
Security Issues

Archive: 34 posts


As many of you are aware, an anonymous party recently took advantage of a security hole in order to gain control of the site and prove a point. Now that we've sealed those leaks and reclaimed control, I'd like to be here to clarify a few questions and concerns you very likely have.

What was the extent of the damage?
At this point, we have no evidence to suggest that this was anything other than a skilled hacker making a point. He did not at any point ask us for money or information, and he quite willingly described both his methods and why they worked. I have since verified them with Aya042 (our resident server guy and code monkey) and sealed up the security holes, along with taking care of any other potential security concerns as well (for example, we have changed all of our server passwords, just to be safe). We have looked (and continue to look) and there is no evidence that any data, raw or encrypted, was downloaded, transferred, or otherwise accessed.

What about my passwords and other personally identifying information?
vBulletin 4 salts and md5 hashes all of its passwords. Even if the hacker downloaded the database containing the protected information (we have no reason to believe so), it would be next to impossible for him to retrieve and view one password - let alone all of them.

Even considering all of that, there is no evidence that the hacking was fueled by malicious intent. The hacker was happy to help point out the flaws in our system, and we have double-checked for any back doors or other potential loose ends (of which we have found none).

THAT SAID, because there is a (very) slight chance that your old password could be unsafe, we must recommend that you change your password here AND ON ANY OTHER SITES THAT SHARE IT. We doubt that your information was viewed or taken, but we cannot ignore the possibility, however small.

I'm a Donor. Is my payment information in danger?
Donors are safe. Even if the hacker managed to acquire our Paypal password (which we, again, have no evidence of), it's simply impossible to view a Donor's payment information through Paypal due to their (quite fantastic) security measures. Even by us. So you're safe.

I appreciate your help and openness, but I just don't trust LBPCentral with my information anymore.
We understand. So, for those looking to remove information from our servers, we are offering two services that you can take advantage of:

For Donors: if you have a subscription, PM us (http://www.lbpcentral.com/forums/private.php?do=newpm&u=118) and we'll cancel it for you (even though all payment information is stored on Paypal's servers, not ours). If you're a one-time Donor, check your Paypal password and make sure it's not the same as your LBPCentral password. Aside from that, you'll be safe.

For everyone else: If you'd like us to remove your information from LBPCentral's servers and delete your account, send us a PM (http://www.lbpcentral.com/forums/private.php?do=newpm&u=118) and we'll take care of it. Keep in mind: if you ask us to delete your account, that is exactly what we will do. Your account, including posts and other information tied to it, will be gone for good. Nothing has changed, we are still offering this service - we just want you to be fully aware of what it is you're asking us to do.

----------

If you have any other questions, feel free to post them here or PM them to me and I'll do my best to answer as promptly as I can. Thank you all for your patience.
2012-01-16 01:33:00

Author:
ConfusedCartman
Posts: 3729


Geez...and I thought anonymous was the only group to worry about...

Good to see nothing "very, very VERY" bad happened.

2012-01-16 02:20:00

Author:
comishguy67
Posts: 849


Wow, nice hacker.
2012-01-16 02:33:00

Author:
JspOt
Posts: 3607


Tbh I haven't noticed at all D:

I'm glad everything's okay, but how was the site affected during the hacking...?
2012-01-16 04:24:00

Author:
Fang
Posts: 578


I would like to thank CC and Aya for such prompt attention to this.
Thank y'all for handling this quickly and with minimal disturbance to the site and its members.
Also for keeping us informed via twitter and this post.
I think sometimes people forget you guys have real lives too.
2012-01-16 04:30:00

Author:
Lady_Luck__777
Posts: 3458


Yes, for goodness sake, you are running this place voluntarily for us. You never had to make it in the first place! Thanks so much to all founders and admins for taking great care of the site and nurturing our creativity
2012-01-16 04:33:00

Author:
xtremesackboy
Posts: 479


Thanks, CC and crew.

Although I don't necessarily agree with the method the hacker used to make his point, it does seem like we're better off now than we were before.
2012-01-16 04:54:00

Author:
n00bsack
Posts: 59


If he was so willing to help, what did he want, anyways?
2012-01-16 04:54:00

Author:
Fishrock123
Posts: 1578


I'd like to say pretty much what Lady Luck said, I'd like to thank y'all as well.
You did it so quick considering you do have your own things going on in real life. Good job!!
2012-01-16 04:55:00

Author:
Unknown User


If he was so willing to help, what did he want, anyways?

This...what was his intent/purpose for doing all of this? It doesn't make any sense the way you describe him/her as openly helping you guys fix the very security he/she compromised.
2012-01-16 05:01:00

Author:
Shadowcrazy
Posts: 3365


This...what was his intent/purpose for doing all of this? It doesn't make any sense the way you describe him/her as openly helping you guys fix the very security he/she compromised.

This kind of activity is not unheard of in the cyber world. There are hackers out there that exploit security flaws for the sole purpose of pointing them out to the sys admin.
2012-01-16 05:04:00

Author:
n00bsack
Posts: 59


This kind of activity is not unheard of in the cyber world. There are hackers out there that exploit security flaws for the sole purpose of pointing them out to the sys admin.

yeah but it's usually for a job or for money...in this case from what we know the hacker has received none of those...so what was the purpose?
2012-01-16 05:19:00

Author:
Shadowcrazy
Posts: 3365


No wonder I couldn't get on the forums for days or do half the stuff I wanted to do. I thought someone had hacked the site, sad to see that and also hope they were dealt with accordingly, though it seems you guys have no idea who it was XD
2012-01-16 05:32:00

Author:
Tyranny68
Posts: 390


yeah but it's usually for a job or for money...in this case from what we know the hacker has received none of those...so what was the purpose?

Merely to make CC aware of the flaws in the site's security.
2012-01-16 05:57:00

Author:
n00bsack
Posts: 59


So like, can we do this again for april fools?
2012-01-16 06:05:00

Author:
majormel84
Posts: 398


Merely to make CC aware of the flaws in the site's security.

most likely it...but it felt like there was more to it than just that.
2012-01-16 06:11:00

Author:
Shadowcrazy
Posts: 3365


Wow, I never even noticed. A little off topic, but CC, you are a good writer (I told you it was off topic).
2012-01-16 06:21:00

Author:
dogcity999
Posts: 86


most likely it...but it felt like there was more to it than just that.

There isn't. A lot of hackers do this, mainly because they'll get bored and see if they can hack a site they feel is susceptible to hacking. Most of the time the person enjoys the site, so they hack it and then tell the admin of the flaws to both help the site and to somewhat "brag" about what they did.

It really doesn't do much harm, but then again nobody likes to be forced to listen to advice, especially in this manner.
2012-01-16 07:27:00

Author:
CyberSora
Posts: 5551


Could have been worse. At least he didn't destroy the whole network and reprogram everything to make our words go to bork
2012-01-16 08:00:00

Author:
WESFUN
Posts: 1336


most likely it...but it felt like there was more to it than just that.


Perhaps I can put this situation into a different, yet applicable scenario...

Let's say you live across the street from me and you notice that I have a latch on my door that I sometimes use instead of locking my door. You know, when I'm just out front walking the dog or something, I'll just use an old fashioned latch (like the ones used to close chicken pens) to close my door. Sure, it's kind of peculiar but hey, it's what I do in this scenario.

Before I get ahead of myself, let me tell you about the neighborhood we live in. The community itself is great. It's a wonderful neighborhood full of nice people but the outlying areas can be a bit dodgy at times. Hooligans have been known to wander into our parts and cause trouble.

Back to the story...

One evening, as you're coming home, you notice my front door is ajar, held in place by the latch but all the lights in my home are off. So, being the neighbor that you are, you come over and knock on my door. Then you call, and hear my answering machine pick up inside so you leave a message that the door was open and you're going to close it.

Thinking I've just stepped out with my dog (or whatever) and become sidetracked, you close my front door and think little of it.

The next morning you notice the latch on my front door but the house still looks empty so you call again and leave another message. Days pass and I don't return your call and my house is left open to any stray hooligan that cares to flip the latch and open the door, gaining access to my valuables.

So you lock the door with a special key and leave a note saying to contact you because I left my home virtually wide open.

Even though you could have easily walked into my home and snooped through all my stuff and even stolen anything you wanted (including the message machine with the only evidence that you knew the door was not locked), you wouldn't. Because you're not that type of person. Most people aren't that type of person.

If, as CC says (and there's no reason not to believe him), nothing was compromised, then it appears as though someone simply locked the door and left a note.

I don't know if that story is helpful or even applicable but that's how I look at a situation such as this.

edit: I left out a key (no pun intended) component to the story: You're a locksmith. That's why you have a special key to lock my door (but just because you have this and other tools at your disposal doesn't mean you have any intent to use them for criminal activity).
2012-01-16 09:54:00

Author:
n00bsack
Posts: 59


If I were a locksmith I'd use the key to go looking in more interesting places, like that girl's dorm down the road.
2012-01-16 11:10:00

Author:
Mr_Fusion
Posts: 1799


I have a question. From the text left behind in the cracker's wake (yeah, that wasn't hacking, it was cracking. Get your terminology right people) it appears that it was because CC ignored this person before? What was that all about? Was it simply that it was when CC was busy and the person was impatient or what?
2012-01-16 13:52:00

Author:
Super_Dork_42
Posts: 1874


yeah but it's usually for a job or for money...in this case from what we know the hacker has received none of those...so what was the purpose?

Yes, everyone has an ulterior motive.


I have a question. From the text left behind in the cracker's wake (yeah, that wasn't hacking, it was cracking. Get your terminology right people) it appears that it was because CC ignored this person before? What was that all about? Was it simply that it was when CC was busy and the person was impatient or what?

We're so sorry, great lord of hacking. Or cracking, I don't even know anymore.
2012-01-16 14:19:00

Author:
Unknown User


Thanks so much to the mods, especially Aya, for keeping everyone safe and sound during this period! We love you guys <3

Epicness on a stick with extra awesome for you all! (Been a while since I said that on here.. )
2012-01-16 14:36:00

Author:
Plasmavore
Posts: 1913


He may have changed my comment. Yesterday it was "10 Wittle Gween Bars" Then today it was "Flabadab" Hrrrrrrrrmmmm?
2012-01-16 16:19:00

Author:
craigmond
Posts: 2426


I wondered why it was down. I guess that solves the mystery. ^_~
2012-01-16 17:15:00

Author:
PygmyOwl
Posts: 1316


phew again luck had
2012-01-16 17:17:00

Author:
SenneChuChi
Posts: 31


He may have changed my comment. Yesterday it was "10 Wittle Gween Bars" Then today it was "Flabadab" Hrrrrrrrrmmmm?

Someone changed mine too. I swear to god it wasn't Mr. UltimateClay before.
So I guess passwords were leaked.
2012-01-16 21:15:00

Author:
Testudini
Posts: 3262


If he was so willing to help, what did he want, anyways?

Based on his actions, I'd say mostly he just wanted some attention.

His secondary goal genuinely seemed to be to point out a security hole in the forum software, but the way he did it was highly invasive, almost certainly illegal, and had the side-effect of erasing the main forum index page which no doubt irritated anyone who was trying to use the forums at the time.

Not to mention he wasted about 10 hours of my time. :/



...that wasn't hacking, it was cracking...

Either term is valid, although some bigots argue otherwise (http://en.wikipedia.org/wiki/Hacker_(term)#Hacker_definition_controversy).



Was it simply that it was when CC was busy and the person was impatient or what?

Pretty much.



He may have changed my comment. Yesterday it was "10 Wittle Gween Bars" Then today it was "Flabadab" Hrrrrrrrrmmmm?


Someone changed mine too. I swear to god it wasn't Mr. UltimateClay before.

The upgrade of the market system reintroduced a bug I'd patched out of the old version which sometimes reset user titles. I've patched it out again, so it shouldn't happen any more.



So I guess passwords were leaked.

FWIW, I'm fairly certain that he only accessed password hashes for administrative accounts, so if your username ain't green or blue, you're probably okay.

Still, it's probably a good idea to change your password anyway.
2012-01-17 12:53:00

Author:
Aya042
Posts: 2870


-snip-

only read a bit of it but that analogy is wrong.

there's a difference between "locking the door" and just breaking and entering and waiting for the owner to open the door with you inside so you can tell them you just committed an illegal act to show them that their door security sucks.

hacking is just that...you're breaking through security you're not just causally locking some door that you saw open and telling them about it.
2012-01-17 21:31:00

Author:
Shadowcrazy
Posts: 3365


FWIW, I'm fairly certain that he only accessed password hashes for administrative accounts, so if your username ain't green or blue, you're probably okay.

Someone changed mine too. I swear to god it wasn't Mr. UltimateClay before.
So I guess passwords were leaked.
No, they probably weren't actually. To "unhash" an MD5-hashed password isn't possible. You would have to guess it, which would take over a hundred years.
Instead, the cracker would have probably changed the hash - temporarily - to a password of his/her own. They then do irritating things as the administrator account. Then, they change it back when they're done.


Based on his actions, I'd say mostly he just wanted some attention.

His secondary goal genuinely seemed to be to point out a security hole in the forum software, but the way he did it was highly invasive, almost certainly illegal, and had the side-effect of erasing the main forum index page which no doubt irritated anyone who was trying to use the forums at the time.
Illegal? Maybe not where they're from. It all depends on your country.



Still, it's probably a good idea to change your password anyway.
Always.
2012-01-18 07:29:00

Author:
Unknown User
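As an added illustration of two points raised in this thread (the first post's statement that vBulletin 4 salts and MD5-hashes stored passwords, and the post above's observation that an intruder with write access to the database can swap a stored hash rather than recover the password), here is example code that is not from the thread and not vBulletin's own code. It assumes the vBulletin 3/4-style composition md5(md5(password) + salt) with a short per-user salt; the thread itself only says "salts and md5 hashes", so that exact layout is this example's assumption. The functions `vb_hash`, `set_password`, `verify_password`, `snapshot` and `changed_hashes` are the example's own names. It shows why two users with the same password get different stored hashes, how a login check works against the stored hash, and how an administrator can keep a baseline of the credential table and detect a hash that changed without going through the normal password-change path.

```python
import copy
import hashlib
import hmac
import secrets

SALT_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"


def new_salt(length: int = 30) -> str:
    """Random per-user salt (CSPRNG); length is an arbitrary choice here."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def vb_hash(password: str, salt: str) -> str:
    """Assumed vBulletin 3/4 layout: md5(md5(password) + salt), hex encoded."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def set_password(users: dict, name: str, password: str) -> None:
    """The legitimate password-change path: fresh salt, recomputed hash."""
    salt = new_salt()
    users[name] = {"salt": salt, "hash": vb_hash(password, salt)}


def verify_password(users: dict, name: str, password: str) -> bool:
    """Login check: recompute with the stored salt, compare in constant time."""
    rec = users.get(name)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], vb_hash(password, rec["salt"]))


def snapshot(users: dict) -> dict:
    """Baseline copy of the credential table, taken after a trusted change."""
    return copy.deepcopy(users)


def changed_hashes(baseline: dict, current: dict) -> list:
    """Accounts whose salt or hash differs from the baseline.

    A legitimate change goes through set_password and should be followed by a
    new snapshot; anything else showing up here is a direct edit of the table,
    which is exactly the case described in the thread.
    """
    return sorted(name for name, rec in current.items() if baseline.get(name) != rec)


def demo() -> dict:
    """Constructed scenario: two members share a password, then an admin
    record is edited directly (simulating the event the thread describes)."""
    users = {}
    set_password(users, "admin", "correct horse battery staple")  # constructed
    set_password(users, "member", "correct horse battery staple")  # constructed
    baseline = snapshot(users)

    # Same password, different salts, therefore different stored hashes.
    distinct = users["admin"]["hash"] != users["member"]["hash"]

    # Direct write to the table, bypassing set_password: hash swapped, salt kept.
    users["admin"]["hash"] = vb_hash("temporary-intruder-value", users["admin"]["salt"])  # constructed

    return {
        "distinct_hashes": distinct,
        "admin_login_with_real_password": verify_password(users, "admin", "correct horse battery staple"),
        "tampered": changed_hashes(baseline, users),
    }


if __name__ == "__main__":
    print(demo())
```

The salt defeats precomputed-table reuse across accounts, but it does not make MD5 slow: today a password store should use a deliberately expensive function such as bcrypt, scrypt or Argon2 so that guessing remains costly. The snapshot comparison is a coarse integrity check; in practice it would run against the real `user` table on a schedule and alert on any row that changed outside the application's own password-change code.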


Thanks for informing us exactly of what has happened. I have recently acquired a whole new appreciation for cyber warfare and security, after all the recent attacks on other major companies. It made me realize that because cyber security is designed by man, even the most elaborate security system can and would eventually be hacked. So, with that said, thank you for doing your best.

*can you imagine what would happen if someone hacked a major cell phone carrier.
2012-01-18 21:34:00

Author:
sascha_winter
Posts: 163


If, as CC says (and there's no reason not to believe him), nothing was compromised

How do we not know that this isn't an elaborate plot to destroy LBPC? CC might be being held at gunpoint and forced to write reassuring messages to the community so that we don't suspect anything. Food for thought...
2012-01-19 18:24:00

Author:
PGdafrog
Posts: 277


Never knew there were nice ? it's a nice little surprise, like finding 10 bucks in your pockets.
Anyway, I'm proud of the administrators and the great job they are doing.
2012-01-26 20:49:00

Author:
zouz_
Posts: 125


LBPCentral Archive Statistics
Posts: 1077139    Threads: 69970    Members: 9661    Archive-Date: 2019-01-19

Privacy
All personal data such as names, addresses, email etc. - and also all content such as private messages - has been removed from the archive.
This website is used without storing any personal data. No cookies, logs, third-party plugins etc. are used.