoric.

[Slasher]

If you are looking for a good password manager check out LastPass. It keeps all of your passwords secured with one master password and the client is available for multiple platforms, Steve Gibson of GRC did a whole Security Now show and gave it high praises. Here is a link to the show if you are interested in hearing it. http://twit.tv/sn256

I have no ties or affiliations to anything above other than having a lot of respect for Steve and being a happy LastPass customer.

By using something like this you avoid having to remember different passwords for all of your sites plus you can have crazy and long passwords but only have to remember one.

[Jonnin]

A lot of folks recommend a base password + site specific.

For example, if your password for this site were

xy#$,>

you might use things like

xy#$,>tngn //tn guns

xy#$,>fcbk //facebook

xy#$,>yho //yahoo

or the like.

That way you really only remember 1 password, if you can be diciplined enough to have a pattern to how you make the site name portion. this fails if someone targets YOU but it works if someone stole a database and is just feeding name/password combos to various sites to get a hit, which is the most common issue.

Edited April 23, 2012 by Jonnin

[Defender]

A lot of folks recommend a base password + site specific.

For example, if your password for this site were

xy#$,>

you might use things like

xy#$,>tngn //tn guns

xy#$,>fcbk //facebook

xy#$,>yho //yahoo

or the like.

That way you really only remember 1 password, if you can be diciplined enough to have a pattern to how you make the site name portion. this fails if someone targets YOU but it works if someone stole a database and is just feeding name/password combos to various sites to get a hit, which is the most common issue.

I like that idea...I don't want to thread steal here, but it IS related...are there any cons to this method>?

[Jonnin]

I like that idea...I don't want to thread steal here, but it IS related...are there any cons to this method>?

Just the one I listed. If a hacker is going after YOU specifically, and sees the pattern, he can now guess your passwords on various sites easily. It is uncommon for a regular person to be the target of a serious hacker --- you either need an enemy, or be rich/famous/infamous/political/etc or have some other reason to be a target.

[TGO David]

I like that idea...I don't want to thread steal here, but it IS related...are there any cons to this method>?

Not unless you are specifically being targeted. We teach this method to our people at my place of employment. I personally don't use it but my system is somewhat similar, albeit based on a mathematical formula that uses a sequence of #s and variables pulled from the "root" of my passwords. Unfortunately it also means most of my passwords are about 12 characters long.

[East_TN_Patriot]

Is there any way to tell specifically who had their information compromised?

[TGO David]

Is there any way to tell specifically who had their information compromised?

No. Sorry.