Bitcoin Forum
Author Topic: About the recent server compromise  (Read 15323 times)
Racey
May 29, 2015, 10:56:16 PM
 #221

I got the e-mail from here, I am using Hotmail, but my mail is masked so it's useless to anyone.
Any spam I can reject it back to the Abine website and never get mail from them again.

I only changed my password for the forum as it makes sense to keep this, I use many masked mails.
You should give it a go, it's free, you do get an option to buy premium, it has more features.
I have the free one... works good for me.

One of my newly created e-mail accounts was used to sign up for that Mine that cloud scam, I received a few spam mailings, so I knew it came from them, or they sold it on to third parties.

These did admit to buying my mail, but removed his post some time later.

https://bitcointalk.org/index.php?topic=946801.msg10470176#msg10470176

And it's gone.
bcearl
May 30, 2015, 07:54:01 PM
 #222

Wait, you are suggesting because few guys' spam filters blocked the circular mail theymos should spam us all with that mail again?!? That makes no sense. Have you ever, I mean ever, seen same circular mail re-sent to you just in case somebody may miss it? No serious entity does that, so should not Bitcointalk either.

It is NOT in the spam filters.

Also: I am a member for 4 years, and I got several mails from bitcointalk in the past.

Misspelling protects against dictionary attacks NOT
svein
May 30, 2015, 09:00:32 PM
 #223

Second time I get the error after a post:

Quote
Database error
Please try again. If you come back to this error screen, report the error to an administrator.

But my posts got posted so I don't know if there is really an error or if the message itself is the error
MakingMoneyHoney
May 30, 2015, 09:01:51 PM
 #224

Second time I get the error after a post:

Quote
Database error
Please try again. If you come back to this error screen, report the error to an administrator.

But my posts got posted so I don't know if there is really an error or if the message itself is the error

I also saw someone triple posting in a thread I posted in. When I posted, it didn't look like it worked. But I refreshed the page in another tab and was able to see my post went through.

Also, unread new replies, when I click them and read them, they're not showing up as read afterwards.
Brewins
May 31, 2015, 12:48:21 AM
 #225



someone is/has been spamming the goods section with that, but got banned pretty quickly.

For me it is just a scam. Any kid can make a large file that looks more or less like a database with lots of nonsense then put it for sale in the hope that some moron will buy it
BlindMayorBitcorn
May 31, 2015, 12:50:32 AM
 #226



someone is/has been spamming the goods section with that, but got banned pretty quickly.

For me it is just a scam. Any kid can make a large file that looks more or less like a database with lots of nonsense then put it for sale in the hope that some moron will buy it

Ah. Understood. Roll Eyes

Forgive my petulance and oft-times, I fear, ill-founded criticisms, and forgive me that I have, by this time, made your eyes and head ache with my long letter. But I cannot forgo hastily the pleasure and pride of thus conversing with you.
theymos (OP)
Administrator
June 02, 2015, 05:34:40 AM
 #227

Search is enabled again.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
deepceleron
June 02, 2015, 06:30:14 AM
 #228

Code:
Estimated time (conservative) for an attacker to break randomly-constructed
bitcointalk.org passwords with current technology

s=second; m=minute; h=hour; d=day; y=year; ky=1000 years; My=1 million years

Password length  a-z  a-zA-Z  a-zA-Z0-9  <all standard>
              8    0      3s        12s              2m
              9    0      2m        13m              3h
             10   8s      2h        13h             13d
             11   3m      5d        34d              1y
             12   1h    261d         3y            260y
             13   1d     37y       366y            22ky
             14  43d   1938y       22ky             1My
             15   1y   100ky        1My           160My
-------------------------------------------------------
         1 word  0
        2 words  0
        3 words  0
        4 words  3m
        5 words  19d
        6 words  405y
        7 words  3My


Good luck to the password hashers with my 34 character random password. The security answer is similar strength garbage. Don't think I'll need to change it. The forum also has its own non-reused email address, if any mail turns up there I know the source is the forum or a leak.

Once you are hosting-pwnd though, you have to audit EVERYTHING if you're not going to wipe and restore from backup pre-intrusion. Anything could have been done, such as redirects or php hacks to capture passwords or cookie sessions, or wholesale VM state dumps that still would allow compromise of existing accounts.
mmortal03
June 02, 2015, 01:05:52 PM
 #229

why reject them ??
Probably due to the fact that the site has sent out thousands of mails within a short period of time, due to the recent compromise.

That would make sense, it must have triggered some spam filter and ended up on Hotmail's block list
Guess it might fix itself sooner or later

Yeah, I've just started to get e-mail notifications again in my Hotmail account.
theymos (OP)
Administrator
June 02, 2015, 06:05:59 PM
 #230

Automatic unproxybans are enabled again.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
opentoe
June 07, 2015, 06:35:17 AM
 #231

How many times is this place going to get hacked and beat up? Now on two years saying the forum SW will be updated from the thousands and thousands of dollars in donations. Are we all missing something? Jesus, even try discourse if you have to.

Need help with your Newznab usenet indexer? http://www.newznabforums.com
Malin Keshar
June 07, 2015, 06:43:32 AM
 #232

How many times is this place going to get hacked and beat up? Now on two years saying the forum SW will be updated from the thousands and thousands of dollars in donations. Are we all missing something? Jesus, even try discourse if you have to.


This time it was not the forum's fault, but the ISP's fault. At least that is what theymos says.

And theymos changed ISP, he said, so I guess the odds of another attack of the same kind are lowered
favdesu
June 07, 2015, 07:54:45 AM
 #233

How many times is this place going to get hacked and beat up? Now on two years saying the forum SW will be updated from the thousands and thousands of dollars in donations. Are we all missing something? Jesus, even try discourse if you have to.


This time it was not the forum's fault, but the ISP's fault. At least that is what theymos says.

And theymos changed ISP, he said, so I guess the odds of another attack of the same kind are lowered

not really. social engineering is omnipresent and can happen everywhere. hopefully the new ISP has some stricter quality management and certain processes to prevent it.

Syke
Legendary
*
Offline Offline

Activity: 3878
Merit: 1193


View Profile
June 08, 2015, 12:21:35 AM
 #234

So NFOrce reset the server's root password for him, giving him complete access to the server

Is this normal for ISPs to have the sort of access that allows them to reset any server root password??? That is insane!!!

Buy & Hold
Lauda
June 08, 2015, 07:08:38 AM
Last edit: June 09, 2015, 10:58:10 AM by LaudaM
 #235

So NFOrce reset the server's root password for him, giving him complete access to the server

Is this normal for ISPs to have the sort of access that allows them to reset any server root password??? That is insane!!!
Update 2:
It is normal. Stop quoting this post.

Update: You've just presented an example how this attack could have been avoided. This attack is just one (1) way of doing social engineering. It can't be prevented, because everything can be hacked.
Because of your nonsense, you are now put in the same group as BADecker. Have a nice day.

"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks"
😼 Bitcoin Core (onion)
AGD
June 08, 2015, 08:02:54 AM
 #236

So NFOrce reset the server's root password for him, giving him complete access to the server

Is this normal for ISPs to have the sort of access that allows them to reset any server root password??? That is insane!!!
No, it is not. What would happen if theymos actually forgot his password and they couldn't reset it?
You can't prevent social engineering, no matter what you do.

Usually ISPs have contact information, like phone number, home address, passport scan etc which can easily be used to verify a person. When combined with PGP, this should be almost 100% safe.

Bitcoin is not a bubble, it's the pin!
+++ GPG Public key FFBD756C24B54962E6A772EA1C680D74DB714D40 +++ http://pgp.mit.edu/pks/lookup?op=get&search=0x1C680D74DB714D40
favdesu
June 08, 2015, 08:18:55 AM
 #237

So NFOrce reset the server's root password for him, giving him complete access to the server

Is this normal for ISPs to have the sort of access that allows them to reset any server root password??? That is insane!!!
No, it is not. What would happen if theymos actually forgot his password and they couldn't reset it?
You can't prevent social engineering, no matter what you do.

Usually ISPs have contact information, like phone number, home address, passport scan etc which can easily be used to verify a person. When combined with PGP, this should be almost 100% safe.

and that's the point. social engineering depends on human error.

AGD
June 08, 2015, 08:47:47 AM
 #238

So NFOrce reset the server's root password for him, giving him complete access to the server

Is this normal for ISPs to have the sort of access that allows them to reset any server root password??? That is insane!!!
No, it is not. What would happen if theymos actually forgot his password and they couldn't reset it?
You can't prevent social engineering, no matter what you do.

Usually ISPs have contact information, like phone number, home address, passport scan etc which can easily be used to verify a person. When combined with PGP, this should be almost 100% safe.

and that's the point. social engineering depends on human error.

My point is that you can prevent social engineering with good training of your staff. That money is always well invested, because it gains trust from the customer. Now, after all these hacks that had happened in the past, theymos should have chosen the right ISP with the right policy already a long time ago.

edit:

just an example:

http://www.esecurityplanet.com/views/article.php/3908881/9-Best-Defenses-Against-Social-Engineering-Attacks.htm

Quote

...
 
1. Educate yourself.

"Our first mitigation is security through education," Hadnagy said. "If people aren't educated to the types of attacks being used, then they cannot possibly defend against them."
Social-Engineer.org provides a number of information resources on social engineering attacks. The two most commonly used and effective approaches, or "pretexts," used in the contest were posing as an internal employee or posing as someone hired by corporate to perform an audit or take a survey.
"Contestants used the survey pretext a lot," Hadnagy said. "It allowed them to ask questions that are believable in that context."
Hadnagy noted that employees rarely sought to confirm the pretext with another source, like a manager, before giving away information.

 
2. Be aware of the information you're releasing.

This tip encompasses both verbal communication and social media like Facebook or Twitter. Hadnagy noted that serious social engineers, as opposed to someone participating in a contest for fun, would get deep background on their targets before moving.
"You would know where they live," he said. "You would know whether they're happy or unhappy in their jobs."


3. Determine which of your assets are most valuable to criminals.

Even companies that actively seek to protect themselves from social engineering attacks often focus on protecting the wrong things, according to Jim O'Gorman, a security consultant and member of Social-Engineer.org.
"When a lot of companies focus on protecting their assets, they're very focused on that from the perspective of their business," O'Gorman said. "That's not necessarily the way an attacker will look at your company. They'll look for assets that are valuable to them, assets that they can monetize."
"Information perceived as having no value will not be protected," Social-Engineer.org said in the primary findings of its report. "This is the underlying fact that most social engineering efforts rely upon, as value to an attacker is different than value to an organization. Companies need to consider this when evaluating what to protect, considering more than just the importance of value to the delivery of service, product, or intellectual property."
O'Gorman said an independent assessment is the best tool to determine which of your assets criminals are most likely to target.

 
4. Write a policy and back it up with good awareness training.

Once you know which of your assets are most tempting to criminals and the pretexts they're most likely to use to pursue them, write a security policy for protecting your data assets. Then back up that policy with good awareness training.
"A policy is just a written statement," Hadnagy said. "It doesn't mean anything if people don't follow it."
In the primary findings of its report on the contest, Social-Engineer.org noted, "For awareness training to be truly effective it requires complete coverage of all employees. In many instances contestants would contact call centers, which often do not have as complete of awareness training programs. This translated into information leakage that could have been avoided, as well as significant increase of risk to the target organizations. Demonstration of the ineffectiveness of awareness training was apparent by the lack of employee resistance to answering questions."
Social-Engineer.org believes employees need a clear set of guidelines in place to respond well to a given situation. Absent such guidelines, employees will default to actions they perceive as helpful, which often means giving away information they shouldn't.

 
5. Keep your software up to date.

Hackers using social engineering techniques are often seeking to determine whether you are running unpatched, out-of-date software they can exploit.
"A lot of the information given out really would not be damaging if the target keeps his software up to date," Hadnagy said.
Staying on top of patches and keeping your software updated can mitigate a lot of risk.

 
6. Give employees a sense of ownership when it comes to security

"Security programs in this country are failing miserably," Hadnagy said. "The reason is that they're not personal. They don't make security a personal thing. Employees need to feel a sense of ownership when it comes to security."
O'Gorman added, "I think it's important that employees understand that what applies in the workplace also applies at home. Make it personal to that extent. Changing habits, changing culture is extremely difficult."
Both noted that criminals will not respect boundaries between one's work life and one's personal life, and any personal information obtained from a compromised work computer may also compromise one's personal life.

 
7. When asked for information, consider whether the person you're talking to deserves the information they're asking about.

This is where the rubber meets the road. Whenever you are in a conversation with someone you don't know, before you answer a question they ask, make sure they deserve to know the information that they're asking about.
In most cases, the person you're talking to has no need to know what version of an operating system you're running, or who handles trash collection at your company.
As Hadnagy is fond of pointing out, social engineers know that most people instinctively try hard to be helpful to their fellow human beings when asked. Social engineers leverage that instinct to their advantage. Companies certainly want their employees—especially customer-facing employees—to be friendly and helpful, but they must also temper that helpfulness with restraint.
For instance, an employee in sales wants to be as helpful to a potential customer as possible. But that employee should still make sure that the questions the potential customer is asking are relevant before answering.
"From a sales point of view, it's hard to say that," Hadnagy said. "If you're a sales guy, you don't want to lose that potential sale. You have to determine if the information you're giving out really is relevant to the potential sale."

 
8. Watch for questions that don't fit the pretext.

The last tip leads directly into this one. If a person asks a question that does not fit the persona they present, it should set off alarm bells.
"In a business sense, I think you have to be really aware of questions that do not match the person on the phone," Hadnagy said.
 Additionally, a sudden sense of pressure or urgency is often a sign.
"When you're on the phone with someone, or you're talking to someone, and all of a sudden you feel this pressure to make a decision, to take an action, you have to stop and think where is this pressure coming from? They'll try to put pressure on the target so they don't have time to think about their decision," O'Gorman said. "Don't get caught up in the story that's being told to you. A sense of pressure that shouldn't be there, that's a big red flag."

 
9. Stick to your guns.

If you do get a feeling that someone is fishing for information that they shouldn't, stick to your guns.
"If someone asks for information that you don't know if you should release, ask your manager," Hadnagy said. "Many social engineers will break it off if there's a break in the conversation."
Hadnagy pointed to one call during the contest in which the employee who received the call put up some resistance, but ultimately gave in to the social engineer's persistence.
"The employee actually had a pretty good sense," Hadnagy said. "Three times, he said, ‘our corporate policy is that you e-mail these questions, and we answer them together as a team.’ That whole phone call would have failed from a social engineering standpoint if that employee had stuck to his guns."

 

Thor Olavsrud is a contributor to eSecurityPlanet.com and a former senior editor at InternetNews.com. He covers operating systems, standards and security, among other technologies.

Bitcoin is not a bubble, it's the pin!
+++ GPG Public key FFBD756C24B54962E6A772EA1C680D74DB714D40 +++ http://pgp.mit.edu/pks/lookup?op=get&search=0x1C680D74DB714D40
2112
June 08, 2015, 05:48:41 PM
 #239

I see more ignorant posts being made by idiots in the field of actual computer security, not salesmanship.

not really. social engineering is omnipresent and can happen everywhere. hopefully the new ISP has some stricter quality management and certain processes to prevent it.
No, it is not. What would happen if theymos actually forgot his password and they couldn't reset it?
You can't prevent social engineering, no matter what you do.

This type of attack is easily preventable. I'm just going to quote myself again. Further discussion and explanations are available in the parallel threads in this subforum.

Easily preventable on two levels:

1) collocate your own equipment in a remote data center. The customer service staff will simply have no access to it besides being able to press buttons on the box.

2) use non-commodity hardware like Oracle SPARC or IBM POWER or HP Integrity/Itanium.  Then even if they manage to steal it they most likely will not be able to get the data off of it without specialized assistance.

Edit: Also, don't run Linux on those machines, but their native OS: Solaris, AIX, HP/UX respectively.


Please comment, critique, criticize or ridicule BIP 2112: https://bitcointalk.org/index.php?topic=54382.0
Long-term mining prognosis: https://bitcointalk.org/index.php?topic=91101.0
Syke
June 08, 2015, 10:38:07 PM
 #240

No, it is not. What would happen if theymos actually forgot his password and they couldn't reset it?
You can't prevent social engineering, no matter what you do.

LOL! A server admin needs a mommy to reset his password for him? I'm sorry, but if you can't keep your root password safe, you don't deserve to be a server admin. No one ever needs to know the root passwords to my servers. No one. Ever.

Buy & Hold