Amigaworld.net hacked? (Forum: Website feedback and suggestions)
sibbi 
Re: Amigaworld.net hacked?
Posted on 7-Nov-2018 23:54:22
#41
Team Member
Joined: 18-Mar-2003
Posts: 664
From: Iceland

@Broadblues/Thread

I've watched this thread, we're not ignoring it...

There are obviously some things that we were already doing to try to prevent this.

We do regularly patch the server, run a recent, fully patched version of both Apache and PHP, as well as MySQL, and we patch the kernel and reboot the server on a fairly regular basis.

However, even given all that, the Xoops code we are running is very old, and although we've made multiple precautions in various places in the code and have custom developed patches for well known holes, there might be a hole in it somewhere that we're not aware of. Numerous discussions have taken place over the years about moving to another CMS, but we lack a developer and doing so would break the site in non-css capable browsers.

I wasn't able to find a local file on the filesystem containing this password database information anywhere, but that doesn't necessarily mean that nothing happened nor that we should just ignore it.

The Xoops code uses the fairly weak MD5 method of hashing passwords. It's somewhat easy to crack passwords using MD5 at this stage, using a precompiled library of "well known" hashes.

I've modified the login code to make it update your password using the password_hash method of PHP, which is a far better way of hashing the password, making it much more difficult to decrypt, even if someone were to gain control of the user database.

All you have to do, to "update" your password to the new hashing algorithm, is to log out, and log back in.

Once you do that, your password hash will be updated in the database and stored using the far more secure method.

Having said that, it's still good practice to never re-use a password between sites, as has been mentioned many times in this thread.


_________________
---
Sibbi

Disclaimer:
The opinions stated do not necessarily represent those of my employer.

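The upgrade sibbi describes (verify against the old MD5 hash at login, then store a password_hash() result) can only fire when a user logs in, which is why the thread asks everyone to log out and back in. Below is an added PHP example of that opportunistic rehash, not AmigaWorld's or Xoops' own code; the users(uid, uname, pass) table, the PDO handle and the MySQL REGEXP in the last function are assumptions.

```php
<?php
// Added example, not AmigaWorld's or Xoops' own code: opportunistic upgrade of
// a legacy unsalted MD5 password hash to password_hash() at login time.
// The users(uid, uname, pass) table and the PDO handle are assumptions.

function isLegacyMd5(string $stored): bool
{
    // Legacy hashes are 32 hex characters; password_hash() output is not.
    return strlen($stored) === 32 && ctype_xdigit($stored);
}

function verifyAndUpgrade(PDO $db, string $uname, string $password): bool
{
    $stmt = $db->prepare('SELECT uid, pass FROM users WHERE uname = ?');
    $stmt->execute([$uname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    $stored = (string) $row['pass'];

    if (isLegacyMd5($stored)) {
        // Constant-time compare against the old scheme; never log $password.
        $ok = hash_equals($stored, md5($password));
        $rehash = $ok;
    } else {
        $ok = password_verify($password, $stored);
        // Also catches hashes made with an older cost or algorithm.
        $rehash = $ok && password_needs_rehash($stored, PASSWORD_DEFAULT);
    }

    if ($rehash) {
        // Only reachable with the cleartext in hand, i.e. at a successful login.
        $upd = $db->prepare('UPDATE users SET pass = ? WHERE uid = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['uid']]);
    }
    return $ok;
}

// Accounts still carrying an MD5 hash have not logged in since the change:
// this is the number a database dump would still expose. MySQL syntax assumed.
function legacyHashCount(PDO $db): int
{
    $sql = "SELECT COUNT(*) FROM users "
         . "WHERE LENGTH(pass) = 32 AND pass REGEXP '^[0-9a-f]{32}$'";
    return (int) $db->query($sql)->fetchColumn();
}
```

Because dormant accounts never trigger the rehash, legacyHashCount() is the figure to watch; forcing a password reset for those accounts is the only way to retire the remaining MD5 rows.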
AlexC 
Re: Amigaworld.net hacked?
Posted on 8-Nov-2018 1:25:56
#42
Super Member
Joined: 22-Jan-2004
Posts: 1300
From: City of Lost Angels, California.

@sibbi

One small issue with the updated login script:

I logged in to refresh the password hash and upon successful login, the user.php script created a redirection to "https://" with no URL.

_________________
AlexC's free OS4 software collection

AmigaOne XE/X1000/X5000/UAE-PPC OS4 laptop/X-10 Home Automation

spud101 
Re: Amigaworld.net hacked?
Posted on 8-Nov-2018 8:18:45
#43
Member
Joined: 4-Aug-2016
Posts: 83
From: Unknown

@sibbi

Super! Very happy you are working on this. Indeed MD5 has been found insecure for many years now. Good you have implemented a new hash. Thanks a lot!!

saimo 
Re: Amigaworld.net hacked?
Posted on 8-Nov-2018 9:58:55
#44
Elite Member
Joined: 11-Mar-2003
Posts: 2450
From: Unknown

@sibbi

Quote:
I've modified the login code to make it update your password using the password_hash method of PHP, which is a far better way of hashing the password, making it much more difficult to decrypt, even if someone were to gain control of the user database.

All you have to do, to "update" your password to the new hashing algorithm, is to log out, and log back in.

Once you do that, your password hash will be updated in the database and stored using the far more secure method.

Thanks for this. There should be a prominent notice on the front page to inform all the users.

_________________
RETREAM - retro dreams for Amiga, Commodore 64 and PC

sibbi 
Re: Amigaworld.net hacked?
Posted on 8-Nov-2018 10:02:07
#45
Team Member
Joined: 18-Mar-2003
Posts: 664
From: Iceland

@AlexC

Yeah, I noticed this once, but when I tried to reproduce it, it did not happen again.

_________________
---
Sibbi

Disclaimer:
The opinions stated do not necessarily represent those of my employer.

broadblues 
Re: Amigaworld.net hacked?
Posted on 8-Nov-2018 11:43:50
#46
Amiga Developer Team
Joined: 20-Jul-2004
Posts: 4446
From: Portsmouth England

@sibbi

Quote:
@Broadblues/Thread

I've watched this thread, we're not ignoring it...

I never said you were; that was Spud.

Good to hear you've made an improvement though.

_________________
BroadBlues On Blues BroadBlues On Amiga Walker Broad

AmigaOneProductions 
Re: Amigaworld.net hacked?
Posted on 8-Nov-2018 11:51:51
#47
Cult Member
Joined: 11-Jan-2006
Posts: 717
From: Ingle land

I have had 3 mails over the past month addressed to an address I used here, one of them had the password that I have used in the past, but had been changed some time ago.

I also use email addresses keyed to individual websites so I know that the address came from here.

Quote:
Hello! I'm a programmer who cracked your email account and device about half year ago. You entered a password on one of the insecure site you visited, and I catched it. Your password from amigaworld@techmailbox.co.uk on moment of crack: *********


EDIT:
Make that 4 emails, the one I just received pretends to be from PayPal, probably wants to steal my details from there too.

Last edited by AmigaOneProductions on 08-Nov-2018 at 05:28 PM.

_________________
Glass coffins, a success?
Remains to be seen.

number6 
Re: Amigaworld.net hacked?
Posted on 8-Nov-2018 16:36:35
#48
Elite Member
Joined: 25-Mar-2005
Posts: 11540
From: In the village

@thread

Unrelated but: https://forum.amiga.org/

Quote:
Most Online Today: 743. Most Online Ever: 800 (November 07, 2018, 01:09:31 PM)


I don't think so...

#6

Last edited by number6 on 08-Nov-2018 at 04:37 PM.

_________________
This posting, in its entirety, represents solely the perspective of the author.
*Secrecy has served us so well*

BigD 
Re: Amigaworld.net hacked?
Posted on 8-Nov-2018 16:45:05
#49
Elite Member
Joined: 11-Aug-2005
Posts: 7307
From: UK

@sibbi

Quote:
I've modified the login code to make it update your password using the password_hash method of PHP, which is a far better way of hashing the password, making it much more difficult to decrypt, even if someone were to gain control of the user database.


I've just got my first email today providing my current AmigaWorld password and stating that my 'email has been hacked' though it is obviously AmigaWorld only!!!

What exactly is going on and why is there no message on the front of this site informing us all of the dangers? The programmer states proudly he hacked it 6 months ago!!

Last edited by BigD on 08-Nov-2018 at 04:45 PM.

_________________
"Art challenges technology. Technology inspires the art."
John Lasseter, Co-Founder of Pixar Animation Studios

BigD 
Re: Amigaworld.net hacked?
Posted on 8-Nov-2018 17:53:10
#50
Elite Member
Joined: 11-Aug-2005
Posts: 7307
From: UK

@sibbi

... and now I'm getting considerably more spam emails!!! This is very annoying. I've changed my password, but is this going to be an ongoing problem with AmigaWorld, or has your PHP password_hash thingy made some difference? From the sounds of it there could be a back door in the website that you're not aware of! If there was an attack in 2012 or 6 months ago or whenever, then why weren't we told?

_________________
"Art challenges technology. Technology inspires the art."
John Lasseter, Co-Founder of Pixar Animation Studios

number6 
Re: Amigaworld.net hacked?
Posted on 8-Nov-2018 18:12:16
#51
Elite Member
Joined: 25-Mar-2005
Posts: 11540
From: In the village

@BigD

Quote:
If there was an attack in 2012 or 6 months ago or whenever then why weren't we told?


AmigaWorld.Net hacked!

That ^ did not constitute "telling" to you?

#6

_________________
This posting, in its entirety, represents solely the perspective of the author.
*Secrecy has served us so well*

zipper 
Re: Amigaworld.net hacked?
Posted on 8-Nov-2018 20:00:21
#52
Regular Member
Joined: 11-Jul-2005
Posts: 275
From: finland

Got mine today. I suppose my pw was hacked via Adobe 2013. No wonder at all to get the message; my other "dirty" email has been pwned for many years..

BigD 
Re: Amigaworld.net hacked?
Posted on 8-Nov-2018 22:56:44
#53
Elite Member
Joined: 11-Aug-2005
Posts: 7307
From: UK

@number6

It was flagged up as being all above board and that MD5 encryption was enough!

sibbi wrote on 12th January 2012
Quote:
Our passwords are saved as MD5... There is nothing that suggests that the site has been hacked in any way, and since the actual user password was gotten from somewhere, our suspicion is that the passwords were retrieved from another Amiga site which does not do that (store the passwords encrypted), we have no idea from what site though, nor do we have any proof of any of this, this could simply have been guesswork.

To be on the safe-side however, we are recommending that users change their passwords, especially if they re-use the same password on many Amiga sites (which in general is a bad idea). Password complexity is a whole other discussion.


He therefore refused to accept that there was a weakness in the Amigaworld.net setup whereas now 6 & 1/2 years on he accepts there is / was!

So now PHP_Hash type encryption should solve it all and keep us safe? Who knows?

Last edited by BigD on 08-Nov-2018 at 10:58 PM.

_________________
"Art challenges technology. Technology inspires the art."
John Lasseter, Co-Founder of Pixar Animation Studios

BigD 
Re: Amigaworld.net hacked?
Posted on 8-Nov-2018 23:01:42
#54
Elite Member
Joined: 11-Aug-2005
Posts: 7307
From: UK

@sibbi

I get spam every 15 to 18 minutes now! Thanks for this situation!

_________________
"Art challenges technology. Technology inspires the art."
John Lasseter, Co-Founder of Pixar Animation Studios

tonyw 
Re: Amigaworld.net hacked?
Posted on 8-Nov-2018 23:33:31
#55
Elite Member
Joined: 8-Mar-2003
Posts: 3240
From: Sydney (of course)

@BigD

Quote:

He therefore refused to accept that there was a weakness in the Amigaworld.net setup whereas now 6 & 1/2 years on he accepts there is / was!


That's being unreasonable. Back in 2012, MD5 WAS good enough. Times have changed, the baddies have got more skills. We have to fix things reactively, not proactively: there aren't enough hours in the day to fix bugs that aren't yet a problem.

If you have been sensible and used unique passwords in different situations, you won't have a problem.

_________________
cheers
tony

Hyperion Support Forum: http://forum.hyperion-entertainment.biz/index.php

BigD 
Re: Amigaworld.net hacked?
Posted on 9-Nov-2018 0:06:28
#56
Elite Member
Joined: 11-Aug-2005
Posts: 7307
From: UK

@tonyw

Quote:
If you have been sensible and used unique passwords in different situations, you won't have a problem.


I did that but the hacker has my email address now (only) and is spamming me and this is annoying enough. This must have been a recent attack as I'd have had an influx of spammed email before now! Why wasn't the PHP_Hash encryption thought about in the last two years? Surely the 2012 attack was a warning on that front? Did they hack the MD5 protection in 2012 or not? If they did then it wasn't strong enough!

There needs to be some honesty here. I remember when TalkTalk and the Post Office Broadband companies got hacked that they tried to hush it up too. Not the best strategy IMHO.

_________________
"Art challenges technology. Technology inspires the art."
John Lasseter, Co-Founder of Pixar Animation Studios

jPV 
Re: Amigaworld.net hacked?
Posted on 9-Nov-2018 6:22:32
#57
Cult Member
Joined: 11-Apr-2005
Posts: 809
From: .fi

Quote:

AlexC wrote:
@sibbi

One small issue with the updated login script:

I logged in to refresh the password hash and upon successful login, the user.php script created a redirection to "https://" with no URL.

This kind of thing is reproducible if you initially go to http://amigaworld.net , it gets forwarded to https://amigaworld.net , which looks correct, but after login it tries to go to "https:/" and you get an error requester.

_________________
- The wiki based MorphOS Library - Your starting point for MorphOS
- Software made by jPV^RNO

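A login script that emits a Location header built from a captured return address will produce exactly the bare "https:/" that AlexC and jPV describe whenever that captured value is empty or truncated, and the same code path is where off-site (open) redirects come from. As an added PHP example, not AmigaWorld's or Xoops' own code, the helper below accepts only a site-relative path and falls back to the front page otherwise; the 'return_to' parameter name is an assumption.

```php
<?php
// Added example, not AmigaWorld's or Xoops' own code: choose the post-login
// redirect target defensively. Empty, scheme-only ("https://", "https:/"),
// scheme-relative ("//host") and off-site values all become the fallback.
// The 'return_to' parameter name used at the bottom is an assumption.

function safeRedirectTarget(?string $candidate, string $fallback = '/'): string
{
    if ($candidate === null) {
        return $fallback;
    }
    $candidate = trim($candidate);

    // CR/LF in the value would let it inject extra response headers.
    if ($candidate === '' || preg_match('/[\r\n]/', $candidate)) {
        return $fallback;
    }

    // Must be a site-relative path: exactly one leading slash. This rejects
    // "https://", "https:/", "javascript:", "//evil.example" and "/\evil.example"
    // (browsers treat the backslash form like a scheme-relative URL).
    if ($candidate[0] !== '/'
        || substr($candidate, 0, 2) === '//'
        || substr($candidate, 0, 2) === '/\\') {
        return $fallback;
    }

    // Belt and braces: the parsed value must carry no scheme or host.
    $parts = parse_url($candidate);
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $fallback;
    }

    return $candidate;
}

// After a successful login (the form field name is an assumption):
// header('Location: ' . safeRedirectTarget($_POST['return_to'] ?? null), true, 303);
// exit;
```

With this in place the http-to-https forwarding jPV describes cannot leave the login with a half-built URL; the worst case is a redirect to the front page.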
spud101 
Re: Amigaworld.net hacked?
Posted on 9-Nov-2018 18:21:47
#58
Member
Joined: 4-Aug-2016
Posts: 83
From: Unknown

AmigaWorld, I do want to stress again you are OBLIGED to report a data breach to the authorities and inform the users: https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/obligations/what-data-breach-and-what-do-we-have-do-case-data-breach_en

If not, we can decide to report you.

amigakit 
Re: Amigaworld.net hacked?
Posted on 9-Nov-2018 19:25:16
#59
Amiga Kit
Joined: 28-Jun-2004
Posts: 2515
From: www.amigakit.com

@spud101

AmigaWorld has nearly 6000 accounts on the database (probably only a percentage these days is active). In this thread I have read through and counted 8 users who are reporting problems. There have been no reports to privacy@a-eon.co.uk so far which is the official channel to relay any privacy questions or alerts/reports.

Data integrity is extremely important to everyone here and is regarded with the highest priority. Sibbi has duly upgraded the encryption strength of the database. He has still not found any server side evidence that a data breach has occurred but checking will continue. As a precaution an initial report has been made to the Information Commissioner's Office whilst it is investigated further.

Soon advice will be published regarding changing passwords.

Depending on the outcome of server investigations we may need to review all options.

Last edited by amigakit on 09-Nov-2018 at 07:39 PM.
Last edited by amigakit on 09-Nov-2018 at 07:25 PM.

_________________
Amiga Kit Amiga Store
Links: www.amigakit.com | New Products | A600GS

number6 
Re: Amigaworld.net hacked?
Posted on 9-Nov-2018 19:44:03
#60
Elite Member
Joined: 25-Mar-2005
Posts: 11540
From: In the village

@amigakit

Quote:
AmigaWorld has nearly 6000 accounts on the database (probably only a percentage these days is active


Depends on how one defines active these days. If just logging in counts, as opposed to having to post:

unique nicks in the last year = 961

monthly hovers around 385, which is actually an increase since all the legal activity began.

#6

_________________
This posting, in its entirety, represents solely the perspective of the author.
*Secrecy has served us so well*

Copyright (C) 2000 - 2019 Amigaworld.net.
Amigaworld.net was originally founded by David Doyle