Important: We did not send an email asking for donations - scam alert

[Condobloke]

I made comment up above. I note that @f33dm3bits asked a similar question.

Important: We did not send an email asking for donations - scam alert

Earlier today an email was sent out to our members stating that we now accept donations via cryptocurrency in exchange for upgraded member perks. This email is a scam, do not send anything to the addresses listed in the email. Someone was able to gain access to the administrator area of the...

www.linux.org

 

[Rob]

@Rob I think it would be a good idea to have the admin accounts use two-factor authentication, I actually use it for my account here as well since it's an option. That way if they get your password if you have a weak one they won't be able to login since the second factor is still needed. And if possible it may be a good idea to limit admin access to white listed ip adresses.

Yes, all mods/admins are now using 2fa .. i had been for a while, but didn't enforce it

 

[Rob]

Thanks @Rob for all you do that many will never see. Hope the one who did this will be rewareded by being banished from all forums some day. In any event, it is good to have the forum back up and running. Again thank you!

Thanks, but I don't do very much - it's the @KGIII's and @wizardfromoz's and you guys that keep this forum going

 

[Rob]

@Rob has our e-mail addresses been compromised, do I need to change my e-mail address so that I don't get future spam? I know this message was sent through the board forums but not sure if this person who had admin access also made a database dump?

Luckily our "user exporter" within xenforo seems to be broken lol .. so i'm gonna say, since it was just the backend and not actual db access we're all good.

 

[Rob]

Looks like it came from an American Hacker [or from another country that doesn't speak English]

It was someone using an american VPN

 

[KGIII]

I connect with a VPN, often from America!

I am right this minute using a US server!

(It wasn't me. I'd never spell that poorly.)

 

[Brickwizard]

(It wasn't me. I'd never spell that poorly.)

What immediately grabbed me was the "Z" instead of "S" all block caps, and shite punctuation, I dismissed spelling as most people [including I] make mistakes

 

[KGIII]

Also, I think it goes without saying - but I'll say it anyhow, I'd never do anything to harm the site. My days of misbehaving online are well behind me.

 

[donnerkebab1730]

was there any data leaked? or was the email system just broken?

 

[Brickwizard]

was there any data leaked

from Robs earlier post

@Rob has our e-mail addresses been compromised, do I need to change my e-mail address so that I don't get future spam? I know this message was sent through the board forums but not sure if this person who had admin access also made a database dump?

Luckily our "user exporter" within xenforo seems to be broken lol .. so i'm gonna say, since it was just the backend and not actual db access we're all good.

From what has been said, we lost a day's worth of posts when the system was re-booted to the last time stamp

 

[KGIII]

That is correct. The email exporter doesn't work, so the jackass wasn't able to escape with email addresses.

It is also correct that we lost a "day's worth of posts", give or take a few hours. As far as outcomes go, it wasn't too terrible.

Changes have been made to at least close the hole used by the jackass (they don't rise to the level of 'hacker' in my view).

If you care about your account, I strongly urge you to use a complex password that you do not use at any other site, and that you enable 2FA for your account. You can have the code sent to your email, or you can use an application on your phone as your second 'factor' in authentication. If you're doing it with your email, and I can't stress this enough, do not reuse the same password you used here.

Even though the passwords here are almost certainly salted and hashed, they can still be recovered with something known as a 'rainbow table attack'. Then, one of the worst things people do is use the same password for multiple accounts. That's a horrible idea, for what should be obvious reasons.

 

[CrazedNerd]

I have email notifications turned off for this site, which is probably why i didn't get one. It wouldn't have worked anyway because my net worth in bitcoin is exactly 0$

 

[MikeWalsh]

@Rob I think it would be a good idea to have the admin accounts use two-factor authentication, I actually use it for my account here as well since it's an option. That way if they get your password if you have a weak one they won't be able to login since the second factor is still needed. And if possible it may be a good idea to limit admin access to white listed ip adresses.

Not a bad idea at all. When BleepingComputer set-up their own Discord server a couple of years back, those of us mods who regularly drop-in can only do so via.....you guessed it!.....2FA.

One of our number is currently bemoaning the fact that she can't log-in, due to NOT having a smart-phone.....and Discord only do smartphone authentication. Used be via SMS or email too, till around 18 months ago, then it was all change overnight.

I also possess only a dumb-phone, but I last logged-in via 2FA thru a text message nearly a year ago. 'Twas around that time I discovered the availability of Discord's 'backup codes'; so long as you keep a 'current' list of 10 backup codes, every one of those codes will log you back in with the same 2FA 'status' as your last official login.

Works for me.


Mike.

 

[Condobloke]

The only drawback I see with the current 2fa on L:inux.org, is it keeps you logged in via 2fa for a certain number of days....30??

Does that mean if a password is on the weak side and is cracked/guessed, that the perpetrator can log into the site/steal the email address.... and create mayhem because the 2fa is taken care of for a period of time ?

I hope that was explained clearly enough !

 

[KGIII]

Does that mean if a password is on the weak side and is cracked/guessed, that the perpetrator can log into the site/steal the email address.... and create mayhem because the 2fa is taken care of for a period of time ?

No. They'd be logged out and have to log in. The login will require 2FA. You can test this by going to another browser instance and attempting to login. It will require the second factor.

Now, if they had access to your email (not just the name, but password and all) they could certainly login as you - unless you use the phone app. In which case they'd need your phone in an unlocked state to provide the second factor.

If they could perform some sort of cookie hijack, they might be able to login as you, but that's asking a little much. While possible, it usually requires some vulnerability in the underlying software and something like CSS (cross site scripting) to collect your cookies. While possible, that's not all that likely.

I'm pretty sure...

 

[Sunil1991]

was there any data leaked? or was the email system just broken?

Could be, As i started receiving spam emails (.co.in domain)

 

[Condobloke]

@Sunil1991 .... Who are the spam from?....

 

[wizardfromoz]

The only drawback I see with the current 2fa on L:inux.org, is it keeps you logged in via 2fa for a certain number of days....30??

Brian I am currently using the 2FA directed to email, and of course I have a different password. Under that regime, it offers for me to check a box if I want to allow device for 30 days, does it not do that with mobile (cell) phone?

Wiz

 

[rado84]

using a weak password from one of our administrators

Yeah, that's a common problem with many system administrators - the use of a ridiculously weak password.

 

[Condobloke]

Chris, yes it does give that option. i wondered if that was, in fact, a weakness. As David pointed out, it is not.

I use Bitwarden for storing passwords

I also use pwgen in terminal to generate them (bitwarden has a password generator as well)

I created an alias to save typing out the blurb each and every time i need a new password.

pwgen -snycB1 21 6 ....gives me...

[email protected]:~$ pwgen -snycB1 21 6
zn3b]NY*/&*+*#x9|J:,,
3=(UNkMj(|MvE{'i|%TY,
h%J"!j<3ar&^/[%/.b|w;
9(veVeesNsJgv('<Nn"{}
:"T/pXj%ohL./u$o)?h;7
[NvoecuC<w4P*d>MuXzgF
[email protected]:~$

6 passwords....21 characters long.

BitWarden remembers them with ease.