Unfortunately, due to a combination of circumstances that included one administrator's password being known, attackers were able to gain access to Cemetech's forum database. We have performed all necessary mitigation measures to reverse the effects of the attack, and we have taken multiple steps to make this type of attack impossible in the future. Unfortunately, because the forum database was compromised, the attackers have access to the hashed, salted passwords it stores, users' email addresses, and the contents of private messages (PMs). While salted hashes make it very difficult for attackers to compute the plaintext password, you may wish to change your password. We apologize for the inconvenience and will remain vigilant in preventing, detecting, and resolving future attacks. Remember, we will never send you emails asking you to click a link to change your password or to provide your credentials for any purpose; knowledge and skepticism are the best defenses against phishing.
Egad! I guess it's time I get around to changing my passwords after Heartbleed.
DrDnar wrote:
Egad! I guess it's time I get around to changing my passwords after Heartbleed.
Yeah, that's probably a good idea anyway. :)
How did they figure out the admin's password?
princetonlion.tibd wrote:
How did they figure out the admin's password?
That is not clear. It is a password he used to use for other websites, so it's possible that another website was compromised, they discovered he was an administrator here, and decided to poke around.
I was thinking along the lines of hacking
princetonlion.tibd wrote:
I was thinking along the lines of hacking
It doesn't appear that any brute-force or other attack was carried out against this administrator's account (or anyone else's account) judging by the activity pattern from the IPs in question.
It is Javascript after all.
Eightx84 wrote:
It is Javascript after all.


Which had -nothing- to do with -anything-. :|
KermMartian wrote:
princetonlion.tibd wrote:
How did they figure out the admin's password?
That is not clear. It is a password he used to use for other websites, so it's possible that another website was compromised, they discovered he was an administrator here, and decided to poke around.


However, it is clear that it was a targeted attack against Cemetech (and that account), rather than the usual automated vulnerability testing we see in logs. Google revealed that another forum had similar problems from the same IP a few days ago.
tifreak8x wrote:
Eightx84 wrote:
It is Javascript after all.


Which had -nothing- to do with -anything-. :|
To elaborate, the fact that some Cemetech site tools use Javascript has absolutely nothing to do with anything related to this incident, nor does its use weaken or strengthen the site's security in any way. Please restrain yourself to constructive posts.
Does this have anything to do with the loss of almost 16 hours of posts? Thanks for the information!
MateoConLechuga wrote:
Does this have anything to do with the loss of almost 16 hours of posts? Thanks for the information!
Yes, it has everything to do with it. The state of the server was rolled back an unspecified amount (I don't think 16 hours is exactly right) in order to reduce the impact of the attack on any files or database contents that may have been compromised in the attack.
Why would someone target Cemetech? Unless they loved to hack so much.
KermMartian wrote:
MateoConLechuga wrote:
Does this have anything to do with the loss of almost 16 hours of posts? Thanks for the information!
Yes, it has everything to do with it. The state of the server was rolled back an unspecified amount (I don't think 16 hours is exactly right) in order to reduce the impact of the attack on any files or database contents that may have been compromised in the attack.


That sounds good. How did you find out about this attack? I just got my information from here:
http://www.cemetech.net/forum/viewtopic.php?t=882&postdays=0&postorder=asc&start=180
For the security-conscious/paranoid, a reminder that we do have SSL on cemetech, but it's not strictly enforced (since our CA is StartCom, which some vendors don't trust by default).

If you're using HTTPS Everywhere, I whipped up a ruleset for cemetech:
Code:
<ruleset name="Cemetech">
    <target host="www.cemetech.net" />

    <rule from="^http://www\.cemetech\.net/"
            to="https://www.cemetech.net/" />
</ruleset>
You can enable it in your own browser by installing it in the User Rules directory as cemetech.xml; I don't think it's worth submitting to the official ruleset though (but maybe y'all disagree?).
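Added example (not part of the original post, and not the extension's own code): a simplified model of how a ruleset like the one above is evaluated, to check which URLs it upgrades and which it leaves on plain HTTP. The function names and test URLs are constructed for illustration; the matching logic assumes exact or left-wildcard targets and first-matching-rule semantics.

```javascript
// Ruleset text copied from the post above.
const RULESET_XML = String.raw`
<ruleset name="Cemetech">
    <target host="www.cemetech.net" />

    <rule from="^http://www\.cemetech\.net/"
            to="https://www.cemetech.net/" />
</ruleset>`;

// Pull <target> hosts and <rule> from/to pairs out of the ruleset XML.
function parseRuleset(xml) {
  const targets = [...xml.matchAll(/<target\s+host="([^"]+)"/g)].map(m => m[1]);
  const rules = [...xml.matchAll(/<rule\s+from="([^"]+)"\s+to="([^"]+)"/g)]
    .map(m => ({ from: new RegExp(m[1]), to: m[2] }));
  return { targets, rules };
}

// Simplified target matching: exact host, or "*.example.org" style wildcard.
function hostMatches(target, host) {
  if (target.startsWith("*.")) return host.endsWith(target.slice(1));
  return target === host;
}

// Returns the rewritten URL, or null if the ruleset leaves the URL untouched.
function rewrite(ruleset, url) {
  const parsed = new URL(url);          // normalises case and adds a trailing "/"
  if (!ruleset.targets.some(t => hostMatches(t, parsed.hostname))) return null;
  for (const rule of ruleset.rules) {   // first matching rule wins
    if (rule.from.test(parsed.href)) return parsed.href.replace(rule.from, rule.to);
  }
  return null;
}

// Report coverage for a list of URLs (constructed samples below).
function coverage(ruleset, urls) {
  return urls.map(url => ({ url, upgraded: rewrite(ruleset, url) }));
}

const SAMPLE_URLS = [
  "http://www.cemetech.net/forum/viewtopic.php?t=882", // upgraded
  "http://www.cemetech.net",                           // upgraded
  "http://cemetech.net/forum/",                        // bare host: not a target
  "https://www.cemetech.net/forum/",                   // already HTTPS: no rule matches
];

for (const row of coverage(parseRuleset(RULESET_XML), SAMPLE_URLS)) {
  console.log(row.url, "->", row.upgraded ?? "(unchanged)");
}
```

Requests to the bare `cemetech.net` host are outside this ruleset's single target, so they stay on HTTP unless a second target and rule are added.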
Has the hacked user's account been suspended? This plus an email to the account owner could help defuse hard feelings.
ordelore wrote:
Has the hacked user's account been suspended? This plus an email to the account owner could help defuse hard feelings.


Did you even read the top post in this topic? It's very hard to misinterpret what was said, there..
KermMartian wrote:
Remember, we will never send you emails asking you to click a link to change your password or to provide your credentials for any purpose; knowledge and skepticism are the best defenses against phishing.


I find that hard to believe, given that you send out this email for "forgot my password":

Quote:
Hello chronomex:

You are receiving this email because you have (or someone pretending to be you has) requested that your Cemetech account password be reset. If you did not request this email then please ignore it; if you keep receiving it please contact the board administrator.

To create a new password you need to activate the new password request. To do this click the link provided below.

http://www.cemetech.net/forum/profile.php?mode=newpass&u=...&act_key=...

If successful you will be able to create a new password.

You can of course change this password yourself via the profile page, if you remember your existing password. If you have any difficulties please contact the board administrator.

--
Sincerely,
Christopher "Kerm Martian"
President and Founder, Cemetech
chronomex wrote:
KermMartian wrote:
Remember, we will never send you emails asking you to click a link to change your password or to provide your credentials for any purpose; knowledge and skepticism are the best defenses against phishing.


I find that hard to believe, given that you send out this email for "forgot my password":


I'm pretty sure you're being clever but just to be sure, Kerm means we will never send unsolicited e-mails asking you to reset your passwords. The only e-mails you receive about your password are when you click "Forgot Password."

If you do get an unsolicited e-mail for your password, let us know and ignore the e-mail so we can follow up.