
PFK Website Compromised

2pods

Member
Joined
14 Jul 2007
Messages
138
Location
Gourock
I've just had an email from Matt @ PFK saying their website has been hacked, losing names, addresses, email addies, and possible telephone numbers.

Worrying :(
 
why would anyone want to hack a fishkeeping magazine website :?
 
AdAndrews said:
why would anyone want to hack a fishkeeping magazine website :?

smells a bit fishy to me

IGMC :lol:

Seriously, he was worried about attempted identity theft and cc fraud.

It's happened to me before.
 
Well, I'm screwed :bored:
 
It's those damn climate change email hackers!
Trying to blame aquarist for climate change!

Regards,
Tom Barr
 
I wish the email they sent out had contained a little more technical information as to exactly what had been (possibly) compromised. Depending on how their site is designed, "Joe Public" could either be at great risk, some risk, or little risk.

Let me explain.

When you register an account on somewhere such as a forum, the username and password you pick have to be stored somewhere so that they can be checked against at a later point (when you come to log in!). Usually the details are stored in a database as these are fast and easy to use, however the way they are stored can vary:

1. Plain text. The worst possible scenario (from a security point-of-view) - anyone who can access the database literally can read the information straight out of the users table.

2. Hashed. The username is "hashed" before being stored in the database, usually with an algorithm such as MD5. This means that all there is in the database for the password is an alphanumeric string. MD5 is not feasibly reversible, however with determination, hashes can be reasonably easily returned to plain text with the use of a "rainbow table" of known or computed hashes.

3. Salted hash. Same as above, but with the inclusion of a secret "key" which the hash is cyphered against. Provided the salt is large enough, a rainbow-tables attack is not feasible.

I am hoping Bauer's web designers are security-conscious enough to go for salted hashes (or better!), but some reassurance of this from them would not go amiss. Just in case anyone is wondering, secure website hosting is part of my job description.

IT11
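As an added illustration of the three storage schemes described in the post above (example code written for this thread, not code from the original post or from PFK's site), the snippet below stores one constructed password each way, then checks each stored value against a small precomputed table of MD5 digests standing in for a rainbow table. The unsalted MD5 value is matched immediately; the salted value is not, because the salt changes the digest and the table would have to be rebuilt for every salt. A PBKDF2 variant is included as the "or better" option; the word list and salts are constructed for the example.

```python
import hashlib
import hmac
import os

# Scheme 1: plain text, readable straight out of the users table.
def store_plaintext(password):
    return password

# Scheme 2: unsalted MD5, one fixed digest per password value.
def store_md5(password):
    return hashlib.md5(password.encode()).hexdigest()

# Scheme 3: random per-user salt kept beside the digest as "salt$digest".
def store_salted(password, salt=None):
    salt = salt if salt is not None else os.urandom(16).hex()
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"{salt}${digest}"

def verify_salted(password, stored):
    salt, digest = stored.split("$", 1)
    candidate = hashlib.sha256((salt + password).encode()).hexdigest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

# "Or better": a deliberately slow, salted key-derivation function (PBKDF2-HMAC-SHA256).
def store_pbkdf2(password, salt=None, rounds=200_000):
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{rounds}${salt.hex()}${dk.hex()}"

def verify_pbkdf2(password, stored):
    rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)

# A tiny table of precomputed MD5 digests for common words stands in for a rainbow table.
def build_lookup(wordlist):
    return {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}

def recover_from_table(stored, table):
    # Succeeds only when the stored value is an unsalted digest the table was built for.
    return table.get(stored)

if __name__ == "__main__":
    table = build_lookup(["password", "fishtank", "letmein"])  # constructed word list
    print(recover_from_table(store_md5("fishtank"), table))     # matched: fishtank
    print(recover_from_table(store_salted("fishtank"), table))  # None: salt defeats the table
    print(verify_salted("fishtank", store_salted("fishtank")))  # True: login still works
```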
 
The initial stolen details appear to be : email address, password & username.
With these three things it would have been easy to access our other saved details.
I found a link from another fish forum to a pastebin page from California which appears
to be an authentic list totalling 2047 stolen details.
I could only find a cached version dated Wed. Oct. 28th which is even more worrying.
How long our details may have been in the wild, who knows?
I was going to post a link but I'm not sure that would be ethical, unless the mods/admins think
it would be in all our interests to highlight the potential severity of the hack.
 
Christ, I use the same e-mail and password on everything. Would it be a good idea to change my passwords?
Regards, John :woot:
 
A quick question for itstricky11.

I've found a second list, uploaded Friday, which appears to have MD5 hashes in place of the passwords.
Does this mean anything to you ?
I've also found a third list (a rewrite of the first) which the author begins by writing 'IN ALPHABETICAL ORDER FOR EASY FINDING OF YOUR OWN INFO'... How considerate!!!
I spent all night following a possible lead and all info has been forwarded to Matt and I'll let you know if I get a reply.

For John Starkey.
I'd advise changing your passwords, then move house... maybe the second one's a bit extreme.
 
PFK's site is still down, but all I think I can do is change what passwords I can remember elsewhere :mad:
 
Fortunately I haven't used the same password as I usually do (I know, I should be more careful anyway). I've found the link to the cached list on other forums but it seems to be broken. I don't know whether to be relieved or increasingly worried (don't know if my stuff is still out there) :wideyed:
 
The link is broken because the paste has been updated. (just alphabetised)
Found a paste for SPAM with this list attached uploaded today.
If you get SPAM about Lloyds Bank then you're probably on the list.
Will keep checking and let you all know if things change.
Can I post a link to the paste? (As posted by REEFSCAPE on other forums) ;)
 
I've got spam from Lloyds, but then again I regularly get spam from just about every 'bank' in existence (which I never respond to, and up to now have had no problems). Can you pm me the updated list? I'd rather know than be left ignorant.
 
naija said:
I've got spam from Lloyds, but then again I regularly get spam from just about every 'bank' in existence (which I never respond to, and up to now have had no problems). Can you pm me the updated list? I'd rather know than be left ignorant.

I'll give everybody instructions to find the info.
Find the link in REEFSCAPE's post on another forum (which will bring up a Google page).
Copy and paste the p******n.ca/(some numbers) into your browser bar.
Add 'tree' before the numbers (no spaces).
Pressing enter takes you to the paste site.
Find the 'View Differences' button and click on it.
SPAM entry and list will now appear.
Keep an eye on the 'Recent posts' on the left.
All entries so far have been titled 'Stuff'.

PLEASE REMOVE POST IF CONTRAVENING ANY RULES.
 
Thanks so much for that :thumbup: . I'm not on the list, but I've learned my lesson. Pity the fool who tries to work out my passwords from now on.
 
What worries me the most is that this list was compiled in October.
PFK shut their site down on Friday. 4th Dec.
How many other lists may be in the wild like this?
Are our addresses and other info trading hands behind the scenes?
Will PFK be informing each subscriber if their info has definitely been stolen?
How will PFK resurrect the subscriptions if no details can be trusted anymore? (may have been edited)

Glad to hear that your info is not on THIS list naija.
By the way, great looking tank (could the heater be hidden a bit, or are the plants starting to mask it?).
 
If the passwords have been hashed, there is less of an issue with the passwords being reversed and used elsewhere - the computational time required to do so would be vast (assuming they are salted as I mentioned before).

However! It is always best practice to use different usernames and passwords for anything you sign up to. I know that makes things hard to remember, so consider using an application such as the open-source KeyPass (keypass.info), which allows you to store your logins in a single, heavily-encrypted database. Then all you need to do is remember one extra-secure password to look up the other ones you have!

As the tables were hashed I won't be considering cancelling my PFK subscription... yet.

IT11
 
itstricky11 said:
If the passwords have been hashed, there is less of an issue with the passwords being reversed and used elsewhere - the computational time required to do so would be vast (assuming they are salted as I mentioned before).

However! It is always best practice to use different usernames and passwords for anything you sign up to. I know that makes things hard to remember, so consider using an application such as the open-source KeyPass (keypass.info), which allows you to store your logins in a single, heavily-encrypted database. Then all you need to do is remember one extra-secure password to look up the other ones you have!

As the tables were hashed I won't be considering cancelling my PFK subscription... yet.

IT11

Only one list contains hashed passwords. The other updated list contains the actual passwords not the hashes.
Could the passwords have been hacked from the listed hashes, or could this only have been achieved by accessing the site directly?
 