Poster | Thread |
BigD
| |
Amigaworld.net Hacked continued... Posted on 21-Mar-2019 0:03:19
| | [ #1 ] |
|
|
|
Elite Member |
Joined: 11-Aug-2005 Posts: 7323
From: UK | | |
|
| Dear all,
As you all know, Amigaworld.net was hacked on or around the 1st October 2018. This was the second successful attack in recent memory and we are assured that some modern password 'PHP hashing' technology is in place to deter similar encryption hacks in the future if the hackers get hold of the database again.
I have started this because the old 'Amigaworld.net hacked!' thread has been locked without comment from the moderators. Which I think is unreasonable. This site may or may not now be secure but we should be able to at least speak about it and debate whether it's time for a complete rebuild as per Amiga.org.
I have been threatened by the AmigaWorld hacker from the October 2018 breach for the second time via email (he doesn't have the password but if I'd used my old AmigaWorld one he would have) and just like before, since I didn't respond, he's 'leaked' my email address to more spam advertisers. I had more Spam in my Inbox today than proper email and I send every unwanted email to the Spam folder but some new ones still get through despite the spam filter adapting as I send new emails to the Spam folder manually. It really is unacceptable that this website has fallen so far behind in security measures having been documented as being hacked in both 2012 and 2018.
Sibbi Quote from 7th November 2018:
Quote:
I've modified the login code to make it update your password using the password_hash method of PHP, which is a far better way of hashing the password, making it much more difficult to decrypt, even if someone were to gain control of the user database. |
Has that really been enough to stop this happening again? Is the core database safe from being copied and then cracked at leisure by the hacker? Surely the hash method of PHP could have been implemented after the first attack in 2012?
Finally, why the silence? This issue has not gone away and this is a paid-for webmail service that the AmigaWorld breach is well on the way to making inoperable! To say I'm disappointed is an understatement. The big companies such as Sony and Microsoft would be litigated beyond the pale for having two hacks in the space of 6 years. AmigaWorld however just locks the threads and prays that the site is secure, not knowing whether the layers of Classic Amiga browser compliant custom code are a security risk or not! At least you don't have my credit card number, though at least I could easily have got a replacement card whereas giving up on my email address is a lot more painful.
_________________ "Art challenges technology. Technology inspires the art." John Lasseter, Co-Founder of Pixar Animation Studios |
|
Status: Offline |
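The upgrade-on-login approach described in the quoted 7 November 2018 note, sketched as an added example that is not part of the thread and not Amigaworld.net's code. It assumes the legacy records are unsalted MD5 hex digests (the thread does not name the old scheme); the function names and the in-memory `$users` array are hypothetical.

```php
<?php
declare(strict_types=1);
// Added example, not the site's code. Assumption: legacy records are unsalted
// MD5 hex digests; the thread does not say what the old scheme actually was.

function is_legacy_hash(string $stored): bool
{
    // password_hash() output starts with '$' (e.g. "$2y$"); an MD5 hex digest does not.
    return preg_match('/^[0-9a-f]{32}$/', $stored) === 1;
}

function login(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    $stored = $users[$name]['hash'];
    $ok = is_legacy_hash($stored)
        ? hash_equals($stored, md5($password))   // old scheme, constant-time compare
        : password_verify($password, $stored);   // new scheme
    if (!$ok) {
        return false;
    }
    // Only a successful login has the plaintext needed to re-hash the record.
    if (is_legacy_hash($stored) || password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $users[$name]['hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

function count_legacy(array $users): int
{
    return count(array_filter($users, fn($u) => is_legacy_hash($u['hash'])));
}

// Constructed sample data: two accounts still in the legacy format.
$users = [
    'active'  => ['hash' => md5('correct horse')],
    'dormant' => ['hash' => md5('tr0ub4dor')],
];

var_dump(login($users, 'active', 'wrong guess'));   // failed login changes nothing
var_dump(login($users, 'active', 'correct horse')); // succeeds and upgrades the record
var_dump(login($users, 'active', 'correct horse')); // now checked by password_verify()
printf("legacy hashes left: %d\n", count_legacy($users)); // the dormant account
```

Accounts that never log in after the change keep their legacy hash, so a database copied later still contains those weaker records until the owner logs in or the password is reset.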
|
|
bison
| |
Re: Amigaworld.net Hacked continued... Posted on 21-Mar-2019 3:56:45
| | [ #2 ] |
|
|
|
Elite Member |
Joined: 18-Dec-2007 Posts: 2112
From: N-Space | | |
|
| @BigD
This is becoming a problem for me as well. Going forward I'm using a different email address for each online account. If I get hacked, at least it will be contained, and if I get spam, I know where it came from.
For years I've used two email addresses, one for personal use, and one for online accounts, but that no longer seems to be sufficient.
_________________ "Unix is supposed to fix that." -- Jay Miner |
|
Status: Offline |
|
|
ASiegel
| |
Re: Amigaworld.net Hacked continued... Posted on 21-Mar-2019 8:41:37
| | [ #3 ] |
|
|
|
Regular Member |
Joined: 22-Oct-2013 Posts: 212
From: Unknown | | |
|
| @BigD
Quote:
I had more Spam in my Inbox today than proper email and I send every unwanted email to the Spam folder but some new ones still get through despite the spam filter adapting as I send new emails to the Spam folder manually. |
Who is your email provider? Some companies are much better at automated spam detection than others.
Quote:
The big companies such as Sony and Microsoft would be litigated beyond the pale for having two hacks in the space of 6 years. |
Actually, history shows that even the most severe data breaches have rarely had any serious legal consequences.
Quote:
Has that really been enough to stop this happening again? Is the core database safe from being copied and then cracked at leisure by the hacker? Surely the hash method of PHP could have been implemented after the first attack in 2012? |
The nasty little secret is that almost every established Amiga-related forum is still running on either PHP4 (worst case) or PHP5, which finally reached 'end of life' status in December of 2018.
Due to incompatibilities between the various PHP versions, moving to PHP7 does require you to either manually update existing forum engines or to migrate all data to new forum engines.
This process should not take months but it is not a matter of minutes either. |
|
Status: Offline |
|
|
BigD
| |
Re: Amigaworld.net Hacked continued... Posted on 21-Mar-2019 10:17:07
| | [ #4 ] |
|
|
|
Elite Member |
Joined: 11-Aug-2005 Posts: 7323
From: UK | | |
|
| @ASiegel
Perhaps it's time a migration plan was formulated and the members asked for donations if required. It is not good enough to ignore the problem until ALL our Inboxes are bloated messes of SPAM!
_________________ "Art challenges technology. Technology inspires the art." John Lasseter, Co-Founder of Pixar Animation Studios |
|
Status: Offline |
|
|
ASiegel
| |
Re: Amigaworld.net Hacked continued... Posted on 21-Mar-2019 11:35:32
| | [ #5 ] |
|
|
|
Regular Member |
Joined: 22-Oct-2013 Posts: 212
From: Unknown | | |
|
| @BigD
Quote:
It is not good enough to ignore the problem |
Well, this is your opinion.
As long as these discussions are deliberately hidden from the frontpage and purposefully restricted to one of the least visited parts of this website, it will be next to impossible to find out if others agree. |
|
Status: Offline |
|
|
number6
| |
Re: Amigaworld.net Hacked continued... Posted on 21-Mar-2019 11:58:58
| | [ #6 ] |
|
|
|
Elite Member |
Joined: 25-Mar-2005 Posts: 11589
From: In the village | | |
|
| @ASiegel
Now I'm confused.
The thread category at top shows it IS in a forum viewable on the front page (Website feedback and suggestions), yet it clearly is not.
#6
_________________ This posting, in its entirety, represents solely the perspective of the author. *Secrecy has served us so well* |
|
Status: Offline |
|
|
number6
| |
Re: Amigaworld.net Hacked continued... Posted on 21-Mar-2019 12:35:09
| | [ #7 ] |
|
|
|
Elite Member |
Joined: 25-Mar-2005 Posts: 11589
From: In the village | | |
|
| @thread
In addition:
shows the former thread on the topic is locked from posting
Correct me if I am reading this wrong.
@BigD
I see your mention of this. I'm just confirming.
#6
Last edited by number6 on 21-Mar-2019 at 12:41 PM.
_________________ This posting, in its entirety, represents solely the perspective of the author. *Secrecy has served us so well* |
|
Status: Offline |
|
|
broadblues
| |
Re: Amigaworld.net Hacked continued... Posted on 21-Mar-2019 12:41:29
| | [ #8 ] |
|
|
|
Amiga Developer Team |
Joined: 20-Jul-2004 Posts: 4446
From: Portsmouth England | | |
|
| @BigD
Spam is a thing that happens on the internet, be an adult and use a proper spam filter. YAM's heuristic filter works fairly well, I get virtually no false positives these days though it does miss a few. Thunderbird's one is also good I hear.
Whilst perfect security on all sites would be lovely, you need to take responsibility for your own net security. Use a different password for each forum and certainly don't use one you use with a bank or similar.
_________________ BroadBlues On Blues BroadBlues On Amiga Walker Broad |
|
Status: Offline |
|
|
number6
| |
Re: Amigaworld.net Hacked continued... Posted on 21-Mar-2019 12:43:17
| | [ #9 ] |
|
|
|
Elite Member |
Joined: 25-Mar-2005 Posts: 11589
From: In the village | | |
|
| @broadblues
And never ever use "Amiga" as a password. heh.
#6
_________________ This posting, in its entirety, represents solely the perspective of the author. *Secrecy has served us so well* |
|
Status: Offline |
|
|
broadblues
| |
Re: Amigaworld.net Hacked continued... Posted on 21-Mar-2019 13:10:29
| | [ #10 ] |
|
|
|
Amiga Developer Team |
Joined: 20-Jul-2004 Posts: 4446
From: Portsmouth England | | |
|
| |
Status: Offline |
|
|
number6
| |
Re: Amigaworld.net Hacked continued... Posted on 21-Mar-2019 13:40:25
| | [ #11 ] |
|
|
|
Elite Member |
Joined: 25-Mar-2005 Posts: 11589
From: In the village | | |
|
| @broadblues
Nzvtn_Ehyrm perhaps, since rot13 is all the rage now.
#6
_________________ This posting, in its entirety, represents solely the perspective of the author. *Secrecy has served us so well* |
|
Status: Offline |
|
|
BigD
| |
Re: Amigaworld.net Hacked continued... Posted on 21-Mar-2019 14:04:05
| | [ #12 ] |
|
|
|
Elite Member |
Joined: 11-Aug-2005 Posts: 7323
From: UK | | |
|
| @broadblues
I file this issue under major annoyance rather than criminal negligence, but if Amigaworld is hacked again whose fault is that?
I am not saying anyone has gained access to any other of my accounts but only that I am receiving a 20-fold increase in SPAM to the leaked email address. I should not have to change email addresses due to the negligence of the moderators of this site. If there is no long term migration plan to a more secure PHP framework / database then Amiga.org will remain and Amigaworld WILL fall away IMHO!
Last edited by BigD on 21-Mar-2019 at 02:04 PM.
_________________ "Art challenges technology. Technology inspires the art." John Lasseter, Co-Founder of Pixar Animation Studios |
|
Status: Offline |
|
|
ASiegel
| |
Re: Amigaworld.net Hacked continued... Posted on 21-Mar-2019 14:13:25
| | [ #13 ] |
|
|
|
Regular Member |
Joined: 22-Oct-2013 Posts: 212
From: Unknown | | |
|
| @BigD
Quote:
I should not have to change email addresses due to the negligence of the moderators of this site. |
Moderators often lack sufficient technical access to improve security issues. They are not necessarily to blame.
Quote:
If there is no long term migration plan to a more secure PHP framework / database then Amiga.org will remain and Amigaworld WILL fall away IMHO! |
I hope you are aware that amiga.org and amigaworld.net are owned by the same people.
From a pure business perspective, it might be beneficial to only have to maintain one community website.
Last edited by ASiegel on 21-Mar-2019 at 02:14 PM.
|
|
Status: Offline |
|
|
BigD
| |
Re: Amigaworld.net Hacked continued... Posted on 21-Mar-2019 14:52:54
| | [ #14 ] |
|
|
|
Elite Member |
Joined: 11-Aug-2005 Posts: 7323
From: UK | | |
|
| @ASiegel
Quote:
From a pure business perspective, it might be beneficial to only have to maintain one community website. |
Maybe that's the medium term plan then. Let AmigaWorld die a slow death and in the meantime keep their fingers in their ears regarding potential security holes they have no intention of fixing. That would make a lot of sense! "Only Amiga"
_________________ "Art challenges technology. Technology inspires the art." John Lasseter, Co-Founder of Pixar Animation Studios |
|
Status: Offline |
|
|