Show Posts


Topics - LowWaterMark

Security Topics / How forums get hacked, well, most of the time...
« on: July 11, 2014, 12:28:31 PM »
Over the past year, a large number of the publicized forum hacking incidents have had as their root cause compromised access to forum staff or FTP account credentials.

While many people believe that most of the hacks happen because of unknown software bugs or zero-day exploits, that is simply not the case with most forum software hacks.  If you look at the major forum software packages, you will not see many updates in the last year because of some serious new exploit found in the code.  Yet, forums keep getting hacked.

As a consultant who assists forum owners with security matters, I've found that most of the hacks I've worked on were caused simply by staff members reusing passwords at multiple sites.  Then, when one of the other sites has its database compromised, the passwords recovered from there are used at other sites, often leading to additional hacked forums.  And this just keeps going.  Passwords from that site, in turn, are used to hack the next site...

Moderator or Admin accounts being accessed by persons unknown is much more common than people think.  So, my advice is that you tell your staff to never use the same password at more than one site.  If they have, they should change the password on your site immediately!

Also, maintain proper security over domain/FTP account passwords.  Change them whenever any staff change occurs, a consultant finishes a project, or there's any chance that a password was communicated insecurely.

The vast majority of forum hacks could be prevented if the staff and server-side passwords were simply kept unique to each site.
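The check a forum owner would want after reading the post above is to test staff accounts against credentials already leaked from other sites, which is exactly what the attackers do. The following is an added example, not code from the original post or from any forum package. It assumes the forum stores passwords as sha1(lowercase username + password) (the scheme SMF 2.0 used, to my understanding; substitute your own `hash_fn`), and that breach dumps are available as (email, plaintext password) pairs. All staff records and dumps below are constructed sample data.

```python
"""Audit forum staff accounts against credentials leaked from other sites.

Added example (not from the original post). Assumptions, not facts from
the post: the forum stores sha1(lowercase_username + password); breach
dumps are lists of (email, plaintext_password); all data is constructed.
"""
import hashlib


def forum_hash(username: str, password: str) -> str:
    """Assumed storage scheme: sha1(lowercase(username) + password)."""
    return hashlib.sha1((username.lower() + password).encode("utf-8")).hexdigest()


# Constructed sample: the forum's staff table (username, email, stored hash).
STAFF = [
    {"username": "Alice", "email": "alice@example.org",
     "hash": forum_hash("Alice", "correct horse battery")},
    {"username": "bob", "email": "bob@example.org",
     "hash": forum_hash("bob", "Summer2014!")},
    {"username": "carol", "email": "carol@example.org",
     "hash": forum_hash("carol", "unique-to-this-forum")},
    # dave registered on the forum with a different email than the one that leaked
    {"username": "dave", "email": "dave@forum.example",
     "hash": forum_hash("dave", "letmein")},
]

# Constructed sample: credentials recovered from two other sites' breaches.
LEAKS = {
    "othersite.example": [("bob@example.org", "Summer2014!"),
                          ("dave@example.org", "letmein")],
    "anothersite.example": [("alice@example.org", "Tr0ub4dor&3"),
                            ("carol@example.org", "hunter2")],
}


def find_reused_credentials(staff, leaks, hash_fn=forum_hash, try_all=False):
    """Return {username: [source_site, ...]} for every staff account whose
    forum password verifies against a password leaked elsewhere.

    Default mode mirrors the cheap attack: try only the passwords leaked
    under the same email.  try_all=True tries every leaked password against
    every account, which also catches staff who reuse a password under a
    different email (slower, but closer to a real stuffing campaign).
    """
    by_email = {}   # email -> [(site, password)]
    all_pw = []     # [(site, password)]
    for site, creds in leaks.items():
        for email, pw in creds:
            by_email.setdefault(email.lower(), []).append((site, pw))
            all_pw.append((site, pw))

    hits = {}
    for acct in staff:
        name = acct["username"]
        candidates = all_pw if try_all else by_email.get(acct["email"].lower(), [])
        for site, pw in candidates:
            if hash_fn(name, pw) == acct["hash"] and site not in hits.get(name, []):
                hits.setdefault(name, []).append(site)
    return hits


if __name__ == "__main__":
    print("same-email reuse:", find_reused_credentials(STAFF, LEAKS))
    print("any-password reuse:", find_reused_credentials(STAFF, LEAKS, try_all=True))
```

Any account reported should have its forum password reset immediately, and the same audit is worth repeating against the domain/FTP credentials whenever a new dump circulates. Plaintext passwords only appear here because that is what a breach dump contains; never store them on your own side.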


The new book by Brian Krebs looks to cover the full range of cyber criminal activities.  It's not just about spam email, if that's what you infer from the title.  It will take you deep into the workings of the cybercrime underground, which makes it well worth a review.

Due out Nov. 18, 2014 - Spam Nation by Brian Krebs

Security Topics / ESET Forums Hacked
« on: June 05, 2014, 02:46:15 PM »
Joining a long line of hacked web forums, ESET, makers of the antivirus product Nod32, has had their forum database compromised.

The following is the email message ESET has mailed to their approximately 2700 forum members:

Quote from: ESET
From: "ESET Security Forum" <noreply @>
To: (noone) @
Sent: Thursday, June 05, 2014 11:30 AM
Subject: security incident on

Dear (noone),

We have been informed by our third-party forum provider that user login details of ESET Security Forum members have been compromised. At this time we have confirmed that login data (user name/email and hashed forum passwords) have been accessed. We have requested details about the incident from our provider and have launched a full-scale investigation with them. ESET Security Forum has around 2,700 registered users and the only information stored are login details: no financial or other sensitive data are affected. ESET-operated infrastructure and ESET software users were not affected in any way by this incident.

We recommend that all ESET Security Forum users change their passwords. Having different passwords for different services is a good practice: if you used your ESET Security Forum password for other services, we recommend that you also change those passwords immediately. Some useful tips on how to create strong passwords can be found at ESET WeLiveSecurity website:

We apologize for any inconvenience.

ESET Security Forum

ESET appears to have out-sourced the hosting of their forum to a third party.  As a no-doubt paid-for service, ESET should be justifiably upset that a professional hosting services company could not keep their member data secured.  One of the main reasons to out-source forum hosting is to get professionals to provide the best and most secure services possible.

The ESET forums have been hosted on IPB (IP.Board) since September, 2013.  Prior to that, ESET had their official forums hosted at Wilders Security Forums for 11 years without any hacking incidents.

Everyone says "passwords are bad."  They are insecure by design because in order to be secure, they must be complex.  If they are complex, almost no one can remember them.  So, people either dumb-down their passwords, or, record them insecurely somewhere. ("Post-it note under the keyboard" sound familiar?)

So, I decided to use biometrics in my security app.  With the latest devices having built-in fingerprint scanners, I figured that would be the ideal tool.  After a long development process, I perfected my fingerprint ID system, with biometric information stored in a database on the backend authentication server.

All tests and initial implementation went great.  It worked!  People authenticate with just a touch of a finger.  So, we went live across the board.

What could possibly go wrong?

Hackers cracked their way into the server and stole the database.  That's what could and did go wrong.

The bad guys made off with 80,000 customer records, which included all the digitized fingerprint scans.  And, since I made ten separate accounts while testing, the hackers have all my fingerprints.  Since I'll never have any other fingers, and therefore no new or different fingerprints, I am basically screwed - forever.

At least with passwords, if the database was stolen, I could pick new passwords in the future.  With fingerprints, I only got 10 chances to keep them secure.  And now those are gone.

Biometrics - an idea that sounds so good on the surface, but, should never be used in the real world.

Forum Matters / ct7Security Forums Upgraded
« on: May 30, 2014, 06:01:09 PM »
The forums here at ct7Security have been upgraded to SMF v2.0.7.

See the explanation for this upgrade in the "avast! forums still offline after hack" topic.

Security Topics / avast! forums still offline after hack
« on: May 30, 2014, 05:54:36 PM »
The avast! forum remains offline since it was hacked on May 24, 2014.  No word has yet been released as to the exact attack vector used to gain entry.  Company representatives said the database of usernames, email addresses and hashed passwords for its almost 400,000 members was downloaded by the hackers.

The avast! forum was running on the SMF (Simple Machines Forum) software package.  The avast! COO stated they were running version 2.0.6, though there was confusion over why their forum had an old copyright date notice in their footer (i.e. SMF © 2012).  There were no versions of SMF v2 using that date.  A v2.0.6 SMF forum should have had a 2013 date for its copyright notice.

Early speculation by avast! staff was that there was an unannounced security fix in the latest version of SMF, v2.0.7, which may have been used to hack their forum.  The SMF support team denies that any security fix was included in 2.0.7.

This forum was built deliberately to review the upgrade path, copyright notice dates, and code changes, occurring from a base install of SMF v2.0.3, and stepping through each patch/upgrade kit to 2.0.7.  No 2012 copyright signature ever appeared throughout this process.  Likewise, a code review performed here showed no security fixes occurred from 2.0.6 to 2.0.7.  The changelog from the SMF website appears to be accurate.

avast! and the SMF team have said they are working together to review logs, and any other available data, in order to determine just what happened during the hack.
