Author Topic: Spam Attack and User Advice

Offline HAL

Spam Attack and User Advice
« on: February 13, 2011, 09:06:15 AM »
Many SMF forums (including this one) are being targeted by persons or bots at this time. They attempt to create accounts with ads in the signature, and also attempt to log into existing user accounts, even if you are already logged in. This can cause you to be logged out due to the bot exceeding failed login attempts.

If your password is of the form "membername+numbers" or any other simple form of password, then I would suggest changing it to a tougher password, and anyone with any type of simple password would be advised to change it to include capital and lowercase letters and numbers having nothing to do with your member name. You don't want the bot getting into your account and harvesting your email address.

We have installed a spam blocking Mod that is helping, in addition to other security measures. It's possible we will implement other measures too, so be prepared for additional changes in how the forum looks or acts.
« Last Edit: February 13, 2011, 11:51:36 AM by HAL »
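The pattern HAL describes above, one source trying many member accounts and tripping the per-account failure limit that logs the real member out, can be spotted from the forum's login log. The following is an added example written for this thread, not SMF code; the log format, the addresses and the thresholds are constructed for illustration.

```python
"""Detect one source failing logins against many member accounts, and list
the accounts whose failure count reached the (assumed) lockout limit, i.e.
the members who get logged out without having typed anything wrong.
Added example, not SMF code; log format, addresses and thresholds are
constructed."""
from collections import defaultdict
from datetime import datetime

# Constructed sample: one bot address cycling through member names, plus a
# legitimate member who mistypes once. Fields: time ip member result
SAMPLE_LOG = """\
2011-02-13T08:55:01 203.0.113.9 HAL fail
2011-02-13T08:55:02 203.0.113.9 HAL fail
2011-02-13T08:55:02 203.0.113.9 HAL fail
2011-02-13T08:55:03 203.0.113.9 HAL fail
2011-02-13T08:55:03 203.0.113.9 HAL fail
2011-02-13T08:55:05 203.0.113.9 LadyLucy fail
2011-02-13T08:55:06 203.0.113.9 pingnak fail
2011-02-13T08:55:06 203.0.113.9 pingnak fail
2011-02-13T08:55:07 203.0.113.9 Nick fail
2011-02-13T08:57:10 192.0.2.44 ZenZen fail
2011-02-13T08:57:30 192.0.2.44 ZenZen ok
"""

LOCKOUT_FAILURES = 5  # assumed per-account limit after which the member is logged out
WINDOW_SECONDS = 300
MIN_ACCOUNTS = 3      # distinct accounts one address must hit inside the window
MIN_FAILURES = 8

def parse_log(text):
    """Turn the constructed log into (timestamp, ip, member, result) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, member, result = line.split()
            events.append((datetime.fromisoformat(ts), ip, member, result))
    return events

def find_guessing_sources(events, window=WINDOW_SECONDS,
                          min_accounts=MIN_ACCOUNTS, min_failures=MIN_FAILURES):
    """Return {ip: sorted accounts tried} for addresses whose failures inside
    some span of `window` seconds reach both thresholds."""
    fails_by_ip = defaultdict(list)
    for ts, ip, member, result in events:
        if result == "fail":
            fails_by_ip[ip].append((ts, member))
    flagged = {}
    for ip, fails in fails_by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):  # sliding window over sorted failures
            while (fails[end][0] - fails[start][0]).total_seconds() > window:
                start += 1
            span = fails[start:end + 1]
            if len(span) >= min_failures and len({m for _, m in span}) >= min_accounts:
                flagged[ip] = sorted({m for _, m in fails})
                break
    return flagged

def accounts_at_lockout(events, threshold=LOCKOUT_FAILURES):
    """Members whose failure count reached the limit: the ones who find
    themselves logged out even though the failures were not theirs."""
    counts = defaultdict(int)
    for _, _, member, result in events:
        if result == "fail":
            counts[member] += 1
    return sorted(m for m, n in counts.items() if n >= threshold)
```

Running `find_guessing_sources(parse_log(SAMPLE_LOG))` flags the bot address with the four accounts it tried, while the member who mistyped once is left alone; `accounts_at_lockout` names HAL as the one whose session the bot's failures would end.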

Offline Ambassador Pony

Re: Spam Attack and User Advice
« Reply #1 on: February 13, 2011, 09:41:46 AM »
The Great Leader shall provide.

You believe evolution and there is no evidence for that. Where is the fossil record of a half man half ape. I've only ever heard about it in reading.

Offline One Above All

Re: Spam Attack and User Advice
« Reply #2 on: February 13, 2011, 10:08:09 AM »
Quote
The Great Leader shall provide.

Thanks, AP, but this is very powerful magic indeed. Even I am affected[1]
EDIT: Would it be possible to "simply" set everyone to be logged in forever until this dies out, then prevent anyone else from logging in?
 1. Secret BM
The truth is absolute. Life forms are specks of specks (...) of specks of dust in the universe.
Why settle for normal, when you can be so much more? Why settle for something, when you can have everything?
We choose our own gods.

A.K.A.: Blaziken_rjcf/Lucifer/All In One.

Offline ParkingPlaces

Re: Spam Attack and User Advice
« Reply #3 on: February 13, 2011, 11:46:08 AM »
I was wondering what was happening and now I know. Appreciate the update. And I assume prayer won't help.  :)

Thanks for letting us know.
Not everyone is entitled to their own opinion. They're all entitled to mine though.

Offline LadyLucy

Re: Spam Attack and User Advice
« Reply #4 on: February 13, 2011, 03:06:16 PM »
Thanks, HAL ol' pal.

Changed it.


Offline pingnak

Re: Spam Attack and User Advice
« Reply #5 on: February 13, 2011, 03:36:10 PM »
I always worry about changing my password 'right away' during these attacks, mainly because a compromise that got the forum or its hosting web server to serve up a 'change password' page could capture both new and old password. 

When they were attacking Sourceforge.net, I had the same reaction.  If you have a more secure kind of password that a dictionary attack won't get, and have no indication that your account has been accessed, changing the password is just putting your password out on the internet, up for grabs.

One GOOD addition for the forum software would be something letting you know when you last logged in.  So sharp-eyed people whose accounts were accessed when they weren't around to notice can see right away if it's been logged into.

Another problem is, when a 'You must change your password' prompt comes up, I need more than one source of this news to give it a password.  This is JUST the sort of popup that I would generate, if I wanted passwords. 

I thought this one up years before the comic was published, too.
http://xkcd.com/792/

And be sure to take a moment to thank all the Windoze Luzers out there for being bot hosts, making this sort of distributed attack possible.  Nope, their antivirus-antimalware, etc. crap doesn't do shit for this except make their Windoze computers even slower than they were.


Offline changeling

Re: Spam Attack and User Advice
« Reply #6 on: February 14, 2011, 08:11:35 AM »
+1 for the good suggestion pingnak.
I wish I wasn't such a computer illiterate forced to be a windowz luzer.
The level of dumb they have to sell, is only made remotely possible by the level of flocking their sheep are willing to do in the name of rewards for no thought. quote: Kin Hell

"Faith is the enemy of evidence, for when we know the truth, no faith is required." Graybeard

Offline Nick

Re: Spam Attack and User Advice
« Reply #7 on: February 14, 2011, 09:06:06 AM »
One day they will have to stand before the Lord and answer for this crime.
Yo, put that in your pipe and smoke it.  Quit ragging on my Lord.

Tide goes in, tide goes out !!!

Offline ZenZen

Re: Spam Attack and User Advice
« Reply #8 on: February 14, 2011, 10:34:26 AM »
How about a feature(?) that asks you to tell which computer you logged in from. I have that on Facebook. I can tell if someone logged in from another computer.

For example: My own home computer is no worry. But when I then log in at school, it asks me for a name of the pc. Then I get an email telling me that "pcname" logged in on that specific time. If it was me, then I can ignore the email. If not, I should change my password.

I think it works quite well.  ;D
It is better to be hated for what you are than to be loved for what you are not.

Those who can make you believe absurdities can make you commit atrocities. - Voltaire
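Both of the forum-side suggestions in this thread, pingnak's "show me when I last logged in" and ZenZen's "ask for a name for an unknown computer and e-mail me about it", come down to the same bookkeeping on the server after the password check passes. This is an added example written for this thread, not SMF code; the device cookie, the in-memory store and the outbox list standing in for e-mail are assumptions.

```python
"""Per-member login bookkeeping: remember each device the member has named,
show the previous login on every new session, and queue an alert when a
device the member has never named logs in. Added example, not SMF code;
the device cookie, the dict store and the outbox are constructed stand-ins."""
from datetime import datetime

class LoginTracker:
    def __init__(self):
        self.devices = {}     # member -> {device_cookie: device_name}
        self.last_login = {}  # member -> (when, device_name, ip)
        self.outbox = []      # messages that would go out by e-mail

    def record_login(self, member, device_cookie, ip, when, name_if_new=None):
        """Call once the password has been verified. Returns what to show the
        member on the new session; queues an e-mail when the device is new."""
        known = self.devices.setdefault(member, {})
        is_new = device_cookie not in known
        if is_new:
            if name_if_new is None:
                # Unknown device: the site must ask the member to name it first.
                return {"needs_device_name": True}
            known[device_cookie] = name_if_new
            self.outbox.append({
                "to": member,
                "subject": "New login to your forum account",
                "body": (f"{name_if_new} logged in from {ip} at "
                         f"{when.isoformat()}. If this was not you, "
                         "change your password."),
            })
        previous = self.last_login.get(member)  # pingnak's last-login display
        self.last_login[member] = (when, known[device_cookie], ip)
        return {"needs_device_name": False, "new_device": is_new,
                "previous_login": previous}

def zenzen_scenario():
    """Home pc, home pc again, then an unknown school pc that gets named.
    Returns the tracker and the individual results for inspection."""
    t = LoginTracker()
    t.record_login("ZenZen", "cookie-home", "192.0.2.10",
                   datetime(2011, 2, 14, 8, 0), name_if_new="home pc")
    # Second home login: nothing new, but the previous login is shown.
    home_again = t.record_login("ZenZen", "cookie-home", "192.0.2.10",
                                datetime(2011, 2, 14, 9, 0))
    # Unknown device: first call asks for a name, second call registers it.
    school_first = t.record_login("ZenZen", "cookie-school", "198.51.100.7",
                                  datetime(2011, 2, 14, 10, 34))
    school_named = t.record_login("ZenZen", "cookie-school", "198.51.100.7",
                                  datetime(2011, 2, 14, 10, 34),
                                  name_if_new="school pc")
    return {"tracker": t, "home_again": home_again,
            "school_first": school_first, "school_named": school_named}
```

The scenario produces two outbox messages, one when the home pc was first named and one for the school pc, exactly the mail ZenZen describes ignoring when it was her and acting on when it was not.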

Offline pingnak

Re: Spam Attack and User Advice
« Reply #9 on: February 14, 2011, 12:47:30 PM »
Quote
+1 for the good suggestion pingnak.
I wish I wasn't such a computer illiterate forced to be a windowz luzer.

Download and burn a Linux ISO to CD.  See if you like it.  Ubuntu is nice.  It's free, too.
http://www.ubuntu.com/

You can even install it without repartitioning the drive.  Boot into windows and insert the disk, and the Wubi install will pop up to put the Linux partition into a file that can be un-installed in the normal windoze manner.

Even if you 'don't like it', keep the CD around.  If someday your computer's hard drive gets borked, you can still boot off the CD, all the way to a live browser to order a replacement drive.

Offline HAL

Re: Spam Attack and User Advice
« Reply #10 on: February 15, 2011, 09:42:48 AM »
The bots are still trying member accounts, guessing passwords. If you haven't created a secure password, do it today!

Offline Jim

Re: Spam Attack and User Advice
« Reply #11 on: February 15, 2011, 01:14:00 PM »
Quote
I always worry about changing my password 'right away' during these attacks, mainly because a compromise that got the forum or its hosting web server to serve up a 'change password' page could capture both new and old password. 

When they were attacking Sourceforge.net, I had the same reaction.  If you have a more secure kind of password that a dictionary attack won't get, and have no indication that your account has been accessed, changing the password is just putting your password out on the internet, up for grabs....

Pingnak, your password advice can be misunderstood so easily, and there are better ways of going about it.

First, if you think that a system might be compromised, and the login page might be insecure, first check the source code of the page, and the page address.  Was the web page redirected -- are you seeing the right page address in the URL?  In the source, any strange redirects on it?  Is it mailto'ing a funny address in china or russia when you hit submit?  Search for the "@" symbol to see what emails are contained in the source code on the pages. 

If you still doubt it at all, or you don't know what to check, email the admin of the system through the standard webmaster or admin email address for that site asking about it.  Until you get a reply or feel the danger is passed, don't use the site. 

Also, if you used that same password on other sites or systems -- change the password on those other sites, PRONTO.

Second, when it is time to make a new password... make a new password.  NEW.  Never seen before.  If you think it could become compromised in a future wave of phishing/spam/DB cracking, then make it a unique password that you don't share with similar systems (which is a good practice no matter what.)  Also, retire the old password from all uses.  Never use it again.  Get it off of all systems.

When you make them, make them strong passwords.  Like Madbunny suggested, make it a complicated acronym.  I suggest taking a lyric from a song, using the first letter of every word, adding numbers or punctuation.  Example from an old '70s tune: S!ITNOL  (Stop! in the name of love); if you can't use punctuation, use numbers, S1ITN0L.  Now that this particular example password is shown, don't use it, it is compromised. 

If you need to, keep a piece of paper (well hidden) in your house with a hint of passwords (NOT the passwords themselves).  Or keep the same thing on your phone or pda, or whatever.  Secure your phone or PDA, while you're at it with a unique and secure password.  It is far better to have to use a hint-cheat-sheet for rarely used passwords, than to have weak or similar passwords all left on systems.

But, generally, right now...
- It is time to make a new password.
- It is time to turn off the "allow members to email me" function in the user account settings.
- It is time to remove IM, YIL, ICQ or MSN email or contact information from the forum profile settings.  The spammers and bots are reading that stuff.  For the moment, only rely on in-system PM's for member to member communications.  There are many members of this forum who are allowing their information to be seen too easily.  You are handing out your contact info and email address to spammers and strangers.
- When you are done with a session -- LOG OUT by clicking the Log Out button.
Survey results coming soon!
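HAL's rule (mixed case and digits, nothing to do with the member name, never "membername+numbers") and Jim's lyric-acronym recipe above, with his point that a published example is burned, can both be checked mechanically at password-change time. This is an added example for this thread, not SMF code or the posters' own tooling; the minimum length and the denylist of published examples are assumptions, and the digit substitutions are only the two Jim shows.

```python
"""Build a password with Jim's lyric-acronym recipe and check a candidate
against HAL's rules. Added example, not SMF code; MIN_LENGTH and the
published-example denylist are assumptions."""
import re

# Jim's own example is printed in the thread, so it is burned: reject it.
PUBLISHED_EXAMPLES = {"S!ITNOL", "S1ITN0L"}
MIN_LENGTH = 8  # assumed; the thread gives no fixed number
PUNCT_TO_DIGIT = str.maketrans({"!": "1", "O": "0"})  # the two swaps Jim used

def lyric_acronym(lyric, allow_punctuation=True):
    """First letter of every word, uppercased, keeping punctuation attached
    to a word; with allow_punctuation=False swap in digits as Jim did."""
    parts = []
    for word in lyric.split():
        letters = [c for c in word if c.isalpha()]
        if not letters:
            continue
        parts.append(letters[0].upper())
        if word[-1] in "!?.,;:":
            parts.append(word[-1])
    acronym = "".join(parts)
    if not allow_punctuation:
        acronym = acronym.translate(PUNCT_TO_DIGIT)
        acronym = "".join(c for c in acronym if c.isalnum())
    return acronym

def check_password(password, member_name, min_length=MIN_LENGTH):
    """Return the list of problems; an empty list means the password passes."""
    problems = []
    if password in PUBLISHED_EXAMPLES:
        problems.append("published example: treat as compromised")
    lowered, member = password.lower(), member_name.lower()
    if re.fullmatch(re.escape(member) + r"\d*", lowered):
        problems.append("member name plus numbers")  # HAL's weak form
    elif member in lowered:
        problems.append("contains member name")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    return problems
```

Note that Jim's all-capitals acronym fails HAL's mixed-case rule on its own; keeping the lyric's original capitalisation, or folding a lowercase word in, satisfies both posters at once.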

Offline HAL

Re: Spam Attack and User Advice
« Reply #12 on: February 15, 2011, 01:29:02 PM »
This attack is not a joke and it's serious business. If the bot guesses your password, they will get your email address, then it's off to paypal or wherever to try to log in with your email address and password they got from here. This is affecting many SMF forums.

MAKE YOUR PASSWORD VERY SECURE TODAY - NOT TOMORROW!

Offline One Above All

Re: Spam Attack and User Advice
« Reply #13 on: February 15, 2011, 02:36:28 PM »
Quote
This attack is not a joke and it's serious business. If the bot guesses your password, they will get your email address, then it's off to paypal or wherever to try to log in with your email address and password they got from here. This is affecting many SMF forums.

MAKE YOUR PASSWORD VERY SECURE TODAY - NOT TOMORROW!

I changed my password to something even more secure with over 10 characters, lowercase, uppercase and numbers. I dunno if passwords allow symbols so I didn't try.

Offline LadyLucy

Re: Spam Attack and User Advice
« Reply #14 on: February 15, 2011, 02:48:54 PM »
I'm confident that I am safe now.  ;)


Offline Larissa238

Re: Spam Attack and User Advice
« Reply #15 on: February 20, 2011, 04:32:45 PM »
Just a message to HAL and the mods:

I changed my password when I was in Miami. I am now posting from a different IP since I am with my mother in Jacksonville, FL. Don't think someone hacked my account!
On why Christians and non-Christians have the same rate of divorce:

He would rather it that they worship Him, instead of spending their time on family.

Offline Emily

Re: Spam Attack and User Advice
« Reply #16 on: February 20, 2011, 04:45:51 PM »
Quote
This attack is not a joke and it's serious business. If the bot guesses your password, they will get your email address, then it's off to paypal or wherever to try to log in with your email address and password they got from here. This is affecting many SMF forums.

MAKE YOUR PASSWORD VERY SECURE TODAY - NOT TOMORROW!

One thing that one can also do is just create a real e-mail account that you just never access. The e-mail account I have with this forum I haven't used in about 5 years.

I never trust using my main e-mail address anywhere on the internet.
"Great moments are born from great opportunities." Herb Brooks

I edit a lot of my posts, the reason being to add content or to correct grammar/wording. All edits to remove wording get a strikethrough through the wording.

Offline pingnak

Re: Spam Attack and User Advice
« Reply #17 on: February 20, 2011, 06:07:56 PM »
The main thing is not to use the same password over & over again... at least not on sites where it matters.

Yeah, if they try that password, they might be able to post spam on another forum or two in my name.  Ooh, scary! 

If someone penetrates my account password here somehow, and my account goes bye-bye, it's not as if I couldn't just create a new account and introduce myself as 'Hey!  It's me!'.

So I'm still pretty unimpressed by the big, scary security threat.


Offline pianodwarf

Re: Spam Attack and User Advice
« Reply #18 on: February 20, 2011, 06:19:43 PM »
Quote
The main thing is not to use the same password over & over again... at least not on sites where it matters.

I highly recommend a good password manager.  I use 1Password under OS X at home.  1Password features a strong password generator and AES-encrypted storage of your existing passwords, as well as a slew of other features that, once you start using them, make you wonder how you ever lived without them.  1Password also has a companion app for iOS if you use an iPhone, iPad, or iPod Touch.

I haven't looked into similar apps for Windows or Linux, but I'm sure there are excellent solutions there as well.
[On how kangaroos could have gotten back to Australia after the flood]:  Don't kangaroos skip along the surface of the water? --Kenn

Offline pingnak

Re: Spam Attack and User Advice
« Reply #19 on: February 20, 2011, 07:44:23 PM »
My 'app' is a text file on a flash drive.  Web site, credential, etc.  If I can't remember the password, there it is.  And it's not anywhere on the computer when the drive isn't mounted.

Things that 'remember' passwords for you have several issues:

1. If it 'forgets' (i.e. computer crash, no backup), all of your credentials get lost with it.

2. Standard means of storing passwords breed standard means of stealing them.  If you let 'anything' remember those passwords, if a crack for that is developed, all of your passwords are compromised.

It's probably a 'good' development that some social web sites now provide a means to log in with different aggregators' credentials, insofar as people used the same username/password all over the place, anyway, and at least they don't end up compromising it by it being stored and crackable in a lot of different places.  On the down side, your privacy is that much more compromised, as the aggregator gets to know 'where else you go', too.

Offline pianodwarf

Re: Spam Attack and User Advice
« Reply #20 on: February 20, 2011, 08:04:48 PM »
Quote
My 'app' is a text file on a flash drive.  Web site, credential, etc.  If I can't remember the password, there it is.  And it's not anywhere on the computer when the drive isn't mounted.

Be sure not to lose it, then.  Or have it on you when you're planning to get mugged.

Quote
Things that 'remember' passwords for you have several issues:

Using a password manager, obviously, is only one element of many that one needs to implement for data security.  Just as you wouldn't have a wood shop with nothing but a hammer, you also wouldn't rely on just a password manager for data security.

Quote
1. If it 'forgets' (i.e. computer crash, no backup), all of your credentials get lost with it.

If you don't back up your data regularly, I have no sympathy for whatever data loss you might incur.  For my own part, I'm the only person I know who has been performing backups religiously since about 1993.  I'm also the only person I know who has never suffered a major data loss.  I don't think that's a coincidence...

Quote
2. Standard means of storing passwords breed standard means of stealing them.  If you let 'anything' remember those passwords, if a crack for that is developed, all of your passwords are compromised.

Which is why you research any potential password manager, identify any weaknesses that it may have, and ensure that your security measures account for those weaknesses.

With my own solution -- 1Password -- for example, the passwords are stored in an AES-encrypted database.  AES has never been broken, but that doesn't mean that everything is fine and dandy.  You also have to consider other contingencies -- such as if someone else manages to access your computer when you're not in front of it.

Quote
It's probably a 'good' development that some social web sites now provide a means to log in with different aggregators' credentials, insofar as people used the same username/password all over the place, anyway, and at least they don't end up compromising it by it being stored and crackable in a lot of different places.  On the down side, your privacy is that much more compromised, as the aggregator gets to know 'where else you go', too.

This isn't a password issue, per se.  As I said above, a password manager is only one element of computing security, just like a fire extinguisher is only one element of home security.  The fire extinguisher will be great for fires, and may have some marginal use in the event of a home invasion (inasmuch as you could use it to conk someone on the head).  But there are so many other things you have to think of, such as browser cookies, your ISP's traffic logs, WiFi sniffers...

Offline Emily

Re: Spam Attack and User Advice
« Reply #21 on: February 20, 2011, 08:13:15 PM »
Quote
I haven't looked into similar apps for Windows or Linux, but I'm sure there are excellent solutions there as well.

There is one for Linux called KeePassX which is pretty good.

It's also ported to Windows

http://www.keepassx.org/
« Last Edit: February 20, 2011, 08:20:44 PM by Emily »

Offline pingnak

Re: Spam Attack and User Advice
« Reply #22 on: February 20, 2011, 08:32:47 PM »
The 'other' issue is those 'backed up' passwords.  You may have something as nice as 'Time Machine', or that windoze backup they added with 7.  However many times you automatically back that data up indicates how accessible that data may be. 

If you need to 'restore' those passwords, and it IS secure enough not to be opened by 'another computer', then there is every possibility that some day, after a hardware change, or being forced to re-install the OS from scratch, your system credentials won't match, and those passwords will become inaccessible.  You NEED TO back them up separately, especially if they're not the kind of passwords you could remember.  Something that 'generates' them will be secure against cracking... but it'll be just as secure against you.

And as a matter of fact, no, the flash memory I stick those credentials (and tax records, and other such junk) on doesn't generally travel with me.  I know my passwords, and type them myself.  I have a little fire-proof box that holds knick-knacks like that flash drive, unused credit cards, passports, checkbooks, etc.  If I don't need it, I don't carry it around with me.

None of my computers know any passwords besides the one to log in with, and a couple of key rings for networks.  So if they get stolen, the thief gets nothing of value besides the computer itself.  And I can change my network password in minutes.



Offline pianodwarf

Re: Spam Attack and User Advice
« Reply #23 on: February 21, 2011, 06:59:37 AM »
Quote
The 'other' issue is those 'backed up' passwords.  {miscellaneous other potential difficulties also cited}

Yes, yes, you're not telling me anything I don't already know -- I work in information technology and have a CompTIA Security+ certification, so I'm more aware than most of the fact that a proper security solution has to take a variety of factors into account.  (I'm also aware that perfect security is not possible.)  The risk of losing your password database -- or any of your other data, for that matter -- can be kept to a minimum if you recognize other threats and implement solutions and procedures  to address them.  The advantages of a password manager far outweigh the risks -- so long as you're aware of what the risks are and recognize that it's only one element of an overall security approach.  You wouldn't rely solely on your car's airbag for safety, either.  You wear your seatbelt, keep your eyes on the road, watch out for kids running into the street, and so on.

Offline pingnak

Re: Spam Attack and User Advice
« Reply #24 on: February 21, 2011, 04:21:56 PM »
Well, yeah.  Those kids are awfully hard to hit if you don't track them the whole time.