Security Notice

New threads (topics) in the Announcements forum are only to be initiated by Forum Administrators. Of course, users are encouraged to post replies where appropriate.

Moderators: MGmirkin, bboyer

Security Notice

Unread postby davesmith_au » Wed Feb 19, 2014 2:38 am

The thunderbolts site was recently the victim of a distributed brute force attack which spread across WordPress sites all around the globe in a matter of minutes. An injection of unusual hidden scripts onto our site is what caused the “Malware Ahead” warning which Google issued and forced onto the frontend of our site along with many thousands of others. Unfortunately, Google’s warning and the removal thereof lag somewhat in comparison to any real-time threat.

Upon the realization that something serious was amiss, we engaged the services of a very reputable professional site cleanup service (wpsecuritylock.com). Due to the sheer size of our site (and other mitigating circumstances like power outages caused by snow, Murphy’s Law hard at work et. al.) and the fact that each and every file (including images) needed to be inspected for malicious code, this took a number of days to achieve. A “normal” site would usually be in maintenance mode for only a day or so, even less.

We are assured that the site now contains no malicious code or scripts. There is no real way of knowing if any visitors may have had their own computers compromised so it is prudent that all visitors to our site (and any other WordPress based sites) over the last several weeks have their computers scanned by one or more of the virus/malware removal tools which are readily available on the internet. If you don’t already have such software on your machine, be sure to seek sound advice as to which tools are reputable and only ever get them from the proper source.

We apologize for the long delay in getting our site up and running smoothly again but can assure visitors that we have beefed up security to the hilt and taken all of the advice the professionals have issued. Thank you for your patience.
"Those who fail to think outside the square will always be confined within it" - Dave Smith 2007
Please visit PlasmaResources
Please visit Thunderblogs
Please visit ColumbiaDisaster
User avatar
davesmith_au
Site Admin
 
Posts: 828
Joined: Thu Mar 13, 2008 7:29 pm
Location: Adelaide, the great land of Oz

Re: Security Notice

Unread postby Sparky » Wed Feb 19, 2014 9:38 am

Dave;

Thank you for your quick reaction and services. ;)

I run sandboxed, with AVG realtime, so I no longer worry about infections. I still run Emisoft and Malwarebites to alleviate my congenital paranoia when it flares up.. :?

Thank you... ;)
"It is dangerous to be right in matters where established men are wrong."
"Doubt is not an agreeable condition, but certainty is an absurd one."
"Those who can make you believe absurdities, can make you commit atrocities." Voltaire
Sparky
 
Posts: 3517
Joined: Tue Jul 20, 2010 2:20 pm

Re: Security Notice

Unread postby chrimony » Wed Feb 19, 2014 9:41 am

davesmith_au wrote:We are assured that the site now contains no malicious code or scripts. There is no real way of knowing if any visitors may have had their own computers compromised so it is prudent that all visitors to our site (and any other WordPress based sites) over the last several weeks have their computers scanned by one or more of the virus/malware removal tools which are readily available on the internet.


It would be nice if you listed the malware that was found and removed. While scans and general security practices are always a good idea, specifics help as an extra step.
chrimony
 
Posts: 271
Joined: Sun Apr 07, 2013 6:37 am

Re: Security Notice

Unread postby nick c » Wed Feb 19, 2014 2:51 pm

A big thanks to Dave Smith!
I know that it was a herculean effort to get the TB websites, including the forum, running smoothly.
User avatar
nick c
Moderator
 
Posts: 2243
Joined: Sun Mar 16, 2008 8:12 pm
Location: connecticut

Re: Security Notice

Unread postby Lloyd » Sun Feb 23, 2014 8:40 am

I think Charles says the hackers may have gotten all of the forum members' forum passwords and that everyone should be warned to change their passwords, if I understood correctly. I'm having some trouble changing my password though.
Lloyd
 
Posts: 4113
Joined: Fri Apr 04, 2008 2:54 pm

Re: Security Notice

Unread postby Lloyd » Sun Feb 23, 2014 8:42 am

Sparky wrote:Dave;

Thank you for your quick reaction and services. ;)

I run sandboxed, with AVG realtime, so I no longer worry about infections. I still run Emisoft and Malwarebites to alleviate my congenital paranoia when it flares up.. :?

Thank you... ;)

How do you do that first part, Sparky?
Lloyd
 
Posts: 4113
Joined: Fri Apr 04, 2008 2:54 pm

Re: Security Notice

Unread postby Sparky » Sun Feb 23, 2014 9:23 am

Lloyd...do you mean ,"sandoxed".?
http://www.sandboxie.com/index.php?GettingStarted :? ;)
"It is dangerous to be right in matters where established men are wrong."
"Doubt is not an agreeable condition, but certainty is an absurd one."
"Those who can make you believe absurdities, can make you commit atrocities." Voltaire
Sparky
 
Posts: 3517
Joined: Tue Jul 20, 2010 2:20 pm

Re: Security Notice

Unread postby seasmith » Sun Feb 23, 2014 1:13 pm

by chrimony » Wed Feb 19, 2014 9:41 am

davesmith_au wrote:
We are assured that the site now contains no malicious code or scripts. There is no real way of knowing if any visitors may have had their own computers compromised so it is prudent that all visitors to our site (and any other WordPress based sites) over the last several weeks have their computers scanned by one or more of the virus/malware removal tools which are readily available on the internet.


It would be nice if you listed the malware that was found and removed. While scans and general security practices are always a good idea, specifics help as an extra step.


Yes, that would be a help, for users running the forum on different platforms.
thanks,
s smith
seasmith
 
Posts: 2624
Joined: Thu Mar 27, 2008 6:59 pm

Re: Security Notice

Unread postby nick c » Sun Feb 23, 2014 2:08 pm

Lloyd,
I'm having some trouble changing my password though.

It is probably a good idea to get in the habit of regular password changes.
-click "User Control Panel"
-click "Profile"
-click "edit account settings"
-enter new password, confirm new password, enter current (your old) password
-click submit
User avatar
nick c
Moderator
 
Posts: 2243
Joined: Sun Mar 16, 2008 8:12 pm
Location: connecticut

Re: Security Notice

Unread postby davesmith_au » Sun Feb 23, 2014 5:58 pm

OK now that I've had time to breathe, here's some answers to some of the previous posts. Please note, some specifics are either not known or too security-sensitive to share.

chrimony wrote:It would be nice if you listed the malware that was found and removed. While scans and general security practices are always a good idea, specifics help as an extra step.


seasmith wrote:Yes, that would be a help, for users running the forum on different platforms.
thanks,
s smith


Sometimes having too much information can be a problem. If you only scan for specific "known" viruses, you'll always be one step behind the hackers. Having said that, the security firm we hired did find a known virus called "FilesMan" and have now inspected every file on the site (many thousands of them). There were a number of bad files and there's no way of knowing if they were part of the 'filesman' virus or some other unidentified source. Remember, the site was the victim of a worldwide brute force attack and may have been compromised a number of ways. Needless to say, we invested some serious money into having the site cleaned file by file and upgrading security measures to help protect our visitors' safety.

Lloyd wrote:I think Charles says the hackers may have gotten all of the forum members' forum passwords and that everyone should be warned to change their passwords, if I understood correctly. I'm having some trouble changing my password though.


Whilst Charles MAY be right, I have serious doubts that this has happened, for a number of reasons. However, it is ALWAYS prudent to review passwords from time to time anyhow.

1. It is highly unlikely that the hackers had any interest in milking forum passwords. This was an attack aimed at infecting (and eventually crashing) as many sites worldwide as they could, more likely for 'bragging rights' than anything else.

2. ALL forum passwords are encrypted on site and no-one, not even admins, can see them. IF hackers were to get into the database, they'd find a bunch of encrypted codes with no real passwords to be seen. Hackers know that phpBB3 software does this, so they won't waste their time on it (except in the case of a personal, targeted attack which this was not).

3. This event was not about some individual trying to target the thunderolts site or forum deliberately to steal information. It was about an individual or group of people using automated bots and scripts to try to infect as many sites as they could.

4. The hackers have most likely got into the site using one or several known or milked MAIN SITE ADMIN usernames and an algorithm to crack one of the passwords of the site admins. We are now ENFORCING extremely strong passwords for main site users and admins (of which there are only a few) and have taken many other measures to minimize the risk of this happening again.

None of the above however, should give rise to forum user complacency. It is important that EVERY password you use for ANY site be as strong as you can make it. A long (12 to 30 or more characters are now being encouraged) password with a combination of uppercase, lowercase, numerals and symbols. NEVER use a known word or phrase as your password, even if you change some of the letters out for a few numbers. Serious hackers know these 'tricks' and are constantly developing stronger algorithms to try to circumvent them. NO password is foolproof, but the longer and stronger you make them, the better. Don't use the same password across multiple sites and never print your password(s) using your computer. Instead, write each one down on a piece of paper (yes, paper and pen still exist and come in quite handy) and be sure to keep them in a safe place.

Dave Smith.
Thunderbolts Forum Administrator.
"Those who fail to think outside the square will always be confined within it" - Dave Smith 2007
Please visit PlasmaResources
Please visit Thunderblogs
Please visit ColumbiaDisaster
User avatar
davesmith_au
Site Admin
 
Posts: 828
Joined: Thu Mar 13, 2008 7:29 pm
Location: Adelaide, the great land of Oz

Re: Security Notice

Unread postby chrimony » Tue Feb 25, 2014 7:46 pm

davesmith_au wrote:OK now that I've had time to breathe, here's some answers to some of the previous posts. Please note, some specifics are either not known or too security-sensitive to share.


Thanks for your answers. I have some comments and further questions. The first comment is "too security-sensitive to share" sounds like a weak, generic excuse. For example, there's no security issue by saying, "file xyz.jpg" was infected with so-and-so.

Sometimes having too much information can be a problem. If you only scan for specific "known" viruses, you'll always be one step behind the hackers.


On the other hand, if you already run the standard generic checks, then having the extra information can be helpful.

Having said that, the security firm we hired did find a known virus called "FilesMan" and have now inspected every file on the site (many thousands of them). There were a number of bad files and there's no way of knowing if they were part of the 'filesman' virus or some other unidentified source. Remember, the site was the victim of a worldwide brute force attack and may have been compromised a number of ways. Needless to say, we invested some serious money into having the site cleaned file by file and upgrading security measures to help protect our visitors' safety.


OK, I looked up "filesman", and it is not a virus. It's a backdoor that was left by the hackers to get back in to your system (as they apparently broke in by brute forcing the admin password). Since you paid all that money, I'd think they would give you a report with all the actual viruses or malicious code that users would have been exposed to. For example, what triggered the Google alert that the site was infected? Why not share the list of everything that was found?

1. It is highly unlikely that the hackers had any interest in milking forum passwords. This was an attack aimed at infecting (and eventually crashing) as many sites worldwide as they could, more likely for 'bragging rights' than anything else.


It's a bad assumption that they were just in it for bragging rights and crashing. First off, there's that backdoor, which allowed them admin access at any time. Second, there was whatever user-facing malicious code that prompted Google to warn against the site. Third, lots of hacking these days is done for criminal profit.

2. ALL forum passwords are encrypted on site and no-one, not even admins, can see them. IF hackers were to get into the database, they'd find a bunch of encrypted codes with no real passwords to be seen. Hackers know that phpBB3 software does this, so they won't waste their time on it (except in the case of a personal, targeted attack which this was not).


Weak passwords are easy to bruteforce if you have the database. Second, they could have modified the server to snoop on the unencrypted passwords as people logged in. I believe the safest assumption, as a user, is that your password is compromised, and if you use the same password on multiple sites (a bad idea, as Dave says), then they may have your access to those sites, too.

3. This event was not about some individual trying to target the thunderolts site or forum deliberately to steal information. It was about an individual or group of people using automated bots and scripts to try to infect as many sites as they could.


For unknown reasons. While they are extremely unlikely to want to mess with your posts (unless it's to spam), they could chain the attacks here against users' personal computers in an automated fashion.

I don't have anything further to add, except that the advice below is good for protecting your passwords.

None of the above however, should give rise to forum user complacency. It is important that EVERY password you use for ANY site be as strong as you can make it. A long (12 to 30 or more characters are now being encouraged) password with a combination of uppercase, lowercase, numerals and symbols. NEVER use a known word or phrase as your password, even if you change some of the letters out for a few numbers. Serious hackers know these 'tricks' and are constantly developing stronger algorithms to try to circumvent them. NO password is foolproof, but the longer and stronger you make them, the better. Don't use the same password across multiple sites and never print your password(s) using your computer. Instead, write each one down on a piece of paper (yes, paper and pen still exist and come in quite handy) and be sure to keep them in a safe place.
chrimony
 
Posts: 271
Joined: Sun Apr 07, 2013 6:37 am

Re: Security Notice

Unread postby davesmith_au » Tue Feb 25, 2014 11:43 pm

chrimony wrote:
davesmith_au wrote:OK now that I've had time to breathe, here's some answers to some of the previous posts. Please note, some specifics are either not known or too security-sensitive to share.


Thanks for your answers. I have some comments and further questions. The first comment is "too security-sensitive to share" sounds like a weak, generic excuse. For example, there's no security issue by saying, "file xyz.jpg" was infected with so-and-so.


That's your opinion. However, as I am somewhat responsible for a website with many thousands of files and tens of thousands of visitors each month, and a forum with over 1200 registered users, I intend to be a bit more cautious than you might like me to be. I'd rather take the advice of those who have been doing serious website security for well over a decade than someone I know nothing about. I have no intention of going into detail with your or anyone else. Nothing personal, you understand.

chrimony wrote:
Sometimes having too much information can be a problem. If you only scan for specific "known" viruses, you'll always be one step behind the hackers.


On the other hand, if you already run the standard generic checks, then having the extra information can be helpful.


On the other hand, such extra information could be unhelpful, for many of the punters out there who don't seem to know as much as your good self likes to think you do. Best to leave security up to the experts who create the programs than to second-guess what you should look for.


chrimony wrote:
Having said that, the security firm we hired did find a known virus called "FilesMan" and have now inspected every file on the site (many thousands of them). There were a number of bad files and there's no way of knowing if they were part of the 'filesman' virus or some other unidentified source. Remember, the site was the victim of a worldwide brute force attack and may have been compromised a number of ways. Needless to say, we invested some serious money into having the site cleaned file by file and upgrading security measures to help protect our visitors' safety.


OK, I looked up "filesman", and it is not a virus. It's a backdoor that was left by the hackers to get back in to your system (as they apparently broke in by brute forcing the admin password). Since you paid all that money, I'd think they would give you a report with all the actual viruses or malicious code that users would have been exposed to. For example, what triggered the Google alert that the site was infected? Why not share the list of everything that was found?


So you can use Google. Bully for you. I did in fact use the wrong term, the term our security firm used was that the "hack" was known as "filesman". My bad. But it makes no difference. I have access to a report so detailed it would probably make your head spin, if you were capable of understanding it. Your continued insistsnce that the information be shared, raises a suspicion in me. Perhaps your motives are questionable. I hope not, but your behavior is strange, to say the least.


chrimony wrote:
1. It is highly unlikely that the hackers had any interest in milking forum passwords. This was an attack aimed at infecting (and eventually crashing) as many sites worldwide as they could, more likely for 'bragging rights' than anything else.


It's a bad assumption that they were just in it for bragging rights and crashing. First off, there's that backdoor, which allowed them admin access at any time. Second, there was whatever user-facing malicious code that prompted Google to warn against the site. Third, lots of hacking these days is done for criminal profit.


Two points in response. I did not make any assumption, but rather stated it was "highly unlikely". You also seem to have missed (or ignored) my opening post, wherein I not only stated it was part of a worldwide brute force attack, but I supplied a link to one security organization which confirms what I said. I also had confirmation of same from experts in the field. I don't see why I should question all of that for you. I have better things to do with my voluntary time.

chrimony wrote:
2. ALL forum passwords are encrypted on site and no-one, not even admins, can see them. IF hackers were to get into the database, they'd find a bunch of encrypted codes with no real passwords to be seen. Hackers know that phpBB3 software does this, so they won't waste their time on it (except in the case of a personal, targeted attack which this was not).


Weak passwords are easy to bruteforce if you have the database. Second, they could have modified the server to snoop on the unencrypted passwords as people logged in. I believe the safest assumption, as a user, is that your password is compromised, and if you use the same password on multiple sites (a bad idea, as Dave says), then they may have your access to those sites, too.


ANYthing is possible, and the bottom line is that users (like always) be responsible for their own security by taking appropriate precautions, and appropriate actions once they're alerted to specific incidents such as this one. Many sites won't tell you a thing when they've been compromised. Our users are getting on one hand, the advice to take as much precaution as they can, and on the other, having their fears of targeted password theft etc allayed to some degree, by what is the best judgment of our security people and myself. Yes, they MAY have had their passwords compromised, but it is highly unlikely.


chrimony wrote:
3. This event was not about some individual trying to target the thunderolts site or forum deliberately to steal information. It was about an individual or group of people using automated bots and scripts to try to infect as many sites as they could.


For unknown reasons. While they are extremely unlikely to want to mess with your posts (unless it's to spam), they could chain the attacks here against users' personal computers in an automated fashion.


Yes, for unknown reasons. So we could speculate all day on what they *could* do, there's nothing we can do about what they *did* do except to take the advice already give, clean your machines and change your passwords. Scaremongering is not going to help anyone, except perhaps those who wish to create confusion and panic.

chrimony wrote:I don't have anything further to add, except that the advice below is good for protecting your passwords.

None of the above however, should give rise to forum user complacency. It is important that EVERY password you use for ANY site be as strong as you can make it. A long (12 to 30 or more characters are now being encouraged) password with a combination of uppercase, lowercase, numerals and symbols. NEVER use a known word or phrase as your password, even if you change some of the letters out for a few numbers. Serious hackers know these 'tricks' and are constantly developing stronger algorithms to try to circumvent them. NO password is foolproof, but the longer and stronger you make them, the better. Don't use the same password across multiple sites and never print your password(s) using your computer. Instead, write each one down on a piece of paper (yes, paper and pen still exist and come in quite handy) and be sure to keep them in a safe place.


You seem to have forgotten to mention previous advice like "... it is prudent that all visitors to our site (and any other WordPress based sites) over the last several weeks have their computers scanned by one or more of the virus/malware removal tools which are readily available on the internet..." and "... it is ALWAYS prudent to review passwords from time to time anyhow ..." But then again, acknowledging these statements would make all of your rhetoric redundant now, wouldn't it?

I intend to post no further on this topic.
"Those who fail to think outside the square will always be confined within it" - Dave Smith 2007
Please visit PlasmaResources
Please visit Thunderblogs
Please visit ColumbiaDisaster
User avatar
davesmith_au
Site Admin
 
Posts: 828
Joined: Thu Mar 13, 2008 7:29 pm
Location: Adelaide, the great land of Oz

Re: Security Notice

Unread postby chrimony » Wed Feb 26, 2014 2:52 am

davesmith_au wrote:That's your opinion. However, as I am somewhat responsible for a website with many thousands of files and tens of thousands of visitors each month, and a forum with over 1200 registered users, I intend to be a bit more cautious than you might like me to be. I'd rather take the advice of those who have been doing serious website security for well over a decade than someone I know nothing about. I have no intention of going into detail with your or anyone else. Nothing personal, you understand.


Pardon me if I don't believe you that the security experts told you that you can't share with users what malicious code they were exposed to. The fact that you already mentioned FilesMan contradicts that sentiment.

On the other hand, such extra information could be unhelpful, for many of the punters out there who don't seem to know as much as your good self likes to think you do. Best to leave security up to the experts who create the programs than to second-guess what you should look for.


Security software is not 100% reliable. If there's a specific attack to look for, it helps. Your position of non-transparency and assuming users are too dumb to do anything with this information is quite condescending to users, especially since multiple users have asked for this information. If you were exposed to a disease, would you rather be told "go to the doctor and get checked out for all illnesses", or be told specifically what it was?

So you can use Google. Bully for you. I did in fact use the wrong term, the term our security firm used was that the "hack" was known as "filesman". My bad. But it makes no difference. I have access to a report so detailed it would probably make your head spin, if you were capable of understanding it. Your continued insistsnce that the information be shared, raises a suspicion in me. Perhaps your motives are questionable. I hope not, but your behavior is strange, to say the least.


I'm sorry you're taking this personal. While I may have been blunt in what I found to be a weak excuse, my post was meant to be helpful for users (of which I'm one) and corrected misinformation in your post. I also thanked you for the information you did provide. But you have demonstrated a very naive view on security issues, so I find your condescending attitude about my expertise and motivations quite inappropriate and hostile. Since seasmith asked for the same information, do you also find his motives suspicious and questionable? I'm a user advocate here, nothing more.

Two points in response. I did not make any assumption, but rather stated it was "highly unlikely". You also seem to have missed (or ignored) my opening post, wherein I not only stated it was part of a worldwide brute force attack, but I supplied a link to one security organization which confirms what I said. I also had confirmation of same from experts in the field. I don't see why I should question all of that for you. I have better things to do with my voluntary time.


That it is "highly unlikely" is a naive assumption on your part. I did in fact read the link you gave. Can you explain where in that link it states that users are not a followup target? I gave three arguments on why they might be. You have refuted none of them. Or can you show where in the link that it states the goal was "highly likely" for bragging rights or to crash the server? All it states is that multiple sites were attacked at once to brute force the passwords.

What we know is that not only did they succeed in breaking into the site, they planted a backdoor and also planted user-facing malicious code that caused Google to alert users not to go to the site. That's a lot more than bragging rights and crashing.

ANYthing is possible, and the bottom line is that users (like always) be responsible for their own security by taking appropriate precautions, and appropriate actions once they're alerted to specific incidents such as this one. Many sites won't tell you a thing when they've been compromised. Our users are getting on one hand, the advice to take as much precaution as they can, and on the other, having their fears of targeted password theft etc allayed to some degree, by what is the best judgment of our security people and myself. Yes, they MAY have had their passwords compromised, but it is highly unlikely.


That the site was compromised was already public information. The few details you did provide is appreciated, and further information that you provided after prompting is also appreciated. What is not appreciated is the false assurances and resistance to detailed transparency about what users were exposed to, and I highly doubt you got those from the security consultants, just like your statements went well beyond what your link stated.

You seem to have forgotten to mention previous advice like "... it is prudent that all visitors to our site (and any other WordPress based sites) over the last several weeks have their computers scanned by one or more of the virus/malware removal tools which are readily available on the internet..."


No, I haven't, as I acknowledged in my first post that "scans and general security practices are always a good idea".

and "... it is ALWAYS prudent to review passwords from time to time anyhow ..." But then again, acknowledging these statements would make all of your rhetoric redundant now, wouldn't it?


Funny, I just acknowledged your advice about passwords, but because I didn't specifically mention that line that somehow invalidates everything I've said? Ridiculous.

I intend to post no further on this topic.


Ho hum.
chrimony
 
Posts: 271
Joined: Sun Apr 07, 2013 6:37 am


Return to Announcements

Who is online

Users browsing this forum: No registered users and 2 guests