
PFK Website Compromised

As mentioned earlier, if the hashes were not salted then they could have been reversed using rainbow tables. Also, the stolen passwords could have been hashed by the individual who lifted the list for placing onto pastebin to advertise the list for "sale" with the unhashed passwords provided to purchasers.

All pure, unsubstantiated speculation however. If the lists are freely available online with unhashed passwords, anyone with their details on this list needs to make sure they have re-secured any other services using the same credentials.
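To make the salting point above concrete, here is an added illustration (my own code, not anything from this thread or from PFK): an attacker precomputes a hash-to-plaintext table over a wordlist, which reverses every unsalted hash with a single lookup, whereas a per-user salt forces the work to be redone for every account. MD5, the wordlist and the "leaked" hashes are all constructed for the demo; which algorithm PFK actually used is not known from the thread.

```python
import hashlib
import os

# Constructed wordlist standing in for the dictionary an attacker would
# precompute. Not taken from any real leak.
WORDLIST = ["password", "letmein", "discus", "tetra123", "aquarium"]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> plaintext once; this is the idea behind a rainbow table."""
    return {md5_hex(w.encode()): w for w in words}


def hash_unsalted(password: str) -> str:
    """What a site stores when it hashes without a salt: identical for every user."""
    return md5_hex(password.encode())


def hash_salted(password: str, salt: bytes) -> str:
    """Per-user random salt stored beside the digest, 'salthex$digest'."""
    return salt.hex() + "$" + md5_hex(salt + password.encode())


def crack_unsalted(leaked_hashes, table):
    """Every unsalted hash falls to one dictionary lookup against the table."""
    return {h: table.get(h) for h in leaked_hashes}


def crack_salted(leaked_records, words):
    """No precomputed table applies: each record costs a fresh pass over the wordlist.

    Returns (recovered, hashes_computed) so the cost is visible.
    """
    recovered = {}
    work = 0
    for rec in leaked_records:
        salt_hex, digest = rec.split("$", 1)
        salt = bytes.fromhex(salt_hex)
        for w in words:
            work += 1
            if md5_hex(salt + w.encode()) == digest:
                recovered[rec] = w
                break
    return recovered, work


def demo():
    table = build_lookup_table(WORDLIST)
    # Constructed "leak": two users who both chose 'discus'.
    unsalted = [hash_unsalted("discus"), hash_unsalted("discus")]
    print("unsalted:", crack_unsalted(unsalted, table))  # both reversed, 0 hashing

    salted = [hash_salted("discus", os.urandom(16)) for _ in range(2)]
    print("salted in table?", any(r.split("$", 1)[1] in table for r in salted))
    print("salted:", crack_salted(salted, WORDLIST))  # recovered, but per-user work


if __name__ == "__main__":
    demo()
```

The table is built once and reused against every unsalted hash in a leak, which is why a list of unsalted hashes is only marginally better than plaintext. With a salt the attacker still succeeds against weak passwords, but must hash the wordlist separately for each account, so the cost scales with the number of users rather than being paid once.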
 
Log on with the wrong password, click forgot password, get new link sent to you, create new password :)

Assuming the PFK website is back up of course ;)
 
I wonder why it is taking them so long to get back up? Was it just their membership database that was compromised or were the main PFK content pages also hacked/vandalised?

What about their backups and disaster recovery provision?
 
With websites which are often updated, the content is almost always stored in a database. The only thing which remains static is the framework to render the site.

When a hack occurs, one of two things will have to happen. Either the database will have to be rolled-back to a point in time before the hack occurred, or each and every line will need to be inspected for malicious content. The problem with rolling back is content loss, and obviously this grows depending on how far back the database has to be taken. Consider the fact that users here have found reference to leaked user accounts reaching as far back as October, and then consider the kind of content that PFK will have stored in the database - each news article they publish, reviews, editorial, not to mention forum posts. The work involved in "putting things right" is colossal.

On the flip side of that, there is no point doing a mountain of work to clean the database if you don't fix the site code which was vulnerable in the first place, and finding the vulnerabilities can take ages, especially if you have a large site framework.

I wouldn't be surprised if the hack was executed via a technique called SQL-injection. SQL-injection utilizes the normal behavior of a piece of code, and tries to manipulate it into doing things it shouldn't. It is up to server protection technologies and input validation to protect against these. Take the following as an illustration:

The user is browsing a website, and clicks on an article about planted aquaria. The article has an article ID in the database where the article is stored, so the link the browser requests is something like:

http://www.plantedaquariumsarefab.tld/a ... p?id=12345

where "12345" is the ID of the article the browser wants. Now take that same page (articles.php), and get it to spit out things it shouldn't:

http://www.plantedaquariumsarefab.tld/articles.php?id=("SELECT+*+FROM+'tbl_users')

where "tbl_users" is the table containing all the user accounts.

SQL injection is a right royal pain-in-the-ass, but with suitable server technologies (such as mod_security for Apache server and URLScan and similar for Microsoft IIS), it can be mostly mitigated against. The remainder of the protection comes from the site code, ensuring that it will not execute queries it is not supposed to, and a database architecture which prevents unauthorized access to, and modification of data.

Thus endeth the lesson on website security ;)

IT11

(Edit: fixed typo)
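The articles.php scenario in the post above, written out as an added, runnable illustration (my own code, not itstricky11's and not PFK's site code). It uses an in-memory SQLite database with constructed tbl_articles and tbl_users tables; the vulnerable handler pastes the id parameter into the query string the way the post describes, and the hardened handler applies the two fixes the post calls for, input validation and a query that never executes what it is not supposed to (a parameterized statement). The UNION payload is a generic SQL injection technique, not a claim about what was actually used against PFK.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed schema and rows standing in for a content site's database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE tbl_articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE tbl_users   (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO tbl_articles VALUES (12345, 'Planted aquaria 101', 'CO2, light, ferts');
        INSERT INTO tbl_users   VALUES (1, 'alice', 'hunter2'), (2, 'bob', 'tetra123');
    """)
    return conn


def get_article_vulnerable(conn, id_param: str):
    """articles.php?id=... with the raw request value spliced into the SQL text."""
    sql = "SELECT title, body FROM tbl_articles WHERE id = " + id_param
    return conn.execute(sql).fetchall()


def get_article_safe(conn, id_param: str):
    """Same lookup with input validation plus a parameterized query."""
    # 1) Validate: an article id is a positive integer, nothing else.
    try:
        article_id = int(id_param)
    except ValueError:
        raise ValueError("id must be an integer") from None
    if article_id <= 0:
        raise ValueError("id must be positive")
    # 2) Bind the value; the driver sends it as data, never as SQL.
    sql = "SELECT title, body FROM tbl_articles WHERE id = ?"
    return conn.execute(sql, (article_id,)).fetchall()


# Attacker-supplied id: the article lookup matches nothing, and the UNION
# appends every row of the user table to the result the page renders.
PAYLOAD = "0 UNION SELECT username, password FROM tbl_users"


if __name__ == "__main__":
    conn = build_demo_db()
    print("normal  :", get_article_vulnerable(conn, "12345"))
    print("injected:", get_article_vulnerable(conn, PAYLOAD))
    print("safe    :", get_article_safe(conn, "12345"))
    try:
        get_article_safe(conn, PAYLOAD)
    except ValueError as e:
        print("safe rejects payload:", e)
```

Two things are worth noticing. The vulnerable version does nothing "wrong" by the database's standards; it simply executes the query it was handed, which is exactly what the post means by manipulating the normal behaviour of the code. And the parameterized query alone already defeats the payload, with validation as a second, independent layer; a filter in front of the server (mod_security or URLScan, as mentioned) is a third layer, but it pattern-matches requests and should not be the only defence. The post's last point, database architecture, maps onto the demo too: if the account articles.php connects with had no SELECT grant on tbl_users, the UNION would fail even against the vulnerable code.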
 
I got about a paragraph into that and started looking for a compass...

But I'll reread to educate myself :lol:
 
aquaticmaniac said:
I got about a paragraph into that and started looking for a compass...

But I'll reread to educate myself :lol:

That's the thing about web security: anyone with a bit of technical know-how can knock up a quick web site, but making it secure is hard. I've just been trying to get my head around SQL injection as well, see:
http://en.wikipedia.org/wiki/SQL_injection.

I also followed the link to the posted PFK user accounts and didn't find my username or pwd on the list but I don't know if that means they don't have my details or if that was just one of several user account lists that have been posted! :(
 
Hmm, I know everyone is paranoid about this. But I just remembered that a couple of months ago I started getting spam everyday on my email associated with PFK. I don't know if my info is on that list (can't get link to work).
Luckily I don't have any important information associated with that...
 
itstricky11 said:
With websites which are often updated, the content is almost always stored in a database. The only thing which remains static is the framework to render the site.

Wow, now I am totally bamboosoodled :crazy: :crazy: :crazy: :crazy: :lol: :lol:

regards john.
 
Sorry folks, I do appreciate that my last post was very "techy", but I tried to keep it as simple as possible while providing as much information as I could. Planted aquaria and database technologies are about as far apart as I could pick two subjects, so it is hardly surprising that subscribers here would find the above a bit baffling!

I would tend not to associate spam with the leaking of a list like this as in my experience this is not how spammers work, but it is not outside the realms of possibility that a list such as this could be sold to a spammer.

Bearing in mind my deep understanding of the issues at hand here, my advice would be to accept that it has happened, reset your passwords for other services and move on. It isn't the first time that a company has leaked the personal details of its customers, and the sad fact is that it will not be the last. In fact, Bauer publishing are to be applauded that they actually notified their subscribers that this had occurred - there are many companies out there which would do all in their power to hush an incident such as this to prevent the ensuing detrimental publicity :shh:.

IT11.
 
This is disappointing, as I'm very careful with exposing my email address online.
Over the last few weeks, I've started to receive spam mail through my email address that was used on the PFK website. I've never received them before and doubt it's a coincidence.

Whilst I'm not on the list discussed above, I guess there's nothing to stop them holding details in the background.

Fortunately, I have different passwords for secured/personal websites.

I'm reconsidering my subscription to PFK.
 
Is there any idea when PFK will be back up? I had hoped for a temp web page with some information but it's still the same maintenance page.
 
Wow i can't believe the site is still down, they must be either doing a complete site relaunch or going through the database with a fine tooth comb!
 
Also wondering when the site will be back online, and of course curious about the December 2009 magazine. I should receive this version, but I can understand they first need to fix the large problems. :)
 
I emailed Matt Clarke a couple of days ago and he gave me to understand that they should be up and running by mid-February. He made it clear that this is being taken very seriously and they are doing their utmost to avoid a repetition.

Hope this helps...
 
Having a website offline for this long is unprecedented in my experience. Bauer must really be hurting over this, and I can see why they would want to protect their subscriber-base at any cost.

I can only assume that they are rebuilding the site from the ground-up.
 